Move microdroid sepolicy to system/sepolicy
Bug: 190511750
Test: boot microdroid
Change-Id: I34118ec289ee782caf7019a628becf0f1649a54a
diff --git a/microdroid/sepolicy/Android.bp b/microdroid/sepolicy/Android.bp
deleted file mode 100644
index 7a55505..0000000
--- a/microdroid/sepolicy/Android.bp
+++ /dev/null
@@ -1,294 +0,0 @@
-package {
- // See: http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // all of the 'license_kinds' from "packages_modules_Virtualization_license"
- // to get the below license kinds:
- // legacy_unencumbered
- default_applicable_licenses: ["packages_modules_Virtualization_license"],
-}
-
-system_policy_files = [
- "system/private/security_classes",
- "system/private/initial_sids",
- "system/private/access_vectors",
- "system/public/global_macros",
- "system/public/neverallow_macros",
- "system/private/mls_macros",
- "system/private/mls_decl",
- "system/private/mls",
- "system/private/policy_capabilities",
- "system/public/te_macros",
- "system/public/attributes",
- "system/private/attributes",
- "system/public/ioctl_defines",
- "system/public/ioctl_macros",
- "system/public/*.te",
- "system/private/*.te",
- "system/private/roles_decl",
- "system/public/roles",
- "system/private/users",
- "system/private/initial_sid_contexts",
- "system/private/fs_use",
- "system/private/genfs_contexts",
- "system/private/port_contexts",
-]
-
-reqd_mask_files = [
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "reqd_mask/reqd_mask.te",
- "reqd_mask/roles_decl",
- "reqd_mask/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
-]
-
-system_public_policy_files = [
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "system/public/global_macros",
- "system/public/neverallow_macros",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "system/public/te_macros",
- "system/public/attributes",
- "system/public/ioctl_defines",
- "system/public/ioctl_macros",
- "system/public/*.te",
- "reqd_mask/reqd_mask.te",
- "reqd_mask/roles_decl",
- "reqd_mask/roles",
- "system/public/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
-]
-
-vendor_policy_files = [
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "system/public/global_macros",
- "system/public/neverallow_macros",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "system/public/te_macros",
- "system/public/attributes",
- "system/public/ioctl_defines",
- "system/public/ioctl_macros",
- "system/public/*.te",
- "reqd_mask/reqd_mask.te",
- "vendor/*.te",
- "reqd_mask/roles_decl",
- "reqd_mask/roles",
- "system/public/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
-]
-
-se_policy_conf {
- name: "microdroid_reqd_policy_mask.conf",
- srcs: reqd_mask_files,
- installable: false,
-}
-
-se_policy_cil {
- name: "microdroid_reqd_policy_mask.cil",
- src: ":microdroid_reqd_policy_mask.conf",
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "microdroid_plat_sepolicy.conf",
- srcs: system_policy_files,
- installable: false,
-}
-
-se_policy_cil {
- name: "microdroid_plat_sepolicy.cil",
- stem: "plat_sepolicy.cil",
- src: ":microdroid_plat_sepolicy.conf",
- installable: false,
-}
-
-se_policy_conf {
- name: "microdroid_plat_pub_policy.conf",
- srcs: system_public_policy_files,
- installable: false,
-}
-
-se_policy_cil {
- name: "microdroid_plat_pub_policy.cil",
- src: ":microdroid_plat_pub_policy.conf",
- filter_out: [":microdroid_reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_versioned_policy {
- name: "microdroid_plat_mapping_file",
- base: ":microdroid_plat_pub_policy.cil",
- mapping: true,
- version: "current",
- relative_install_path: "mapping", // install to /system/etc/selinux/mapping
- installable: false,
-}
-
-se_versioned_policy {
- name: "microdroid_plat_pub_versioned.cil",
- stem: "plat_pub_versioned.cil",
- base: ":microdroid_plat_pub_policy.cil",
- target_policy: ":microdroid_plat_pub_policy.cil",
- version: "current",
- dependent_cils: [
- ":microdroid_plat_sepolicy.cil",
- ":microdroid_plat_mapping_file",
- ],
- installable: false,
-}
-
-se_policy_conf {
- name: "microdroid_vendor_sepolicy.conf",
- srcs: vendor_policy_files,
- installable: false,
-}
-
-se_policy_cil {
- name: "microdroid_vendor_sepolicy.cil.raw",
- src: ":microdroid_vendor_sepolicy.conf",
- filter_out: [":microdroid_reqd_policy_mask.cil"],
- secilc_check: false, // will be done in se_versioned_policy module
- installable: false,
-}
-
-se_versioned_policy {
- name: "microdroid_vendor_sepolicy.cil",
- stem: "vendor_sepolicy.cil",
- base: ":microdroid_plat_pub_policy.cil",
- target_policy: ":microdroid_vendor_sepolicy.cil.raw",
- version: "current", // microdroid is bundled to system
- dependent_cils: [
- ":microdroid_plat_sepolicy.cil",
- ":microdroid_plat_pub_versioned.cil",
- ":microdroid_plat_mapping_file",
- ],
- filter_out: [":microdroid_plat_pub_versioned.cil"],
- installable: false,
-}
-
-sepolicy_vers {
- name: "microdroid_plat_sepolicy_vers.txt",
- version: "platform",
- stem: "plat_sepolicy_vers.txt",
- installable: false,
-}
-
-// sepolicy sha256 for vendor
-genrule {
- name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
- srcs: [":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file"],
- out: ["microdroid_plat_sepolicy_and_mapping.sha256"],
- cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
-}
-
-prebuilt_etc {
- name: "microdroid_plat_sepolicy_and_mapping.sha256",
- src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
- filename: "plat_sepolicy_and_mapping.sha256",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
- name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
- src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
- filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
- relative_install_path: "selinux",
- installable: false,
-}
-
-genrule {
- name: "microdroid_precompiled_sepolicy_gen",
- tools: ["secilc"],
- srcs: [
- ":microdroid_plat_sepolicy.cil",
- ":microdroid_plat_mapping_file",
- ":microdroid_plat_pub_versioned.cil",
- ":microdroid_vendor_sepolicy.cil",
- ],
- out: ["precompiled_sepolicy"],
- cmd: "$(location secilc) -m -M true -G -c 30 $(in) -o $(out) -f /dev/null",
-}
-
-prebuilt_etc {
- name: "microdroid_precompiled_sepolicy",
- src: ":microdroid_precompiled_sepolicy_gen",
- filename: "precompiled_sepolicy",
- relative_install_path: "selinux",
- installable: false,
-}
-
-genrule {
- name: "microdroid_file_contexts.gen",
- srcs: ["system/private/file_contexts"],
- tools: ["fc_sort"],
- out: ["file_contexts"],
- cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
- "$(location fc_sort) -i $(out).tmp -o $(out)",
-}
-
-prebuilt_etc {
- name: "microdroid_file_contexts",
- filename: "plat_file_contexts",
- src: ":microdroid_file_contexts.gen",
- relative_install_path: "selinux",
- installable: false,
-}
-
-genrule {
- name: "microdroid_vendor_file_contexts.gen",
- srcs: ["vendor/file_contexts"],
- tools: ["fc_sort"],
- out: ["file_contexts"],
- cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
- "$(location fc_sort) -i $(out).tmp -o $(out)",
-}
-
-prebuilt_etc {
- name: "microdroid_hwservice_contexts",
- filename: "plat_hwservice_contexts",
- src: "system/private/hwservice_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
- name: "microdroid_property_contexts",
- filename: "plat_property_contexts",
- src: "system/private/property_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
- name: "microdroid_service_contexts",
- filename: "plat_service_contexts",
- src: "system/private/service_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
- name: "microdroid_keystore2_key_contexts",
- filename: "plat_keystore2_key_contexts",
- src: "system/private/keystore2_key_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
diff --git a/microdroid/sepolicy/reqd_mask/access_vectors b/microdroid/sepolicy/reqd_mask/access_vectors
deleted file mode 100644
index 22f2ffa..0000000
--- a/microdroid/sepolicy/reqd_mask/access_vectors
+++ /dev/null
@@ -1,777 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
- unlink
- link
- rename
- execute
- quotaon
- mounton
- audit_access
- open
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin
- syslog
- wake_alarm
- block_suspend
- audit_read
- perfmon
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
- watch
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class anon_inode
-inherits file
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
- getrlimit
-}
-
-class process2
-{
- nnp_transition
- nosuid_transition
-}
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
- validate_trans
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_readpriv
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class infiniband_pkey
-{
- access
-}
-
-class infiniband_endport
-{
- manage_subnet
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
- name_connect
- association
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class smc_socket
-inherits socket
-
-class bpf
-{
- map_create
- map_read
- map_write
- prog_load
- prog_run
-}
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class keystore2
-{
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- early_boot_ended
- get_auth_token
- get_state
- list
- lock
- report_off_body
- reset
- unlock
-}
-
-class keystore2_key
-{
- convert_storage_key_to_ephemeral
- delete
- gen_unique_id
- get_info
- grant
- manage_blob
- rebind
- req_forced_op
- update
- use
- use_dev_id
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
-
-class xdp_socket
-inherits socket
-
-class perf_event
-{
- open
- cpu
- kernel
- tracepoint
- read
- write
-}
-
-class lockdown
-{
- integrity
- confidentiality
-}
diff --git a/microdroid/sepolicy/reqd_mask/initial_sid_contexts b/microdroid/sepolicy/reqd_mask/initial_sid_contexts
deleted file mode 100644
index aa465cd..0000000
--- a/microdroid/sepolicy/reqd_mask/initial_sid_contexts
+++ /dev/null
@@ -1 +0,0 @@
-sid reqd_mask u:r:reqd_mask_type:s0
diff --git a/microdroid/sepolicy/reqd_mask/initial_sids b/microdroid/sepolicy/reqd_mask/initial_sids
deleted file mode 100644
index 366cfb1..0000000
--- a/microdroid/sepolicy/reqd_mask/initial_sids
+++ /dev/null
@@ -1,3 +0,0 @@
-sid reqd_mask
-
-# FLASK
diff --git a/microdroid/sepolicy/reqd_mask/keys.conf b/microdroid/sepolicy/reqd_mask/keys.conf
deleted file mode 100644
index ce7166b..0000000
--- a/microdroid/sepolicy/reqd_mask/keys.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# empty keys.conf file - used to generate an empty nonplat_mac_permissions.xml
-# on devices without any keys.conf or mac_permissions additions.
diff --git a/microdroid/sepolicy/reqd_mask/mac_permissions.xml b/microdroid/sepolicy/reqd_mask/mac_permissions.xml
deleted file mode 100644
index ef9c6dd..0000000
--- a/microdroid/sepolicy/reqd_mask/mac_permissions.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-</policy>
diff --git a/microdroid/sepolicy/reqd_mask/mls b/microdroid/sepolicy/reqd_mask/mls
deleted file mode 100644
index d276924..0000000
--- a/microdroid/sepolicy/reqd_mask/mls
+++ /dev/null
@@ -1 +0,0 @@
-mlsconstrain binder { set_context_mgr } (l1 eq l2);
diff --git a/microdroid/sepolicy/reqd_mask/mls_decl b/microdroid/sepolicy/reqd_mask/mls_decl
deleted file mode 100644
index dd53bea..0000000
--- a/microdroid/sepolicy/reqd_mask/mls_decl
+++ /dev/null
@@ -1,10 +0,0 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
diff --git a/microdroid/sepolicy/reqd_mask/mls_macros b/microdroid/sepolicy/reqd_mask/mls_macros
deleted file mode 100644
index 83e0542..0000000
--- a/microdroid/sepolicy/reqd_mask/mls_macros
+++ /dev/null
@@ -1,54 +0,0 @@
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-define(`decl_cats',`dnl
-category c$1;
-ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
-')
-
-define(`gen_cats',`decl_cats(0,decr($1))')
-
-########################################
-#
-# gen_sens(N)
-#
-# declares sensitivites s0 to s(N-1) with dominance
-# in increasing numeric order with s0 lowest, s(N-1) highest
-#
-define(`decl_sens',`dnl
-sensitivity s$1;
-ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
-')
-
-define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
-
-define(`gen_sens',`
-# Each sensitivity has a name and zero or more aliases.
-decl_sens(0,decr($1))
-
-# Define the ordering of the sensitivity levels (least to greatest)
-dominance { gen_dominance(0,decr($1)) }
-')
-
-########################################
-#
-# gen_levels(N,M)
-#
-# levels from s0 to (N-1) with categories c0 to (M-1)
-#
-define(`decl_levels',`dnl
-level s$1:c0.c$3;
-ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
-')
-
-define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
-
-########################################
-#
-# Basic level names for system low and high
-#
-define(`mls_systemlow',`s0')
-define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/microdroid/sepolicy/reqd_mask/property_contexts b/microdroid/sepolicy/reqd_mask/property_contexts
deleted file mode 100644
index 8e0bdbb..0000000
--- a/microdroid/sepolicy/reqd_mask/property_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# empty property_contexts file - this file is used to generate an empty
-# non-platform property context for devices without any property_contexts
-# customizations.
diff --git a/microdroid/sepolicy/reqd_mask/reqd_mask.te b/microdroid/sepolicy/reqd_mask/reqd_mask.te
deleted file mode 100644
index f77eef4..0000000
--- a/microdroid/sepolicy/reqd_mask/reqd_mask.te
+++ /dev/null
@@ -1 +0,0 @@
-type reqd_mask_type;
diff --git a/microdroid/sepolicy/reqd_mask/roles b/microdroid/sepolicy/reqd_mask/roles
deleted file mode 100644
index 926cb7a..0000000
--- a/microdroid/sepolicy/reqd_mask/roles
+++ /dev/null
@@ -1 +0,0 @@
-role r types reqd_mask_type;
diff --git a/microdroid/sepolicy/reqd_mask/roles_decl b/microdroid/sepolicy/reqd_mask/roles_decl
deleted file mode 100644
index c84fcba..0000000
--- a/microdroid/sepolicy/reqd_mask/roles_decl
+++ /dev/null
@@ -1 +0,0 @@
-role r;
diff --git a/microdroid/sepolicy/reqd_mask/seapp_contexts b/microdroid/sepolicy/reqd_mask/seapp_contexts
deleted file mode 100644
index 0f4e0ad..0000000
--- a/microdroid/sepolicy/reqd_mask/seapp_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# empty seapp_contexts file - used to generate an empty seapp_contexts for
-# devices without any non-platform seapp_contexts customizations.
diff --git a/microdroid/sepolicy/reqd_mask/security_classes b/microdroid/sepolicy/reqd_mask/security_classes
deleted file mode 100644
index 200b030..0000000
--- a/microdroid/sepolicy/reqd_mask/security_classes
+++ /dev/null
@@ -1,167 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class anon_inode
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Infiniband
-class infiniband_pkey
-class infiniband_endport
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-class smc_socket
-
-class process2
-
-class bpf
-
-class xdp_socket
-
-class perf_event
-
-# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
-class lockdown
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Legacy Keystore key permissions
-class keystore_key # userspace
-
-# Keystore 2.0 permissions
-class keystore2 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/microdroid/sepolicy/reqd_mask/service_contexts b/microdroid/sepolicy/reqd_mask/service_contexts
deleted file mode 100644
index 481967b..0000000
--- a/microdroid/sepolicy/reqd_mask/service_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# empty service_contexts file - this file is used to generate an empty
-# non-platform service_context for devices without any service_contexts
-# customizations.
diff --git a/microdroid/sepolicy/reqd_mask/users b/microdroid/sepolicy/reqd_mask/users
deleted file mode 100644
index 51b7b57..0000000
--- a/microdroid/sepolicy/reqd_mask/users
+++ /dev/null
@@ -1 +0,0 @@
-user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/microdroid/sepolicy/system/private/access_vectors b/microdroid/sepolicy/system/private/access_vectors
deleted file mode 100644
index 22f2ffa..0000000
--- a/microdroid/sepolicy/system/private/access_vectors
+++ /dev/null
@@ -1,777 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
- unlink
- link
- rename
- execute
- quotaon
- mounton
- audit_access
- open
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin
- syslog
- wake_alarm
- block_suspend
- audit_read
- perfmon
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
- watch
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class anon_inode
-inherits file
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
- getrlimit
-}
-
-class process2
-{
- nnp_transition
- nosuid_transition
-}
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
- validate_trans
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_readpriv
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class infiniband_pkey
-{
- access
-}
-
-class infiniband_endport
-{
- manage_subnet
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
- name_connect
- association
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class smc_socket
-inherits socket
-
-class bpf
-{
- map_create
- map_read
- map_write
- prog_load
- prog_run
-}
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class keystore2
-{
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- early_boot_ended
- get_auth_token
- get_state
- list
- lock
- report_off_body
- reset
- unlock
-}
-
-class keystore2_key
-{
- convert_storage_key_to_ephemeral
- delete
- gen_unique_id
- get_info
- grant
- manage_blob
- rebind
- req_forced_op
- update
- use
- use_dev_id
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
-
-class xdp_socket
-inherits socket
-
-class perf_event
-{
- open
- cpu
- kernel
- tracepoint
- read
- write
-}
-
-class lockdown
-{
- integrity
- confidentiality
-}
diff --git a/microdroid/sepolicy/system/private/adbd.te b/microdroid/sepolicy/system/private/adbd.te
deleted file mode 100644
index 2ebf9d8..0000000
--- a/microdroid/sepolicy/system/private/adbd.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute adbd coredomain;
-typeattribute adbd mlstrustedsubject;
-
-init_daemon_domain(adbd)
-
-domain_auto_trans(adbd, shell_exec, shell)
-
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
-
-# Do not sanitize the environment or open fds of the shell. Allow signaling
-# created processes.
