@E3V3A
Forked from poliva/changes-for-root.txt
Created January 1, 2016 18:33
sediff output of the changes done by Chainfire's supolicy to sepolicy to allow root in Enforcing mode
Classes (Added 0, Removed 0, Modified 0)
Added Classes: 0
Removed Classes: 0
Modified Classes: 0
Commons (Added 0, Removed 0, Modified 0)
Added Commons: 0
Removed Commons: 0
Modified Commons: 0
Levels (Added 0, Removed 0, Modified 0)
Added Levels: 0
Removed Levels: 0
Modified Levels: 0
Categories (Added 0, Removed 0, Modified 0)
Added Categories: 0
Removed Categories: 0
Modified Categories: 0
Types (Added 0, Removed 0, Modified 2)
Added Types: 0
Removed Types: 0
Modified Types: 2
* init (5 Added Attributes)
+ appdomain
+ binderservicedomain
+ bluetoothdomain
+ mlstrustedobject
+ netdomain
* recovery (4 Added Attributes)
+ appdomain
+ binderservicedomain
+ bluetoothdomain
+ netdomain
Attributes (Added 0, Removed 0, Modified 5)
Added Attributes: 0
Removed Attributes: 0
Modified Attributes: 5
* appdomain (2 Added Types)
+ init
+ recovery
* binderservicedomain (2 Added Types)
+ init
+ recovery
* bluetoothdomain (2 Added Types)
+ init
+ recovery
* mlstrustedobject (1 Added Type)
+ init
* netdomain (2 Added Types)
+ init
+ recovery
Roles (Added 0, Removed 0, Modified 0)
Added Roles: 0
Removed Roles: 0
Modified Roles: 0
Users (Added 0, Removed 0, Modified 0)
Added Users: 0
Removed Users: 0
Modified Users: 0
Booleans (Added 0, Removed 0, Modified 0)
Added Booleans: 0
Removed Booleans: 0
Modified Booleans: 0
AV-Allow Rules (Added 376, Added New Type 0, Removed 0, Removed Missing Type 0, Modified 103)
Added AV-Allow Rules: 376
+ allow adbd recovery : unix_stream_socket { connectto };
+ allow bluetooth init : binder { call transfer };
+ allow bluetooth init : fifo_file { append getattr ioctl lock open read write };
+ allow bluetooth recovery : binder { call transfer };
+ allow bluetooth recovery : fd { use };
+ allow bluetooth recovery : fifo_file { append getattr ioctl lock open read write };
+ allow bluetooth recovery : unix_stream_socket { getattr getopt read shutdown write };
+ allow drmserver init : binder { call transfer };
+ allow drmserver init : fifo_file { write };
+ allow drmserver recovery : binder { call transfer };
+ allow drmserver recovery : fd { use };
+ allow drmserver recovery : fifo_file { write };
+ allow dumpstate init : binder { call transfer };
+ allow dumpstate recovery : binder { call transfer };
+ allow dumpstate recovery : fd { use };
+ allow gatekeeperd init : binder { transfer };
+ allow gatekeeperd init : fifo_file { write };
+ allow gatekeeperd recovery : binder { transfer };
+ allow gatekeeperd recovery : fd { use };
+ allow gatekeeperd recovery : fifo_file { write };
+ allow healthd init : binder { transfer };
+ allow healthd init : fifo_file { write };
+ allow healthd recovery : binder { transfer };
+ allow healthd recovery : fd { use };
+ allow healthd recovery : fifo_file { write };
+ allow init bluetooth : binder { call transfer };
+ allow init bluetooth : fd { use };
+ allow init bluetooth : fifo_file { append getattr ioctl lock open read write };
+ allow init dex2oat_exec : file { execute execute_no_trans getattr ioctl lock open read };
+ allow init drmserver : binder { call transfer };
+ allow init drmserver : fd { use };
+ allow init dumpstate : binder { transfer };
+ allow init dumpstate : fd { use };
+ allow init fuse : file { append create execute execute_no_trans getattr ioctl lock mounton open read relabelfrom relabelto rename setattr unlink write };
+ allow init gatekeeperd : binder { call transfer };
+ allow init gatekeeperd : fd { use };
+ allow init healthd : binder { call transfer };
+ allow init healthd : fd { use };
+ allow init init : binder { call transfer };
+ allow init inputflinger : binder { call transfer };
+ allow init inputflinger : fd { use };
+ allow init isolated_app : binder { call transfer };
+ allow init isolated_app : fd { use };
+ allow init isolated_app : fifo_file { append getattr ioctl lock open read write };
+ allow init keystore : binder { call transfer };
+ allow init keystore : fd { use };
+ allow init keystore : keystore_key { delete exist get get_state insert list sign verify };
+ allow init keystore_service : service_manager { find };
+ allow init logcat_exec : file { execute execute_no_trans getattr ioctl lock open read };
+ allow init mediaserver : binder { call transfer };
+ allow init mediaserver : fd { use };
+ allow init nfc : binder { call transfer };
+ allow init nfc : fd { use };
+ allow init nfc : fifo_file { append getattr ioctl lock open read write };
+ allow init node : tcp_socket { node_bind };
+ allow init node : udp_socket { node_bind };
+ allow init platform_app : binder { call transfer };
+ allow init platform_app : fd { use };
+ allow init platform_app : fifo_file { append getattr ioctl lock open read write };
+ allow init port : tcp_socket { name_bind name_connect };
+ allow init port : udp_socket { name_bind };
+ allow init radio : binder { call transfer };
+ allow init radio : fd { use };
+ allow init radio : fifo_file { append getattr ioctl lock open read write };
