# kernel domain is used for all processes started before Android init installs SELinux policy.
# Normally, no processes should be in this domain because clumping multiple processes into a single
# SELinux domain overprivileges each of those processes.

# TODO(b/65049764): Get rid of the hostapd instance started before Android init
net_domain(kernel)
allow kernel self:capability net_admin;
allow kernel self:netlink_socket create_socket_perms_no_ioctl;
allow kernel tmpfs:dir search;

# TODO(b/65049764): Get rid of GCE proxy and similar daemons started before Android init
# gce.meta.proxy and gce.ex.outer write to /dev/console which for some reason does not appear
# labelled as console_device although it is labeled as such on the filesystem.
allow kernel rootfs:chr_file write;

# kdevtmpfs accesses devices before ueventd runs restorecon and relabels devices
allow kernel device:chr_file { create setattr getattr unlink };
allow kernel device:dir create_dir_perms;
allow kernel self:capability mknod;