-allow adbd shell:process { noatsecure signal };
-
-# Set UID and GID to shell. Set supplementary groups.
-allow adbd self:global_capability_class_set { setuid setgid };
-
-# Drop capabilities from bounding set on user builds.
-allow adbd self:global_capability_class_set setpcap;
-
-# adbd probes for vsock support. Do not generate denials when
-# this occurs. (b/123569840)
-dontaudit adbd self:{ socket vsock_socket } create;
-
-# Allow adbd inside vm to forward vm's vsock.
-allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
-allow adbd tmpfs:dir search;
-
-allow adbd rootfs:dir r_dir_perms;
-
-# Connect to shell and use a socket transferred from it.
-# Used for e.g. abb.
-allow adbd shell:unix_stream_socket { read write shutdown };
-allow adbd shell:fd use;
diff --git a/microdroid/sepolicy/system/private/apexd.te b/microdroid/sepolicy/system/private/apexd.te
deleted file mode 100644
index 621b1a8..0000000
--- a/microdroid/sepolicy/system/private/apexd.te
+++ /dev/null
@@ -1,87 +0,0 @@
-typeattribute apexd coredomain;
-
-init_daemon_domain(apexd)
-
-# allow apexd to create loop devices with /dev/loop-control
-allow apexd loop_control_device:chr_file rw_file_perms;
-# allow apexd to access loop devices
-allow apexd loop_device:blk_file rw_file_perms;
-allowxperm apexd loop_device:blk_file ioctl {
- LOOP_GET_STATUS64
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_CLR_FD
- BLKFLSBUF
- LOOP_CONFIGURE
-};
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
-
-#allow apexd to access virtual disks
-allow apexd vd_device:blk_file r_file_perms;
-
-# allow apexd to access /dev/block/dm-* (device-mapper entries)
-allow apexd dm_device:chr_file rw_file_perms;
-allow apexd dm_device:blk_file rw_file_perms;
-
-# sys_admin is required to access the device-mapper and mount
-# dac_override, chown, and fowner are needed for snapshot and restore
-allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
-
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set. We do not appear to truly need this capability
-# for apexd to operate.
-dontaudit apexd self:global_capability_class_set fsetid;
-
-# allow apexd to create a mount point in /apex
-allow apexd apex_mnt_dir:dir create_dir_perms;
-# allow apexd to mount in /apex
-allow apexd apex_mnt_dir:filesystem { mount unmount };
-allow apexd apex_mnt_dir:dir mounton;
-# allow apexd to create symlinks in /apex
-allow apexd apex_mnt_dir:lnk_file create_file_perms;
-# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
-allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
-allow apexd apex_info_file:file relabelto;
-# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
-allow apexd apex_info_file:file rw_file_perms;
-
-# Unmount and mount filesystems
-allow apexd labeledfs:filesystem { mount unmount };
-
-# /sys directory tree traversal
-allow apexd sysfs_type:dir search;
-# Configure read-ahead of dm-verity and loop devices
-# for dm-X
-allow apexd sysfs_dm:dir r_dir_perms;
-allow apexd sysfs_dm:file rw_file_perms;
-# for loopX
-allow apexd sysfs_loop:dir r_dir_perms;
-allow apexd sysfs_loop:file rw_file_perms;
-
-# Allow apexd to log to the kernel.
-allow apexd kmsg_device:chr_file w_file_perms;
-
-# Apex pre- & post-install permission.
-
-# Allow self-execute for the fork mount helper.
-allow apexd apexd_exec:file execute_no_trans;
-
-# Unshare and make / private so that hooks cannot influence the
-# running system.
-allow apexd rootfs:dir mounton;
-
-# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-
-# Allow apexd to read file contexts when performing restorecon
-allow apexd file_contexts_file:file r_file_perms;
-
-#-------------------------------------------
-allow apexd kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/sepolicy/system/private/apkdmverity.te b/microdroid/sepolicy/system/private/apkdmverity.te
deleted file mode 100644
index 8974a1d..0000000
--- a/microdroid/sepolicy/system/private/apkdmverity.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# apkdmverity is a program that protects a signed APK file using dm-verity.
-
-type apkdmverity, domain, coredomain;
-type apkdmverity_exec, exec_type, file_type, system_file_type;
-
-# allow domain transition from init
-init_daemon_domain(apkdmverity)
-
-# apkdmverity accesses "payload metadata disk" which points to
-# a /dev/vd* block device file.
-allow apkdmverity block_device:dir r_dir_perms;
-allow apkdmverity block_device:lnk_file r_file_perms;
-allow apkdmverity vd_device:blk_file r_file_perms;
-
-# allow apkdmverity to create dm-verity devices
-allow apkdmverity dm_device:{chr_file blk_file} rw_file_perms;
-# sys_admin is required to access the device-mapper and mount
-allow apkdmverity self:global_capability_class_set sys_admin;
-
-# allow apkdmverity to create loop devices with /dev/loop-control
-allow apkdmverity loop_control_device:chr_file rw_file_perms;
-
-# allow apkdmverity to access loop devices
-allow apkdmverity loop_device:blk_file rw_file_perms;
-allowxperm apkdmverity loop_device:blk_file ioctl {
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_DIRECT_IO
-};
diff --git a/microdroid/sepolicy/system/private/attributes b/microdroid/sepolicy/system/private/attributes
deleted file mode 100644
index 991bac1..0000000
--- a/microdroid/sepolicy/system/private/attributes
+++ /dev/null
@@ -1,12 +0,0 @@
-hal_attribute(lazy_test);
-
-# This is applied to apps on vendor images with SDK <=30 only,
-# to exempt them from recent mls changes. It must not be applied
-# to any domain on newer system or vendor image.
-attribute mlsvendorcompat;
-
-# Attributes for property types having both system_property_type
-# and vendor_property_type. Such types are ill-formed because
-# property owner attributes must be exclusive.
-attribute system_and_vendor_property_type;
-expandattribute system_and_vendor_property_type false;
diff --git a/microdroid/sepolicy/system/private/binderservicedomain.te b/microdroid/sepolicy/system/private/binderservicedomain.te
deleted file mode 100644
index 99006bf..0000000
--- a/microdroid/sepolicy/system/private/binderservicedomain.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
-
-use_keystore(binderservicedomain)
diff --git a/microdroid/sepolicy/system/private/bug_map b/microdroid/sepolicy/system/private/bug_map
deleted file mode 100644
index 5b042ae..0000000
--- a/microdroid/sepolicy/system/private/bug_map
+++ /dev/null
@@ -1,35 +0,0 @@
-dnsmasq netd fifo_file b/77868789
-dnsmasq netd unix_stream_socket b/77868789
-gmscore_app system_data_file dir b/146166941
-init app_data_file file b/77873135
-init cache_file blk_file b/77873135
-init logpersist file b/77873135
-init nativetest_data_file dir b/77873135
-init pstorefs dir b/77873135
-init shell_data_file dir b/77873135
-init shell_data_file file b/77873135
-init shell_data_file lnk_file b/77873135
-init shell_data_file sock_file b/77873135
-init system_data_file chr_file b/77873135
-isolated_app privapp_data_file dir b/119596573
-isolated_app app_data_file dir b/120394782
-mediaextractor app_data_file file b/77923736
-mediaextractor radio_data_file file b/77923736
-mediaprovider cache_file blk_file b/77925342
-mediaprovider mnt_media_rw_file dir b/77925342
-mediaprovider shell_data_file dir b/77925342
-mediaswcodec ashmem_device chr_file b/142679232
-netd priv_app unix_stream_socket b/77870037
-netd untrusted_app unix_stream_socket b/77870037
-netd untrusted_app_25 unix_stream_socket b/77870037
-netd untrusted_app_27 unix_stream_socket b/77870037
-netd untrusted_app_29 unix_stream_socket b/77870037
-platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
-system_server overlayfs_file file b/142390309
-system_server sdcardfs file b/77856826
-system_server zygote process b/77856826
-untrusted_app untrusted_app netlink_route_socket b/155595000
-vold system_data_file file b/124108085
-zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
diff --git a/microdroid/sepolicy/system/private/crash_dump.te b/microdroid/sepolicy/system/private/crash_dump.te
deleted file mode 100644
index 90587fa..0000000
--- a/microdroid/sepolicy/system/private/crash_dump.te
+++ /dev/null
@@ -1,71 +0,0 @@
-# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
-# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
-
-allow crash_dump kmsg_debug_device:chr_file { open append };
-
-# Use inherited file descriptors
-allow crash_dump domain:fd use;
-
-# Read/write IPC pipes inherited from crashing processes.
-allow crash_dump domain:fifo_file { read write };
-
-# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { append };
-
-# Read information from /proc/$PID.
-allow crash_dump domain:process getattr;
-
-r_dir_file(crash_dump, domain)
-allow crash_dump exec_type:file r_file_perms;
-
-# Read all /vendor
-r_dir_file(crash_dump, vendor_file)
-
-# Talk to tombstoned
-unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
-
-# Append to tombstone files.
-allow crash_dump tombstone_data_file:file { append getattr };
-
-# crash_dump writes out logcat logs at the bottom of tombstones,
-# which is super useful in some cases.
-unix_socket_connect(crash_dump, logdr, logd)
-
-# Crash dump is not intended to access the following files. Since these
-# are WAI, suppress the denials to clean up the logs.
-dontaudit crash_dump {
- core_data_file_type
- vendor_file_type
-}:dir search;
-dontaudit crash_dump system_data_file:{ lnk_file file } read;
-dontaudit crash_dump property_type:file read;
-
-# Suppress denials for files in /proc that are passed
-# across exec().
-dontaudit crash_dump proc_type:file rw_file_perms;
-
-typeattribute crash_dump coredomain;
-
-# Crash dump does not need to access devices passed across exec().
-dontaudit crash_dump { devpts dev_type }:chr_file { read write };
-
-allow crash_dump {
- domain
- -apexd
- -crash_dump
- -init
- -kernel
- -keystore
- -logd
- -ueventd
- -vendor_init
-}:process { ptrace signal sigchld sigstop sigkill };
-
-userdebug_or_eng(`
- allow crash_dump {
- apexd
- keystore
- logd
- }:process { ptrace signal sigchld sigstop sigkill };
-')
diff --git a/microdroid/sepolicy/system/private/domain.te b/microdroid/sepolicy/system/private/domain.te
deleted file mode 100644
index fe4d072..0000000
--- a/microdroid/sepolicy/system/private/domain.te
+++ /dev/null
@@ -1,254 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
- fork
- sigchld
- sigkill
- sigstop
- signull
- signal
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- getattr
- setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net_type:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-# Root fs.
-allow domain tmpfs:dir { getattr search };
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-
-# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain proc_random:dir r_dir_perms;
-allow domain proc_random:file r_file_perms;
-allow domain properties_device:dir { search getattr };
-allow domain properties_serial:file r_file_perms;
-allow domain property_info:file r_file_perms;
-
-allow domain property_contexts_file:file r_file_perms;
-
-dontaudit domain property_type:file audit_access;
-
-allow domain init:key search;
-
-# logd access
-unix_socket_send(domain, logdw, logd)
-
-# Directory/link file access for path resolution.
-allow domain {
- system_file
- system_lib_file
- system_seccomp_policy_file
- system_security_cacerts_file
-}:dir r_dir_perms;
-allow domain system_file:lnk_file { getattr read };
-
-# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
-allow domain system_seccomp_policy_file:file r_file_perms;
-# cacerts are accessible from public Java API.
-allow domain system_security_cacerts_file:file r_file_perms;
-allow domain system_group_file:file r_file_perms;
-allow domain system_passwd_file:file r_file_perms;
-allow domain system_linker_exec:file { execute read open getattr map };
-allow domain system_linker_config_file:file r_file_perms;
-allow domain system_lib_file:file { execute read open getattr map };
-# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
-allow domain system_linker_exec:lnk_file { read open getattr };
-allow domain system_lib_file:lnk_file { read open getattr };
-
-allow domain system_event_log_tags_file:file r_file_perms;
-
-allow coredomain system_file:file { execute read open getattr map };
-
-# All domains get access to /vendor/etc
-allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr map };
-
-# Allow all domains to be able to follow /system/vendor and/or
-# /vendor/odm symlinks.
-allow domain vendor_file_type:lnk_file { getattr open read };
-
-# This is required to be able to search & read /vendor/lib64
-# in order to lookup vendor libraries. The execute permission
-# for coredomains is granted *only* for same process HALs
-allow domain vendor_file:dir { getattr search };
-
-# Allow reading and executing out of /vendor to all vendor domains
-allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
-allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
-allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
-
-# read and stat any sysfs symlinks
-allow domain sysfs:lnk_file { getattr read };
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
-# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
-allow domain sysfs_transparent_hugepage:dir search;
-allow domain sysfs_transparent_hugepage:file r_file_perms;
-
-allow coredomain system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
-allow domain system_data_root_file:dir { search getattr } ;
-allow domain system_data_file:dir search;
-# TODO restrict this to non-coredomain
-allow domain vendor_data_file:dir { getattr search };
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
-allow domain proc_perf:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_tracing_debug:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# Restrict all domains to an allowlist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
-allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
- ioctl unpriv_unix_sock_ioctls;
-
-# Restrict PTYs to only allowed ioctls.
-# Note that granting this allowlist to domain does
-# not grant the wider ioctl permission. That must be granted
-# separately.
-allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-
-# All domains must clearly enumerate what ioctls they use
-# on filesystem objects (plain files, directories, symbolic links,
-# named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
-
-# If a domain has ioctl access to tun_device, it must clearly enumerate the
-# ioctls used. Safe defaults are listed below.
-allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
-
-# Allow a process to make a determination whether a file descriptor
-# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this allowlist to domain does not grant the ioctl permission to
-# these files. That must be granted separately.
-allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
-allowxperm domain domain:fifo_file ioctl { TCGETS };
-
-# If a domain has access to perform an ioctl on a block device, allow these
-# very common, benign ioctls
-allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
-
-# read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir { getattr search };
-allow domain apex_mnt_dir:lnk_file r_file_perms;
-
-allow domain self:global_capability_class_set audit_control;
-allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-
-# workaround for supressing property accesses.
-# TODO: remove these
-set_prop(domain, property_type -vmsecret_keymint_prop)
-# auditallow { domain -init } property_type:property_service set;
-# auditallow { domain -init } property_type:file rw_file_perms;
-
-allow domain linkerconfig_file:dir search;
-allow domain linkerconfig_file:file r_file_perms;
-
-#-----------------------------------------
-# Path resolution access in cgroups.
-allow domain cgroup:dir search;
-allow { domain } cgroup:dir w_dir_perms;
-allow { domain } cgroup:file w_file_perms;
-
-allow domain cgroup_v2:dir search;
-allow { domain } cgroup_v2:dir w_dir_perms;
-allow { domain } cgroup_v2:file w_file_perms;
-
-allow domain cgroup_rc_file:dir search;
-allow domain cgroup_rc_file:file r_file_perms;
-allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
-
-#-----------------------------------------
-# Allow access to fsverity keyring.
-allow domain kernel:key search;
-
-# Transition to crash_dump when /system/bin/crash_dump* is executed.
-# This occurs when the process crashes.
