# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
# On userdebug/eng builds the source set is { domain -su }; on user builds
# the userdebug_or_eng() macro expands to nothing, so every domain transitions.
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
# The crashing process must be able to receive SIGCHLD from its crash_dump child.
allow domain crash_dump:process sigchld;
7
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
# Read-only: get_prop() grants reads of the property; it does not grant
# property_service set.
get_prop(domain, heapprofd_prop);
13
# See private/crash_dump.te
# Base set of domains whose processes may be dumped/profiled. The
# can_profile_heap and can_profile_perf sets below are carved out of it, so
# adding a domain to this exclusion list removes it from both profilers.
# The subtracted domains are (presumably) early-boot / privileged daemons
# (init, vendor_init, ueventd, kernel, apexd, bpfloader), holders of sensitive
# state (keystore, vold, logd), and the dumper itself (crash_dump); see
# private/crash_dump.te for the authoritative rationale.
define(`dumpable_domain',`{
  domain
  -apexd
  -bpfloader
  -crash_dump
  -crosvm # TODO(b/236672526): Remove exception for crosvm
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -ueventd
  -vendor_init
  -vold
}')
30
# Allow heap profiling by heapprofd.
# Zygotes are excluded due to potential issues with holding open file
# descriptors or other state across forks. Other exclusions conflict with
# neverallows, and are not considered important to profile.
# This is dumpable_domain (defined above) minus the zygotes, the configstore
# HAL, logpersist and the recovery helpers. It is a strictly smaller set than
# the perf-profiling set below.
can_profile_heap({
  dumpable_domain
  -app_zygote
  -hal_configstore_server
  -logpersist
  -recovery
  -recovery_persist
  -recovery_refresh
  -webview_zygote
  -zygote
})
46
# Allow profiling using perf_event_open by traced_perf.
# Same base as heap profiling, but logpersist and the recovery domains are not
# excluded here, so they remain perf-profilable.
can_profile_perf({
  dumpable_domain
  -app_zygote
  -hal_configstore_server
  -webview_zygote
  -zygote
})
55
# The IncFS and fuse feature lists exported through sysfs are readable by
# every domain (dir, file and lnk_file read access via r_dir_file).
r_dir_file(domain, { sysfs_fs_incfs_features sysfs_fs_fuse_features });
61
# Every domain may resolve paths through both the cgroup v1 and v2 hierarchies.
allow domain { cgroup cgroup_v2 }:dir search;
# All non-app domains (renderscript is subtracted too, since it is spawned
# from apps) may create/modify cgroup directories and write to cgroup control
# files. This is a broad grant; keep app domains out of it.
allow { domain -appdomain -rs } { cgroup cgroup_v2 }:dir w_dir_perms;
allow { domain -appdomain -rs } { cgroup cgroup_v2 }:file w_file_perms;
70
# cgroup.rc and the system / API / vendor task-profile definitions are
# readable by every domain. Writes to cgroup.rc are neverallowed below.
allow domain cgroup_rc_file:dir search;
allow domain {
  cgroup_rc_file
  task_profiles_file
  task_profiles_api_file
  vendor_task_profiles_file
}:file r_file_perms;
76
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);

# Read access to sdkextensions props
# (the trailing semicolon after get_prop() is optional; this file mixes both
# forms)
get_prop(domain, module_sdkextensions_prop)

# Read access to bq configuration values
get_prop(domain, bq_config_prop);

# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);

# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process), and MTE bootloader override to be
# observed by everything
# All of these are read-only grants; property_service set is a separate
# permission and is not granted here.
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
get_prop(domain, device_config_runtime_native_boot_prop);
get_prop(domain, device_config_runtime_native_prop);
97
# For now, everyone can access core property files
# Device specific properties are not granted by default
# The two branches below are build-mode alternatives: presumably only one of
# not_compatible_property / compatible_property_only expands on a given
# build. In the compatible-property mode, vendor domains
# ({domain -coredomain -appdomain}) only get vendor_default_prop, while core
# domains, apps and shell get the core/exported property types.
not_compatible_property(`
    # DO NOT ADD ANY PROPERTIES HERE
    get_prop(domain, core_property_type)
    get_prop(domain, exported3_system_prop)
    get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
    # DO NOT ADD ANY PROPERTIES HERE
    get_prop({coredomain appdomain shell}, core_property_type)
    get_prop({coredomain appdomain shell}, exported3_system_prop)
    get_prop({coredomain appdomain shell}, exported_camera_prop)
    get_prop({coredomain shell}, userspace_reboot_exported_prop)
    get_prop({coredomain shell}, userspace_reboot_log_prop)
    get_prop({coredomain shell}, userspace_reboot_test_prop)
    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
116
# Public readable properties
# Every domain may read the property types listed here. Anything added to this
# list becomes visible to untrusted apps as well, so only genuinely public
# values belong here.
get_prop(domain, aaudio_config_prop)
get_prop(domain, apexd_select_prop)
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, framework_status_prop)
get_prop(domain, gwp_asan_prop)
get_prop(domain, hal_instrumentation_prop)
get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, locale_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
# userdebug/eng-only properties are hidden from untrusted, isolated and
# ephemeral apps.
# NOTE(review): sdk_sandbox_all, which the system_app_data_file rule near the
# end of this file treats as an untrusted app class, is not subtracted here.
# Confirm whether sandboxed SDK processes are meant to read these.
get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app },  userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
get_prop(domain, vts_config_prop)
153
# Binder cache properties are world-readable: every domain may read the
# bluetooth, system_server and telephony binder-cache property types.
get_prop(domain, {
  binder_cache_bluetooth_server_prop
  binder_cache_system_server_prop
  binder_cache_telephony_server_prop
})
158
# fsverity keyring access: every domain may search the kernel keyring and the
# keys that fsverity_init installed at boot. Search only; no read/write/setattr
# on the keys is granted here.
allow domain { kernel fsverity_init }:key search;
# Keys installed with su are searchable only on debuggable builds (testing).
userdebug_or_eng(`
  allow domain su:key search;
')
167
# Allow access to linkerconfig file
# Read-only: directory search plus file read; no write access.
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;

# Allow all processes to check for the existence of the boringssl_self_test_marker files.
# Only dir search is granted, which is enough to stat() a marker path; the
# marker files themselves are not made readable here.
allow domain boringssl_self_test_marker:dir search;

# Allow all processes to read the file_logger property that liblog uses to check if file_logger
# should be used.
get_prop(domain, log_file_logger_prop)

# Allow all processes to connect to PRNG seeder daemon.
# Every domain can open a unix socket to prng_seeder; the Treble socket
# neverallow further down exempts prng_seeder for the same reason.
unix_socket_connect(domain, prng_seeder, prng_seeder)
181
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
# this partition for testing purposes.
# Note the permission list includes read/open/ioctl, so unlisted domains may
# not even read the partition on user builds. On userdebug/eng the
# `-domain' subtraction empties the source set and the rule asserts nothing.
neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds
  -fastbootd
  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine
  -vendor_init
  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
  -mtectrl
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
201
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
# llkd, incidentd, profcollectd and simpleperf_boot are only allowed
# CAP_SYS_PTRACE on userdebug/eng builds; on user builds the allowlist is
# vold, dumpstate, storaged and system_server.
neverallow {
  domain
  -vold
  userdebug_or_eng(`-llkd')
  -dumpstate
  userdebug_or_eng(`-incidentd')
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  -storaged
  -system_server
} self:global_capability_class_set sys_ptrace;
215
# Limit ability to generate hardware unique device ID attestations to
# priv_app and gmscore_app (both the legacy keystore_key and keystore2_key
# classes are covered).
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
# Only system_server may use device identifiers in attestations ...
neverallow { domain -system_server } *:keystore2_key use_dev_id;
# ... and only system_server may clear namespaces or change the lock state of
# keystore itself.
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
221
# Only init and vendor_init may read/write debugfs_tracing_debug files on
# user builds; on userdebug/eng the `-domain' subtraction empties the source
# set and nothing is asserted.
neverallow {
  domain
  -init
  -vendor_init
  userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
228
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
# dumpstate is exempted on userdebug/eng builds only.
neverallow {
  domain
  -init
  -system_server
  userdebug_or_eng(`-dumpstate')
} dropbox_data_file:dir *;
# For files, everything except getattr and read is denied to other domains,
# i.e. at most read-only access can be granted to them elsewhere.
neverallow {
  domain
  -init
  -system_server
  userdebug_or_eng(`-dumpstate')
} dropbox_data_file:file ~{ getattr read };
243
244###
245# Services should respect app sandboxes
246neverallow {
247  domain
248  -appdomain
249  -artd # compile secondary dex files
250  -installd # creation of sandbox
251} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
252
# Only the following processes should be directly accessing private app
# directories.
# Any dir permission at all on app data is denied to every domain outside this
# list; the lists that follow tighten what the listed domains may do.
neverallow {
  domain
  -adbd
  -appdomain
  -app_zygote
  -artd # compile secondary dex files
  -dexoptanalyzer
  -installd
  -profman
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
  -viewcompiler
  -zygote
} { privapp_data_file app_data_file }:dir *;
270
# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
# Everything beyond r_dir_perms (i.e. any modification) is denied to all other
# domains, including the ones permitted read access above.
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
280
# Only apps, the app zygote, artd and installd may open files inside app data.
# Other domains may still receive such files by file descriptor, but may not
# open them directly.
neverallow {
  domain
  -appdomain
  -app_zygote
  -artd # compile secondary dex files
  -installd
  -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
289
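# (The { create unlink } assertion for app data is stated once, at the top of
# this section; the identical copy that used to sit here was redundant and has
# been dropped. Duplicate neverallow rules are harmless but obscure intent.)

# Only installd and artd may relabel app data (restorecon on install/uninstall
# and secondary dex compilation). Apps may not relabel their own files.
neverallow {
  domain
  -artd # compile secondary dex files
  -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };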
302
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
# Directory access of any kind is limited to this list; note that the
# write-restriction rule below narrows directory writes further, to
# init/system_server/installd only.
neverallow {
  domain
  -init
  -system_server
  -apexd
  -installd
  -priv_app
  -virtualizationmanager
} staging_data_file:dir *;
# File access of any kind is limited to this list. Several of these (adbd,
# shell, kernel, system_app, crosvm) are effectively read-only, because the
# write rule below only exempts init and system_server.
neverallow {
  domain
  -init
  -system_app
  -system_server
  -apexd
  -adbd
  -kernel
  -installd
  -priv_app
  -shell
  -virtualizationmanager
  -crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
  { append create relabelfrom rename setattr write no_x_file_perms };
335
# No domain except apps, bootanim and recovery may execute files from any
# filesystem type other than rootfs (e.g. tmpfs, oemfs).
neverallow {
    domain
    -appdomain # for oemfs
    -bootanim # for oemfs
    -recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
342
343#
344# Assert that, to the extent possible, we're not loading executable content from
345# outside the rootfs or /system partition except for a few allowlisted domains.
346# Executable files loaded from /data is a persistence vector
347# we want to avoid. See
348# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
349#
350neverallow {
351    domain
352    -appdomain
353    with_asan(`-asan_extract')
354    -shell
355    userdebug_or_eng(`-su')
356    -system_server_startup # for memfd backed executable regions
357    -app_zygote
358    -webview_zygote
359    -zygote
360    userdebug_or_eng(`-mediaextractor')
361    userdebug_or_eng(`-mediaswcodec')
362} {
363    file_type
364    -system_file_type
365    -system_lib_file
366    -system_linker_exec
367    -vendor_file_type
368    -exec_type
369    -postinstall_file
370}:file execute;
371
# Only init is allowed to write cgroup.rc file
# (vendor_init is exempted as well; every other domain gets read-only access
# via the allow rules earlier in this file.)
neverallow {
  domain
  -init
  -vendor_init
} cgroup_rc_file:file no_w_file_perms;
378
# Only authorized processes should be writing to files in /data/dalvik-cache.
# The same allowlist governs both file and directory writes; keep the two
# lists identical (they are listed in the same order here to make that easy
# to check).
neverallow {
  domain
  -artd
  -cppreopts
  -dex2oat
  -init # TODO: limit init to relabelfrom for files
  -installd
  -otapreopt_slot
  -postinstall_dexopt
  -zygote
} dalvikcache_data_file:file no_w_file_perms;

neverallow {
  domain
  -artd
  -cppreopts
  -dex2oat
  -init
  -installd
  -otapreopt_slot
  -postinstall_dexopt
  -zygote
} dalvikcache_data_file:dir no_w_dir_perms;
403
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
# These artifacts are executed at boot, so write access here is a persistence
# vector; the file and dir allowlists below must stay identical.
neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:file no_w_file_perms;

neverallow {
  domain
  # art-related processes
  -composd
  -compos_fd_server
  -odrefresh
  -odsign
  # others
  -apexd
  -init
  -vold_prepare_subdirs
} apex_art_data_file:dir no_w_dir_perms;
431
# Protect most domains from executing arbitrary content from /data.
# Only app domains are exempt from the source side; on the target side the
# ART artifact directories and APKs (incl. shared libs inside them) are
# excluded because executing from them is the intended design.
neverallow {
  domain
  -appdomain
} {
  data_file_type
  -apex_art_data_file
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
443
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
# Domains permitted CAP_DAC_OVERRIDE. llkd is only on the list on
# userdebug/eng builds.
define(`dac_override_allowed', `{
  apexd
  artd
  dnsmasq
  dumpstate
  init
  installd
  userdebug_or_eng(`llkd')
  lmkd
  migrate_legacy_obb_data
  netd
  postinstall_dexopt
  recovery
  rss_hwm_reset
  sdcardd
  tee
  ueventd
  uncrypt
  vendor_init
  vold
  vold_prepare_subdirs
  zygote
}')
# `~set' is the complement: every domain not listed above is denied
# dac_override.
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials.  Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
# The superset property is maintained by construction (the macro is reused),
# so new entries should go into dac_override_allowed, not be duplicated here.
neverallow ~{
  dac_override_allowed
  traced_perf
  traced_probes
  heapprofd
} self:global_capability_class_set dac_read_search;
481
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
# set of domains need this capability, including device-specific domains.
# fastbootd is only exempted in the recovery policy (recovery_only macro).
neverallow {
    domain
    -apexd
    recovery_only(`-fastbootd')
    -init
    -kernel
    -otapreopt_chroot
    -recovery
    -update_engine
    -vold
    -zygote
} { fs_type
    -sdcard_type
    -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };
500
# When the debugfs restriction is enforced, no domain may mount or relabel a
# debugfs filesystem other than debugfs_tracing_debug; init is exempted only
# on userdebug/eng builds, so on user builds even init is covered.
enforce_debugfs_restriction(`
  neverallow {
    domain userdebug_or_eng(`-init')
  } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')
506
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
# On userdebug/eng the `-domain' subtraction empties the source set, so this
# is only asserted on user builds.
neverallow {
  domain
  userdebug_or_eng(`-domain')
  -kernel
  -gsid
  -init
  -recovery
  -ueventd
  -uncrypt
  -tee
  -hal_bootctl_server
  -fastbootd
} self:global_capability_class_set sys_rawio;
521
# Limit directory operations on the data mirror to the domains that implement
# app data isolation (fsck, init, installd, zygote); nothing else gets any dir
# permission on mirror_data_file.
neverallow {
  domain
  -fsck
  -init
  -installd
  -zygote
} mirror_data_file:dir *;
530
# This property is being removed. Remove remaining access.
# Until then only init, system_server and vendor_init may set it, and only
# those plus dumpstate may read it.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;

# Only core domains are allowed to access package_manager properties
# (and only init / system_server may set them).
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;

# Do not allow reading the first-boot property from system properties outside
# init, system_server and dumpstate.
# NOTE(review): the type is firstboot_prop, although the original comment
# described it as the "last boot timestamp" — confirm which it holds.
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

# Allow ART to set its config properties in its oneshot boot service, in
# addition to the common init and vendor_init access.
neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;

# Kprobes should only be used by adb root
# (Only init and vendor_init are exempted here; how adb root reaches kprobes
# is not visible in this file — presumably via the su domain being permissive
# on debuggable builds. Confirm before relying on it.)
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
548
# On TREBLE devices, most coredomains should not access vendor_files.
# TODO(b/71553434): Remove exceptions here.
# Core domains outside this list may neither write, execute nor open
# vendor_file; profcollectd and simpleperf_boot are exempt only on
# userdebug/eng builds.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -bootanim
    -crash_dump
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -init
    -kernel
    userdebug_or_eng(`-simpleperf_boot')
    -traced_perf
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
')
566
# Vendor domains are not permitted to initiate communications to core domain sockets
# (neverallow_establish_socket_comms is defined elsewhere.) The source set is
# every non-core, non-app domain that is not an explicitly tagged violator;
# the target set is coredomain minus the services whose sockets are public
# API (logd, netd, mdnsd, prng_seeder, tombstoned, the tracing daemons, init).
full_treble_only(`
  neverallow_establish_socket_comms({
    domain
    -coredomain
    -appdomain
    -socket_between_core_and_vendor_violators
  }, {
    coredomain
    -logd # Logging by writing to logd Unix domain socket is public API
    -netd # netdomain needs this
    -mdnsd # netdomain needs this
    -prng_seeder # Any process using libcrypto needs this
    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
    -init
    -tombstoned # linker to tombstoned
    -heapprofd
    -traced
    -traced_perf
  });
')
588
full_treble_only(`
  # Do not allow system components access to /vendor files except for the
  # ones allowed here.
  # The target set is every vendor_file_type except the types that are
  # explicitly part of the system/vendor interface (same-process HALs, vendor
  # apps/APEXes, configs, overlays, key layouts, public framework/libs, VNDK).
  neverallow {
    coredomain
    # TODO(b/37168747): clean up fwk access to /vendor
    -crash_dump
    -crosvm # loads vendor-specific disk images
    -init # starts vendor executables
    -kernel # loads /vendor/firmware
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -shell
    userdebug_or_eng(`-simpleperf_boot')
    -system_executes_vendor_violators
    -traced_perf # library/binary access for symbolization
    -ueventd # reads /vendor/ueventd.rc
    -vold # loads incremental fs driver
  } {
    vendor_file_type
    -same_process_hal_file
    -vendor_app_file
    -vendor_apex_file
    -vendor_configs_file
    -vendor_service_contexts_file
    -vendor_framework_file
    -vendor_idc_file
    -vendor_keychars_file
    -vendor_keylayout_file
    -vendor_overlay_file
    -vendor_public_framework_file
    -vendor_public_lib_file
    -vendor_task_profiles_file
    -vendor_uuid_mapping_config_file
    -vndk_sp_file
  }:file *;
')
626
# mlsvendorcompat is only for compatibility support for older vendor
# images, and should not be granted to any domain in current policy.
# (Every domain is allowed self:fork, so this will trigger if the
# intersection of domain & mlsvendorcompat is not empty.)
# This is a compile-time tripwire rather than a runtime restriction.
neverallow domain mlsvendorcompat:process fork;
632
# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;

# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
# (dumpstate is therefore exempted so that its blanket read grant does not
# conflict with this neverallow.)
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
} mm_events_config_prop:file no_rw_file_perms;
645
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are replaced with symbol
# names (if available). Traces don't disclose KASLR.
# On user builds only init, vendor_init, traced_probes and traced_perf may
# open/read /proc/kallsyms; profcollectd and simpleperf_boot are added on
# userdebug/eng.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  -vendor_init
  userdebug_or_eng(`-simpleperf_boot')
  -traced_probes
  -traced_perf
} proc_kallsyms:file { open read };
658
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
# vendor_modprobe is also exempted since the kernel modules it loads may create
# debugfs files in its context.
# When the debugfs restriction is enforced: no read/write of any debugfs file
# (tracefs excluded) by any domain other than vendor_modprobe; on userdebug/eng
# init and hal_dumpstate are also exempt and debugfs_kcov is left out of the
# target set.
enforce_debugfs_restriction(`
  neverallow {
    domain
    -vendor_modprobe
    userdebug_or_eng(`
      -init
      -hal_dumpstate
    ')
  } { debugfs_type
      userdebug_or_eng(`-debugfs_kcov')
      -tracefs_type
  }:file no_rw_file_perms;
')
676
# Restrict write access to etm sysfs interface.
# Only ueventd and vendor_init may write the CoreSight ETM sysfs nodes.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
679
# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
# uncrypt and the virtualization domains may open shell files only on
# userdebug/eng builds.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
  userdebug_or_eng(`-virtualizationmanager')
  userdebug_or_eng(`-virtualizationservice')
  userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
699
# In addition to the file open restriction above (no symlink-specific rule is
# visible in this file), restrict
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
# Note that appdomain is NOT exempted here: apps cannot write into shell-owned
# directories even though they may open shell files.
neverallow {
  domain
  -adbd
  -artd
  -dumpstate
  -installd
  -init
  -shell
  -vold
} shell_data_file:dir no_w_dir_perms;
717
# Only these domains may open shell-owned directories.
# NOTE(review): the system_server exemption is marked "why?" and has no
# rationale; it should be documented or removed once its need is understood.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # why?
  userdebug_or_eng(`-uncrypt')
} shell_data_file:dir open;
730
# Only these domains may search (path-resolve through) shell-owned
# directories. Same list as the open rule above, plus virtualizationmanager
# and crosvm on userdebug/eng builds.
neverallow {
  domain
  -adbd
  -appdomain
  -artd
  -dumpstate
  -init
  -installd
  -simpleperf_app_runner
  -system_server # why?
  userdebug_or_eng(`-uncrypt')
  userdebug_or_eng(`-virtualizationmanager')
  userdebug_or_eng(`-crosvm')
} shell_data_file:dir search;
745
# respect system_app sandboxes
# Non-app services may not create, unlink or open system app data, with the
# listed exceptions.
neverallow {
  domain
  -appdomain
  -artd # compile secondary dex files
  -system_server #populate com.android.providers.settings/databases/settings.db.
  -installd # creation of app sandbox
  -traced_probes # resolve inodes for i/o tracing.
                 # only needs open and read, the rest is neverallow in
                 # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
# The rule above exempts all of appdomain; this one re-asserts the restriction
# for the less-trusted app classes so that only system apps (and the domains
# listed above) can touch system app data.
neverallow {
  isolated_app_all
  ephemeral_app
  priv_app
  sdk_sandbox_all
  untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
764
# Only init may start a process in the mtectrl domain (no other domain may
# transition or dyntransition into it).
neverallow { domain -init } mtectrl:process { dyntransition transition };

# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
# init and vold_prepare_subdirs are exempted for directory setup; everything
# else is denied all dir and file permissions.
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
769