Lines Matching refs:kernel

1 # Life begins with the kernel.
2 type kernel, domain, mlstrustedsubject;
4 allow kernel self:global_capability_class_set sys_nice;
7 r_dir_file(kernel, rootfs)
10 allow kernel {
16 allow kernel selinuxfs:dir r_dir_perms;
17 allow kernel selinuxfs:file r_file_perms;
20 allow kernel file_contexts_file:file r_file_perms;
23 allow kernel rootfs:file relabelfrom;
24 allow kernel init_exec:file relabelto;
26 allow kernel init:process share;
29 allow kernel unlabeled:dir search;
32 allow kernel usbfs:filesystem mount;
33 allow kernel usbfs:dir search;
36 # We use dontaudit instead of allow to prevent a kernel spawned userspace
38 dontaudit kernel self:security setenforce;
41 allow kernel self:global_capability_class_set sys_resource;
48 allow kernel self:global_capability_class_set sys_boot;
49 allow kernel proc_sysrq:file w_file_perms;
52 allow kernel tmpfs:chr_file write;
55 allow kernel selinuxfs:file write;
56 allow kernel self:security setcheckreqprot;
58 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
59 allow kernel sdcard_type:file { read write };
61 # f_mtp driver accesses files from kernel context.
62 allow kernel mediaprovider:fd use;
64 # Allow the kernel to read OBB files from app directories. (b/17428116)
69 allow kernel vold:fd use;
70 allow kernel { app_data_file privapp_data_file }:file read;
71 allow kernel asec_image_file:file read;
74 # and for LTP kernel tests (b/73220071)
76   allow kernel update_engine_data_file:file { read write };
77   allow kernel nativetest_data_file:file { read write };
83 allow kernel media_rw_data_file:dir create_dir_perms;
84 allow kernel media_rw_data_file:file create_file_perms;
87 allow kernel vold_data_file:file { read write };
89 # Allow the kernel to read APEX file descriptors and (staged) data files;
91 # a kernel thread in earlier kernel version.
92 allow kernel apexd:fd use;
93 allow kernel {
99 # Allow the first-stage init (which is running in the kernel domain) to execute the
102 # before the domain is switched to the target domain. So, we need to allow the kernel
105 # kernel older than 4.8.
106 allow kernel system_file:file execute;
111   allow kernel rootfs:file execute;
115 allow kernel appdomain_tmpfs:file { read write };
121 # The initial task starts in the kernel domain (assigned via
123 neverallow * kernel:process { transition dyntransition };
125 # The kernel domain is never entered via an exec, nor should it
127 # If you encounter an execute_no_trans denial on the kernel domain, then
129 # - The program is a kernel usermodehelper.  In this case, define a domain
133 neverallow kernel *:file { entrypoint execute_no_trans };
135 # the kernel should not be accessing files owned by other users.
138 neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
140 # Nobody should be ptracing kernel threads
141 neverallow * kernel:process ptrace;