-# We do not apply this to the su domain to avoid interfering with
-# tests (b/114136122)
-domain_auto_trans(domain, crash_dump_exec, crash_dump);
-allow domain crash_dump:process sigchld;
diff --git a/microdroid/sepolicy/system/private/file.te b/microdroid/sepolicy/system/private/file.te
deleted file mode 100644
index 1989d7e..0000000
--- a/microdroid/sepolicy/system/private/file.te
+++ /dev/null
@@ -1,12 +0,0 @@
-allow fs_type self:filesystem associate;
-allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow proc_net proc:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow system_data_file tmpfs:filesystem associate;
diff --git a/microdroid/sepolicy/system/private/file_contexts b/microdroid/sepolicy/system/private/file_contexts
deleted file mode 100644
index 97e756d..0000000
--- a/microdroid/sepolicy/system/private/file_contexts
+++ /dev/null
@@ -1,166 +0,0 @@
-###########################################
-# Root
-/ u:object_r:rootfs:s0
-
-# Data files
-/build\.prop u:object_r:rootfs:s0
-/init\..* u:object_r:rootfs:s0
-
-# Executables
-/init u:object_r:init_exec:s0
-
-# For kernel modules
-/lib(/.*)? u:object_r:rootfs:s0
-
-# Empty directories
-/lost\+found u:object_r:rootfs:s0
-/debug_ramdisk u:object_r:tmpfs:s0
-/mnt u:object_r:tmpfs:s0
-/proc u:object_r:rootfs:s0
-/second_stage_resources u:object_r:tmpfs:s0
-/sys u:object_r:sysfs:s0
-/apex u:object_r:apex_mnt_dir:s0
-
-/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
-
-# Symlinks
-/bin u:object_r:rootfs:s0
-/d u:object_r:rootfs:s0
-/etc u:object_r:rootfs:s0
-
-##########################
-# Devices
-#
-/dev(/.*)? u:object_r:device:s0
-/dev/ashmem u:object_r:ashmem_device:s0
-/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
-/dev/binder u:object_r:binder_device:s0
-/dev/block(/.*)? u:object_r:block_device:s0
-/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
-/dev/block/loop[0-9]* u:object_r:loop_device:s0
-/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
-/dev/block/ram[0-9]* u:object_r:ram_device:s0
-/dev/block/zram[0-9]* u:object_r:ram_device:s0
-/dev/console u:object_r:console_device:s0
-/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
-/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
-/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
-/dev/device-mapper u:object_r:dm_device:s0
-/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
-/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
-/dev/fuse u:object_r:fuse_device:s0
-/dev/hw_random u:object_r:hw_random_device:s0
-/dev/hwbinder u:object_r:hwbinder_device:s0
-/dev/loop-control u:object_r:loop_control_device:s0
-/dev/ppp u:object_r:ppp_device:s0
-/dev/ptmx u:object_r:ptmx_device:s0
-/dev/kmsg u:object_r:kmsg_device:s0
-/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
-/dev/kvm u:object_r:kvm_device:s0
-/dev/null u:object_r:null_device:s0
-/dev/random u:object_r:random_device:s0
-/dev/rtc[0-9] u:object_r:rtc_device:s0
-/dev/socket(/.*)? u:object_r:socket_device:s0
-/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/logd u:object_r:logd_socket:s0
-/dev/socket/logdr u:object_r:logdr_socket:s0
-/dev/socket/logdw u:object_r:logdw_socket:s0
-/dev/socket/property_service u:object_r:property_socket:s0
-/dev/socket/statsdw u:object_r:statsdw_socket:s0
-/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
-/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
-/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
-/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
-/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
-/dev/tty u:object_r:owntty_device:s0
-/dev/tty[0-9]* u:object_r:tty_device:s0
-/dev/ttyS[0-9]* u:object_r:serial_device:s0
-/dev/tun u:object_r:tun_device:s0
-/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:uhid_device:s0
-/dev/uio[0-9]* u:object_r:uio_device:s0
-/dev/urandom u:object_r:random_device:s0
-/dev/vhost-vsock u:object_r:kvm_device:s0
-/dev/vndbinder u:object_r:vndbinder_device:s0
-/dev/zero u:object_r:zero_device:s0
-/dev/__properties__ u:object_r:properties_device:s0
-/dev/__properties__/property_info u:object_r:property_info:s0
-#############################
-# Linker configuration
-#
-/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
-#############################
-# System files
-#
-/system(/.*)? u:object_r:system_file:s0
-/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
-/system/bin/apexd u:object_r:apexd_exec:s0
-/system/bin/linker(64)? u:object_r:system_linker_exec:s0
-/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
-/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
-/system/bin/init u:object_r:init_exec:s0
-/system/bin/keystore2 u:object_r:keystore_exec:s0
-/system/bin/logcat -- u:object_r:logcat_exec:s0
-/system/bin/logd u:object_r:logd_exec:s0
-/system/bin/run-as -- u:object_r:runas_exec:s0
-/system/bin/sh -- u:object_r:shell_exec:s0
-/system/bin/tombstoned u:object_r:tombstoned_exec:s0
-/system/bin/toolbox -- u:object_r:toolbox_exec:s0
-/system/bin/toybox -- u:object_r:toolbox_exec:s0
-/system/bin/zipfuse u:object_r:zipfuse_exec:s0
-/system/bin/microdroid_launcher u:object_r:microdroid_app_exec:s0
-/system/bin/microdroid_manager u:object_r:microdroid_manager_exec:s0
-/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
-/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
-/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
-/system/etc/group u:object_r:system_group_file:s0
-/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
-/system/etc/passwd u:object_r:system_passwd_file:s0
-/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
-/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
-/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
-/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
-/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
-/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
-
-#############################
-# Vendor files
-#
-/vendor(/.*)? u:object_r:vendor_file:s0
-/vendor/etc(/.*)? u:object_r:vendor_configs_file:s0
-/vendor/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
-
-#############################
-# Data files
-#
-# NOTE: When modifying existing label rules, changes may also need to
-# propagate to the "Expanded data files" section.
-#
-/data u:object_r:system_data_root_file:s0
-/data/(.*)? u:object_r:system_data_file:s0
-/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
-/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
-/data/local/traces(/.*)? u:object_r:trace_data_file:s0
-/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
-/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/vendor(/.*)? u:object_r:vendor_data_file:s0
-
-# microdroid doesn't use anr, but tombstoned tries to read this.
-# So marking /data/anr as tombstone_data_file
-/data/anr(/.*)? u:object_r:tombstone_data_file:s0
diff --git a/microdroid/sepolicy/system/private/fs_use b/microdroid/sepolicy/system/private/fs_use
deleted file mode 100644
index 93d7f1b..0000000
--- a/microdroid/sepolicy/system/private/fs_use
+++ /dev/null
@@ -1,27 +0,0 @@
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-fs_use_xattr f2fs u:object_r:labeledfs:s0;
-fs_use_xattr squashfs u:object_r:labeledfs:s0;
-fs_use_xattr overlay u:object_r:labeledfs:s0;
-fs_use_xattr erofs u:object_r:labeledfs:s0;
-fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
-fs_use_xattr virtiofs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
diff --git a/microdroid/sepolicy/system/private/genfs_contexts b/microdroid/sepolicy/system/private/genfs_contexts
deleted file mode 100644
index 3499aa0..0000000
--- a/microdroid/sepolicy/system/private/genfs_contexts
+++ /dev/null
@@ -1,378 +0,0 @@
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-genfscon proc /asound u:object_r:proc_asound:s0
-genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
-genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
-genfscon proc /cmdline u:object_r:proc_cmdline:s0
-genfscon proc /config.gz u:object_r:config_gz:s0
-genfscon proc /diskstats u:object_r:proc_diskstats:s0
-genfscon proc /filesystems u:object_r:proc_filesystems:s0
-genfscon proc /interrupts u:object_r:proc_interrupts:s0
-genfscon proc /iomem u:object_r:proc_iomem:s0
-genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
-genfscon proc /keys u:object_r:proc_keys:s0
-genfscon proc /kmsg u:object_r:proc_kmsg:s0
-genfscon proc /loadavg u:object_r:proc_loadavg:s0
-genfscon proc /locks u:object_r:proc_locks:s0
-genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
-genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /misc u:object_r:proc_misc:s0
-genfscon proc /modules u:object_r:proc_modules:s0
-genfscon proc /mounts u:object_r:proc_mounts:s0
-genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
-genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
-genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
-genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
-genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
-genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
-genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
-genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
-genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
-genfscon proc /softirqs u:object_r:proc_timer:s0
-genfscon proc /stat u:object_r:proc_stat:s0
-genfscon proc /swaps u:object_r:proc_swaps:s0
-genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
-genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
-genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
-genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
-genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
-genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
-genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
-genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
-genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
-genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
-genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
-genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/random u:object_r:proc_random:s0
-genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
-genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
-genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
-genfscon proc /sys/net u:object_r:proc_net:s0
-genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
-genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
-genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
-genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
-genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
-genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
-genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
-genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
-genfscon proc /timer_list u:object_r:proc_timer:s0
-genfscon proc /timer_stats u:object_r:proc_timer:s0
-genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
-genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
-genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
-genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
-genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
-genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
-genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
-genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
-genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
-genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
-genfscon proc /uptime u:object_r:proc_uptime:s0
-genfscon proc /version u:object_r:proc_version:s0
-genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
-genfscon proc /vmstat u:object_r:proc_vmstat:s0
-genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
-
-genfscon fusectl / u:object_r:fusectlfs:s0
-
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_v2:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
-genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
-genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
-genfscon sysfs /class/net u:object_r:sysfs_net:s0
-genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
-genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
-genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
-genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
-genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
-genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
-genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
-genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
-genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
-genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
-genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
-genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
-genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
-genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
-genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
-genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
-genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
-genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
-genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
-genfscon sysfs /power/state u:object_r:sysfs_power:s0
-genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
-genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
-genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
-genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
-genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
-genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
-genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
-genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
-genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
-genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
-genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
-genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
-genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
-genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
-genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
-genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
-
-genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
-genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
-genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
-genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
-genfscon tracefs /trace u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
-genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
-
-genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
-genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
-genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
-genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
-genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
-genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
-genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
-genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
-genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
-genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
-genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
-
-genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-
-genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-
-genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
-genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
-genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
-genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
-genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
-genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
-
-genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
-
-genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
-
-genfscon securityfs / u:object_r:securityfs:s0
-
-genfscon binder /binder u:object_r:binder_device:s0
-genfscon binder /hwbinder u:object_r:hwbinder_device:s0
-genfscon binder /vndbinder u:object_r:vndbinder_device:s0
-genfscon binder /binder_logs u:object_r:binderfs_logs:s0
-genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
-
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:vfat:s0
-genfscon binder / u:object_r:binderfs:s0
-genfscon exfat / u:object_r:exfat:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:fuse:s0
-genfscon configfs / u:object_r:configfs:s0
-genfscon sdcardfs / u:object_r:sdcardfs:s0
-genfscon esdfs / u:object_r:sdcardfs:s0
-genfscon pstore / u:object_r:pstorefs:s0
-genfscon functionfs / u:object_r:functionfs:s0
-genfscon usbfs / u:object_r:usbfs:s0
-genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
-genfscon bpf / u:object_r:fs_bpf:s0
-genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/microdroid/sepolicy/system/private/halclientdomain.te b/microdroid/sepolicy/system/private/halclientdomain.te
deleted file mode 100644
index 5f2afb3..0000000
--- a/microdroid/sepolicy/system/private/halclientdomain.te
+++ /dev/null
@@ -1,10 +0,0 @@
-###
-### Rules for all domains which are clients of a HAL
-###
-
-# Find out whether a HAL in passthrough/in-process mode or
-# binderized/out-of-process mode
-hwbinder_use(halclientdomain)
-
-# Wait for HAL server to be up (used by getService)
-allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/microdroid/sepolicy/system/private/hwservice_contexts b/microdroid/sepolicy/system/private/hwservice_contexts
deleted file mode 100644
index 9b47b06..0000000
--- a/microdroid/sepolicy/system/private/hwservice_contexts
+++ /dev/null
@@ -1,7 +0,0 @@
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
-android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
-android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
-android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
-android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-* u:object_r:default_android_hwservice:s0
diff --git a/microdroid/sepolicy/system/private/hwservicemanager.te b/microdroid/sepolicy/system/private/hwservicemanager.te
deleted file mode 100644
index 17456db..0000000
--- a/microdroid/sepolicy/system/private/hwservicemanager.te
+++ /dev/null
@@ -1,25 +0,0 @@
-typeattribute hwservicemanager coredomain;
-
-init_daemon_domain(hwservicemanager)
-
-allow hwservicemanager vendor_configs_file:file { open getattr };
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
-
-add_hwservice(hwservicemanager, hidl_manager_hwservice)
-add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/microdroid/sepolicy/system/private/init.te b/microdroid/sepolicy/system/private/init.te
deleted file mode 100644
index ff3f6f5..0000000
--- a/microdroid/sepolicy/system/private/init.te
+++ /dev/null
@@ -1,446 +0,0 @@
-typeattribute init coredomain;
-
-tmpfs_domain(init)
-
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, vendor_init)
-
-# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
-# This is useful in case of remounting ext4 userdata into checkpointing mode,
-# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
-# that userdata is mounted onto.
-allow init sysfs_dm:file read;
-
-# Second-stage init performs a test for whether the kernel has SELinux hooks
-# for the perf_event_open() syscall. This is done by testing for the syscall
-# outcomes corresponding to this policy.
-allow init self:perf_event { open cpu };
-allow init self:global_capability2_class_set perfmon;
-dontaudit init self:perf_event { kernel tracepoint read write };
-
-# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
-# /dev/block.
-allow init vd_device:blk_file relabelto;
-
-# chown/chmod on devices.
-allow init {
- dev_type
- -hw_random_device
- -kvm_device
-}:chr_file setattr;
-
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
-allow init properties_device:file create_file_perms;
-allow init property_info:file relabelto;
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
-# /dev/socket
-allow init { device socket_device dm_user_device }:dir relabelto;
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
-# /dev/device-mapper, /dev/block(/.*)?
-allow init tmpfs:{ chr_file blk_file } relabelfrom;
-allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file lnk_file } relabelto;
-allow init dm_device:{ chr_file blk_file } relabelto;
-allow init dm_user_device:chr_file relabelto;
-allow init kernel:fd use;
-# restorecon for early mount device symlinks
-allow init tmpfs:lnk_file { getattr read relabelfrom };
-
-# setrlimit
-allow init self:global_capability_class_set sys_resource;
-
-# Remove /dev/.booting and load /debug_ramdisk/* files
-allow init tmpfs:file { getattr unlink };
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:global_capability_class_set sys_admin;
-
-# Call setns(2).
-allow init self:global_capability_class_set sys_chroot;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init {
- rootfs
- cgroup
- linkerconfig_file
- system_data_file
- system_data_root_file
- system_file
- vendor_file
-}:dir mounton;
-
-# Mount bpf fs on sys/fs/bpf
-allow init fs_bpf:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Mount tmpfs on /apex
-allow init apex_mnt_dir:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-allow init cgroup:file rw_file_perms;
-allow init cgroup_rc_file:file rw_file_perms;
-allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
-allow init cgroup_v2:dir { mounton create_dir_perms};
-allow init cgroup_v2:file rw_file_perms;
-
-# Use tmpfs as /data, used for booting when /data is encrypted
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set { dac_override dac_read_search };
-
-allow init self:global_capability_class_set { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-allowxperm init dev_type:blk_file ioctl BLKROSET;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init {
- fs_type
-}:filesystem ~relabelto;
-
-# Allow init to mount tracefs in /sys/kernel/tracing
-allow init debugfs_tracing_debug:filesystem mount;
-
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:global_capability_class_set { chown fowner fsetid };
-
-allow init {
- file_type
- -exec_type
- -system_file_type
- -vendor_file_type
-}:dir { create search getattr open read setattr ioctl };
-
-allow init {
- file_type
- -exec_type
- -keystore_data_file
- -shell_data_file
- -system_file_type
- -vendor_file_type
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow init {
- file_type
- -apex_info_file
- -exec_type
- -keystore_data_file
- -runtime_event_log_tags_file
- -shell_data_file
- -system_file_type
- -vendor_file_type
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow init tracefs_type:file { create_file_perms relabelfrom };
-
-allow init {
- file_type
- -exec_type
- -keystore_data_file
- -shell_data_file
- -system_file_type
- -vendor_file_type
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow init {
- file_type
- -apex_mnt_dir
- -exec_type
- -keystore_data_file
- -shell_data_file
- -system_file_type
- -vendor_file_type
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow init {
- file_type
- -system_file_type
- -vendor_file_type
- -exec_type
-}:dir_file_class_set relabelto;
-
-allow init { sysfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# chown/chmod on pseudo files.
-allow init {
- fs_type
- -contextmount_type
- -proc_type
- -fusefs_type
- -sysfs_type
- -rootfs
-}:file { open read setattr };
-allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
-
-allow init {
- binder_device
- console_device
- devpts
- dm_device
- hwbinder_device
- kmsg_device
- null_device
- owntty_device
- ptmx_device
- random_device
- tty_device
- zero_device
-}:chr_file { read open };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:global_capability2_class_set syslog;
-
-# init access to /proc.
-r_dir_file(init, proc_net_type)
-allow init proc_filesystems:file r_file_perms;
-
-allow init {
- proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
- proc_bootconfig
- proc_cmdline
- proc_diskstats
- proc_kmsg # Open /proc/kmsg for logd service.
- proc_meminfo
- proc_stat # Read /proc/stat for bootchart.
- proc_uptime
- proc_version
-}:file r_file_perms;
-
-allow init {
- proc_abi
- proc_dirty
- proc_hostname
- proc_hung_task
- proc_extra_free_kbytes
- proc_net_type
- proc_max_map_count
- proc_min_free_order_shift
- proc_overcommit_memory # /proc/sys/vm/overcommit_memory
- proc_panic
- proc_page_cluster
- proc_perf
- proc_sched
- proc_sysrq
-}:file w_file_perms;
-
-allow init {
- proc_security
-}:file rw_file_perms;
-
-# init chmod/chown access to /proc files.
-allow init {
- proc_cmdline
- proc_bootconfig
- proc_kmsg
- proc_net
- proc_pagetypeinfo
- proc_qtaguid_stat
- proc_slabinfo
- proc_sysrq
- proc_qtaguid_ctrl
- proc_vmallocinfo
-}:file setattr;
-
-# init access to /sys files.
-allow init {
- sysfs_android_usb
- sysfs_dm_verity
- sysfs_leds
- sysfs_power
- sysfs_fs_f2fs
- sysfs_dm
-}:file w_file_perms;
-
-allow init {
- sysfs_dt_firmware_android
- sysfs_fs_ext4_features
-}:file r_file_perms;
-
-allow init {
- sysfs_zram
-}:file rw_file_perms;
-
-# allow init to create loop devices with /dev/loop-control
-allow init loop_control_device:chr_file rw_file_perms;
-allow init loop_device:blk_file rw_file_perms;
-allowxperm init loop_device:blk_file ioctl {
- LOOP_SET_FD
- LOOP_CLR_FD
- LOOP_CTL_GET_FREE
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_GET_STATUS
-};
-
-# init chmod/chown access to /sys files.
