# Rules in this file are granted to, or asserted over, the `domain` attribute,
# i.e. every process domain. Keep grants here minimal: anything added is
# automatically available to every process on the device.

# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122). The `-su` exclusion only exists on userdebug/eng
# builds (the macro expands to nothing on user builds).
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;

# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);

# See private/crash_dump.te
# Domains subtracted here are excluded from both profiling grants below
# (can_profile_heap and can_profile_perf both start from this set).
define(`dumpable_domain',`{
  domain
  -apexd
  -bpfloader
  -crash_dump
  -crosvm # TODO(b/236672526): Remove exception for crosvm
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -ueventd
  -vendor_init
  -vold
}')

# Allow heap profiling by heapprofd.
# Zygotes are excluded due to potential issues with holding open file
# descriptors or other state across forks. Other exclusions conflict with
# neverallows, and are not considered important to profile.
can_profile_heap({
  dumpable_domain
  -app_zygote
  -hal_configstore_server
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -webview_zygote
  -zygote
})

# Allow profiling using perf_event_open by traced_perf.
# Note this set is wider than the heap-profiling one: the recovery and
# logpersist domains are not subtracted here.
can_profile_perf({
  dumpable_domain
  -app_zygote
  -hal_configstore_server
  -webview_zygote
  -zygote
})

# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);

# Everyone can access the fuse list of features.
r_dir_file(domain, sysfs_fs_fuse_features);

# Path resolution access in cgroups.
# Every domain may traverse the cgroup hierarchies (v1 and v2). Write access
# (creating/joining cgroups, writing control files) is withheld from apps and
# from rs, which apps spawn; all other domains get it.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;

allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;

# cgroup.rc and the task-profile descriptions are world-readable so that
# libprocessgroup can work in any process. Writing cgroup.rc is restricted
# by a neverallow further down in this file.
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;

# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);

# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)

# Read access to bq configuration values
get_prop(domain, bq_config_prop);

# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);

# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process), and MTE bootloader override to be
# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
get_prop(domain, device_config_runtime_native_boot_prop);
get_prop(domain, device_config_runtime_native_prop);

# For now, everyone can access core property files
# Device specific properties are not granted by default
# The two macro blocks below are mutually exclusive: exactly one of them is
# compiled in, depending on whether the device uses compatible properties.
not_compatible_property(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop(domain, core_property_type)
  get_prop(domain, exported3_system_prop)
  get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
  # DO NOT ADD ANY PROPERTIES HERE
  get_prop({coredomain appdomain shell}, core_property_type)
  get_prop({coredomain appdomain shell}, exported3_system_prop)
  get_prop({coredomain appdomain shell}, exported_camera_prop)
  get_prop({coredomain shell}, userspace_reboot_exported_prop)
  get_prop({coredomain shell}, userspace_reboot_log_prop)
  get_prop({coredomain shell}, userspace_reboot_test_prop)
  # vendor_default_prop is the one property set that goes to non-core,
  # non-app domains only.
  get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')

# Public readable properties
# Anything listed here is readable by every process, including untrusted
# apps. Do not add a property here if its value is sensitive or if it
# should only be visible to platform code.
get_prop(domain, aaudio_config_prop)
get_prop(domain, apexd_select_prop)
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, framework_status_prop)
get_prop(domain, gwp_asan_prop)
get_prop(domain, hal_instrumentation_prop)
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, locale_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
# Debug-build-only properties are withheld from untrusted, isolated and
# ephemeral apps; every other domain may read them.
get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
get_prop(domain, vts_config_prop)

# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
get_prop(domain, binder_cache_telephony_server_prop)

# Allow access to fsverity keyring.
# Searching a keyring only lets a process look up keys in it (e.g. for
# fs-verity signature checks); it does not grant read of key material.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
# Debug builds only; on user builds no such keys can exist.
userdebug_or_eng(`
  allow domain su:key search;
')

# Allow access to linkerconfig file
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;

# Allow all processes to check for the existence of the boringssl_self_test_marker files.
# Only directory search is granted: the markers are probed by path, not read.
allow domain boringssl_self_test_marker:dir search;

# Allow all processes to read the file_logger property that liblog uses to check if file_logger
# should be used.
get_prop(domain, log_file_logger_prop)

# Allow all processes to connect to PRNG seeder daemon.
unix_socket_connect(domain, prng_seeder, prng_seeder)

# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
# Note the `userdebug_or_eng(`-domain')` line: on debuggable builds it
# subtracts every domain, so this neverallow asserts nothing there. The
# permission list below is deliberately spelled out instead of using a
# *_perms macro so that getattr (stat) stays permitted everywhere.
neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
  -mtectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
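# CAP_SYS_PTRACE allowlist. The userdebug_or_eng() exemptions disappear on
# user builds, so there only vold, dumpstate, storaged and system_server may
# hold the capability.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  -storaged
  -system_server
} self:global_capability_class_set sys_ptrace;

# Limit ability to generate hardware unique device ID attestations to priv_apps
# (and gmscore). Both the legacy keystore_key class and the keystore2_key
# class are covered. Using keys that carry a device ID, and the
# lock/unlock/reset/clear_ns operations on keystore itself, are reserved for
# system_server.
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };

# On user builds only init and vendor_init may read or write
# debugfs_tracing_debug; on debuggable builds the assertion is vacuous
# (`-domain` subtracts everything).
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;

# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
# Other domains may still getattr/read dropbox files (e.g. via a passed fd);
# everything else on the files, and all directory access, is denied.
neverallow {
  domain
  -init
  -system_server
  userdebug_or_eng(`-dumpstate')
} dropbox_data_file:dir *;
neverallow {
  domain
  -init
  -system_server
  userdebug_or_eng(`-dumpstate')
} dropbox_data_file:file ~{ getattr read };

###
# Services should respect app sandboxes
# Only apps themselves, artd and installd may create or unlink anything
# inside private app data. (This assertion used to be duplicated verbatim
# after the `:file_class_set open` rule below; it is asserted once here.)
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };

# Only the following processes should be directly accessing private app
# directories.
neverallow {
  domain
  -adbd
  -appdomain
  -app_zygote
  -artd # compile secondary dex files
  -dexoptanalyzer
  -installd
  -profman
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
  -viewcompiler
  -zygote
} { privapp_data_file app_data_file }:dir *;

# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;

# Opening app data files (any file class) is limited to apps, app_zygote,
# artd, installd and rs. Other domains can still operate on an fd handed
# to them by an app.
neverallow {
  domain
  -appdomain
  -app_zygote
  -artd # compile secondary dex files
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;

# Relabeling app data in either direction is reserved for artd and installd;
# apps themselves may not do it.
neverallow {
  domain
  -artd # compile secondary dex files
  -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
# The first two rules bound who may touch the staging dir/files at all; the
# two that follow narrow write access further, to init/system_server/installd
# for directories and to init/system_server for files.
neverallow {
  domain
  -init
  -system_server
  -apexd
  -installd
  -priv_app
  -virtualizationmanager
} staging_data_file:dir *;
neverallow {
  domain
  -init
  -system_app
  -system_server
  -apexd
  -adbd
  -kernel
  -installd
  -priv_app
  -shell
  -virtualizationmanager
  -crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd } staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.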
# Write-ish permissions on staged files (everything in no_w_file_perms except
# link/unlink, which apexd needs) are limited to init and system_server.
neverallow { domain -init -system_server } staging_data_file:file
  { append create relabelfrom rename setattr write no_x_file_perms };

# Execution of files from any non-rootfs filesystem type is denied except for
# the three domains with a documented need.
neverallow {
  domain
  -appdomain # for oemfs
  -bootanim # for oemfs
  -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;

#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
# The target set is "every file_type that is not a system/vendor/exec type
# and not postinstall_file" - i.e. in practice anything labeled as data or
# with an ad-hoc type. The subject exemptions are each justified inline or
# are debug-build-only.
#
neverallow {
  domain
  -appdomain
  with_asan(`-asan_extract')
  -shell
  userdebug_or_eng(`-su')
  -system_server_startup # for memfd backed executable regions
  -app_zygote
  -webview_zygote
  -zygote
  userdebug_or_eng(`-mediaextractor')
  userdebug_or_eng(`-mediaswcodec')
} {
  file_type
  -system_file_type
  -system_lib_file
  -system_linker_exec
  -vendor_file_type
  -exec_type
  -postinstall_file
}:file execute;

# Only init and vendor_init are allowed to write the cgroup.rc file
# (every domain may read it; see the r_file_perms grant earlier in this file).
neverallow {
  domain
  -init
  -vendor_init
} cgroup_rc_file:file no_w_file_perms;

# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
  domain
  -init # TODO: limit init to relabelfrom for files
  -zygote
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -otapreopt_slot
  -artd
} dalvikcache_data_file:file no_w_file_perms;

# Same allowlist for the directories themselves.
neverallow {
  domain
  -init
  -installd
  -postinstall_dexopt
  -cppreopts
  -dex2oat
  -zygote
  -otapreopt_slot
  -artd
} dalvikcache_data_file:dir no_w_dir_perms;

# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
# Writers of ART APEX data files: the on-device compilation/signing pipeline
# plus the domains that create and label the directory.
neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;

# Same allowlist for the directories.
neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;

# Protect most domains from executing arbitrary content from /data.
# Only apps are exempted as subjects; the exempted targets are the compiled
# ART artifacts and APK/shared-library locations listed below.
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;

# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# Note the `~` below: the assertion applies to every domain NOT in this set,
# so adding a name here is what grants a domain the right to have the
# capability at all.
define(`dac_override_allowed', `{
  apexd
  artd
  dnsmasq
  dumpstate
  init
  installd
  userdebug_or_eng(`llkd')
  lmkd
  migrate_legacy_obb_data
  netd
  postinstall_dexopt
  recovery
  rss_hwm_reset
  sdcardd
  tee
  ueventd
  uncrypt
  vendor_init
  vold
  vold_prepare_subdirs
  zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
  dac_override_allowed
  traced_perf
  traced_probes
  heapprofd
} self:global_capability_class_set dac_read_search;

# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
# fastbootd is only exempted in the recovery variant of the policy.
neverallow {
  domain
  -apexd
  recovery_only(`-fastbootd')
  -init
  -kernel
  -otapreopt_chroot
  -recovery
  -update_engine
  -vold
  -zygote
} { fs_type
  -sdcard_type
  -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };

# When debugfs restrictions are enforced, nothing may mount debugfs types
# (other than debugfs_tracing_debug); on debuggable builds init is exempt.
enforce_debugfs_restriction(`
  neverallow {
    domain userdebug_or_eng(`-init')
  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')

# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
# (`userdebug_or_eng(`-domain')` makes the assertion vacuous there.)
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -uncrypt
  -tee
  -hal_bootctl_server
  -fastbootd
} self:global_capability_class_set sys_rawio;

# Limit directory operations on the app-data mirror to the domains that
# need to do app data isolation.
neverallow {
  domain
  -fsck
  -init
  -installd
  -zygote
} mirror_data_file:dir *;

# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

# Only init and system_server may set package_manager properties, and only
# core domains may read them.
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

# Do not allow reading the last boot timestamp from system properties,
# except by init, system_server and dumpstate.
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

# Allow ART to set its config properties in its oneshot boot service, in
# addition to the common init and vendor_init access.
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;

# Kprobes should only be used by adb root. Among confined domains only init
# and vendor_init may touch debugfs_kprobes; how adb root (su) escapes this
# assertion is defined by su's own policy, not here - confirm in su.te.
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;

# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
# Only write, execute and open are asserted here; getattr/read via a passed
# fd is not covered by this rule.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -bootanim
    -crash_dump
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -init
    -kernel
    userdebug_or_eng(`-simpleperf_boot')
    -traced_perf
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
')

# Vendor domains are not permitted to initiate communications to core domain sockets
# Subjects: every non-core, non-app domain that is not a registered violator.
# Targets: every core domain except the listed public socket endpoints.
full_treble_only(`
  neverallow_establish_socket_comms({
    domain
    -coredomain
    -appdomain
    -socket_between_core_and_vendor_violators
  }, {
    coredomain
    -logd # Logging by writing to logd Unix domain socket is public API
    -netd # netdomain needs this
    -mdnsd # netdomain needs this
    -prng_seeder # Any process using libcrypto needs this
    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
    -init
    -tombstoned # linker to tombstoned
    -heapprofd
    -traced
    -traced_perf
  });
')

full_treble_only(`
  # Do not allow system components access to /vendor files except for the
  # ones allowed here.
  # The target set subtracts the vendor file types that are part of the
  # system<->vendor interface (same-process HALs, VNDK-SP, public libs and
  # frameworks, configs, key layouts, etc.); every other vendor_file_type is
  # off limits to core domains not listed as subjects.
  neverallow {
    coredomain
    # TODO(b/37168747): clean up fwk access to /vendor
    -crash_dump
    -crosvm # loads vendor-specific disk images
    -init # starts vendor executables
    -kernel # loads /vendor/firmware
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -shell
    userdebug_or_eng(`-simpleperf_boot')
    -system_executes_vendor_violators
    -traced_perf # library/binary access for symbolization
    -ueventd # reads /vendor/ueventd.rc
    -vold # loads incremental fs driver
  } {
    vendor_file_type
    -same_process_hal_file
    -vendor_app_file
    -vendor_apex_file
    -vendor_configs_file
    -vendor_service_contexts_file
    -vendor_framework_file
    -vendor_idc_file
    -vendor_keychars_file
    -vendor_keylayout_file
    -vendor_overlay_file
    -vendor_public_framework_file
    -vendor_public_lib_file
    -vendor_task_profiles_file
    -vendor_uuid_mapping_config_file
    -vndk_sp_file
  }:file *;
')

# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;

# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;

# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
} mm_events_config_prop:file no_rw_file_perms;

# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are replaced with symbol
# names (if available). Traces don't disclose KASLR.
# Reading /proc/kallsyms is otherwise an easy KASLR bypass, so keep this
# allowlist short; profcollectd and simpleperf_boot are debug-build only.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  -vendor_init
  userdebug_or_eng(`-simpleperf_boot')
  -traced_probes
  -traced_perf
} proc_kallsyms:file { open read };

# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
# tracefs types are excluded from the target set as well; they are governed
# by the debugfs_tracing_debug rules elsewhere in this file.
enforce_debugfs_restriction(`
  neverallow {
    domain
    -vendor_modprobe
    userdebug_or_eng(`
      -init
      -hal_dumpstate
    ')
  } { debugfs_type
    userdebug_or_eng(`-debugfs_kcov')
    -tracefs_type
  }:file no_rw_file_perms;
')

# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;

# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
# The uncrypt/virtualization/crosvm exemptions are debug-build only.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
  userdebug_or_eng(`-virtualizationmanager')
  userdebug_or_eng(`-virtualizationservice')
  userdebug_or_eng(`-crosvm')
} shell_data_file:file open;

# In addition to the file open restriction above, restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
# Directory writes under shell-owned data: adbd, artd, dumpstate, installd,
# init, shell and vold only.
neverallow {
  domain
  -adbd
  -artd
  -dumpstate
  -installd
  -init
  -shell
  -vold
} shell_data_file:dir no_w_dir_perms;

# Opening shell-owned directories.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # TODO: the reason for this exemption is undocumented
  userdebug_or_eng(`-uncrypt')
} shell_data_file:dir open;

# Path traversal through shell-owned directories. Same allowlist as `open`
# above plus the debug-build virtualization exemptions.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # TODO: the reason for this exemption is undocumented
  userdebug_or_eng(`-uncrypt')
  userdebug_or_eng(`-virtualizationmanager')
  userdebug_or_eng(`-crosvm')
} shell_data_file:dir search;

# respect system_app sandboxes
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
  -traced_probes # resolve inodes for i/o tracing.
                 # only needs open and read, the rest is neverallow in
                 # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
# The appdomain exemption above is narrowed here: the less-trusted app
# classes may not create, unlink or open system_app data either.
neverallow {
  isolated_app_all
  ephemeral_app
  priv_app
  sdk_sandbox_all
  untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };

# Only init may transition (exec or dyntransition) into the mtectrl domain.
neverallow { domain -init } mtectrl:process { dyntransition transition };

# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
# (init and vold_prepare_subdirs are exempt so the directory can be created and labeled).
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;