+ allow init recovery : binder { call transfer };
+ allow init recovery : fd { use };
+ allow init recovery : fifo_file { append getattr ioctl lock open read write };
+ allow init rild : binder { call transfer };
+ allow init rild : fd { use };
+ allow init runas_exec : file { getattr };
+ allow init servicemanager : binder { call transfer };
+ allow init shared_relro : binder { call transfer };
+ allow init shared_relro : fd { use };
+ allow init shared_relro : fifo_file { append getattr ioctl lock open read write };
+ allow init shell : binder { call transfer };
+ allow init shell : fd { use };
+ allow init shell : fifo_file { append getattr ioctl lock open read write };
+ allow init surfaceflinger : binder { call transfer };
+ allow init surfaceflinger : fd { use };
+ allow init system_app : binder { call transfer };
+ allow init system_app : fd { use };
+ allow init system_app : fifo_file { append getattr ioctl lock open read write };
+ allow init system_server : binder { call transfer };
+ allow init system_server : fifo_file { append getattr ioctl lock open read write };
+ allow init system_server : tcp_socket { getattr getopt read shutdown write };
+ allow init untrusted_app : binder { call transfer };
+ allow init untrusted_app : fd { use };
+ allow init untrusted_app : fifo_file { append getattr ioctl lock open read write };
+ allow init vfat : file { append getattr ioctl lock open read write };
+ allow init zygote : fd { use };
+ allow inputflinger init : binder { transfer };
+ allow inputflinger init : fifo_file { write };
+ allow inputflinger recovery : binder { transfer };
+ allow inputflinger recovery : fd { use };
+ allow inputflinger recovery : fifo_file { write };
+ allow isolated_app init : binder { call transfer };
+ allow isolated_app init : fifo_file { append getattr ioctl lock open read write };
+ allow isolated_app init : unix_stream_socket { getattr getopt read shutdown write };
+ allow isolated_app recovery : binder { call transfer };
+ allow isolated_app recovery : fd { use };
+ allow isolated_app recovery : fifo_file { append getattr ioctl lock open read write };
+ allow isolated_app recovery : unix_stream_socket { getattr getopt read shutdown write };
+ allow keystore init : binder { transfer };
+ allow keystore init : dir { search };
+ allow keystore init : fifo_file { write };
+ allow keystore init : file { open read };
+ allow keystore recovery : binder { transfer };
+ allow keystore recovery : dir { search };
+ allow keystore recovery : fd { use };
+ allow keystore recovery : fifo_file { write };
+ allow keystore recovery : file { open read };
+ allow keystore recovery : process { getattr };
+ allow lmkd init : dir { getattr ioctl open read search };
+ allow lmkd init : file { getattr ioctl lock open read write };
+ allow lmkd init : lnk_file { getattr ioctl lock open read };
+ allow lmkd recovery : dir { getattr ioctl open read search };
+ allow lmkd recovery : file { getattr ioctl lock open read write };
+ allow lmkd recovery : lnk_file { getattr ioctl lock open read };
+ allow lmkd recovery : process { sigkill };
+ allow mediaserver init : binder { call transfer };
+ allow mediaserver init : fifo_file { getattr read write };
+ allow mediaserver recovery : binder { call transfer };
+ allow mediaserver recovery : fd { use };
+ allow mediaserver recovery : fifo_file { getattr read write };
+ allow netd init : dccp_socket { getattr getopt read setattr setopt write };
+ allow netd init : rawip_socket { getattr getopt read setattr setopt write };
+ allow netd init : tcp_socket { getattr getopt read setattr setopt write };
+ allow netd init : tun_socket { getattr getopt read setattr setopt write };
+ allow netd init : udp_socket { getattr getopt read setattr setopt write };
+ allow netd recovery : dccp_socket { getattr getopt read setattr setopt write };
+ allow netd recovery : fd { use };
+ allow netd recovery : rawip_socket { getattr getopt read setattr setopt write };
+ allow netd recovery : tcp_socket { getattr getopt read setattr setopt write };
+ allow netd recovery : tun_socket { getattr getopt read setattr setopt write };
+ allow netd recovery : udp_socket { getattr getopt read setattr setopt write };
+ allow nfc init : binder { call transfer };
+ allow nfc init : fifo_file { append getattr ioctl lock open read write };
+ allow nfc recovery : binder { call transfer };
+ allow nfc recovery : fd { use };
+ allow nfc recovery : fifo_file { append getattr ioctl lock open read write };
+ allow nfc recovery : unix_stream_socket { getattr getopt read shutdown write };
+ allow platform_app init : binder { call transfer };
+ allow platform_app init : fifo_file { append getattr ioctl lock open read write };
+ allow platform_app init : unix_stream_socket { accept bind connectto getattr getopt lock name_bind read relabelto setattr shutdown write };
+ allow platform_app platform_app : capability { audit_control audit_write chown dac_override dac_read_search ipc_lock kill net_bind_service net_raw setgid setpcap setuid sys_admin sys_boot sys_chroot sys_pacct sys_resource };