-allow init {
- sysfs_android_usb
- sysfs_devices_system_cpu
- sysfs_ipv4
- sysfs_leds
- sysfs_lowmemorykiller
- sysfs_power
- sysfs_vibrator
- sysfs_wake_lock
- sysfs_zram
-}:file setattr;
-
-allow init self:global_capability_class_set net_admin;
-
-# Reboot.
-allow init self:global_capability_class_set sys_boot;
-
-# Support "adb shell stop"
-allow init self:global_capability_class_set kill;
-allow init domain:process { getpgid sigkill signal };
-
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID, GID, and adjust capability bounding set for services.
-allow init self:global_capability_class_set { setuid setgid setpcap };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Get file context
-allow init file_contexts_file:file r_file_perms;
-
-# sepolicy access
-allow init sepolicy_file:file r_file_perms;
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind setopt };
-allow init domain:unix_dgram_socket { create bind setopt };
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Send an SELinux userspace denial to the kernel audit subsystem,
-# so it can be picked up and processed by logd. These denials are
-# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:global_capability_class_set audit_write;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:global_capability_class_set net_raw;
-
-# Set scheduling info for psi monitor thread.
-# TODO: delete or revise this line b/131761776
-allow init kernel:process { getsched setsched };
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO: Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-r_dir_file(init, system_file)
-r_dir_file(init, vendor_file_type)
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-# Allow init to touch PSI monitors
-allow init proc_pressure_mem:file { rw_file_perms setattr };
-
-# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
-
-# stat the root dir of fuse filesystems (for the mount handler)
-allow init fuse:dir { search getattr };
-
-set_prop(init, property_type)
diff --git a/microdroid/sepolicy/system/private/initial_sid_contexts b/microdroid/sepolicy/system/private/initial_sid_contexts
deleted file mode 100644
index 9819051..0000000
--- a/microdroid/sepolicy/system/private/initial_sid_contexts
+++ /dev/null
@@ -1,27 +0,0 @@
-sid kernel u:r:kernel:s0
-sid security u:object_r:kernel:s0
-sid unlabeled u:object_r:unlabeled:s0
-sid fs u:object_r:labeledfs:s0
-sid file u:object_r:unlabeled:s0
-sid file_labels u:object_r:unlabeled:s0
-sid init u:object_r:unlabeled:s0
-sid any_socket u:object_r:unlabeled:s0
-sid port u:object_r:port:s0
-sid netif u:object_r:netif:s0
-sid netmsg u:object_r:unlabeled:s0
-sid node u:object_r:node:s0
-sid igmp_packet u:object_r:unlabeled:s0
-sid icmp_socket u:object_r:unlabeled:s0
-sid tcp_socket u:object_r:unlabeled:s0
-sid sysctl_modprobe u:object_r:unlabeled:s0
-sid sysctl u:object_r:proc:s0
-sid sysctl_fs u:object_r:unlabeled:s0
-sid sysctl_kernel u:object_r:unlabeled:s0
-sid sysctl_net u:object_r:unlabeled:s0
-sid sysctl_net_unix u:object_r:unlabeled:s0
-sid sysctl_vm u:object_r:unlabeled:s0
-sid sysctl_dev u:object_r:unlabeled:s0
-sid kmod u:object_r:unlabeled:s0
-sid policy u:object_r:unlabeled:s0
-sid scmp_packet u:object_r:unlabeled:s0
-sid devnull u:object_r:null_device:s0
diff --git a/microdroid/sepolicy/system/private/initial_sids b/microdroid/sepolicy/system/private/initial_sids
deleted file mode 100644
index 91ac816..0000000
--- a/microdroid/sepolicy/system/private/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/microdroid/sepolicy/system/private/kernel.te b/microdroid/sepolicy/system/private/kernel.te
deleted file mode 100644
index 1d03c4a..0000000
--- a/microdroid/sepolicy/system/private/kernel.te
+++ /dev/null
@@ -1,83 +0,0 @@
-typeattribute kernel coredomain;
-
-domain_auto_trans(kernel, init_exec, init)
-
-# The following sections are for the transition period during a Virtual A/B
-# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
-# context, and with properly labelled devices. This must be done before
-# enabling enforcement, eg, in permissive mode while still in the kernel
-# context.
-allow kernel tmpfs:blk_file { getattr relabelfrom };
-allow kernel tmpfs:chr_file { getattr relabelfrom };
-allow kernel tmpfs:lnk_file { getattr relabelfrom };
-allow kernel tmpfs:dir { open read relabelfrom };
-
-allow kernel block_device:blk_file relabelto;
-allow kernel block_device:lnk_file relabelto;
-allow kernel dm_device:chr_file relabelto;
-allow kernel dm_device:blk_file relabelto;
-allow kernel dm_user_device:dir { read open search relabelto };
-allow kernel dm_user_device:chr_file relabelto;
-allow kernel kmsg_device:chr_file relabelto;
-allow kernel null_device:chr_file relabelto;
-allow kernel random_device:chr_file relabelto;
-allow kernel kmsg_device:chr_file write;
-allow kernel vd_device:blk_file read;
-
-allow kernel self:global_capability_class_set sys_nice;
-
-# Root fs.
-r_dir_file(kernel, rootfs)
-
-# Used to read androidboot.selinux property
-allow kernel {
- proc_bootconfig
- proc_cmdline
-}:file r_file_perms;
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Get file contexts during first stage
-allow kernel file_contexts_file:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:global_capability_class_set sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/kmsg which was created prior to loading policy.
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel { sdcard_type fuse }:file { read write };
-
-# Allow the kernel to read APEX file descriptors and (staged) data files;
-# Needed because APEX uses the loopback driver, which issues requests from
-# a kernel thread in earlier kernel version.
-allow kernel apexd:fd use;
-
-#-----------------------------------------
-allow kernel apkdmverity:fd use;
diff --git a/microdroid/sepolicy/system/private/keys.conf b/microdroid/sepolicy/system/private/keys.conf
deleted file mode 100644
index 362e73d..0000000
--- a/microdroid/sepolicy/system/private/keys.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# Maps an arbitrary tag [TAGNAME] with the string contents found in
-# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
-# name it after the base file name of the pem file.
-#
-# Each tag (section) then allows one to specify any string found in
-# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
-# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
-#
-
-[@PLATFORM]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
-
-[@MEDIA]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
-
-[@NETWORK_STACK]
-ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
-
-[@SHARED]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
-
-# Example of ALL TARGET_BUILD_VARIANTS
-[@RELEASE]
-ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-
diff --git a/microdroid/sepolicy/system/private/keystore.te b/microdroid/sepolicy/system/private/keystore.te
deleted file mode 100644
index ac3ada1..0000000
--- a/microdroid/sepolicy/system/private/keystore.te
+++ /dev/null
@@ -1,15 +0,0 @@
-typeattribute keystore coredomain;
-
-init_daemon_domain(keystore)
-
-# talk to keymint
-hal_client_domain(keystore, hal_keymint)
-
-# Allow keystore to write to statsd.
-unix_socket_send(keystore, statsdw, statsd)
-
-# Keystore need access to the keystore_key context files to load the keystore key backend.
-allow keystore keystore2_key_contexts_file:file r_file_perms;
-
-# microdroid doesn't use keymaster HAL
-dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
diff --git a/microdroid/sepolicy/system/private/keystore2_key_contexts b/microdroid/sepolicy/system/private/keystore2_key_contexts
deleted file mode 100644
index 02cdd5e..0000000
--- a/microdroid/sepolicy/system/private/keystore2_key_contexts
+++ /dev/null
@@ -1,11 +0,0 @@
-# Keystore 2.0 key contexts.
-# This file defines Keystore 2.0 namespaces and maps them to labels.
-# Format:
-# <namespace> <label>
-#
-# <namespace> must be an integer in the interval [0 ... 2^31)
-
-# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
-# TODO(b/191843770): sort out a longer term policy
-140 u:object_r:vm_payload_key:s0
-
diff --git a/microdroid/sepolicy/system/private/linkerconfig.te b/microdroid/sepolicy/system/private/linkerconfig.te
deleted file mode 100644
index 4d8db0c..0000000
--- a/microdroid/sepolicy/system/private/linkerconfig.te
+++ /dev/null
@@ -1,21 +0,0 @@
-type linkerconfig, domain, coredomain;
-type linkerconfig_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(linkerconfig)
-
-## Read and write linkerconfig subdirectory.
-allow linkerconfig linkerconfig_file:dir create_dir_perms;
-allow linkerconfig linkerconfig_file:file create_file_perms;
-
-# Allow linkerconfig to log to the kernel.
-allow linkerconfig kmsg_device:chr_file w_file_perms;
-
-# Allow linkerconfig to be invoked with logwrapper from init.
-allow linkerconfig devpts:chr_file { read write };
-
-# Allow linkerconfig to scan for apex modules
-allow linkerconfig apex_mnt_dir:dir r_dir_perms;
-
-# Allow linkerconfig to read apex-info-list.xml
-allow linkerconfig apex_info_file:file r_file_perms;
-
diff --git a/microdroid/sepolicy/system/private/logd.te b/microdroid/sepolicy/system/private/logd.te
deleted file mode 100644
index 0cc6e96..0000000
--- a/microdroid/sepolicy/system/private/logd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-typeattribute logd coredomain;
-
-init_daemon_domain(logd)
-
-allow logd adbd:dir search;
-allow logd adbd:file { getattr open read };
-allow logd device:dir search;
-allow logd hwservicemanager:dir search;
-allow logd hwservicemanager:file { open read };
-allow logd init:dir search;
-allow logd init:fd use;
-allow logd init:file { getattr open read };
-allow logd kernel:dir search;
-allow logd kernel:file { getattr open read };
-allow logd kernel:system { syslog_mod syslog_read };
-allow logd keystore:dir search;
-allow logd keystore:file { getattr open read };
-allow logd linkerconfig_file:dir search;
-allow logd microdroid_manager:dir search;
-allow logd microdroid_manager:file { getattr open read };
-allow logd null_device:chr_file { open read };
-#allow logd proc_kmsg:file read;
-r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
-r_dir_file(logd, proc_kmsg)
-r_dir_file(logd, proc_meminfo)
-allow logd self:fifo_file { read write };
-allow logd self:file { getattr open read };
-allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
-allow logd self:global_capability2_class_set syslog;
-#allow logd self:netlink_audit_socket getopt;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kmsg_device:chr_file { getattr w_file_perms };
-r_dir_file(logd, domain)
-allow logd self:unix_stream_socket { accept getopt setopt shutdown };
-allow logd servicemanager:dir search;
-allow logd servicemanager:file { open read };
-allow logd tombstoned:dir search;
-allow logd tombstoned:file { getattr open read };
-allow logd ueventd:dir search;
-allow logd ueventd:file { getattr open read };
-control_logd(logd)
-read_runtime_log_tags(logd)
diff --git a/microdroid/sepolicy/system/private/mac_permissions.xml b/microdroid/sepolicy/system/private/mac_permissions.xml
deleted file mode 100644
index 7fc37c1..0000000
--- a/microdroid/sepolicy/system/private/mac_permissions.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-
-<!--
-
- * A signature is a hex encoded X.509 certificate or a tag defined in
- keys.conf and is required for each signer tag. The signature can
- either appear as a set of attached cert child tags or as an attribute.
- * A signer tag must contain a seinfo tag XOR multiple package stanzas.
- * Each signer/package tag is allowed to contain one seinfo tag. This tag
- represents additional info that each app can use in setting a SELinux security
- context on the eventual process as well as the apps data directory.
- * seinfo assignments are made according to the following rules:
- - Stanzas with package name refinements will be checked first.
- - Stanzas w/o package name refinements will be checked second.
- - The "default" seinfo label is automatically applied.
-
- * valid stanzas can take one of the following forms:
-
- // single cert protecting seinfo
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- // multiple certs protecting seinfo (all contained certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <seinfo value="platform" />
- </signer>
-
- // single cert protecting explicitly named app
- <signer signature="@PLATFORM" >
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
-
- // multiple certs protecting explicitly named app (all certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
--->
-
- <!-- Platform dev key in AOSP -->
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- <!-- Media key in AOSP -->
- <signer signature="@MEDIA" >
- <seinfo value="media" />
- </signer>
-
- <signer signature="@NETWORK_STACK" >
- <seinfo value="network_stack" />
- </signer>
-</policy>
diff --git a/microdroid/sepolicy/system/private/microdroid_app.te b/microdroid/sepolicy/system/private/microdroid_app.te
deleted file mode 100644
index 820ec68..0000000
--- a/microdroid/sepolicy/system/private/microdroid_app.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# microdroid_app is a domain for microdroid_launcher, which is a binary that
-# loads a shared library from an apk and executes it by calling an entry point
-# in the library. This can be considered as the native counterpart of
-# app_process for Java.
-#
-# Both microdroid_launcher and payload from the shared library run in the
-# context of microdroid_app.
-
-type microdroid_app, domain, coredomain;
-type microdroid_app_exec, exec_type, file_type, system_file_type;
-
-# Allow to communicate use, read and write over the adb connection.
-allow microdroid_app adbd:fd use;
-allow microdroid_app adbd:unix_stream_socket { read write };
-
-# microdroid_launcher is launched by microdroid_manager with fork/execvp.
-allow microdroid_app microdroid_manager:fd use;
-
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
- allow microdroid_app shell:fd use;
-')
-
-# Allow to use terminal
-allow microdroid_app devpts:chr_file rw_file_perms;
-
-# Allow to set debug prop
-set_prop(microdroid_app, debug_prop)
-
-# Talk to binder services (for keystore)
-binder_use(microdroid_app);
-
-# Allow payloads to use keystore
-use_keystore(microdroid_app);
-
-# Allow payloads to use and manage their keys
-allow microdroid_app vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
-
-# Allow microdroid_app to use vsock inherited from microdroid_manager
-allow microdroid_app microdroid_manager:vsock_socket { read write };
-
-# Write to /dev/kmsg.
-allow microdroid_app kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/microdroid_manager.te b/microdroid/sepolicy/system/private/microdroid_manager.te
deleted file mode 100644
index 074024f..0000000
--- a/microdroid/sepolicy/system/private/microdroid_manager.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# microdroid_manager is a daemon running in the microdroid.
-
-type microdroid_manager, domain, coredomain;
-type microdroid_manager_exec, exec_type, file_type, system_file_type;
-
-# allow domain transition from init
-init_daemon_domain(microdroid_manager)
-
-# microdroid_manager accesses a virtual disk block device to read VM payload
-allow microdroid_manager block_device:dir r_dir_perms;
-allow microdroid_manager block_device:lnk_file r_file_perms;
-allow microdroid_manager vd_device:blk_file r_file_perms;
-
-# microdroid_manager start payload task via microdroid_launcher
-domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app);
-
-# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
-# TODO(b/189706019) we need to a domain for the app process.
-allow microdroid_manager system_file:file execute_no_trans;
-# Until then, allow microdroid_manager to execute the shell or other system executables.
-allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
-
-# Let microdroid_manager kernel-log.
-allow microdroid_manager kmsg_device:chr_file w_file_perms;
-
-# Let microdroid_manager initialize the derived VM secrets.
-set_prop(microdroid_manager, vmsecret_keymint_prop);
-
-# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below two rules
-userdebug_or_eng(`
- allow microdroid_manager fuse:dir r_dir_perms;
- allow microdroid_manager fuse:file rx_file_perms;
-')
-
-# Let microdroid_manager to create a vsock connection back to the host VM
-allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
diff --git a/microdroid/sepolicy/system/private/mls b/microdroid/sepolicy/system/private/mls
deleted file mode 100644
index 303df81..0000000
--- a/microdroid/sepolicy/system/private/mls
+++ /dev/null
@@ -1,89 +0,0 @@
-#################################################
-# MLS policy constraints
-#
-
-#
-# Process constraints
-#
-
-# Process transition: Require equivalence unless the subject is trusted.
-mlsconstrain process { transition dyntransition }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Process read operations: No read up unless trusted.
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
- (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Process write operations: Require equivalence unless trusted.
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
- (l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Socket constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Sockets inherit the range of their creator.
-mlsconstrain socket_class_set { create relabelfrom relabelto }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Datagram send: Sender must be equivalent to the receiver unless one of them
-# is trusted.
-mlsconstrain unix_dgram_socket { sendto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-# Stream connect: Client must be equivalent to server unless one of them
-# is trusted.
-mlsconstrain unix_stream_socket { connectto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-#
-# Directory/file constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Also, files should always be single-level.
-# Do NOT exempt mlstrustedobject types from this constraint.
-mlsconstrain dir_file_class_set { create relabelfrom relabelto }
- (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-#
-# Constraints for file types other than app data files.
-#
-
-# Read operations: Subject must dominate object unless the subject
-# or the object is trusted.
-mlsconstrain dir { read getattr search }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and t2 == system_data_file) );
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Write operations: Subject must be equivalent to the object unless the
-# subject or the object is trusted.
-mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Special case for FIFOs.
-# These can be unnamed pipes, in which case they will be labeled with the
-# creating process' label. Thus we also have an exemption when the "object"
-# is a domain type, so that processes can communicate via unnamed pipes
-# passed by binder or local socket IPC.
-mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-#
-# Binder IPC constraints
-#
-# Presently commented out, as apps are expected to call one another.
-# This would only make sense if apps were assigned categories
-# based on allowable communications rather than per-app categories.
