diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
index 6f2b820b7..da8c67b47 100644
--- a/prebuilts/api/26.0/private/app.te
+++ b/prebuilts/api/26.0/private/app.te
@@ -494,7 +494,7 @@ neverallow appdomain {
 tmpfs
 }:lnk_file no_w_file_perms;
 
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
 neverallow {
 bluetooth
 isolated_app
@@ -515,7 +515,7 @@ neverallow {
 -shell # bugreport
 } input_device:chr_file ~getattr;
 
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
 # neverallow rules for access to Bluetooth-related data files are above.
 neverallow {
 appdomain
diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
index d37a0bd26..999c16a3d 100644
--- a/prebuilts/api/26.0/private/domain.te
+++ b/prebuilts/api/26.0/private/domain.te
@@ -4,7 +4,7 @@ domain_auto_trans(domain, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
 neverallow {
 domain
 -vold
diff --git a/prebuilts/api/26.0/private/incidentd.te b/prebuilts/api/26.0/private/incidentd.te
index efd23bdae..64e174ffd 100644
--- a/prebuilts/api/26.0/private/incidentd.te
+++ b/prebuilts/api/26.0/private/incidentd.te
@@ -66,7 +66,7 @@ allow incidentd shell_exec:file rx_file_perms;
 # TODO control_logd(incidentd)
 
 # Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
 allow incidentd {
 system_server_service
 app_api_service
diff --git a/prebuilts/api/26.0/private/system_server.te b/prebuilts/api/26.0/private/system_server.te
index 05e47734b..2e14d1826 100644
--- a/prebuilts/api/26.0/private/system_server.te
+++ b/prebuilts/api/26.0/private/system_server.te
@@ -50,7 +50,7 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
 
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
 # to use privileged ioctls commands. Needed to set up VPNs.
 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
@@ -92,7 +92,7 @@ allow system_server config_gz:file { read open };
 # Use generic "sockets" where the address family is not known
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
 allow system_server self:socket create_socket_perms_no_ioctl;
 
 # Set and get routes directly via netlink.
diff --git a/prebuilts/api/26.0/public/domain.te b/prebuilts/api/26.0/public/domain.te
index d2b370a21..3adefd1bb 100644
--- a/prebuilts/api/26.0/public/domain.te
+++ b/prebuilts/api/26.0/public/domain.te
@@ -195,19 +195,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
 allow domain fs_type:filesystem getattr;
 allow domain fs_type:dir getattr;
 
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
 # ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
 # not grant the ioctl permission on these socket types. That must be granted
 # separately.
 allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 ioctl unpriv_unix_sock_ioctls;
 
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
 # not grant the wider ioctl permission. That must be granted
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -223,7 +223,7 @@ allow { domain -domain } vndservice_manager_type:service_manager { add find };
 
 ### neverallow rules ###
 
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
 # TIOCSTI is only ever used for exploits. Block it.
@@ -234,7 +234,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
 neverallow {
 domain
 -kernel
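Review bot: The rewritten comment `# Restrict all domains to a allowlist for common socket types. Additional` in the @@ -195 hunk, and `# All socket ioctls must be restricted to a allowlist.` in the @@ -223 hunk, need the article corrected to `an allowlist`; the same two lines recur in prebuilts/api/27.0/public/domain.te and prebuilts/api/28.0/public/domain.te. Further down, `# except for the ones allowlist here.` in the @@ -722 hunk (and its 27.0 and 28.0 counterparts) carries over the original's missing suffix, while the 28.0 @@ -1014 hunk already reads `allowlisted here`, so the three should be brought in line with it. These prebuilt snapshots presumably mirror the live public/domain.te; if that file gets the same wording pass, the same corrections belong there as well.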
@@ -243,7 +243,7 @@ neverallow {
 -vold
 } self:capability mknod;
 
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
 neverallow {
 domain
 userdebug_or_eng(`-domain')
@@ -343,7 +343,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
 
 #
 # Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
 #
 neverallow {
 domain
@@ -445,7 +445,7 @@ neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
 
 # Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
 neverallow {
 domain
 -adbd
@@ -668,7 +668,7 @@ full_treble_only(`
 ')
 
 # On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
 full_treble_only(`
 # Limit access to /vendor/app
 neverallow {
@@ -722,7 +722,7 @@ full_treble_only(`
 } vendor_shell_exec:file { execute execute_no_trans };
 
 # Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
 neverallow {
 domain
 -coredomain
@@ -923,7 +923,7 @@ neverallow {
 
 # In addition to the symlink reading restrictions above, restrict
 # write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
 # not be trusting any content in those directories.
 neverallow {
 domain
diff --git a/prebuilts/api/26.0/public/hal_wifi_supplicant.te b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
index 0f2540e40..028440c16 100644
--- a/prebuilts/api/26.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
 allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
 
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/26.0/public/netd.te b/prebuilts/api/26.0/public/netd.te
index 691887fcd..80fb76dc2 100644
--- a/prebuilts/api/26.0/public/netd.te
+++ b/prebuilts/api/26.0/public/netd.te
@@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
 net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/26.0/public/vendor_toolbox.te b/prebuilts/api/26.0/public/vendor_toolbox.te
index eb292cafb..63f938de1 100644
--- a/prebuilts/api/26.0/public/vendor_toolbox.te
+++ b/prebuilts/api/26.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
 # or read, execute the vendor_toolbox file.
 full_treble_only(`
 # Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
 neverallow {
 coredomain
 -init
diff --git a/prebuilts/api/27.0/private/app.te b/prebuilts/api/27.0/private/app.te
index 9251ed9cb..c53fa36ba 100644
--- a/prebuilts/api/27.0/private/app.te
+++ b/prebuilts/api/27.0/private/app.te
@@ -512,7 +512,7 @@ neverallow appdomain {
 tmpfs
 }:lnk_file no_w_file_perms;
 
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
 neverallow {
 bluetooth
 isolated_app
@@ -533,7 +533,7 @@ neverallow {
 -shell # bugreport
 } input_device:chr_file ~getattr;
 
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
 # neverallow rules for access to Bluetooth-related data files are above.
 neverallow {
 appdomain
diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
index d37a0bd26..999c16a3d 100644
--- a/prebuilts/api/27.0/private/domain.te
+++ b/prebuilts/api/27.0/private/domain.te
@@ -4,7 +4,7 @@ domain_auto_trans(domain, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
 neverallow {
 domain
 -vold
diff --git a/prebuilts/api/27.0/private/incidentd.te b/prebuilts/api/27.0/private/incidentd.te
index efd23bdae..64e174ffd 100644
--- a/prebuilts/api/27.0/private/incidentd.te
+++ b/prebuilts/api/27.0/private/incidentd.te
@@ -66,7 +66,7 @@ allow incidentd shell_exec:file rx_file_perms;
 # TODO control_logd(incidentd)
 
 # Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
 allow incidentd {
 system_server_service
 app_api_service
diff --git a/prebuilts/api/27.0/private/isolated_app.te b/prebuilts/api/27.0/private/isolated_app.te
index 37935c395..fbfb8a56c 100644
--- a/prebuilts/api/27.0/private/isolated_app.te
+++ b/prebuilts/api/27.0/private/isolated_app.te
@@ -74,7 +74,7 @@ neverallow isolated_app *:hwservice_manager *;
 neverallow isolated_app vndbinder_device:chr_file *;
 
 # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
 neverallow isolated_app *:service_manager ~find;
 
 # b/17487348
diff --git a/prebuilts/api/27.0/private/system_server.te b/prebuilts/api/27.0/private/system_server.te
index 40c5382d5..3a5b53b9f 100644
--- a/prebuilts/api/27.0/private/system_server.te
+++ b/prebuilts/api/27.0/private/system_server.te
@@ -50,7 +50,7 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
 
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
 # to use privileged ioctls commands. Needed to set up VPNs.
 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
@@ -95,7 +95,7 @@ allow system_server config_gz:file { read open };
 # Use generic "sockets" where the address family is not known
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
 allow system_server self:socket create_socket_perms_no_ioctl;
 
 # Set and get routes directly via netlink.
diff --git a/prebuilts/api/27.0/public/domain.te b/prebuilts/api/27.0/public/domain.te
index f5c72cc4d..e9ae56c01 100644
--- a/prebuilts/api/27.0/public/domain.te
+++ b/prebuilts/api/27.0/public/domain.te
@@ -195,19 +195,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
 allow domain fs_type:filesystem getattr;
 allow domain fs_type:dir getattr;
 
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
 # ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
 # not grant the ioctl permission on these socket types. That must be granted
 # separately.
 allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 ioctl unpriv_unix_sock_ioctls;
 
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
 # not grant the wider ioctl permission. That must be granted
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -226,7 +226,7 @@ with_asan(`allow domain system_data_file:dir getattr;')
 
 ### neverallow rules ###
 
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
 # TIOCSTI is only ever used for exploits. Block it.
@@ -237,7 +237,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
 neverallow {
 domain
 -kernel
@@ -246,7 +246,7 @@ neverallow {
 -vold
 } self:capability mknod;
 
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
 neverallow {
 domain
 userdebug_or_eng(`-domain')
@@ -347,7 +347,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
 
 #
 # Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
 #
 neverallow {
 domain
@@ -448,7 +448,7 @@ neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
 
 # Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
 neverallow {
 domain
 -adbd
@@ -664,7 +664,7 @@ full_treble_only(`
 ')
 
 # On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
 full_treble_only(`
 # Limit access to /vendor/app
 neverallow {
@@ -718,7 +718,7 @@ full_treble_only(`
 } vendor_shell_exec:file { execute execute_no_trans };
 
 # Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
 neverallow {
 domain
 -coredomain
@@ -916,7 +916,7 @@ neverallow {
 
 # In addition to the symlink reading restrictions above, restrict
 # write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
 # not be trusting any content in those directories.
 neverallow {
 domain
diff --git a/prebuilts/api/27.0/public/hal_wifi_supplicant.te b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
index 0f2540e40..028440c16 100644
--- a/prebuilts/api/27.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
 allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
 
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/27.0/public/netd.te b/prebuilts/api/27.0/public/netd.te
index aa99da21a..7f7872ec3 100644
--- a/prebuilts/api/27.0/public/netd.te
+++ b/prebuilts/api/27.0/public/netd.te
@@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
 net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/27.0/public/vendor_toolbox.te b/prebuilts/api/27.0/public/vendor_toolbox.te
index eb292cafb..63f938de1 100644
--- a/prebuilts/api/27.0/public/vendor_toolbox.te
+++ b/prebuilts/api/27.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
 # or read, execute the vendor_toolbox file.
 full_treble_only(`
 # Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
 neverallow {
 coredomain
 -init
diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
index fb6ba4f78..5053c287b 100644
--- a/prebuilts/api/28.0/private/domain.te
+++ b/prebuilts/api/28.0/private/domain.te
@@ -4,7 +4,7 @@ domain_auto_trans(domain, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
 neverallow {
 domain
 -vold
diff --git a/prebuilts/api/28.0/private/incidentd.te b/prebuilts/api/28.0/private/incidentd.te
index 6b248f181..35b184c89 100644
--- a/prebuilts/api/28.0/private/incidentd.te
+++ b/prebuilts/api/28.0/private/incidentd.te
@@ -115,7 +115,7 @@ userdebug_or_eng(`read_logd(incidentd)')
 # TODO control_logd(incidentd)
 
 # Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
 allow incidentd {
 system_server_service
 app_api_service
diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
index a6276b38c..6af6040d7 100644
--- a/prebuilts/api/28.0/private/isolated_app.te
+++ b/prebuilts/api/28.0/private/isolated_app.te
@@ -77,7 +77,7 @@ neverallow isolated_app *:hwservice_manager *;
 neverallow isolated_app vndbinder_device:chr_file *;
 
 # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
 neverallow isolated_app *:service_manager ~find;
 
 # b/17487348
diff --git a/prebuilts/api/28.0/private/perfetto.te b/prebuilts/api/28.0/private/perfetto.te
index 9ac5d8761..67725bfca 100644
--- a/prebuilts/api/28.0/private/perfetto.te
+++ b/prebuilts/api/28.0/private/perfetto.te
@@ -1,5 +1,5 @@
 # Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
 # This command line client accesses the privileged socket of the traced
 # daemon.
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index fa84c3226..2927e0bca 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -46,7 +46,7 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
 
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
 # to use privileged ioctls commands. Needed to set up VPNs.
 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
@@ -91,7 +91,7 @@ allow system_server config_gz:file { read open };
 # Use generic "sockets" where the address family is not known
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
 allow system_server self:socket create_socket_perms_no_ioctl;
 
 # Set and get routes directly via netlink.
diff --git a/prebuilts/api/28.0/private/traced_probes.te b/prebuilts/api/28.0/private/traced_probes.te
index 5d80f7e8b..e32e2e697 100644
--- a/prebuilts/api/28.0/private/traced_probes.te
+++ b/prebuilts/api/28.0/private/traced_probes.te
@@ -16,7 +16,7 @@ allow traced_probes debugfs_tracing:file rw_file_perms;
 allow traced_probes debugfs_trace_marker:file getattr;
 
 # TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
 userdebug_or_eng(`
 allow traced_probes debugfs_tracing_debug:file rw_file_perms;
 ')
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index 439c1f80f..55308da51 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -530,7 +530,7 @@ neverallow appdomain {
 tmpfs
 }:lnk_file no_w_file_perms;
 
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
 neverallow {
 bluetooth
 isolated_app
@@ -551,7 +551,7 @@ neverallow {
 -shell # bugreport
 } input_device:chr_file ~getattr;
 
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
 # neverallow rules for access to Bluetooth-related data files are above.
 neverallow {
 appdomain
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index e9337b654..2533aecbd 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -257,19 +257,19 @@ allow domain debugfs_trace_marker:file w_file_perms;
 allow domain fs_type:filesystem getattr;
 allow domain fs_type:dir getattr;
 
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
 # ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
 # not grant the ioctl permission on these socket types. That must be granted
 # separately.
 allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 ioctl unpriv_unix_sock_ioctls;
 
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
 # not grant the wider ioctl permission. That must be granted
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@ with_asan(`allow domain system_data_file:dir getattr;')
 
 ### neverallow rules ###
 
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
 # b/68014825 and https://android-review.googlesource.com/516535
@@ -303,7 +303,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 # Do not allow any domain other than init to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
 neverallow {
 domain
 -kernel
@@ -312,7 +312,7 @@ neverallow {
 -vold
 } self:global_capability_class_set mknod;
 
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
 neverallow {
 domain
 userdebug_or_eng(`-domain')
@@ -424,7 +424,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
 
 #
 # Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
 #
 neverallow {
 domain
@@ -552,7 +552,7 @@ compatible_property_only(`
 ')
 
 # Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
 neverallow {
 domain
 -adbd
@@ -928,7 +928,7 @@ full_treble_only(`
 ')
 
 # On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
 full_treble_only(`
 # Limit access to /vendor/app
 neverallow {
@@ -997,7 +997,7 @@ full_treble_only(`
 
 full_treble_only(`
 # Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
 neverallow {
 domain
 -coredomain
@@ -1014,7 +1014,7 @@ full_treble_only(`
 
 full_treble_only(`
 # Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
 neverallow {
 coredomain
 -init
@@ -1224,7 +1224,7 @@ neverallow {
 
 # In addition to the symlink reading restrictions above, restrict
 # write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
 # not be trusting any content in those directories.
 neverallow {
 domain
diff --git a/prebuilts/api/28.0/public/hal_wifi_supplicant.te b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
index 6bf0d3265..377851543 100644
--- a/prebuilts/api/28.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
 allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
 
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
index 18113e756..1fb3d482a 100644
--- a/prebuilts/api/28.0/public/netd.te
+++ b/prebuilts/api/28.0/public/netd.te
@@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
 net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/28.0/public/vendor_toolbox.te b/prebuilts/api/28.0/public/vendor_toolbox.te
index eb292cafb..63f938de1 100644
--- a/prebuilts/api/28.0/public/vendor_toolbox.te
+++ b/prebuilts/api/28.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
 # or read, execute the vendor_toolbox file.
 full_treble_only(`
 # Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
 neverallow {
 coredomain
 -init
diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te
index 169f6b249..419d9fe76 100644
--- a/prebuilts/api/29.0/private/coredomain.te
+++ b/prebuilts/api/29.0/private/coredomain.te
@@ -15,7 +15,7 @@ neverallow {
 ')
 
 # On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
 full_treble_only(`
 # Limit access to /vendor/app
 neverallow {
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 209eeb0dd..447176ed0 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -83,7 +83,7 @@ userdebug_or_eng(`
 ')
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
 neverallow {
 domain
 -vold
@@ -185,7 +185,7 @@ neverallow {
 
 #
 # Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
 # Executable files loaded from /data is a persistence vector
 # we want to avoid. See
 # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -299,7 +299,7 @@ neverallow {
 -zygote
 } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
 
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
 neverallow {
 domain
 userdebug_or_eng(`-domain')
diff --git a/prebuilts/api/29.0/private/heapprofd.te b/prebuilts/api/29.0/private/heapprofd.te
index 5330c589e..f98467712 100644
--- a/prebuilts/api/29.0/private/heapprofd.te
+++ b/prebuilts/api/29.0/private/heapprofd.te
@@ -29,7 +29,7 @@ typeattribute heapprofd mlstrustedsubject;
 allow heapprofd self:capability kill;
 
 # When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
 # spamming logs with denials for entries that we can not access.
 dontaudit heapprofd domain:dir { search open };
 
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index b93f1b2f6..ee9812e30 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -126,7 +126,7 @@ userdebug_or_eng(`read_logd(incidentd)')
 # TODO control_logd(incidentd)
 
 # Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
 allow incidentd {
 system_server_service
 app_api_service
diff --git a/prebuilts/api/29.0/private/isolated_app.te b/prebuilts/api/29.0/private/isolated_app.te
index 94b49b04a..714405fa9 100644
--- a/prebuilts/api/29.0/private/isolated_app.te
+++ b/prebuilts/api/29.0/private/isolated_app.te
@@ -87,7 +87,7 @@ neverallow isolated_app *:hwservice_manager *; neverallow isolated_app vndbinder_device:chr_file *; # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager -# except the find actions for services whitelisted below. +# except the find actions for services allowlisted below. neverallow isolated_app *:service_manager ~find; # b/17487348 diff --git a/prebuilts/api/29.0/private/perfetto.te b/prebuilts/api/29.0/private/perfetto.te index 60a6250a8..6b1a81a7b 100644 --- a/prebuilts/api/29.0/private/perfetto.te +++ b/prebuilts/api/29.0/private/perfetto.te @@ -1,5 +1,5 @@ # Perfetto command-line client. Can be used only from the domains that are -# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto). +# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto). # This command line client accesses the privileged socket of the traced # daemon. diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te index 73891c923..5f60674b0 100644 --- a/prebuilts/api/29.0/private/system_server.te +++ b/prebuilts/api/29.0/private/system_server.te 
@@ -50,14 +50,14 @@ allow system_server zygote:unix_stream_socket { getopt getattr }; # system server gets network and bluetooth permissions. net_domain(system_server) -# in addition to ioctls whitelisted for all domains, also allow system_server +# in addition to ioctls allowlisted for all domains, also allow system_server # to use privileged ioctls commands. Needed to set up VPNs. allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; bluetooth_domain(system_server) # Allow setup of tcp keepalive offload. This gives system_server the permission to # call ioctl on app domains' tcp sockets. Additional ioctl commands still need to -# be granted individually, except for a small set of safe values whitelisted in +# be granted individually, except for a small set of safe values allowlisted in # public/domain.te. allow system_server appdomain:tcp_socket ioctl; @@ -102,7 +102,7 @@ allow system_server config_gz:file { read open }; # Use generic "sockets" where the address family is not known # to the kernel. The ioctl permission is specifically omitted here, but may # be added to device specific policy along with the ioctl commands to be -# whitelisted. +# allowlisted. allow system_server self:socket create_socket_perms_no_ioctl; # Set and get routes directly via netlink. diff --git a/prebuilts/api/29.0/private/traced_probes.te b/prebuilts/api/29.0/private/traced_probes.te index 4820e3f35..5b4c0cc53 100644 --- a/prebuilts/api/29.0/private/traced_probes.te +++ b/prebuilts/api/29.0/private/traced_probes.te @@ -16,7 +16,7 @@ allow traced_probes debugfs_tracing:file rw_file_perms; allow traced_probes debugfs_trace_marker:file getattr; # TODO(primiano): temporarily I/O tracing categories are still -# userdebug only until we nail down the blacklist/whitelist. +# userdebug only until we nail down the denylist/allowlist. userdebug_or_eng(` allow traced_probes debugfs_tracing_debug:dir r_dir_perms; allow traced_probes debugfs_tracing_debug:file rw_file_perms; 
diff --git a/prebuilts/api/29.0/public/app.te b/prebuilts/api/29.0/public/app.te index 5c48e71f5..5b3459f34 100644 --- a/prebuilts/api/29.0/public/app.te +++ b/prebuilts/api/29.0/public/app.te @@ -537,7 +537,7 @@ neverallow appdomain { tmpfs }:lnk_file no_w_file_perms; -# Blacklist app domains not allowed to execute from /data +# Denylist app domains not allowed to execute from /data neverallow { bluetooth isolated_app @@ -558,7 +558,7 @@ neverallow { -shell # bugreport } input_device:chr_file ~getattr; -# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains. +# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains. # neverallow rules for access to Bluetooth-related data files are above. neverallow { appdomain diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te index 987bb9f2d..1a9e0e1c2 100644 --- a/prebuilts/api/29.0/public/domain.te +++ b/prebuilts/api/29.0/public/domain.te 
@@ -260,19 +260,19 @@ allow domain debugfs_trace_marker:file w_file_perms; allow domain fs_type:filesystem getattr; allow domain fs_type:dir getattr; -# Restrict all domains to a whitelist for common socket types. Additional +# Restrict all domains to a allowlist for common socket types. Additional # ioctl commands may be added to individual domains, but this sets safe -# defaults for all processes. Note that granting this whitelist to domain does +# defaults for all processes. Note that granting this allowlist to domain does # not grant the ioctl permission on these socket types. That must be granted # separately. allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; -# default whitelist for unix sockets. +# default allowlist for unix sockets. allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls; -# Restrict PTYs to only whitelisted ioctls. -# Note that granting this whitelist to domain does +# Restrict PTYs to only allowlisted ioctls. +# Note that granting this allowlist to domain does # not grant the wider ioctl permission. That must be granted # separately. allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; @@ -288,7 +288,7 @@ allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; # Allow a process to make a determination whether a file descriptor # for a plain file or pipe (fifo_file) is a tty. Note that granting -# this whitelist to domain does not grant the ioctl permission to +# this allowlist to domain does not grant the ioctl permission to # these files. That must be granted separately. allowxperm domain { file_type fs_type }:file ioctl { TCGETS }; allowxperm domain domain:fifo_file ioctl { TCGETS }; 
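Review bot: The rewritten comment in the @@ -260 hunk, `# Restrict all domains to a allowlist for common socket types. Additional`, carries a wrong article left behind by the mechanical whitelist→allowlist substitution; it should read `# Restrict all domains to an allowlist for common socket types. Additional`. The other replaced lines in this hunk ("granting this allowlist", "default allowlist for unix sockets") and the @@ -288 hunk read fine. Nothing here touches the allowxperm rules themselves, so this is wording only, but the file is an API-level snapshot under prebuilts/api/29.0 and is unlikely to be revisited, so it is worth fixing in the same pass.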
@@ -331,7 +331,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms; ### # All ioctls on file-like objects (except chr_file and blk_file) and -# sockets must be restricted to a whitelist. +# sockets must be restricted to a allowlist. neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; # b/68014825 and https://android-review.googlesource.com/516535 @@ -346,7 +346,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI; # Do not allow any domain other than init to create unlabeled files. neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; -# Limit device node creation to these whitelisted domains. +# Limit device node creation to these allowlisted domains. neverallow { domain -kernel @@ -544,7 +544,7 @@ compatible_property_only(` ') # Do not allow reading device's serial number from system properties except form -# a few whitelisted domains. +# a few allowlisted domains. neverallow { domain -adbd @@ -951,7 +951,7 @@ full_treble_only(` full_treble_only(` # Do not allow vendor components to execute files from system - # except for the ones whitelist here. + # except for the ones allowlist here. neverallow { domain -coredomain @@ -970,7 +970,7 @@ full_treble_only(` full_treble_only(` # Do not allow system components to execute files from vendor - # except for the ones whitelisted here. + # except for the ones allowlisted here. neverallow { coredomain -init @@ -998,7 +998,7 @@ full_treble_only(` full_treble_only(` # Do not allow system components access to /vendor files except for the - # ones whitelisted here. + # ones allowlisted here. neverallow { coredomain # TODO(b/37168747): clean up fwk access to /vendor @@ -1028,7 +1028,7 @@ full_treble_only(` full_treble_only(` # Do not allow vendor components access to /system files except for the - # ones whitelisted here. + # ones allowlisted here. neverallow { domain -appdomain 
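Review bot: In the @@ -951 hunk the new line `# except for the ones allowlist here.` preserves the pre-existing grammar error of the old `whitelist here`, while the parallel Treble blocks at @@ -970, @@ -998 and @@ -1028 all say `allowlisted here`; since the line is being rewritten anyway, make it `# except for the ones allowlisted here.` so the four system/vendor neverallow blocks share identical wording. The @@ -331 hunk has the same article slip as elsewhere in this file, `# sockets must be restricted to a allowlist.`, which should be `an allowlist`. In the @@ -544 hunk the untouched context line directly above the change still reads `except form a few`, and the one-word `from` fix could ride along with this comment-only change. None of this alters the neverallow or neverallowxperm rules; the compiled policy is unaffected.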
@@ -1215,7 +1215,7 @@ neverallow { # In addition to the symlink reading restrictions above, restrict # write access to shell owned directories. The /data/local/tmp -# directory is untrustworthy, and non-whitelisted domains should +# directory is untrustworthy, and non-allowlisted domains should # not be trusting any content in those directories. neverallow { domain diff --git a/prebuilts/api/29.0/public/hal_wifi_supplicant.te b/prebuilts/api/29.0/public/hal_wifi_supplicant.te index 6004c3327..79a0667e3 100644 --- a/prebuilts/api/29.0/public/hal_wifi_supplicant.te +++ b/prebuilts/api/29.0/public/hal_wifi_supplicant.te @@ -4,7 +4,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client) hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice) -# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls. +# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls. allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls; r_dir_file(hal_wifi_supplicant, sysfs_type) diff --git a/prebuilts/api/29.0/public/netd.te b/prebuilts/api/29.0/public/netd.te index c8877b245..f776db66f 100644 --- a/prebuilts/api/29.0/public/netd.te +++ b/prebuilts/api/29.0/public/netd.te @@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject; type netd_exec, system_file_type, exec_type, file_type; net_domain(netd) -# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls. +# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls. allowxperm netd self:udp_socket ioctl priv_sock_ioctls; r_dir_file(netd, cgroup) diff --git a/prebuilts/api/29.0/public/vendor_toolbox.te b/prebuilts/api/29.0/public/vendor_toolbox.te index eb292cafb..63f938de1 100644 --- a/prebuilts/api/29.0/public/vendor_toolbox.te +++ b/prebuilts/api/29.0/public/vendor_toolbox.te 
@@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type; # or read, execute the vendor_toolbox file. full_treble_only(` # Do not allow non-vendor domains to transition - # to vendor toolbox except for the whitelisted domains. + # to vendor toolbox except for the allowlisted domains. neverallow { coredomain -init diff --git a/prebuilts/api/30.0/private/atrace.te b/prebuilts/api/30.0/private/atrace.te index ad7d177e6..585c25484 100644 --- a/prebuilts/api/30.0/private/atrace.te +++ b/prebuilts/api/30.0/private/atrace.te @@ -59,7 +59,7 @@ userdebug_or_eng(` hal_client_domain(atrace, hal_vibrator) ') -# Remove logspam from notification attempts to non-whitelisted services. +# Remove logspam from notification attempts to non-allowlisted services. dontaudit atrace hwservice_manager_type:hwservice_manager find; dontaudit atrace service_manager_type:service_manager find; dontaudit atrace domain:binder call; diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te index 86e800962..f13d98a1d 100644 --- a/prebuilts/api/30.0/private/coredomain.te +++ b/prebuilts/api/30.0/private/coredomain.te @@ -15,7 +15,7 @@ neverallow { ') # On TREBLE devices, a limited set of files in /vendor are accessible to -# only a few whitelisted coredomains to keep system/vendor separation. +# only a few allowlisted coredomains to keep system/vendor separation. full_treble_only(` # Limit access to /vendor/app neverallow { diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te index 1a8ce5053..dc83b8f64 100644 --- a/prebuilts/api/30.0/private/domain.te +++ b/prebuilts/api/30.0/private/domain.te 
@@ -122,7 +122,7 @@ allow domain linkerconfig_file:file r_file_perms; allow domain boringssl_self_test_marker:dir search; # Limit ability to ptrace or read sensitive /proc/pid files of processes -# with other UIDs to these whitelisted domains. +# with other UIDs to these allowlisted domains. neverallow { domain -vold @@ -225,7 +225,7 @@ neverallow { # # Assert that, to the extent possible, we're not loading executable content from -# outside the rootfs or /system partition except for a few whitelisted domains. +# outside the rootfs or /system partition except for a few allowlisted domains. # Executable files loaded from /data is a persistence vector # we want to avoid. See # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. @@ -342,7 +342,7 @@ neverallow { -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; -# Limit raw I/O to these whitelisted domains. Do not apply to debug builds. +# Limit raw I/O to these allowlisted domains. Do not apply to debug builds. neverallow { domain userdebug_or_eng(`-domain') diff --git a/prebuilts/api/30.0/private/heapprofd.te b/prebuilts/api/30.0/private/heapprofd.te index ec3e4d067..7bd60a46e 100644 --- a/prebuilts/api/30.0/private/heapprofd.te +++ b/prebuilts/api/30.0/private/heapprofd.te @@ -29,7 +29,7 @@ typeattribute heapprofd mlstrustedsubject; allow heapprofd self:capability kill; # When scanning /proc/[pid]/cmdline to find matching processes for by-name -# profiling, only whitelisted domains will be allowed by SELinux. Avoid +# profiling, only allowlisted domains will be allowed by SELinux. Avoid # spamming logs with denials for entries that we can not access. dontaudit heapprofd domain:dir { search open }; diff --git a/prebuilts/api/30.0/private/incidentd.te b/prebuilts/api/30.0/private/incidentd.te index 656f69fed..f10173b00 100644 --- a/prebuilts/api/30.0/private/incidentd.te +++ b/prebuilts/api/30.0/private/incidentd.te 
@@ -145,7 +145,7 @@ userdebug_or_eng(`read_logd(incidentd)') r_dir_file(incidentd, misc_logd_file) # Allow incidentd to find these standard groups of services. -# Others can be whitelisted individually. +# Others can be allowlisted individually. allow incidentd { system_server_service app_api_service diff --git a/prebuilts/api/30.0/private/isolated_app.te b/prebuilts/api/30.0/private/isolated_app.te index 4c6c5aad9..94d60f066 100644 --- a/prebuilts/api/30.0/private/isolated_app.te +++ b/prebuilts/api/30.0/private/isolated_app.te @@ -88,7 +88,7 @@ neverallow isolated_app *:hwservice_manager *; neverallow isolated_app vndbinder_device:chr_file *; # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager -# except the find actions for services whitelisted below. +# except the find actions for services allowlisted below. neverallow isolated_app *:service_manager ~find; # b/17487348 diff --git a/prebuilts/api/30.0/private/perfetto.te b/prebuilts/api/30.0/private/perfetto.te index 0161361c7..14707ac52 100644 --- a/prebuilts/api/30.0/private/perfetto.te +++ b/prebuilts/api/30.0/private/perfetto.te @@ -1,5 +1,5 @@ # Perfetto command-line client. Can be used only from the domains that are -# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto). +# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto). # This command line client accesses the privileged socket of the traced # daemon. diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te index 66c46ed97..00828274d 100644 --- a/prebuilts/api/30.0/private/system_server.te +++ b/prebuilts/api/30.0/private/system_server.te 
@@ -66,14 +66,14 @@ allow system_server zygote:unix_stream_socket { getopt getattr }; # system server gets network and bluetooth permissions. net_domain(system_server) -# in addition to ioctls whitelisted for all domains, also allow system_server +# in addition to ioctls allowlisted for all domains, also allow system_server # to use privileged ioctls commands. Needed to set up VPNs. allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; bluetooth_domain(system_server) # Allow setup of tcp keepalive offload. This gives system_server the permission to # call ioctl on app domains' tcp sockets. Additional ioctl commands still need to -# be granted individually, except for a small set of safe values whitelisted in +# be granted individually, except for a small set of safe values allowlisted in # public/domain.te. allow system_server appdomain:tcp_socket ioctl; @@ -118,7 +118,7 @@ allow system_server config_gz:file { read open }; # Use generic "sockets" where the address family is not known # to the kernel. The ioctl permission is specifically omitted here, but may # be added to device specific policy along with the ioctl commands to be -# whitelisted. +# allowlisted. allow system_server self:socket create_socket_perms_no_ioctl; # Set and get routes directly via netlink. diff --git a/prebuilts/api/30.0/private/traced_probes.te b/prebuilts/api/30.0/private/traced_probes.te index dd6ece0ed..36f9c51df 100644 --- a/prebuilts/api/30.0/private/traced_probes.te +++ b/prebuilts/api/30.0/private/traced_probes.te @@ -16,7 +16,7 @@ allow traced_probes debugfs_tracing:file rw_file_perms; allow traced_probes debugfs_trace_marker:file getattr; # TODO(primiano): temporarily I/O tracing categories are still -# userdebug only until we nail down the blacklist/whitelist. +# userdebug only until we nail down the denylist/allowlist. userdebug_or_eng(` allow traced_probes debugfs_tracing_debug:dir r_dir_perms; allow traced_probes debugfs_tracing_debug:file rw_file_perms; 
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te index e5b9fd670..c892d9e47 100644 --- a/prebuilts/api/30.0/public/app.te +++ b/prebuilts/api/30.0/public/app.te @@ -537,7 +537,7 @@ neverallow appdomain { tmpfs }:lnk_file no_w_file_perms; -# Blacklist app domains not allowed to execute from /data +# Denylist app domains not allowed to execute from /data neverallow { bluetooth isolated_app @@ -558,7 +558,7 @@ neverallow { -shell # bugreport } input_device:chr_file ~getattr; -# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains. +# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains. # neverallow rules for access to Bluetooth-related data files are above. neverallow { appdomain diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te index 8cb495037..c151b9528 100644 --- a/prebuilts/api/30.0/public/domain.te +++ b/prebuilts/api/30.0/public/domain.te 
@@ -260,19 +260,19 @@ allow domain debugfs_trace_marker:file w_file_perms; allow domain fs_type:filesystem getattr; allow domain fs_type:dir getattr; -# Restrict all domains to a whitelist for common socket types. Additional +# Restrict all domains to a allowlist for common socket types. Additional # ioctl commands may be added to individual domains, but this sets safe -# defaults for all processes. Note that granting this whitelist to domain does +# defaults for all processes. Note that granting this allowlist to domain does # not grant the ioctl permission on these socket types. That must be granted # separately. allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; -# default whitelist for unix sockets. +# default allowlist for unix sockets. allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls; -# Restrict PTYs to only whitelisted ioctls. -# Note that granting this whitelist to domain does +# Restrict PTYs to only allowlisted ioctls. +# Note that granting this allowlist to domain does # not grant the wider ioctl permission. That must be granted # separately. allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; @@ -288,7 +288,7 @@ allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX }; # Allow a process to make a determination whether a file descriptor # for a plain file or pipe (fifo_file) is a tty. Note that granting -# this whitelist to domain does not grant the ioctl permission to +# this allowlist to domain does not grant the ioctl permission to # these files. That must be granted separately. allowxperm domain { file_type fs_type }:file ioctl { TCGETS }; allowxperm domain domain:fifo_file ioctl { TCGETS }; 
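Review bot: The @@ -260 hunk replaces the first comment line with `# Restrict all domains to a allowlist for common socket types. Additional`, where the article no longer agrees with the new noun; the intended text is `# Restrict all domains to an allowlist for common socket types. Additional`. The remaining substitutions in this hunk and in the @@ -288 hunk are grammatical as written. This snapshot under prebuilts/api/30.0 presumably mirrors the live public/domain.te, which is not visible in this part of the diff, so whatever wording is chosen should be applied to both copies to keep the two files textually identical.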
@@ -331,7 +331,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms; ### # All ioctls on file-like objects (except chr_file and blk_file) and -# sockets must be restricted to a whitelist. +# sockets must be restricted to a allowlist. neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; # b/68014825 and https://android-review.googlesource.com/516535 @@ -346,7 +346,7 @@ neverallowxperm * devpts:chr_file ioctl TIOCSTI; # Do not allow any domain other than init to create unlabeled files. neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; -# Limit device node creation to these whitelisted domains. +# Limit device node creation to these allowlisted domains. neverallow { domain -kernel @@ -544,7 +544,7 @@ compatible_property_only(` ') # Do not allow reading device's serial number from system properties except form -# a few whitelisted domains. +# a few allowlisted domains. neverallow { domain -adbd @@ -934,7 +934,7 @@ full_treble_only(` full_treble_only(` # Do not allow vendor components to execute files from system - # except for the ones whitelist here. + # except for the ones allowlist here. neverallow { domain -coredomain @@ -955,7 +955,7 @@ full_treble_only(` full_treble_only(` # Do not allow system components to execute files from vendor - # except for the ones whitelisted here. + # except for the ones allowlisted here. neverallow { coredomain -init @@ -984,7 +984,7 @@ full_treble_only(` full_treble_only(` # Do not allow system components access to /vendor files except for the - # ones whitelisted here. + # ones allowlisted here. neverallow { coredomain # TODO(b/37168747): clean up fwk access to /vendor @@ -1019,7 +1019,7 @@ full_treble_only(` full_treble_only(` # Do not allow vendor components access to /system files except for the - # ones whitelisted here. + # ones allowlisted here. neverallow { domain -appdomain 
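Review bot: The @@ -934 hunk produces `# except for the ones allowlist here.`, inheriting the ungrammatical form of the old `whitelist here`, whereas the sibling blocks at @@ -955, @@ -984 and @@ -1019 correctly read `allowlisted here`; the line should become `# except for the ones allowlisted here.` for consistency across the four Treble neverallow blocks. The @@ -331 hunk also reads `# sockets must be restricted to a allowlist.` and wants `an allowlist`. The context line above the @@ -544 change still says `except form a few` (`from`), which is a cheap fix to include in a comment-only CL. As with the rest of this change, only comments move; the neverallowxperm and neverallow statements are untouched.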
@@ -1212,7 +1212,7 @@ neverallow { # In addition to the symlink reading restrictions above, restrict # write access to shell owned directories. The /data/local/tmp -# directory is untrustworthy, and non-whitelisted domains should +# directory is untrustworthy, and non-allowlisted domains should # not be trusting any content in those directories. neverallow { domain diff --git a/prebuilts/api/30.0/public/hal_wifi_supplicant.te b/prebuilts/api/30.0/public/hal_wifi_supplicant.te index 6004c3327..79a0667e3 100644 --- a/prebuilts/api/30.0/public/hal_wifi_supplicant.te +++ b/prebuilts/api/30.0/public/hal_wifi_supplicant.te @@ -4,7 +4,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client) hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice) -# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls. +# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls. allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls; r_dir_file(hal_wifi_supplicant, sysfs_type) diff --git a/prebuilts/api/30.0/public/netd.te b/prebuilts/api/30.0/public/netd.te index 8005406d6..0b83d4c9d 100644 --- a/prebuilts/api/30.0/public/netd.te +++ b/prebuilts/api/30.0/public/netd.te @@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject; type netd_exec, system_file_type, exec_type, file_type; net_domain(netd) -# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls. +# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls. allowxperm netd self:udp_socket ioctl priv_sock_ioctls; r_dir_file(netd, cgroup) diff --git a/prebuilts/api/30.0/public/vendor_toolbox.te b/prebuilts/api/30.0/public/vendor_toolbox.te index eb292cafb..63f938de1 100644 --- a/prebuilts/api/30.0/public/vendor_toolbox.te +++ b/prebuilts/api/30.0/public/vendor_toolbox.te 
@@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type; # or read, execute the vendor_toolbox file. full_treble_only(` # Do not allow non-vendor domains to transition - # to vendor toolbox except for the whitelisted domains. + # to vendor toolbox except for the allowlisted domains. neverallow { coredomain -init diff --git a/private/atrace.te b/private/atrace.te index ad7d177e6..585c25484 100644 --- a/private/atrace.te +++ b/private/atrace.te @@ -59,7 +59,7 @@ userdebug_or_eng(` hal_client_domain(atrace, hal_vibrator) ') -# Remove logspam from notification attempts to non-whitelisted services. +# Remove logspam from notification attempts to non-allowlisted services. dontaudit atrace hwservice_manager_type:hwservice_manager find; dontaudit atrace service_manager_type:service_manager find; dontaudit atrace domain:binder call; diff --git a/private/coredomain.te b/private/coredomain.te index edb22452b..f14faf180 100644 --- a/private/coredomain.te +++ b/private/coredomain.te @@ -34,7 +34,7 @@ neverallow { ') # On TREBLE devices, a limited set of files in /vendor are accessible to -# only a few whitelisted coredomains to keep system/vendor separation. +# only a few allowlisted coredomains to keep system/vendor separation. full_treble_only(` # Limit access to /vendor/app neverallow { diff --git a/private/domain.te b/private/domain.te index 8ba992b15..6cee382a5 100644 --- a/private/domain.te +++ b/private/domain.te @@ -109,7 +109,7 @@ allow domain linkerconfig_file:file r_file_perms; allow domain boringssl_self_test_marker:dir search; # Limit ability to ptrace or read sensitive /proc/pid files of processes -# with other UIDs to these whitelisted domains. +# with other UIDs to these allowlisted domains. neverallow { domain -vold 
@@ -212,7 +212,7 @@ neverallow { # # Assert that, to the extent possible, we're not loading executable content from -# outside the rootfs or /system partition except for a few whitelisted domains. +# outside the rootfs or /system partition except for a few allowlisted domains. # Executable files loaded from /data is a persistence vector # we want to avoid. See # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. @@ -329,7 +329,7 @@ neverallow { -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; -# Limit raw I/O to these whitelisted domains. Do not apply to debug builds. +# Limit raw I/O to these allowlisted domains. Do not apply to debug builds. neverallow { domain userdebug_or_eng(`-domain') diff --git a/private/heapprofd.te b/private/heapprofd.te index ec3e4d067..7bd60a46e 100644 --- a/private/heapprofd.te +++ b/private/heapprofd.te @@ -29,7 +29,7 @@ typeattribute heapprofd mlstrustedsubject; allow heapprofd self:capability kill; # When scanning /proc/[pid]/cmdline to find matching processes for by-name -# profiling, only whitelisted domains will be allowed by SELinux. Avoid +# profiling, only allowlisted domains will be allowed by SELinux. Avoid # spamming logs with denials for entries that we can not access. dontaudit heapprofd domain:dir { search open }; diff --git a/private/incidentd.te b/private/incidentd.te index 656f69fed..f10173b00 100644 --- a/private/incidentd.te +++ b/private/incidentd.te @@ -145,7 +145,7 @@ userdebug_or_eng(`read_logd(incidentd)') r_dir_file(incidentd, misc_logd_file) # Allow incidentd to find these standard groups of services. -# Others can be whitelisted individually. +# Others can be allowlisted individually. allow incidentd { system_server_service app_api_service diff --git a/private/isolated_app.te b/private/isolated_app.te index 33b5219e8..e9411f56f 100644 --- a/private/isolated_app.te +++ b/private/isolated_app.te 
@@ -91,7 +91,7 @@ neverallow isolated_app *:hwservice_manager *; neverallow isolated_app vndbinder_device:chr_file *; # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager -# except the find actions for services whitelisted below. +# except the find actions for services allowlisted below. neverallow isolated_app *:service_manager ~find; # b/17487348 diff --git a/private/perfetto.te b/private/perfetto.te index 0161361c7..14707ac52 100644 --- a/private/perfetto.te +++ b/private/perfetto.te @@ -1,5 +1,5 @@ # Perfetto command-line client. Can be used only from the domains that are -# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto). +# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto). # This command line client accesses the privileged socket of the traced # daemon. diff --git a/private/system_server.te b/private/system_server.te index fc4ba0d13..0622908bc 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -66,14 +66,14 @@ allow system_server zygote:unix_stream_socket { getopt getattr }; # system server gets network and bluetooth permissions. net_domain(system_server) -# in addition to ioctls whitelisted for all domains, also allow system_server +# in addition to ioctls allowlisted for all domains, also allow system_server # to use privileged ioctls commands. Needed to set up VPNs. allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; bluetooth_domain(system_server) # Allow setup of tcp keepalive offload. This gives system_server the permission to # call ioctl on app domains' tcp sockets. Additional ioctl commands still need to -# be granted individually, except for a small set of safe values whitelisted in +# be granted individually, except for a small set of safe values allowlisted in # public/domain.te. allow system_server appdomain:tcp_socket ioctl; 
@@ -118,7 +118,7 @@ allow system_server config_gz:file { read open }; # Use generic "sockets" where the address family is not known # to the kernel. The ioctl permission is specifically omitted here, but may # be added to device specific policy along with the ioctl commands to be -# whitelisted. +# allowlisted. allow system_server self:socket create_socket_perms_no_ioctl; # Set and get routes directly via netlink. diff --git a/private/traced_probes.te b/private/traced_probes.te index dd6ece0ed..36f9c51df 100644 --- a/private/traced_probes.te +++ b/private/traced_probes.te @@ -16,7 +16,7 @@ allow traced_probes debugfs_tracing:file rw_file_perms; allow traced_probes debugfs_trace_marker:file getattr; # TODO(primiano): temporarily I/O tracing categories are still -# userdebug only until we nail down the blacklist/whitelist. +# userdebug only until we nail down the denylist/allowlist. userdebug_or_eng(` allow traced_probes debugfs_tracing_debug:dir r_dir_perms; allow traced_probes debugfs_tracing_debug:file rw_file_perms; diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te index 6004c3327..79a0667e3 100644 --- a/public/hal_wifi_supplicant.te +++ b/public/hal_wifi_supplicant.te @@ -4,7 +4,7 @@ binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client) hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice) -# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls. +# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls. allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls; r_dir_file(hal_wifi_supplicant, sysfs_type) diff --git a/public/netd.te b/public/netd.te index 55b62839a..ad2dde9b9 100644 --- a/public/netd.te +++ b/public/netd.te 
@@ -3,7 +3,7 @@ type netd, domain, mlstrustedsubject; type netd_exec, system_file_type, exec_type, file_type; net_domain(netd) -# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls. +# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls. allowxperm netd self:udp_socket ioctl priv_sock_ioctls; r_dir_file(netd, cgroup) diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te index eb292cafb..63f938de1 100644 --- a/public/vendor_toolbox.te +++ b/public/vendor_toolbox.te @@ -7,7 +7,7 @@ type vendor_toolbox_exec, exec_type, vendor_file_type, file_type; # or read, execute the vendor_toolbox file. full_treble_only(` # Do not allow non-vendor domains to transition - # to vendor toolbox except for the whitelisted domains. + # to vendor toolbox except for the allowlisted domains. neverallow { coredomain -init