+ allow platform_app recovery : binder { call transfer };
+ allow platform_app recovery : fd { use };
+ allow platform_app recovery : fifo_file { append getattr ioctl lock open read write };
+ allow platform_app recovery : unix_stream_socket { getattr getopt read shutdown write };
+ allow platform_app untrusted_app_devpts : chr_file { getattr ioctl open read write };
+ allow radio init : binder { call transfer };
+ allow radio init : fifo_file { append getattr ioctl lock open read write };
+ allow radio recovery : binder { call transfer };
+ allow radio recovery : fd { use };
+ allow radio recovery : fifo_file { append getattr ioctl lock open read write };
+ allow radio recovery : unix_stream_socket { getattr getopt read shutdown write };
+ allow recovery adbd : process { sigchld };
+ allow recovery anr_data_file : dir { search };
+ allow recovery anr_data_file : file { append open };
+ allow recovery app_data_file : dir { add_name getattr open read relabelfrom relabelto remove_name search setattr write };
+ allow recovery app_data_file : file { create execute execute_no_trans getattr open read relabelfrom relabelto setattr unlink write };
+ allow recovery backup_data_file : file { getattr read write };
+ allow recovery block_device : blk_file { execute getattr lock mounton read relabelto setattr swapon unlink };
+ allow recovery bluetooth : binder { call transfer };
+ allow recovery bluetooth : fd { use };
+ allow recovery bluetooth : fifo_file { append getattr ioctl lock open read write };
+ allow recovery bluetooth : unix_stream_socket { getattr getopt ioctl read setopt shutdown write };
+ allow recovery cache_backup_file : dir { getattr };
+ allow recovery cache_backup_file : file { getattr read write };
+ allow recovery console_device : chr_file { append getattr ioctl lock open read write };
+ allow recovery dalvikcache_data_file : lnk_file { getattr ioctl lock open read };
+ allow recovery dalvikcache_profiles_data_file : dir { getattr search };
+ allow recovery dalvikcache_profiles_data_file : file { append getattr ioctl lock open read write };
+ allow recovery devpts : chr_file { append getattr ioctl lock open read write };
+ allow recovery dex2oat_exec : file { execute execute_no_trans getattr ioctl lock open read };
+ allow recovery dnsproxyd_socket : sock_file { write };
+ allow recovery drmserver : binder { call transfer };
+ allow recovery drmserver : fd { use };
+ allow recovery dumpstate : binder { transfer };
+ allow recovery dumpstate : fd { use };
+ allow recovery dumpstate : unix_stream_socket { getattr getopt read shutdown write };
+ allow recovery fuse : file { append create execute execute_no_trans getattr ioctl lock open read relabelfrom relabelto rename setattr unlink write };
+ allow recovery fwmarkd_socket : sock_file { write };
+ allow recovery gatekeeperd : binder { call transfer };
+ allow recovery gatekeeperd : fd { use };
+ allow recovery healthd : binder { call transfer };
+ allow recovery healthd : fd { use };
+ allow recovery init : binder { call transfer };
+ allow recovery init : fifo_file { append getattr ioctl lock open read write };
+ allow recovery init : unix_stream_socket { connectto getattr getopt read shutdown write };
+ allow recovery inputflinger : binder { call transfer };
+ allow recovery inputflinger : fd { use };
+ allow recovery isolated_app : binder { call transfer };
+ allow recovery isolated_app : fd { use };
+ allow recovery isolated_app : fifo_file { append getattr ioctl lock open read write };
+ allow recovery isolated_app : unix_stream_socket { getattr getopt read shutdown write };
+ allow recovery kernel : process { execheap execmem execstack fork getcap getsched getsession rlimitinh setcap setexec setrlimit setsched setsockcreate siginh sigkill signal signull transition };
+ allow recovery kernel : security { check_context compute_av };
+ allow recovery keychain_data_file : dir { getattr ioctl open read search };
+ allow recovery keychain_data_file : file { getattr ioctl lock open read };
+ allow recovery keystore : binder { call transfer };
+ allow recovery keystore : fd { use };
+ allow recovery keystore : keystore_key { delete exist get get_state insert list sign verify };
+ allow recovery keystore_service : service_manager { find };
+ allow recovery logcat_exec : file { execute execute_no_trans getattr ioctl lock open read };
+ allow recovery logd : unix_stream_socket { connectto };
+ allow recovery logd_socket : sock_file { write };
+ allow recovery logdr_socket : sock_file { write };
+ allow recovery mdnsd : unix_stream_socket { connectto };
+ allow recovery mdnsd_socket : sock_file { write };
+ allow recovery media_rw_data_file : file { getattr read };
+ allow recovery mediaserver : binder { call transfer };
+ allow recovery mediaserver : fd { use };
+ allow recovery misc_user_data_file : dir { getattr ioctl open read search };
+ allow recovery misc_user_data_file : file { getattr ioctl lock open read };
+ allow recovery mnt_expand_file : dir { getattr ioctl open read search };
+ allow recovery mnt_user_file : dir { getattr ioctl open read search };