-#mlsconstrain binder call
-# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/microdroid/sepolicy/system/private/mls_decl b/microdroid/sepolicy/system/private/mls_decl
deleted file mode 100644
index dd53bea..0000000
--- a/microdroid/sepolicy/system/private/mls_decl
+++ /dev/null
@@ -1,10 +0,0 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
diff --git a/microdroid/sepolicy/system/private/mls_macros b/microdroid/sepolicy/system/private/mls_macros
deleted file mode 100644
index 83e0542..0000000
--- a/microdroid/sepolicy/system/private/mls_macros
+++ /dev/null
@@ -1,54 +0,0 @@
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-define(`decl_cats',`dnl
-category c$1;
-ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
-')
-
-define(`gen_cats',`decl_cats(0,decr($1))')
-
-########################################
-#
-# gen_sens(N)
-#
-# declares sensitivites s0 to s(N-1) with dominance
-# in increasing numeric order with s0 lowest, s(N-1) highest
-#
-define(`decl_sens',`dnl
-sensitivity s$1;
-ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
-')
-
-define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
-
-define(`gen_sens',`
-# Each sensitivity has a name and zero or more aliases.
-decl_sens(0,decr($1))
-
-# Define the ordering of the sensitivity levels (least to greatest)
-dominance { gen_dominance(0,decr($1)) }
-')
-
-########################################
-#
-# gen_levels(N,M)
-#
-# levels from s0 to (N-1) with categories c0 to (M-1)
-#
-define(`decl_levels',`dnl
-level s$1:c0.c$3;
-ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
-')
-
-define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
-
-########################################
-#
-# Basic level names for system low and high
-#
-define(`mls_systemlow',`s0')
-define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/microdroid/sepolicy/system/private/net.te b/microdroid/sepolicy/system/private/net.te
deleted file mode 100644
index 1b2fd41..0000000
--- a/microdroid/sepolicy/system/private/net.te
+++ /dev/null
@@ -1,16 +0,0 @@
-## Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/sepolicy/system/private/policy_capabilities b/microdroid/sepolicy/system/private/policy_capabilities
deleted file mode 100644
index 9290e3a..0000000
--- a/microdroid/sepolicy/system/private/policy_capabilities
+++ /dev/null
@@ -1,20 +0,0 @@
-# Enable new networking controls.
-policycap network_peer_controls;
-
-# Enable open permission check.
-policycap open_perms;
-
-# Enable separate security classes for
-# all network address families previously
-# mapped to the socket class and for
-# ICMP and SCTP sockets previously mapped
-# to the rawip_socket class.
-policycap extended_socket_class;
-
-# Enable NoNewPrivileges support. Requires libsepol 2.7+
-# and kernel 4.14 (estimated).
-#
-# Checks enabled;
-# process2: nnp_transition, nosuid_transition
-#
-policycap nnp_nosuid_transition;
diff --git a/microdroid/sepolicy/system/private/port_contexts b/microdroid/sepolicy/system/private/port_contexts
deleted file mode 100644
index 2f40b38..0000000
--- a/microdroid/sepolicy/system/private/port_contexts
+++ /dev/null
@@ -1 +0,0 @@
-# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/sepolicy/system/private/property.te b/microdroid/sepolicy/system/private/property.te
deleted file mode 100644
index d3d413e..0000000
--- a/microdroid/sepolicy/system/private/property.te
+++ /dev/null
@@ -1,16 +0,0 @@
-###
-### Neverallow rules
-###
-
-neverallow {
- domain
- -init
- -microdroid_manager
-} vmsecret_keymint_prop:property_service set;
-
-neverallow {
- domain
- -init
- -microdroid_manager
- -hal_keymint_server
-} vmsecret_keymint_prop:file no_rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/property_contexts b/microdroid/sepolicy/system/private/property_contexts
deleted file mode 100644
index c8be9d9..0000000
--- a/microdroid/sepolicy/system/private/property_contexts
+++ /dev/null
@@ -1,97 +0,0 @@
-# property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed here.
-# The only exceptions are "debug.", "init.svc_debug_pid.", and "ctl." properties.
-
-debug. u:object_r:debug_prop:s0 prefix
-
-init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 prefix int
-
-ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
-ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
-ctl.start$ u:object_r:ctl_start_prop:s0
-ctl.stop$ u:object_r:ctl_stop_prop:s0
-ctl.restart$ u:object_r:ctl_restart_prop:s0
-ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
-ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
-ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
-
-ctl.start$adbd u:object_r:ctl_adbd_prop:s0
-ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
-ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
-
-ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
-
-ctl.fuse_ u:object_r:ctl_fuse_prop:s0
-ctl.console u:object_r:ctl_console_prop:s0
-ctl. u:object_r:ctl_default_prop:s0
-
-sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
-
-service.adb.root u:object_r:shell_prop:s0 exact bool
-
-ro.logd.kernel u:object_r:logd_prop:s0 exact bool
-
-ro.boottime.adbd u:object_r:boottime_prop:s0 exact int
-ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
-ro.boottime.init u:object_r:boottime_prop:s0 exact int
-ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
-ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
-ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
-ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
-ro.boottime.keystore2 u:object_r:boottime_prop:s0 exact int
-ro.boottime.logd u:object_r:boottime_prop:s0 exact int
-ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
-ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
-ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
-ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
-ro.boottime.ueventd u:object_r:boottime_prop:s0 exact int
-ro.boottime.vendor.keymint-microdroid u:object_r:boottime_prop:s0 exact int
-ro.boottime.zipfuse u:object_r:boottime_prop:s0 exact int
-
-ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
-
-ro.vmsecret.keymint u:object_r:vmsecret_keymint_prop:s0 exact string
-
-hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
-
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
-
-ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
-
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
-
-init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
-
-init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
-init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
-
-init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.baseband u:object_r:bootloader_prop:s0 exact string
-ro.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.bootmode u:object_r:bootloader_prop:s0 exact string
-ro.hardware u:object_r:bootloader_prop:s0 exact string
-ro.revision u:object_r:bootloader_prop:s0 exact string
-
-ro.build.id u:object_r:build_prop:s0 exact string
-ro.build.version.release u:object_r:build_prop:s0 exact string
-ro.build.version.security_patch u:object_r:build_prop:s0 exact string
-ro.debuggable u:object_r:build_prop:s0 exact bool
-ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
-ro.adb.secure u:object_r:build_prop:s0 exact bool
-
-ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-
-ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
-
-ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-
-keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
diff --git a/microdroid/sepolicy/system/private/roles_decl b/microdroid/sepolicy/system/private/roles_decl
deleted file mode 100644
index c84fcba..0000000
--- a/microdroid/sepolicy/system/private/roles_decl
+++ /dev/null
@@ -1 +0,0 @@
-role r;
diff --git a/microdroid/sepolicy/system/private/seapp_contexts b/microdroid/sepolicy/system/private/seapp_contexts
deleted file mode 100644
index 2f40b38..0000000
--- a/microdroid/sepolicy/system/private/seapp_contexts
+++ /dev/null
@@ -1 +0,0 @@
-# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/sepolicy/system/private/security_classes b/microdroid/sepolicy/system/private/security_classes
deleted file mode 100644
index 200b030..0000000
--- a/microdroid/sepolicy/system/private/security_classes
+++ /dev/null
@@ -1,167 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class anon_inode
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Infiniband
-class infiniband_pkey
-class infiniband_endport
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-class smc_socket
-
-class process2
-
-class bpf
-
-class xdp_socket
-
-class perf_event
-
-# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
-class lockdown
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Legacy Keystore key permissions
-class keystore_key # userspace
-
-# Keystore 2.0 permissions
-class keystore2 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/microdroid/sepolicy/system/private/service_contexts b/microdroid/sepolicy/system/private/service_contexts
deleted file mode 100644
index 5857a0f..0000000
--- a/microdroid/sepolicy/system/private/service_contexts
+++ /dev/null
@@ -1,18 +0,0 @@
-android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
-android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
-android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
-android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
-
-adb u:object_r:adb_service:s0
-android.security.apc u:object_r:apc_service:s0
-android.security.authorization u:object_r:authorization_service:s0
-android.security.compat u:object_r:keystore_compat_hal_service:s0
-android.security.identity u:object_r:credstore_service:s0
-android.security.keystore u:object_r:keystore_service:s0
-android.security.legacykeystore u:object_r:legacykeystore_service:s0
-android.security.maintenance u:object_r:keystore_maintenance_service:s0
-android.security.metrics u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-apexservice u:object_r:apex_service:s0
-* u:object_r:default_android_service:s0
diff --git a/microdroid/sepolicy/system/private/servicemanager.te b/microdroid/sepolicy/system/private/servicemanager.te
deleted file mode 100644
index 8ff964f..0000000
--- a/microdroid/sepolicy/system/private/servicemanager.te
+++ /dev/null
@@ -1,23 +0,0 @@
-typeattribute servicemanager coredomain;
-
-init_daemon_domain(servicemanager)
-
-selinux_check_access(servicemanager)
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains. It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
- domain
- -init
- -vendor_init
- -hwservicemanager
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
diff --git a/microdroid/sepolicy/system/private/shell.te b/microdroid/sepolicy/system/private/shell.te
deleted file mode 100644
index fc51ad8..0000000
--- a/microdroid/sepolicy/system/private/shell.te
+++ /dev/null
@@ -1,31 +0,0 @@
-typeattribute shell coredomain, mlstrustedsubject;
-
-# allow shell input injection
-allow shell uhid_device:chr_file rw_file_perms;
-
-# Perform SELinux access checks, needed for CTS
-selinux_check_access(shell)
-selinux_check_context(shell)
-
-# Allow shell to run adb shell cmd stats commands. Needed for CTS.
-binder_call(shell, statsd);
-
-# Allow shell to launch microdroid_launcher in its own domain
-# TODO(b/186396070) remove this when microdroid_manager can do this
-domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
-domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow shell adbd:unix_stream_socket connectto;
-allow shell adbd:fd use;
-allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# filesystem test for insecure chr_file's is done
-# via a host side test
-allow shell dev_type:dir r_dir_perms;
-allow shell dev_type:chr_file getattr;
-
-# filesystem test for insucre blk_file's is done
-# via hostside test
-allow shell dev_type:blk_file getattr;
diff --git a/microdroid/sepolicy/system/private/statsd.te b/microdroid/sepolicy/system/private/statsd.te
deleted file mode 100644
index 437f505..0000000
--- a/microdroid/sepolicy/system/private/statsd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute statsd coredomain;
-
-init_daemon_domain(statsd)
diff --git a/microdroid/sepolicy/system/private/su.te b/microdroid/sepolicy/system/private/su.te
deleted file mode 100644
index 55b7308..0000000
--- a/microdroid/sepolicy/system/private/su.te
+++ /dev/null
@@ -1,12 +0,0 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
-
- domain_auto_trans(shell, su_exec, su)
-
- # su is also permissive to permit setenforce.
- permissive su;
-
- # Do not audit accesses to keystore2 namespace for the su domain.
- dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
-')
diff --git a/microdroid/sepolicy/system/private/tombstoned.te b/microdroid/sepolicy/system/private/tombstoned.te
deleted file mode 100644
index 2567a23..0000000
--- a/microdroid/sepolicy/system/private/tombstoned.te
+++ /dev/null
@@ -1,12 +0,0 @@
-typeattribute tombstoned coredomain;
-
-init_daemon_domain(tombstoned)
-
-# Write to arbitrary pipes given to us.
-allow tombstoned domain:fd use;
-allow tombstoned domain:fifo_file write;
-
-allow tombstoned domain:dir r_dir_perms;
-allow tombstoned domain:file r_file_perms;
-allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file { create_file_perms link };
diff --git a/microdroid/sepolicy/system/private/toolbox.te b/microdroid/sepolicy/system/private/toolbox.te
deleted file mode 100644
index a2b958d..0000000
--- a/microdroid/sepolicy/system/private/toolbox.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute toolbox coredomain;
-
-init_daemon_domain(toolbox)
diff --git a/microdroid/sepolicy/system/private/ueventd.te b/microdroid/sepolicy/system/private/ueventd.te
deleted file mode 100644
index eb06672..0000000
--- a/microdroid/sepolicy/system/private/ueventd.te
+++ /dev/null
@@ -1,52 +0,0 @@
-typeattribute ueventd coredomain;
-
-tmpfs_domain(ueventd)
-
-# Write to /dev/kmsg.
-allow ueventd kmsg_device:chr_file rw_file_perms;
-
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
-allow ueventd device:file create_file_perms;
-
-r_dir_file(ueventd, rootfs)
-
-# ueventd needs write access to files in /sys to regenerate uevents
-allow ueventd sysfs_type:file w_file_perms;
-r_dir_file(ueventd, sysfs_type)
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { getattr create setattr unlink };
-allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
-# Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, vendor_file_type)
-
-# Access for /apex/*/firmware
-allow ueventd apex_mnt_dir:dir r_dir_perms;
-
-# Get file contexts for new device nodes
-allow ueventd file_contexts_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
-allow ueventd proc_cmdline:file r_file_perms;
-allow ueventd proc_bootconfig:file r_file_perms;
-
-# ueventd loads modules in response to modalias events.
-allow ueventd self:global_capability_class_set sys_module;
-allow ueventd vendor_file:system module_load;
-allow ueventd kernel:key search;
-
-# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
-
diff --git a/microdroid/sepolicy/system/private/users b/microdroid/sepolicy/system/private/users
deleted file mode 100644
index 51b7b57..0000000
--- a/microdroid/sepolicy/system/private/users
+++ /dev/null
@@ -1 +0,0 @@
-user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/microdroid/sepolicy/system/private/zipfuse.te b/microdroid/sepolicy/system/private/zipfuse.te
deleted file mode 100644
index fb7527b..0000000
--- a/microdroid/sepolicy/system/private/zipfuse.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# zipfuse is a FUSE daemon running in the microdroid. It mounts
-# /dev/block/by-name/microdroid-apk whose content is from an apk file on
-# /mnt/apk so that the entries in the apk file are seen as regular files. See
-# packages/modules/Virtualization/zipfuse.
-
-type zipfuse, domain, coredomain;
-type zipfuse_exec, exec_type, file_type, system_file_type;
-
-# allow domain transition from init
-init_daemon_domain(zipfuse)
-
-# allow basic rules to implement FUSE
-allow zipfuse fuse_device:chr_file rw_file_perms;
-allow zipfuse self:global_capability_class_set sys_admin;
-
-# allow access to /dev/vd* block device files and also access to the symlinks
-# /dev/block/by-name/*
-allow zipfuse block_device:dir r_dir_perms;
-allow zipfuse block_device:lnk_file r_file_perms;
-
-# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
-allow zipfuse dm_device:blk_file r_file_perms;
-
-# allow mounting on /mnt/apk
-allow zipfuse tmpfs:dir mounton;
-
-# allow mounting with fscontext=u:object_r:zipfusefs:s0
-type zipfusefs, fs_type, contextmount_type;
-allow zipfuse fuse:filesystem relabelfrom;
-allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
-
-# allow mounting with context=u:object_r:system_file:s0 so that files provided
-# by zipfuse are treated the same as the other files in /system or /apex
-allow system_file zipfusefs:filesystem associate;
diff --git a/microdroid/sepolicy/system/public/adbd.te b/microdroid/sepolicy/system/public/adbd.te
deleted file mode 100644
index a41d4a3..0000000
--- a/microdroid/sepolicy/system/public/adbd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type adbd, domain;
-type adbd_exec, exec_type, file_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/apexd.te b/microdroid/sepolicy/system/public/apexd.te
deleted file mode 100644
index f80c1da..0000000
--- a/microdroid/sepolicy/system/public/apexd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type apexd, domain, coredomain;
-type apexd_exec, file_type, exec_type, system_file_type;
-
-binder_use(apexd)
-add_service(apexd, apex_service)
diff --git a/microdroid/sepolicy/system/public/attributes b/microdroid/sepolicy/system/public/attributes
deleted file mode 100644
index c82c0c8..0000000
--- a/microdroid/sepolicy/system/public/attributes
+++ /dev/null
@@ -1,395 +0,0 @@
-######################################
-# Attribute declarations
-#
-
-# All types used for devices.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# in tools/checkfc.c
-attribute dev_type;
-
-# All types used for processes.
-attribute domain;
-
-# All types used for filesystems.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute fs_type;
-
-# All types used for context= mounts.
-attribute contextmount_type;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-# All types used for /data files.
-attribute data_file_type;
-expandattribute data_file_type false;
-# All types in /data, not in /data/vendor
-attribute core_data_file_type;
-expandattribute core_data_file_type false;
-
-# All types used for app private data files in seapp_contexts.
-# Such types should not be applied to any other files.
-attribute app_data_file_type;
-expandattribute app_data_file_type false;
-
-# All types in /system
-attribute system_file_type;
-
-# All types in /vendor
-attribute vendor_file_type;
-
-# All types used for procfs files.
-attribute proc_type;
-expandattribute proc_type false;
-
-# Types in /proc/net, excluding qtaguid types.
-# TODO(b/9496886) Lock down access to /proc/net.
-# This attribute is used to audit access to proc_net. it is temporary and will
-# be removed.
-attribute proc_net_type;
-expandattribute proc_net_type true;
-
-# All types used for sysfs files.
-attribute sysfs_type;
-
-# All types use for debugfs files.
-attribute debugfs_type;
-
-# All types used for tracefs files.
-attribute tracefs_type;
-
-# Attribute used for all sdcards
-attribute sdcard_type;
-
-# All types used for nodes/hosts.
-attribute node_type;
-
-# All types used for network interfaces.
-attribute netif_type;
-
-# All types used for network ports.