+ allow recovery mnt_user_file : lnk_file { getattr ioctl lock open read };
+ allow recovery netd : unix_stream_socket { connectto };
+ allow recovery nfc : binder { call transfer };
+ allow recovery nfc : fd { use };
+ allow recovery nfc : fifo_file { append getattr ioctl lock open read write };
+ allow recovery nfc : unix_stream_socket { getattr getopt read shutdown write };
+ allow recovery node : tcp_socket { node_bind };
+ allow recovery node : udp_socket { node_bind };
+ allow recovery oemfs : file { execute execute_no_trans getattr ioctl lock open read };
+ allow recovery platform_app : binder { call transfer };
+ allow recovery platform_app : fd { use };
+ allow recovery platform_app : fifo_file { append getattr ioctl lock open read write };
+ allow recovery platform_app : process { getattr };
+ allow recovery platform_app : unix_stream_socket { getattr getopt read shutdown write };
+ allow recovery port : tcp_socket { name_bind name_connect };
+ allow recovery port : udp_socket { name_bind };
+ allow recovery qtaguid_device : chr_file { getattr ioctl lock open read };
+ allow recovery qtaguid_proc : file { append getattr ioctl lock open read write };
+ allow recovery radio : binder { call transfer };
+ allow recovery radio : fd { use };
+ allow recovery radio : fifo_file { append getattr ioctl lock open read write };
+ allow recovery radio : unix_stream_socket { getattr getopt read shutdown write };
+ allow recovery radio_data_file : file { getattr read write };
+ allow recovery recovery : binder { call transfer };
+ allow recovery recovery : capability { dac_override fsetid setgid setuid sys_ptrace };
+ allow recovery resourcecache_data_file : dir { getattr ioctl open read search };
+ allow recovery resourcecache_data_file : file { getattr ioctl lock open read };
+ allow recovery rild : binder { call transfer };
+ allow recovery rild : fd { use };
+ allow recovery runas_exec : file { getattr };
+ allow recovery servicemanager : binder { call transfer };
+ allow recovery shared_relro : binder { call transfer };
+ allow recovery shared_relro : fd { use };
+ allow recovery shared_relro : fifo_file { append getattr ioctl lock open read write };
+ allow recovery shared_relro : unix_stream_socket { getattr getopt read shutdown write };
+ allow recovery shared_relro_file : dir { search };
+ allow recovery shared_relro_file : file { getattr ioctl lock open read };
+ allow recovery shell : binder { call transfer };
+ allow recovery shell : fd { use };
+ allow recovery shell : fifo_file { append getattr ioctl lock open read write };
+ allow recovery shell : process { sigchld };
+ allow recovery shell : unix_stream_socket { getattr getopt read shutdown write };
+ allow recovery shell_data_file : dir { add_name getattr open read relabelfrom relabelto remove_name search setattr write };
+ allow recovery shell_data_file : file { create execute execute_no_trans getattr open read relabelfrom relabelto setattr unlink write };
+ allow recovery shell_exec : file { execute execute_no_trans getattr ioctl lock open read };
+ allow recovery storage_file : dir { getattr ioctl open read search };
+ allow recovery storage_file : lnk_file { getattr ioctl lock open read };
+ allow recovery surfaceflinger : binder { call transfer };
+ allow recovery surfaceflinger : fd { use };
+ allow recovery surfaceflinger : unix_stream_socket { getattr getopt read setopt shutdown write };
+ allow recovery system_app : binder { call transfer };
+ allow recovery system_app : fd { use };
+ allow recovery system_app : fifo_file { append getattr ioctl lock open read write };
+ allow recovery system_app : process { getattr };
+ allow recovery system_app : unix_stream_socket { getattr getopt read shutdown write };
+ allow recovery system_app_data_file : dir { add_name getattr open read relabelfrom relabelto remove_name search setattr write };
+ allow recovery system_app_data_file : file { create execute execute_no_trans getattr open read relabelfrom relabelto setattr unlink write };
+ allow recovery system_server : binder { call transfer };
+ allow recovery system_server : fifo_file { append getattr ioctl lock open read write };
+ allow recovery system_server : process { execstack fork getattr getcap getpgid getsession noatsecure rlimitinh setcap setkeycreate setrlimit setsched setsockcreate sigkill signal signull };
+ allow recovery system_server : tcp_socket { getattr getopt read shutdown write };
+ allow recovery system_server : unix_stream_socket { getattr getopt read setopt shutdown write };
+ allow recovery toolbox : fd { use };
+ allow recovery untrusted_app : binder { call transfer };
+ allow recovery untrusted_app : fd { use };
+ allow recovery untrusted_app : fifo_file { append getattr ioctl lock open read write };
+ allow recovery untrusted_app : process { getattr };
+ allow recovery untrusted_app : unix_stream_socket { connectto getattr getopt read shutdown write };
+ allow recovery untrusted_app_devpts : chr_file { getattr ioctl open read write };
+ allow recovery usb_device : chr_file { getattr ioctl read write };
+ allow recovery usbaccessory_device : chr_file { getattr read write };
+ allow recovery vfat : file { append getattr ioctl lock open read write };
+ allow recovery wallpaper_file : file { getattr read write };
+ allow recovery zygote : fd { use };
+ allow recovery zygote : process { execstack getattr getcap getsched getsession rlimitinh setcap setcurrent setexec setpgid setrlimit setsockcreate sigchld siginh signal signull transition };
+ allow recovery zygote : unix_dgram_socket { write };
+ allow recovery zygote_exec : file { create execute execute_no_trans getattr ioctl lock open read relabelfrom relabelto setattr unlink write };
+ allow recovery zygote_tmpfs : file { read };
+ allow rild init : binder { transfer };
+ allow rild init : fifo_file { write };
+ allow rild recovery : binder { transfer };
+ allow rild recovery : fd { use };
+ allow rild recovery : fifo_file { write };
+ allow servicemanager init : dir { execute getattr ioctl lock mounton open read relabelto rmdir search setattr swapon unlink };
+ allow servicemanager init : file { getattr open read };
+ allow servicemanager recovery : dir { search };
+ allow servicemanager recovery : file { open read };
+ allow servicemanager recovery : process { getattr };
+ allow shared_relro init : binder { call transfer };
+ allow shared_relro init : fifo_file { append getattr ioctl lock open read write };
+ allow shared_relro init : unix_stream_socket { getattr getopt read shutdown write };
+ allow shared_relro recovery : binder { call transfer };
+ allow shared_relro recovery : fd { use };
+ allow shared_relro recovery : fifo_file { append getattr ioctl lock open read write };
+ allow shared_relro recovery : unix_stream_socket { getattr getopt read shutdown write };
+ allow shell init : binder { call transfer };
+ allow shell init : fifo_file { append getattr ioctl lock open read write };
+ allow shell recovery : binder { call transfer };
+ allow shell recovery : fd { use };
+ allow shell recovery : fifo_file { append getattr ioctl lock open read write };
+ allow shell recovery : unix_stream_socket { getattr getopt read shutdown write };
+ allow shell shell : capability { setgid setuid };
+ allow shell toolbox : fd { use };
+ allow shell untrusted_app_devpts : chr_file { getattr ioctl open read write };
+ allow surfaceflinger init : binder { call transfer };
+ allow surfaceflinger init : dir { getattr ioctl open read search };
+ allow surfaceflinger init : fifo_file { write };
+ allow surfaceflinger init : file { getattr ioctl lock open read };
+ allow surfaceflinger init : lnk_file { getattr ioctl lock open read };
+ allow surfaceflinger recovery : binder { call transfer };
+ allow surfaceflinger recovery : dir { getattr ioctl open read search };
+ allow surfaceflinger recovery : fd { use };
+ allow surfaceflinger recovery : fifo_file { write };
+ allow surfaceflinger recovery : file { getattr ioctl lock open read };
+ allow surfaceflinger recovery : lnk_file { getattr ioctl lock open read };
+ allow system_app init : binder { call transfer };
+ allow system_app init : fifo_file { append getattr ioctl lock open read write };
+ allow system_app recovery : binder { call transfer };
+ allow system_app recovery : fd { use };
+ allow system_app recovery : fifo_file { append getattr ioctl lock open read write };
+ allow system_app recovery : unix_stream_socket { getattr getopt read shutdown write };
+ allow system_app system_app : capability { audit_control audit_write chown dac_override dac_read_search ipc_lock kill mknod net_bind_service net_raw setgid setpcap setuid sys_admin sys_boot sys_chroot sys_pacct sys_resource sys_time sys_tty_config };
+ allow system_app untrusted_app_devpts : chr_file { getattr ioctl open read write };
+ allow system_server init : binder { call transfer };
+ allow system_server init : fifo_file { getattr read write };
+ allow system_server init : tcp_socket { getattr getopt read setopt shutdown write };
+ allow system_server init : udp_socket { getattr getopt read setopt shutdown write };
+ allow system_server recovery : binder { call transfer };
+ allow system_server recovery : fd { use };
+ allow system_server recovery : fifo_file { getattr read write };
+ allow system_server recovery : process { getsched setsched sigkill signal };
+ allow system_server recovery : tcp_socket { getattr getopt read setopt shutdown write };
+ allow system_server recovery : udp_socket { getattr getopt read setopt shutdown write };
+ allow system_server recovery : unix_stream_socket { accept getattr getopt listen read setattr setopt write };
+ allow system_server untrusted_app_devpts : chr_file { getattr ioctl open read write };
+ allow untrusted_app init : binder { call transfer };
+ allow untrusted_app init : fifo_file { append getattr ioctl lock open read write };
+ allow untrusted_app init : unix_stream_socket { accept connectto create getattr getopt ioctl listen lock name_bind read sendto setattr shutdown write };
+ allow untrusted_app recovery : binder { call transfer };
+ allow untrusted_app recovery : fd { use };