-attribute port_type;
-
-# All types used for property service
-# On change, update CHECK_PC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute property_type;
-
-# All properties defined in core SELinux policy. Should not be
-# used by device specific properties
-attribute core_property_type;
-
-# All properties used to configure log filtering.
-attribute log_property_type;
-
-# All properties that are not specific to device but are added from
-# outside of AOSP. (e.g. OEM-specific properties)
-# These properties are not accessible from device-specific domains
-attribute extended_core_property_type;
-
-# Properties used for representing ownership. All properties should have one
-# of: system_property_type, product_property_type, or vendor_property_type.
-
-# All properties defined by /system.
-attribute system_property_type;
-expandattribute system_property_type false;
-
-# All /system-defined properties used only in /system.
-attribute system_internal_property_type;
-expandattribute system_internal_property_type false;
-
-# All /system-defined properties which can't be written outside /system.
-attribute system_restricted_property_type;
-expandattribute system_restricted_property_type false;
-
-# All /system-defined properties with no restrictions.
-attribute system_public_property_type;
-expandattribute system_public_property_type false;
-
-# All keystore2_key labels.
-attribute keystore2_key_type;
-
-# All properties defined by /product.
-# Currently there are no enforcements between /system and /product, so for now
-# /product attributes are just replaced to /system attributes.
-define(`product_property_type', `system_property_type')
-define(`product_internal_property_type', `system_internal_property_type')
-define(`product_restricted_property_type', `system_restricted_property_type')
-define(`product_public_property_type', `system_public_property_type')
-
-# All properties defined by /vendor.
-attribute vendor_property_type;
-expandattribute vendor_property_type false;
-
-# All /vendor-defined properties used only in /vendor.
-attribute vendor_internal_property_type;
-expandattribute vendor_internal_property_type false;
-
-# All /vendor-defined properties which can't be written outside /vendor.
-attribute vendor_restricted_property_type;
-expandattribute vendor_restricted_property_type false;
-
-# All /vendor-defined properties with no restrictions.
-attribute vendor_public_property_type;
-expandattribute vendor_public_property_type false;
-
-# All service_manager types created by system_server
-attribute system_server_service;
-
-# services which should be available to all but isolated apps
-attribute app_api_service;
-
-# services which should be available to all ephemeral apps
-attribute ephemeral_app_api_service;
-
-# services which export only system_api
-attribute system_api_service;
-
-# services which are explicitly disallowed for untrusted apps to access
-attribute protected_service;
-
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
-# All types used for services managed by servicemanager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All types used for services managed by hwservicemanager
-attribute hwservice_manager_type;
-
-# All HwBinder services guaranteed to be passthrough. These services always run
-# in the process of their clients, and thus operate with the same access as
-# their clients.
-attribute same_process_hwservice;
-
-# All HwBinder services guaranteed to be offered only by core domain components
-attribute coredomain_hwservice;
-
-# All HwBinder services that untrusted apps can't directly access
-attribute protected_hwservice;
-
-# All types used for services managed by vndservicemanager
-attribute vndservice_manager_type;
-
-
-# All domains that can override MLS restrictions.
-# i.e. processes that can read up and write down.
-attribute mlstrustedsubject;
-
-# All types that can override MLS restrictions.
-# i.e. files that can be read by lower and written by higher
-attribute mlstrustedobject;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All third party apps (except isolated_app and ephemeral_app)
-attribute untrusted_app_all;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
-# All domains used for apps with bluetooth access.
-attribute bluetoothdomain;
-
-# All domains used for binder service domains.
-attribute binderservicedomain;
-
-# update_engine related domains that need to apply an update and run
-# postinstall. This includes the background daemon and the sideload tool from
-# recovery for A/B devices.
-attribute update_engine_common;
-
-# All core domains (as opposed to vendor/device-specific domains)
-attribute coredomain;
-
-# All vendor hwservice.
-attribute vendor_hwservice_type;
-
-# All socket devices owned by core domain components
-attribute coredomain_socket;
-expandattribute coredomain_socket false;
-
-# All vendor domains which violate the requirement of not using sockets for
-# communicating with core components
-# TODO(b/36577153): Remove this once there are no violations
-attribute socket_between_core_and_vendor_violators;
-expandattribute socket_between_core_and_vendor_violators false;
-
-# All vendor domains which violate the requirement of not executing
-# system processes
-# TODO(b/36463595)
-attribute vendor_executes_system_violators;
-expandattribute vendor_executes_system_violators false;
-
-# All domains which violate the requirement of not sharing files by path
-# between between vendor and core domains.
-# TODO(b/34980020)
-attribute data_between_core_and_vendor_violators;
-expandattribute data_between_core_and_vendor_violators false;
-
-# All system domains which violate the requirement of not executing vendor
-# binaries/libraries.
-# TODO(b/62041836)
-attribute system_executes_vendor_violators;
-expandattribute system_executes_vendor_violators false;
-
-# All system domains which violate the requirement of not writing vendor
-# properties.
-# TODO(b/78598545): Remove this once there are no violations
-attribute system_writes_vendor_properties_violators;
-expandattribute system_writes_vendor_properties_violators false;
-
-# All system domains which violate the requirement of not writing to
-# /mnt/vendor/*. Must not be used on devices launched with P or later.
-attribute system_writes_mnt_vendor_violators;
-expandattribute system_writes_mnt_vendor_violators false;
-
-# hwservices that are accessible from untrusted applications
-# WARNING: Use of this attribute should be avoided unless
-# absolutely necessary. It is a temporary allowance to aid the
-# transition to treble and will be removed in a future platform
-# version, requiring all hwservices that are labeled with this
-# attribute to be submitted to AOSP in order to maintain their
-# app-visibility.
-attribute untrusted_app_visible_hwservice_violators;
-expandattribute untrusted_app_visible_hwservice_violators false;
-
-# halserver domains that are accessible to untrusted applications. These
-# domains are typically those hosting hwservices attributed by the
-# untrusted_app_visible_hwservice_violators.
-# WARNING: Use of this attribute should be avoided unless absolutely necessary.
-# It is a temporary allowance to aid the transition to treble and will be
-# removed in the future platform version, requiring all halserver domains that
-# are labeled with this attribute to be submitted to AOSP in order to maintain
-# their app-visibility.
-attribute untrusted_app_visible_halserver_violators;
-expandattribute untrusted_app_visible_halserver_violators false;
-
-# PDX services
-attribute pdx_endpoint_dir_type;
-attribute pdx_endpoint_socket_type;
-expandattribute pdx_endpoint_socket_type false;
-attribute pdx_channel_socket_type;
-expandattribute pdx_channel_socket_type false;
-
-pdx_service_attributes(display_client)
-pdx_service_attributes(display_manager)
-pdx_service_attributes(display_screenshot)
-pdx_service_attributes(display_vsync)
-pdx_service_attributes(performance_client)
-pdx_service_attributes(bufferhub_client)
-
-# All HAL servers
-attribute halserverdomain;
-# All HAL clients
-attribute halclientdomain;
-expandattribute halclientdomain true;
-
-# Exempt for halserverdomain to access sockets. Only builds for automotive
-# device types are allowed to use this attribute (enforced by CTS).
-# Unlike phone, in a car many modules are external from Android perspective and
-# HALs should be able to communicate with those devices through sockets.
-attribute hal_automotive_socket_exemption;
-
-# HALs
-hal_attribute(allocator);
-hal_attribute(atrace);
-hal_attribute(audio);
-hal_attribute(audiocontrol);
-hal_attribute(authsecret);
-hal_attribute(bluetooth);
-hal_attribute(bootctl);
-hal_attribute(bufferhub);
-hal_attribute(broadcastradio);
-hal_attribute(camera);
-hal_attribute(can_bus);
-hal_attribute(can_controller);
-hal_attribute(cas);
-hal_attribute(codec2);
-hal_attribute(configstore);
-hal_attribute(confirmationui);
-hal_attribute(contexthub);
-hal_attribute(drm);
-hal_attribute(evs);
-hal_attribute(face);
-hal_attribute(fingerprint);
-hal_attribute(gatekeeper);
-hal_attribute(gnss);
-hal_attribute(graphics_allocator);
-hal_attribute(graphics_composer);
-hal_attribute(health);
-hal_attribute(health_storage);
-hal_attribute(identity);
-hal_attribute(input_classifier);
-hal_attribute(ir);
-hal_attribute(keymaster);
-hal_attribute(keymint);
-hal_attribute(light);
-hal_attribute(lowpan);
-hal_attribute(memtrack);
-hal_attribute(neuralnetworks);
-hal_attribute(nfc);
-hal_attribute(oemlock);
-hal_attribute(omx);
-hal_attribute(power);
-hal_attribute(power_stats);
-hal_attribute(rebootescrow);
-hal_attribute(secure_element);
-hal_attribute(sensors);
-hal_attribute(telephony);
-hal_attribute(tetheroffload);
-hal_attribute(thermal);
-hal_attribute(tv_cec);
-hal_attribute(tv_input);
-hal_attribute(tv_tuner);
-hal_attribute(usb);
-hal_attribute(usb_gadget);
-hal_attribute(vehicle);
-hal_attribute(vibrator);
-hal_attribute(vr);
-hal_attribute(weaver);
-hal_attribute(wifi);
-hal_attribute(wifi_hostapd);
-hal_attribute(wifi_supplicant);
-
-# HwBinder services offered across the core-vendor boundary
-#
-# We annotate server domains with x_server to loosen the coupling between
-# system and vendor images. For example, it should be possible to move a service
-# from one core domain to another, without having to update the vendor image
-# which contains clients of this service.
-
-attribute automotive_display_service_server;
-attribute camera_service_server;
-attribute display_service_server;
-attribute scheduler_service_server;
-attribute sensor_service_server;
-attribute stats_service_server;
-attribute system_suspend_internal_server;
-attribute system_suspend_server;
-attribute wifi_keystore_service_server;
-
-# All types used for super partition block devices.
-attribute super_block_device_type;
-
-# All types used for DMA-BUF heaps
-attribute dmabuf_heap_device_type;
-expandattribute dmabuf_heap_device_type false;
-
-# All types used for DSU metadata files.
-attribute gsi_metadata_file_type;
-
-attribute fusefs_type;
diff --git a/microdroid/sepolicy/system/public/crash_dump.te b/microdroid/sepolicy/system/public/crash_dump.te
deleted file mode 100644
index d59b034..0000000
--- a/microdroid/sepolicy/system/public/crash_dump.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type crash_dump, domain;
-type crash_dump_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/device.te b/microdroid/sepolicy/system/public/device.te
deleted file mode 100644
index 8d286a6..0000000
--- a/microdroid/sepolicy/system/public/device.te
+++ /dev/null
@@ -1,39 +0,0 @@
-type ashmem_device, dev_type, mlstrustedobject;
-type ashmem_libcutils_device, dev_type, mlstrustedobject;
-type binder_device, dev_type, mlstrustedobject;
-type block_device, dev_type;
-type console_device, dev_type;
-type device, dev_type, fs_type;
-type dm_device, dev_type;
-type dm_user_device, dev_type;
-type dmabuf_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
-type dmabuf_system_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
-type dmabuf_system_secure_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
-type fuse_device, dev_type, mlstrustedobject;
-type hw_random_device, dev_type;
-type hwbinder_device, dev_type, mlstrustedobject;
-type kmsg_debug_device, dev_type;
-type kmsg_device, dev_type, mlstrustedobject;
-type kvm_device, dev_type;
-type loop_control_device, dev_type;
-type loop_device, dev_type;
-type null_device, dev_type, mlstrustedobject;
-type owntty_device, dev_type, mlstrustedobject;
-type ppp_device, dev_type;
-type properties_device, dev_type;
-type properties_serial, dev_type;
-type property_info, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type ram_device, dev_type;
-type random_device, dev_type, mlstrustedobject;
-type rtc_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
-type tty_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type uhid_device, dev_type, mlstrustedobject;
-type uio_device, dev_type;
-type userdata_sysdev, dev_type;
-type vd_device, dev_type;
-type vndbinder_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
diff --git a/microdroid/sepolicy/system/public/file.te b/microdroid/sepolicy/system/public/file.te
deleted file mode 100644
index 67d5068..0000000
--- a/microdroid/sepolicy/system/public/file.te
+++ /dev/null
@@ -1,204 +0,0 @@
-type system_linker_exec, file_type, system_file_type;
-
-# file types
-type adbd_socket, file_type, coredomain_socket;
-type apc_service, service_manager_type;
-type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type apex_info_file, file_type;
-type apex_mnt_dir, file_type;
-type cgroup_desc_api_file, file_type, system_file_type;
-type cgroup_desc_file, file_type, system_file_type;
-type cgroup_rc_file, file_type;
-type file_contexts_file, file_type, system_file_type;
-type hwservice_contexts_file, file_type, system_file_type;
-type keystore2_key_contexts_file, file_type, system_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
-type linkerconfig_file, file_type;
-type logd_socket, file_type, mlstrustedobject, coredomain_socket;
-type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
-type logdw_socket, file_type, mlstrustedobject, coredomain_socket;
-type mac_perms_file, file_type, system_file_type;
-type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-type property_contexts_file, file_type, system_file_type;
-type property_socket, file_type, mlstrustedobject, coredomain_socket;
-type runtime_event_log_tags_file, file_type;
-type seapp_contexts_file, file_type, system_file_type;
-type sepolicy_file, file_type, system_file_type;
-type service_contexts_file, file_type, system_file_type;
-type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-type shell_test_data_file, file_type, data_file_type, core_data_file_type;
-type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type system_bootstrap_lib_file, file_type, system_file_type;
-type system_data_file, file_type, data_file_type, core_data_file_type;
-type system_data_root_file, file_type, data_file_type, core_data_file_type;
-type system_event_log_tags_file, file_type, system_file_type;
-type system_file, file_type, system_file_type;
-type system_group_file, file_type, system_file_type;
-type system_lib_file, file_type, system_file_type;
-type system_linker_config_file, file_type, system_file_type;
-type system_passwd_file, file_type, system_file_type;
-type system_seccomp_policy_file, file_type, system_file_type;
-type system_security_cacerts_file, file_type, system_file_type;
-type task_profiles_api_file, file_type, system_file_type;
-type task_profiles_file, file_type, system_file_type;
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject, coredomain_socket;
-type tombstoned_intercept_socket, file_type, coredomain_socket;
-type tombstoned_java_trace_socket, file_type, mlstrustedobject;
-type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type unlabeled, file_type;
-type vendor_configs_file, file_type, vendor_file_type;
-type vendor_data_file, file_type, data_file_type;
-type vendor_file, file_type, vendor_file_type;
-type vendor_service_contexts_file, vendor_file_type, file_type;
-
-# file system types
-type binderfs, fs_type;
-type binderfs_logs, fs_type;
-type binderfs_logs_proc, fs_type;
-type binfmt_miscfs, fs_type;
-type cgroup, fs_type, mlstrustedobject;
-type cgroup_v2, fs_type;
-type config_gz, fs_type, proc_type;
-type configfs, fs_type;
-type debugfs, fs_type, debugfs_type;
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_kcov, fs_type, debugfs_type;
-type debugfs_kprobes, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
-type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
-type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
-type devpts, fs_type, mlstrustedobject;
-type devtmpfs;
-type exfat, fs_type, sdcard_type, mlstrustedobject;
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type functionfs, fs_type, mlstrustedobject;
-type fuse, fs_type, fusefs_type, mlstrustedobject;
-type fusectlfs, fs_type;
-type inotify, fs_type, mlstrustedobject;
-type labeledfs, fs_type;
-type mqueue, fs_type;
-type pipefs, fs_type;
-type proc, fs_type, proc_type;
-type proc_abi, fs_type, proc_type;
-type proc_asound, fs_type, proc_type;
-type proc_bootconfig, fs_type, proc_type;
-type proc_buddyinfo, fs_type, proc_type;
-type proc_cmdline, fs_type, proc_type;
-type proc_cpuinfo, fs_type, proc_type;
-type proc_dirty, fs_type, proc_type;
-type proc_diskstats, fs_type, proc_type;
-type proc_drop_caches, fs_type, proc_type;
-type proc_extra_free_kbytes, fs_type, proc_type;
-type proc_filesystems, fs_type, proc_type;
-type proc_fs_verity, fs_type, proc_type;
-type proc_hostname, fs_type, proc_type;
-type proc_hung_task, fs_type, proc_type;
-type proc_interrupts, fs_type, proc_type;
-type proc_iomem, fs_type, proc_type;
-type proc_kallsyms, fs_type, proc_type;
-type proc_keys, fs_type, proc_type;
-type proc_kmsg, fs_type, proc_type;
-type proc_kpageflags, fs_type, proc_type;
-type proc_loadavg, fs_type, proc_type;
-type proc_locks, fs_type, proc_type;
-type proc_lowmemorykiller, fs_type, proc_type;
-type proc_max_map_count, fs_type, proc_type;
-type proc_meminfo, fs_type, proc_type;
-type proc_min_free_order_shift, fs_type, proc_type;
-type proc_misc, fs_type, proc_type;
-type proc_modules, fs_type, proc_type;
-type proc_mounts, fs_type, proc_type;
-type proc_net, fs_type, proc_type, proc_net_type;
-type proc_net_tcp_udp, fs_type, proc_type;
-type proc_overcommit_memory, fs_type, proc_type;
-type proc_page_cluster, fs_type, proc_type;
-type proc_pagetypeinfo, fs_type, proc_type;
-type proc_panic, fs_type, proc_type;
-type proc_perf, fs_type, proc_type;
-type proc_pid_max, fs_type, proc_type;
-type proc_pipe_conf, fs_type, proc_type;
-type proc_pressure_cpu, fs_type, proc_type;
-type proc_pressure_io, fs_type, proc_type;
-type proc_pressure_mem, fs_type, proc_type;
-type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
-type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
-type proc_random, fs_type, proc_type;
-type proc_sched, fs_type, proc_type;
-type proc_security, fs_type, proc_type;
-type proc_slabinfo, fs_type, proc_type;
-type proc_stat, fs_type, proc_type;
-type proc_swaps, fs_type, proc_type;
-type proc_sysrq, fs_type, proc_type;
-type proc_timer, fs_type, proc_type;
-type proc_tty_drivers, fs_type, proc_type;
-type proc_uid_concurrent_active_time, fs_type, proc_type;
-type proc_uid_concurrent_policy_time, fs_type, proc_type;
-type proc_uid_cpupower, fs_type, proc_type;
-type proc_uid_cputime_removeuid, fs_type, proc_type;
-type proc_uid_cputime_showstat, fs_type, proc_type;
-type proc_uid_io_stats, fs_type, proc_type;
-type proc_uid_procstat_set, fs_type, proc_type;
-type proc_uid_time_in_state, fs_type, proc_type;
-type proc_uptime, fs_type, proc_type;
-type proc_version, fs_type, proc_type;
-type proc_vmallocinfo, fs_type, proc_type;
-type proc_vmstat, fs_type, proc_type;
-type proc_zoneinfo, fs_type, proc_type;
-type pstorefs, fs_type;
-type rootfs, fs_type;
-type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
-type securityfs, fs_type;
-type selinuxfs, fs_type, mlstrustedobject;
-type shm, fs_type;
-type sockfs, fs_type;
-type sysfs, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_android_usb, fs_type, sysfs_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_devices_block, fs_type, sysfs_type;
-type sysfs_devices_cs_etm, fs_type, sysfs_type;
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-type sysfs_dm, fs_type, sysfs_type;
-type sysfs_dm_verity, fs_type, sysfs_type;
-type sysfs_dma_heap, fs_type, sysfs_type;
-type sysfs_dmabuf_stats, fs_type, sysfs_type;
-type sysfs_dt_firmware_android, fs_type, sysfs_type;
-type sysfs_extcon, fs_type, sysfs_type;
-type sysfs_fs_ext4_features, fs_type, sysfs_type;
-type sysfs_fs_f2fs, fs_type, sysfs_type;
-type sysfs_fs_incfs_features, fs_type, sysfs_type;
-type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_ion, fs_type, sysfs_type;
-type sysfs_ipv4, fs_type, sysfs_type;
-type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_leds, fs_type, sysfs_type;
-type sysfs_loop, fs_type, sysfs_type;
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-type sysfs_net, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_power, fs_type, sysfs_type;
-type sysfs_rtc, fs_type, sysfs_type;
-type sysfs_suspend_stats, fs_type, sysfs_type;
-type sysfs_switch, fs_type, sysfs_type;
-type sysfs_transparent_hugepage, fs_type, sysfs_type;
-type sysfs_uhid, fs_type, sysfs_type;
-type sysfs_usermodehelper, fs_type, sysfs_type;
-type sysfs_vibrator, fs_type, sysfs_type;
-type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_wakeup, fs_type, sysfs_type;
-type sysfs_wakeup_reasons, fs_type, sysfs_type;
-type sysfs_wlan_fwpath, fs_type, sysfs_type;
-type sysfs_zram, fs_type, sysfs_type;
-type sysfs_zram_uevent, fs_type, sysfs_type;
-type tmpfs, fs_type;
-type usbfs, fs_type;
-type usermodehelper, fs_type, proc_type;
-type vfat, fs_type, sdcard_type, mlstrustedobject;
diff --git a/microdroid/sepolicy/system/public/global_macros b/microdroid/sepolicy/system/public/global_macros
deleted file mode 100644
index 2c87fde..0000000
--- a/microdroid/sepolicy/system/public/global_macros
+++ /dev/null
@@ -1,51 +0,0 @@
-#####################################
-# Common groupings of object classes.