+ allow untrusted_app recovery : fifo_file { append getattr ioctl lock open read write };
+ allow untrusted_app recovery : unix_stream_socket { getattr getopt read shutdown write };
+ allow untrusted_app untrusted_app : capability { audit_control audit_write dac_read_search fowner ipc_lock kill lease net_broadcast net_raw setgid setpcap setuid sys_admin sys_boot sys_module sys_pacct sys_rawio sys_tty_config };
+ allow zygote devpts : chr_file { getattr ioctl open read write };
+ allow zygote init : dir { getattr search };
+ allow zygote init : fifo_file { getattr ioctl read write };
+ allow zygote init : file { getattr ioctl lock open read };
+ allow zygote init : unix_stream_socket { accept connect connectto getattr getopt ioctl listen lock name_bind read sendto setattr setopt shutdown write };
+ allow zygote platform_app : unix_stream_socket { connectto read write };
+ allow zygote recovery : dir { getattr search };
+ allow zygote recovery : fifo_file { getattr ioctl read write };
+ allow zygote recovery : file { getattr ioctl lock open read };
+ allow zygote recovery : process { dyntransition getpgid setpgid };
+ allow zygote recovery : unix_stream_socket { accept connectto getattr getopt listen read setattr setopt write };
+ allow zygote system_app : unix_stream_socket { connectto read write };
+ allow zygote system_server : unix_stream_socket { connectto read write };
+ allow zygote toolbox : fd { use };
+ allow zygote untrusted_app : unix_stream_socket { connectto read write };
+ allow zygote untrusted_app_devpts : chr_file { getattr ioctl open read write };
Added AV-Allow Rules because of new type: 0
Removed AV-Allow Rules: 0
Removed AV-Allow Rules because of missing type: 0
Modified AV-Allow Rules: 103
* allow bluetooth init : unix_stream_socket { connectto +getattr +getopt +read +shutdown +write };
* allow dumpstate init : process { getattr sigchld +signal };
* allow dumpstate recovery : process { getattr +signal };
* allow init adbd : process { rlimitinh siginh sigkill transition +sigchld };
* allow init anr_data_file : file { create getattr open read relabelfrom relabelto setattr unlink write +append };
* allow init apk_data_file : file { create getattr ioctl lock open read relabelfrom relabelto setattr unlink write +execmod +execute +execute_no_trans };
* allow init app_data_file : dir { relabelto +add_name +getattr +open +read +relabelfrom +remove_name +search +setattr +write };
* allow init app_data_file : file { relabelto +create +execute +execute_no_trans +getattr +open +read +relabelfrom +setattr +unlink +write };
* allow init ashmem_device : chr_file { append getattr ioctl lock open read setattr write +execute };
* allow init bluetooth : unix_stream_socket { bind create +getattr +getopt +ioctl +read +setopt +shutdown +write };
* allow init dalvikcache_data_file : file { create getattr ioctl lock open read relabelfrom relabelto setattr unlink write +execute };
* allow init dalvikcache_data_file : lnk_file { create getattr relabelfrom relabelto setattr unlink +ioctl +lock +open +read };
* allow init dalvikcache_profiles_data_file : file { create getattr open read relabelfrom relabelto setattr unlink write +append +ioctl +lock };
* allow init devpts : chr_file { open read write +append +getattr +ioctl +lock };
* allow init dnsproxyd_socket : sock_file { create getattr open read relabelfrom relabelto setattr unlink +write };
* allow init dumpstate : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init fuse : dir { getattr +add_name +append +create +execute +ioctl +link +lock +mounton +open +read +relabelfrom +relabelto +remove_name +rename +reparent +rmdir +search +setattr +swapon +unlink +write };
* allow init fwmarkd_socket : sock_file { create getattr open read relabelfrom relabelto setattr unlink +write };
* allow init init : capability { chown dac_override fowner fsetid kill mknod net_admin net_raw setgid setuid sys_admin sys_boot sys_rawio sys_resource sys_time sys_tty_config +sys_ptrace };
* allow init isolated_app : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init kernel : security { compute_av compute_create +check_context };
* allow init keychain_data_file : file { create getattr open read relabelfrom relabelto setattr unlink write +ioctl +lock };
* allow init logd : unix_stream_socket { bind create +connectto };
* allow init logd_socket : sock_file { create getattr open read relabelfrom relabelto setattr unlink +write };
* allow init logdr_socket : sock_file { create getattr open read relabelfrom relabelto setattr unlink +write };
* allow init mdnsd : unix_stream_socket { bind create +connectto };
* allow init mdnsd_socket : sock_file { create getattr open read relabelfrom relabelto setattr unlink +write };
* allow init misc_user_data_file : file { create getattr open read relabelfrom relabelto setattr unlink write +ioctl +lock };
* allow init mnt_user_file : lnk_file { create getattr relabelfrom relabelto setattr unlink +ioctl +lock +open +read };
* allow init netd : unix_stream_socket { bind create +connectto };
* allow init nfc : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init oemfs : file { getattr ioctl lock open read +execute +execute_no_trans };
* allow init platform_app : process { sigkill +execmem +fork +getattr +getcap +getsched +getsession +rlimitinh +setcap +setkeycreate +setrlimit +setsockcreate +signal +signull +sigstop +transition };
* allow init platform_app : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init qtaguid_device : chr_file { open read setattr +getattr +ioctl +lock };
* allow init qtaguid_proc : file { open read setattr +append +getattr +ioctl +lock +write };
* allow init radio : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init recovery : process { sigkill +noatsecure +rlimitinh +siginh +signull +transition };
* allow init recovery : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init resourcecache_data_file : file { create getattr open read relabelfrom relabelto setattr unlink write +ioctl +lock };
* allow init rootfs : dir { add_name create getattr ioctl mounton open read remove_name rename reparent rmdir search setattr write +relabelfrom +relabelto };
* allow init rootfs : file { execute getattr ioctl lock open read relabelfrom +create +execute_no_trans +relabelto +setattr +unlink +write };
* allow init shared_relro : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init shared_relro_file : file { create getattr open read relabelfrom relabelto setattr unlink write +ioctl +lock };
* allow init shell : process { rlimitinh siginh sigkill transition +sigchld +signull };
* allow init shell : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init shell_data_file : dir { create getattr ioctl open read relabelto search setattr +add_name +relabelfrom +remove_name +write };
* allow init shell_data_file : file { getattr relabelto +create +execute +execute_no_trans +open +read +relabelfrom +setattr +unlink +write };
* allow init shell_exec : file { execute getattr open read +execute_no_trans +ioctl +lock };
* allow init storage_file : lnk_file { create getattr relabelfrom relabelto setattr unlink +ioctl +lock +open +read };
* allow init surfaceflinger : unix_stream_socket { bind create +getattr +getopt +read +setopt +shutdown +write };
* allow init system_app : process { sigkill +execheap +execmem +execstack +fork +getattr +getcap +rlimitinh +setcap +setfscreate +setpgid +setrlimit +setsockcreate +sigchld +signal +signull +transition };
* allow init system_app : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init system_app_data_file : file { create getattr open read relabelfrom relabelto setattr unlink write +execute +execute_no_trans };
* allow init system_data_file : file { create getattr open read relabelfrom relabelto setattr unlink write +execmod +execute +execute_no_trans };
* allow init system_file : dir { getattr ioctl open read search +add_name +append +execmod +execute +link +lock +relabelfrom +relabelto +remove_name +reparent +rmdir +setattr +swapon +unlink +write };
* allow init system_file : file { execute getattr ioctl lock open read +create +execute_no_trans +relabelfrom +relabelto +setattr +unlink +write };
* allow init system_file : lnk_file { getattr ioctl lock open read +create +unlink };
* allow init system_server : process { sigkill +fork +getattr +getcap +getsched +getsession +rlimitinh +setcap +setcurrent +setfscreate +setrlimit +setsockcreate +sigchld +siginh +signal +signull +transition };
* allow init system_server : unix_stream_socket { bind create +getattr +getopt +read +setopt +shutdown +write };
* allow init toolbox_exec : file { execute getattr open read +create +execute_no_trans +relabelfrom +relabelto +setattr +unlink +write };
* allow init untrusted_app : process { sigkill +execstack +getattr +getcap +getpgid +getsched +getsession +noatsecure +rlimitinh +setcap +setexec +setfscreate +setkeycreate +setrlimit +setsched +setsockcreate +signal +signull +sigstop +transition };
* allow init untrusted_app : unix_stream_socket { bind create +getattr +getopt +read +shutdown +write };
* allow init usb_device : chr_file { open read setattr +getattr +ioctl +write };
* allow init usbaccessory_device : chr_file { open read setattr +getattr +write };
* allow init vfat : dir { getattr +ioctl +open +read +search };
* allow init zygote : process { rlimitinh siginh sigkill transition +getattr +sigchld };
* allow init zygote : unix_dgram_socket { bind create +write };
* allow init zygote_exec : file { execute getattr open read +create +execute_no_trans +ioctl +lock +mounton +relabelfrom +relabelto +setattr +unlink +write };
* allow keystore init : process { sigchld +getattr };
* allow lmkd init : process { sigchld +sigkill };
* allow nfc init : unix_stream_socket { connectto +getattr +getopt +read +shutdown +write };
* allow platform_app devpts : chr_file { getattr ioctl read write +open };
* allow platform_app untrusted_app : unix_stream_socket { getattr getopt read shutdown write +accept +append +bind +connect +connectto +create +ioctl +lock +name_bind +recv_msg +setattr };
* allow radio init : unix_stream_socket { connectto +getattr +getopt +read +shutdown +write };