-#
-define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
-define(`global_capability_class_set', `{ capability cap_userns }')
-define(`global_capability2_class_set', `{ capability2 cap2_userns }')
-
-define(`devfile_class_set', `{ chr_file blk_file }')
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
-define(`dir_file_class_set', `{ dir file_class_set }')
-
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
-define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
-
-define(`ipc_class_set', `{ sem msgq shm ipc }')
-
-#####################################
-# Common groupings of permissions.
-#
-define(`x_file_perms', `{ getattr execute execute_no_trans map }')
-define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
-define(`w_file_perms', `{ open append write lock map }')
-define(`rx_file_perms', `{ r_file_perms x_file_perms }')
-define(`ra_file_perms', `{ r_file_perms append }')
-define(`rw_file_perms', `{ r_file_perms w_file_perms }')
-define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
-
-define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
-define(`w_dir_perms', `{ open search write add_name remove_name lock }')
-define(`ra_dir_perms', `{ r_dir_perms add_name write }')
-define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
-
-define(`r_ipc_perms', `{ getattr read associate unix_read }')
-define(`w_ipc_perms', `{ write unix_write }')
-define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
-define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
-
-#####################################
-# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
-define(`create_socket_perms', `{ create rw_socket_perms }')
-define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/microdroid/sepolicy/system/public/hal_keymint.te b/microdroid/sepolicy/system/public/hal_keymint.te
deleted file mode 100644
index 7570188..0000000
--- a/microdroid/sepolicy/system/public/hal_keymint.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_keymint_client, hal_keymint_server)
-
-hal_attribute_service(hal_keymint, hal_keymint_service)
-binder_call(hal_keymint_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hwservicemanager.te b/microdroid/sepolicy/system/public/hwservicemanager.te
deleted file mode 100644
index 5421b11..0000000
--- a/microdroid/sepolicy/system/public/hwservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/init.te b/microdroid/sepolicy/system/public/init.te
deleted file mode 100644
index bccdb70..0000000
--- a/microdroid/sepolicy/system/public/init.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# init is its own domain.
-type init, domain, mlstrustedsubject;
-type init_exec, system_file_type, exec_type, file_type;
-type init_tmpfs, file_type;
-
-allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { getattr write relabelto };
-allow init kmsg_debug_device:chr_file { open write relabelto };
diff --git a/microdroid/sepolicy/system/public/ioctl_defines b/microdroid/sepolicy/system/public/ioctl_defines
deleted file mode 100644
index 5ac4d94..0000000
--- a/microdroid/sepolicy/system/public/ioctl_defines
+++ /dev/null
@@ -1,2751 +0,0 @@
-define(`ADD_NEW_DISK', `0x40140921')
-define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
-define(`AGPIOC_ACQUIRE', `0x00004101')
-define(`AGPIOC_ALLOCATE', `0xc0084106')
-define(`AGPIOC_BIND', `0x40084108')
-define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
-define(`AGPIOC_DEALLOCATE', `0x40044107')
-define(`AGPIOC_INFO', `0x80084100')
-define(`AGPIOC_PROTECT', `0x40084105')
-define(`AGPIOC_RELEASE', `0x00004102')
-define(`AGPIOC_RESERVE', `0x40084104')
-define(`AGPIOC_SETUP', `0x40084103')
-define(`AGPIOC_UNBIND', `0x40084109')
-define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
-define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
-define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
-define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
-define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
-define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
-define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
-define(`ANDROID_ALARM_SET_RTC', `0x40106105')
-define(`ANDROID_ALARM_WAIT', `0x00006101')
-define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
-define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
-define(`APM_IOC_STANDBY', `0x00004101')
-define(`APM_IOC_SUSPEND', `0x00004102')
-define(`ASHMEM_GET_NAME', `0x81007702')
-define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
-define(`ASHMEM_GET_PROT_MASK', `0x00007706')
-define(`ASHMEM_GET_SIZE', `0x00007704')
-define(`ASHMEM_PIN', `0x40087707')
-define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
-define(`ASHMEM_SET_NAME', `0x41007701')
-define(`ASHMEM_SET_PROT_MASK', `0x40087705')
-define(`ASHMEM_SET_SIZE', `0x40087703')
-define(`ASHMEM_UNPIN', `0x40087708')
-define(`ATM_ADDADDR', `0x40106188')
-define(`ATM_ADDLECSADDR', `0x4010618e')
-define(`ATM_ADDPARTY', `0x401061f4')
-define(`ATMARPD_CTRL', `0x000061e1')
-define(`ATMARP_ENCAP', `0x000061e5')
-define(`ATMARP_MKIP', `0x000061e2')
-define(`ATMARP_SETENTRY', `0x000061e3')
-define(`ATM_DELADDR', `0x40106189')
-define(`ATM_DELLECSADDR', `0x4010618f')
-define(`ATM_DROPPARTY', `0x400461f5')
-define(`ATM_GETADDR', `0x40106186')
-define(`ATM_GETCIRANGE', `0x4010618a')
-define(`ATM_GETESI', `0x40106185')
-define(`ATM_GETLECSADDR', `0x40106190')
-define(`ATM_GETLINKRATE', `0x40106181')
-define(`ATM_GETLOOP', `0x40106152')
-define(`ATM_GETNAMES', `0x40106183')
-define(`ATM_GETSTAT', `0x40106150')
-define(`ATM_GETSTATZ', `0x40106151')
-define(`ATM_GETTYPE', `0x40106184')
-define(`ATMLEC_CTRL', `0x000061d0')
-define(`ATMLEC_DATA', `0x000061d1')
-define(`ATMLEC_MCAST', `0x000061d2')
-define(`ATMMPC_CTRL', `0x000061d8')
-define(`ATMMPC_DATA', `0x000061d9')
-define(`ATM_NEWBACKENDIF', `0x400261f3')
-define(`ATM_QUERYLOOP', `0x40106154')
-define(`ATM_RSTADDR', `0x40106187')
-define(`ATM_SETBACKEND', `0x400261f2')
-define(`ATM_SETCIRANGE', `0x4010618b')
-define(`ATM_SETESI', `0x4010618c')
-define(`ATM_SETESIF', `0x4010618d')
-define(`ATM_SETLOOP', `0x40106153')
-define(`ATM_SETSC', `0x400461f1')
-define(`ATMSIGD_CTRL', `0x000061f0')
-define(`ATMTCP_CREATE', `0x0000618e')
-define(`ATMTCP_REMOVE', `0x0000618f')
-define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
-define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
-define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
-define(`AUDIO_CONTINUE', `0x00006f04')
-define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
-define(`AUDIO_GET_PTS', `0x80086f13')
-define(`AUDIO_GET_STATUS', `0x80206f0a')
-define(`AUDIO_PAUSE', `0x00006f03')
-define(`AUDIO_PLAY', `0x00006f02')
-define(`AUDIO_SELECT_SOURCE', `0x00006f05')
-define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
-define(`AUDIO_SET_AV_SYNC', `0x00006f07')
-define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
-define(`AUDIO_SET_EXT_ID', `0x00006f10')
-define(`AUDIO_SET_ID', `0x00006f0d')
-define(`AUDIO_SET_KARAOKE', `0x400c6f12')
-define(`AUDIO_SET_MIXER', `0x40086f0e')
-define(`AUDIO_SET_MUTE', `0x00006f06')
-define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
-define(`AUDIO_STOP', `0x00006f01')
-define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
-define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
-define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
-define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
-define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
-define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
-define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
-define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
-define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
-define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
-define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
-define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
-define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
-define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
-define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
-define(`AUTOFS_IOC_CATATONIC', `0x00009362')
-define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
-define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
-define(`AUTOFS_IOC_FAIL', `0x00009361')
-define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
-define(`AUTOFS_IOC_PROTOVER', `0x80049363')
-define(`AUTOFS_IOC_READY', `0x00009360')
-define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
-define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
-define(`BC_ACQUIRE', `0x40046305')
-define(`BC_ACQUIRE_DONE', `0x40106309')
-define(`BC_ACQUIRE_RESULT', `0x40046302')
-define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
-define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
-define(`BC_DEAD_BINDER_DONE', `0x40086310')
-define(`BC_DECREFS', `0x40046307')
-define(`BC_ENTER_LOOPER', `0x0000630c')
-define(`BC_EXIT_LOOPER', `0x0000630d')
-define(`BC_FREE_BUFFER', `0x40086303')
-define(`BC_INCREFS', `0x40046304')
-define(`BC_INCREFS_DONE', `0x40106308')
-define(`BC_REGISTER_LOOPER', `0x0000630b')
-define(`BC_RELEASE', `0x40046306')
-define(`BC_REPLY', `0x40406301')
-define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
-define(`BC_TRANSACTION', `0x40406300')
-define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
-define(`BINDER_FREEZE', `0x400c620e')
-define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
-define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
-define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
-define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
-define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
-define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
-define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
-define(`BINDER_SET_MAX_THREADS', `0x40046205')
-define(`BINDER_THREAD_EXIT', `0x40046208')
-define(`BINDER_VERSION', `0xc0046209')
-define(`BINDER_WRITE_READ', `0xc0306201')
-define(`BLKALIGNOFF', `0x0000127a')
-define(`BLKBSZGET', `0x80081270')
-define(`BLKBSZSET', `0x40081271')
-define(`BLKDISCARD', `0x00001277')
-define(`BLKDISCARDZEROES', `0x0000127c')
-define(`BLKFLSBUF', `0x00001261')
-define(`BLKFRAGET', `0x00001265')
-define(`BLKFRASET', `0x00001264')
-define(`BLKGETSIZE', `0x00001260')
-define(`BLKGETSIZE64', `0x80081272')
-define(`BLKI2OGRSTRAT', `0x80043201')
-define(`BLKI2OGWSTRAT', `0x80043202')
-define(`BLKI2OSRSTRAT', `0x40043203')
-define(`BLKI2OSWSTRAT', `0x40043204')
-define(`BLKIOMIN', `0x00001278')
-define(`BLKIOOPT', `0x00001279')
-define(`BLKPBSZGET', `0x0000127b')
-define(`BLKPG', `0x00001269')
-define(`BLKRAGET', `0x00001263')
-define(`BLKRASET', `0x00001262')
-define(`BLKROGET', `0x0000125e')
-define(`BLKROSET', `0x0000125d')
-define(`BLKROTATIONAL', `0x0000127e')
-define(`BLKRRPART', `0x0000125f')
-define(`BLKSECDISCARD', `0x0000127d')
-define(`BLKSECTGET', `0x00001267')
-define(`BLKSECTSET', `0x00001266')
-define(`BLKSSZGET', `0x00001268')
-define(`BLKTRACESETUP', `0xc0481273')
-define(`BLKTRACESTART', `0x00001274')
-define(`BLKTRACESTOP', `0x00001275')
-define(`BLKTRACETEARDOWN', `0x00001276')
-define(`BLKZEROOUT', `0x0000127f')
-define(`BR2684_SETFILT', `0x401c6190')
-define(`BR_ACQUIRE', `0x80107208')
-define(`BR_ACQUIRE_RESULT', `0x80047204')
-define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
-define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
-define(`BR_DEAD_BINDER', `0x8008720f')
-define(`BR_DEAD_REPLY', `0x00007205')
-define(`BR_DECREFS', `0x8010720a')
-define(`BR_ERROR', `0x80047200')
-define(`BR_FAILED_REPLY', `0x00007211')
-define(`BR_FINISHED', `0x0000720e')
-define(`BR_INCREFS', `0x80107207')
-define(`BR_NOOP', `0x0000720c')
-define(`BR_OK', `0x00007201')
-define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
-define(`BR_RELEASE', `0x80107209')
-define(`BR_REPLY', `0x80407203')
-define(`BR_SPAWN_LOOPER', `0x0000720d')
-define(`BR_TRANSACTION', `0x80407202')
-define(`BR_TRANSACTION_COMPLETE', `0x00007206')
-define(`BT819_FIFO_RESET_HIGH', `0x00006201')
-define(`BT819_FIFO_RESET_LOW', `0x00006200')
-define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
-define(`BTRFS_IOC_BALANCE', `0x5000940c')
-define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
-define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
-define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
-define(`BTRFS_IOC_CLONE', `0x40049409')
-define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
-define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
-define(`BTRFS_IOC_DEFRAG', `0x50009402')
-define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
-define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
-define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
-define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
-define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
-define(`BTRFS_IOC_FS_INFO', `0x8400941f')
-define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
-define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
-define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
-define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
-define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
-define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
-define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
-define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
-define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
-define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
-define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
-define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
-define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
-define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
-define(`BTRFS_IOC_RESIZE', `0x50009403')
-define(`BTRFS_IOC_RM_DEV', `0x5000940b')
-define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
-define(`BTRFS_IOC_SCRUB', `0xc400941b')
-define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
-define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
-define(`BTRFS_IOC_SEND', `0x40489426')
-define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
-define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
-define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
-define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
-define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
-define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
-define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
-define(`BTRFS_IOC_START_SYNC', `0x80089418')
-define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
-define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
-define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
-define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
-define(`BTRFS_IOC_SYNC', `0x00009408')
-define(`BTRFS_IOC_TRANS_END', `0x00009407')
-define(`BTRFS_IOC_TRANS_START', `0x00009406')
-define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
-define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
-define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
-define(`CA_GET_CAP', `0x80106f81')
-define(`CA_GET_DESCR_INFO', `0x80086f83')
-define(`CA_GET_MSG', `0x810c6f84')
-define(`CA_GET_SLOT_INFO', `0x800c6f82')
-define(`CAPI_CLR_FLAGS', `0x80044325')
-define(`CAPI_GET_ERRCODE', `0x80024321')
-define(`CAPI_GET_FLAGS', `0x80044323')
-define(`CAPI_GET_MANUFACTURER', `0xc0044306')
-define(`CAPI_GET_PROFILE', `0xc0404309')
-define(`CAPI_GET_SERIAL', `0xc0044308')
-define(`CAPI_GET_VERSION', `0xc0104307')
-define(`CAPI_INSTALLED', `0x80024322')
-define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
-define(`CAPI_NCCI_GETUNIT', `0x80044327')
-define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
-define(`CAPI_REGISTER', `0x400c4301')
-define(`CAPI_SET_FLAGS', `0x80044324')
-define(`CA_RESET', `0x00006f80')
-define(`CA_SEND_MSG', `0x410c6f85')
-define(`CA_SET_DESCR', `0x40106f86')
-define(`CA_SET_PID', `0x40086f87')
-define(`CCISS_BIG_PASSTHRU', `0xc0604212')
-define(`CCISS_DEREGDISK', `0x0000420c')
-define(`CCISS_GETBUSTYPES', `0x80044207')
-define(`CCISS_GETDRIVVER', `0x80044209')
-define(`CCISS_GETFIRMVER', `0x80044208')
-define(`CCISS_GETHEARTBEAT', `0x80044206')
-define(`CCISS_GETINTINFO', `0x80084202')
-define(`CCISS_GETLUNINFO', `0x800c4211')
-define(`CCISS_GETNODENAME', `0x80104204')
-define(`CCISS_GETPCIINFO', `0x80084201')
-define(`CCISS_PASSTHRU', `0xc058420b')
-define(`CCISS_REGNEWD', `0x0000420e')
-define(`CCISS_REGNEWDISK', `0x4004420d')
-define(`CCISS_RESCANDISK', `0x00004210')
-define(`CCISS_REVALIDVOLS', `0x0000420a')
-define(`CCISS_SETINTINFO', `0x40084203')
-define(`CCISS_SETNODENAME', `0x40104205')
-define(`CDROMAUDIOBUFSIZ', `0x00005382')
-define(`CDROM_CHANGER_NSLOTS', `0x00005328')
-define(`CDROM_CLEAR_OPTIONS', `0x00005321')
-define(`CDROMCLOSETRAY', `0x00005319')
-define(`CDROM_DEBUG', `0x00005330')
-define(`CDROM_DISC_STATUS', `0x00005327')
-define(`CDROM_DRIVE_STATUS', `0x00005326')
-define(`CDROMEJECT', `0x00005309')
-define(`CDROMEJECT_SW', `0x0000530f')
-define(`CDROM_GET_CAPABILITY', `0x00005331')
-define(`CDROM_GET_MCN', `0x00005311')
-define(`CDROMGETSPINDOWN', `0x0000531d')
-define(`CDROM_LAST_WRITTEN', `0x00005395')
-define(`CDROM_LOCKDOOR', `0x00005329')
-define(`CDROM_MEDIA_CHANGED', `0x00005325')
-define(`CDROMMULTISESSION', `0x00005310')
-define(`CDROM_NEXT_WRITABLE', `0x00005394')
-define(`CDROMPAUSE', `0x00005301')
-define(`CDROMPLAYBLK', `0x00005317')
-define(`CDROMPLAYMSF', `0x00005303')
-define(`CDROMPLAYTRKIND', `0x00005304')
-define(`CDROMREADALL', `0x00005318')
-define(`CDROMREADAUDIO', `0x0000530e')
-define(`CDROMREADCOOKED', `0x00005315')
-define(`CDROMREADMODE1', `0x0000530d')
-define(`CDROMREADMODE2', `0x0000530c')
-define(`CDROMREADRAW', `0x00005314')
-define(`CDROMREADTOCENTRY', `0x00005306')
-define(`CDROMREADTOCHDR', `0x00005305')
-define(`CDROMRESET', `0x00005312')
-define(`CDROMRESUME', `0x00005302')
-define(`CDROMSEEK', `0x00005316')
-define(`CDROM_SELECT_DISC', `0x00005323')
-define(`CDROM_SELECT_SPEED', `0x00005322')
-define(`CDROM_SEND_PACKET', `0x00005393')
-define(`CDROM_SET_OPTIONS', `0x00005320')
-define(`CDROMSETSPINDOWN', `0x0000531e')
-define(`CDROMSTART', `0x00005308')
-define(`CDROMSTOP', `0x00005307')
-define(`CDROMSUBCHNL', `0x0000530b')
-define(`CDROMVOLCTRL', `0x0000530a')
-define(`CDROMVOLREAD', `0x00005313')
-define(`CHIOEXCHANGE', `0x401c6302')
-define(`CHIOGELEM', `0x406c6310')
-define(`CHIOGPARAMS', `0x80146306')
-define(`CHIOGPICKER', `0x80046304')
-define(`CHIOGSTATUS', `0x40106308')
-define(`CHIOGVPARAMS', `0x80706313')
-define(`CHIOINITELEM', `0x00006311')
-define(`CHIOMOVE', `0x40146301')
-define(`CHIOPOSITION', `0x400c6303')
-define(`CHIOSPICKER', `0x40046305')
-define(`CHIOSVOLTAG', `0x40306312')
-define(`CIOC_KERNEL_VERSION', `0xc008630a')
-define(`CLEAR_ARRAY', `0x00000920')
-define(`CM_IOCARDOFF', `0x00006304')
-define(`CM_IOCGATR', `0xc0086301')
-define(`CM_IOCGSTATUS', `0x80086300')
-define(`CM_IOCSPTS', `0x40086302')
-define(`CM_IOCSRDR', `0x00006303')
-define(`CM_IOSDBGLVL', `0x400863fa')
-define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
-define(`CXL_IOCTL_START_WORK', `0x4040ca00')
-define(`DM_DEV_CREATE', `0xc138fd03')
-define(`DM_DEV_REMOVE', `0xc138fd04')
-define(`DM_DEV_RENAME', `0xc138fd05')
-define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
-define(`DM_DEV_STATUS', `0xc138fd07')
-define(`DM_DEV_SUSPEND', `0xc138fd06')
-define(`DM_DEV_WAIT', `0xc138fd08')
-define(`DM_LIST_DEVICES', `0xc138fd02')
-define(`DM_LIST_VERSIONS', `0xc138fd0d')
-define(`DM_REMOVE_ALL', `0xc138fd01')
-define(`DM_TABLE_CLEAR', `0xc138fd0a')
-define(`DM_TABLE_DEPS', `0xc138fd0b')
-define(`DM_TABLE_LOAD', `0xc138fd09')
-define(`DM_TABLE_STATUS', `0xc138fd0c')
-define(`DM_TARGET_MSG', `0xc138fd0e')
-define(`DM_VERSION', `0xc138fd00')
-define(`DMX_ADD_PID', `0x40026f33')
-define(`DMX_GET_CAPS', `0x80086f30')
-define(`DMX_GET_PES_PIDS', `0x800a6f2f')
-define(`DMX_GET_STC', `0xc0106f32')
-define(`DMX_REMOVE_PID', `0x40026f34')
-define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
-define(`DMX_SET_FILTER', `0x403c6f2b')
-define(`DMX_SET_PES_FILTER', `0x40146f2c')
-define(`DMX_SET_SOURCE', `0x40046f31')
-define(`DMX_START', `0x00006f29')
-define(`DMX_STOP', `0x00006f2a')
-define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
-define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
-define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
-define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
-define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
-define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
-define(`DRM_IOCTL_AGP_BIND', `0x40106436')