* allow recovery apk_data_file : dir { getattr search +ioctl +open +read };
* allow recovery apk_data_file : file { getattr ioctl lock open read +execmod +execute +execute_no_trans };
* allow recovery ashmem_device : chr_file { append getattr ioctl lock open read write +execute };
* allow recovery dalvikcache_data_file : file { getattr ioctl lock open read +execute };
* allow recovery fuse : dir { getattr +add_name +create +ioctl +open +read +relabelfrom +relabelto +remove_name +rename +reparent +rmdir +search +setattr +write };
* allow recovery oemfs : dir { getattr +ioctl +open +read +search };
* allow recovery rootfs : dir { getattr ioctl open read search +add_name +relabelfrom +relabelto +remove_name +setattr +write };
* allow recovery rootfs : file { getattr ioctl lock open read +append +audit_access +create +entrypoint +execmod +execute +execute_no_trans +link +mounton +relabelfrom +relabelto +setattr +swapon +unlink +write };
* allow recovery rootfs : filesystem { getattr +quotamod +relabelfrom +relabelto +remount +transition };
* allow recovery selinuxfs : file { getattr ioctl lock open read +append +write };
* allow recovery system_data_file : dir { getattr search +ioctl +open +read };
* allow recovery system_data_file : file { getattr read +execmod +execute +execute_no_trans +open };
* allow recovery system_file : dir { getattr ioctl open read search +add_name +create +relabelfrom +relabelto +remove_name +setattr +write };
* allow recovery system_file : file { execute getattr ioctl lock open read +create +execute_no_trans +relabelfrom +relabelto +setattr +unlink +write };
* allow recovery system_file : lnk_file { getattr ioctl lock open read +create +unlink };
* allow recovery toolbox_exec : file { execute execute_no_trans getattr ioctl lock open read +create +relabelfrom +relabelto +setattr +unlink +write };
* allow recovery vfat : dir { getattr +ioctl +open +read +search };
* allow servicemanager init : process { sigchld +getattr };
* allow shell init : unix_stream_socket { connectto +getattr +getopt +read +shutdown +write };
* allow shell untrusted_app : unix_stream_socket { getattr getopt read shutdown write +connectto };
* allow system_app init : unix_stream_socket { connectto +getattr +getopt +read +shutdown +write };
* allow system_app untrusted_app : unix_stream_socket { getattr getopt read shutdown write +accept +bind +connectto +lock +name_bind +relabelto +setattr };
* allow system_server init : process { sigchld +getsched +setsched +sigkill +signal };
* allow system_server init : unix_stream_socket { connectto +accept +getattr +getopt +listen +read +setattr +setopt +write };
* allow system_server system_server : capability { kill net_admin net_bind_service net_broadcast net_raw sys_boot sys_nice sys_resource sys_time sys_tty_config +setgid +setuid };
* allow system_server untrusted_app : unix_stream_socket { getattr read write +accept +append +connectto +getopt +ioctl +listen +lock +name_bind +recv_msg +setattr +shutdown };
* allow untrusted_app devpts : chr_file { getattr ioctl read write +open };
* allow zygote init : process { sigchld +dyntransition +getpgid +setpgid };
AV-Audit Allow Rules (Added 0, Added New Type 0, Removed 0, Removed Missing Type 0, Modified 0)
Added AV-Audit Allow Rules: 0
Added AV-Audit Allow Rules because of new type: 0
Removed AV-Audit Allow Rules: 0
Removed AV-Audit Allow Rules because of missing type: 0
Modified AV-Audit Allow Rules: 0
AV-Don't Audit Rules (Added 0, Added New Type 0, Removed 0, Removed Missing Type 0, Modified 0)
Added AV-Don't Audit Rules: 0
Added AV-Don't Audit Rules because of new type: 0
Removed AV-Don't Audit Rules: 0
Removed AV-Don't Audit Rules because of missing type: 0
Modified AV-Don't Audit Rules: 0
TE type_change (Added 0, Added New Type 0, Removed 0, Removed Missing Type 0, Modified 0)
Added TE type_change: 0
Added TE type_change because of new type: 0
Removed TE type_change: 0
Removed TE type_change because of missing type: 0
Modified TE type_change: 0
TE type_member (Added 0, Added New Type 0, Removed 0, Removed Missing Type 0, Modified 0)
Added TE type_member: 0
Added TE type_member because of new type: 0
Removed TE type_member: 0
Removed TE type_member because of missing type: 0
Modified TE type_member: 0
TE type_trans (Added 0, Added New Type 0, Removed 0, Removed Missing Type 0, Modified 1)
Added TE type_trans: 0
Added TE type_trans because of new type: 0
Removed TE type_trans: 0
Removed TE type_trans because of missing type: 0
Modified TE type_trans: 1
* type_transition init toolbox_exec : process { -toolbox +init };
Role Allow Rules (Added 0, Removed 0, Modified 0)
Added Role Allow Rules: 0
Removed Role Allow Rules: 0
Modified Role Allow Rules: 0
Role Transitions (Added 0, Added New Type 0, Removed 0, Removed Missing Type 0, Modified 0)
Added Role Transitions: 0
Added Role Transitions because of new type: 0
Removed Role Transitions: 0
Removed Role Transitions because of missing type: 0
Modified Role Transitions: 0
Range Transitions (Added 0, Removed 0, Modified 0)
Added Range Transitions: 0
Removed Range Transitions: 0
Modified Range Transitions: 0