-define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
-define(`DRM_IOCTL_AGP_FREE', `0x40206435')
-define(`DRM_IOCTL_AGP_INFO', `0x80386433')
-define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
-define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
-define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
-define(`DRM_IOCTL_BLOCK', `0xc0046412')
-define(`DRM_IOCTL_CONTROL', `0x40086414')
-define(`DRM_IOCTL_DMA', `0xc0406429')
-define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
-define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
-define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
-define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
-define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
-define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
-define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
-define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
-define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
-define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
-define(`DRM_IOCTL_FINISH', `0x4008642c')
-define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
-define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
-define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
-define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
-define(`DRM_IOCTL_GET_CAP', `0xc010640c')
-define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
-define(`DRM_IOCTL_GET_CTX', `0xc0086423')
-define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
-define(`DRM_IOCTL_GET_MAP', `0xc0286404')
-define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
-define(`DRM_IOCTL_GET_STATS', `0x80f86406')
-define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
-define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
-define(`DRM_IOCTL_I810_COPY', `0x40106447')
-define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
-define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
-define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
-define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
-define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
-define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
-define(`DRM_IOCTL_I810_INIT', `0x40406440')
-define(`DRM_IOCTL_I810_MC', `0x4020644c')
-define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
-define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
-define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
-define(`DRM_IOCTL_I810_SWAP', `0x00006446')
-define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
-define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
-define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
-define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
-define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
-define(`DRM_IOCTL_I915_FLIP', `0x00006442')
-define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
-define(`DRM_IOCTL_I915_FREE', `0x40086449')
-define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
-define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
-define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
-define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
-define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
-define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
-define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
-define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
-define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
-define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
-define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
-define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
-define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
-define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
-define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
-define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
-define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
-define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
-define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
-define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
-define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
-define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
-define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
-define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
-define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
-define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
-define(`DRM_IOCTL_I915_INIT', `0x40446440')
-define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
-define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
-define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
-define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
-define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
-define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
-define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
-define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
-define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
-define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
-define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
-define(`DRM_IOCTL_LOCK', `0x4008642a')
-define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
-define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
-define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
-define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
-define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
-define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
-define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
-define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
-define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
-define(`DRM_IOCTL_MGA_INIT', `0x40806440')
-define(`DRM_IOCTL_MGA_RESET', `0x00006442')
-define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
-define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
-define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
-define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
-define(`DRM_IOCTL_MOD_CTX', `0x40086422')
-define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
-define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
-define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
-define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
-define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
-define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
-define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
-define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
-define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
-define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
-define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
-define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
-define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
-define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
-define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
-define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
-define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
-define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
-define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
-define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
-define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
-define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
-define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
-define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
-define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
-define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
-define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
-define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
-define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
-define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
-define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
-define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
-define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
-define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
-define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
-define(`DRM_IOCTL_NEW_CTX', `0x40086425')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
-define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
-define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
-define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
-define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
-define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
-define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
-define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
-define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
-define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
-define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
-define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
-define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
-define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
-define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
-define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
-define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
-define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
-define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
-define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
-define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
-define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
-define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
-define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
-define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
-define(`DRM_IOCTL_R128_FLIP', `0x00006453')
-define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
-define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
-define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
-define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
-define(`DRM_IOCTL_R128_INIT', `0x40786440')
-define(`DRM_IOCTL_R128_RESET', `0x00006446')
-define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
-define(`DRM_IOCTL_R128_SWAP', `0x00006447')
-define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
-define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
-define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
-define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
-define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
-define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
-define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
-define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
-define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
-define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
-define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
-define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
-define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
-define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
-define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
-define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
-define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
-define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
-define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
-define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
-define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
-define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
-define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
-define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
-define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
-define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
-define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
-define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
-define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
-define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
-define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
-define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
-define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
-define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
-define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
-define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
-define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
-define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
-define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
-define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
-define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
-define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
-define(`DRM_IOCTL_RES_CTX', `0xc0106426')
-define(`DRM_IOCTL_RM_CTX', `0xc0086421')
-define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
-define(`DRM_IOCTL_RM_MAP', `0x4028641b')
-define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
-define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
-define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
-define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
-define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
-define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
-define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
-define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
-define(`DRM_IOCTL_SG_FREE', `0x40106439')
-define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
-define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
-define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
-define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
-define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
-define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
-define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
-define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
-define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
-define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
-define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
-define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
-define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
-define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
-define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
-define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
-define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
-define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
-define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
-define(`DRM_IOCTL_UNLOCK', `0x4008642b')
-define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
-define(`DRM_IOCTL_VERSION', `0xc0406400')
-define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
-define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
-define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
-define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
-define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
-define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
-define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
-define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
-define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
-define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
-define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
-define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
-define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
-define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
-define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
-define(`DVD_AUTH', `0x00005392')
-define(`DVD_READ_STRUCT', `0x00005390')
-define(`DVD_WRITE_STRUCT', `0x00005391')
-define(`ECCGETLAYOUT', `0x81484d11')
-define(`ECCGETSTATS', `0x80104d12')
-define(`ENI_MEMDUMP', `0x40106160')
-define(`ENI_SETMULT', `0x40106167')
-define(`EVIOCGEFFECTS', `0x80044584')
-define(`EVIOCGID', `0x80084502')
-define(`EVIOCGKEYCODE', `0x80084504')
-define(`EVIOCGKEYCODE_V2', `0x80284504')
-define(`EVIOCGRAB', `0x40044590')
-define(`EVIOCGREP', `0x80084503')
-define(`EVIOCGVERSION', `0x80044501')
-define(`EVIOCREVOKE', `0x40044591')
-define(`EVIOCRMFF', `0x40044581')
-define(`EVIOCSCLOCKID', `0x400445a0')
-define(`EVIOCSFF', `0x40304580')
-define(`EVIOCSKEYCODE', `0x40084504')
-define(`EVIOCSKEYCODE_V2', `0x40284504')
-define(`EVIOCSREP', `0x40084503')
-define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
-define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
-define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
-define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
-define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
-define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
-define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
-define(`F2FS_IOC_DEFRAGMENT', `0xf508')
-define(`F2FS_IOC_MOVE_RANGE', `0xf509')
-define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
-define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
-define(`F2FS_IOC_GET_FEATURES', `0xf50c')
-define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
-define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
-define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
-define(`F2FS_IOC_RESIZE_FS', `0xf510')
-define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
-define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
-define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
-define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
-define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
-define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
-define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
-define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
-define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
-define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
-define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
-define(`FBIGET_BRIGHTNESS', `0x80044603')
-define(`FBIGET_COLOR', `0x80044605')
-define(`FBIO_ALLOC', `0x00004613')
-define(`FBIOBLANK', `0x00004611')
-define(`FBIO_CURSOR', `0xc0684608')
-define(`FBIO_FREE', `0x00004614')
-define(`FBIOGETCMAP', `0x00004604')
-define(`FBIOGET_CON2FBMAP', `0x0000460f')
-define(`FBIOGET_CONTRAST', `0x80044601')
-define(`FBIO_GETCONTROL2', `0x80084689')
-define(`FBIOGET_DISPINFO', `0x00004618')
-define(`FBIOGET_FSCREENINFO', `0x00004602')
-define(`FBIOGET_GLYPH', `0x00004615')
-define(`FBIOGET_HWCINFO', `0x00004616')
-define(`FBIOGET_VBLANK', `0x80204612')
-define(`FBIOGET_VSCREENINFO', `0x00004600')
-define(`FBIOPAN_DISPLAY', `0x00004606')
-define(`FBIOPUTCMAP', `0x00004605')
-define(`FBIOPUT_CON2FBMAP', `0x00004610')
-define(`FBIOPUT_CONTRAST', `0x40044602')
-define(`FBIOPUT_MODEINFO', `0x00004617')
-define(`FBIOPUT_VSCREENINFO', `0x00004601')
-define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
-define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
-define(`FBIO_WAITEVENT', `0x00004688')
-define(`FBIO_WAITFORVSYNC', `0x40044620')
-define(`FBIPUT_BRIGHTNESS', `0x40044603')
-define(`FBIPUT_COLOR', `0x40044606')
-define(`FBIPUT_HSYNC', `0x40044609')
-define(`FBIPUT_VSYNC', `0x4004460a')
-define(`FDCLRPRM', `0x00000241')
-define(`FDDEFPRM', `0x40200243')
-define(`FDEJECT', `0x0000025a')
-define(`FDFLUSH', `0x0000024b')
-define(`FDFMTBEG', `0x00000247')
-define(`FDFMTEND', `0x00000249')
-define(`FDFMTTRK', `0x400c0248')
-define(`FDGETDRVPRM', `0x80800211')
-define(`FDGETDRVSTAT', `0x80500212')
-define(`FDGETDRVTYP', `0x8010020f')
-define(`FDGETFDCSTAT', `0x80280215')
-define(`FDGETMAXERRS', `0x8014020e')
-define(`FDGETPRM', `0x80200204')
-define(`FDMSGOFF', `0x00000246')
-define(`FDMSGON', `0x00000245')
-define(`FDPOLLDRVSTAT', `0x80500213')
-define(`FDRAWCMD', `0x00000258')
-define(`FDRESET', `0x00000254')
-define(`FDSETDRVPRM', `0x40800290')
-define(`FDSETEMSGTRESH', `0x0000024a')
-define(`FDSETMAXERRS', `0x4014024c')
-define(`FDSETPRM', `0x40200242')
-define(`FDTWADDLE', `0x00000259')
-define(`FDWERRORCLR', `0x00000256')
-define(`FDWERRORGET', `0x80280217')
-define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
-define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
-define(`FE_DISEQC_SEND_BURST', `0x00006f41')
-define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
-define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
-define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
-define(`FE_GET_EVENT', `0x80286f4e')
-define(`FE_GET_FRONTEND', `0x80246f4d')
-define(`FE_GET_INFO', `0x80a86f3d')
-define(`FE_GET_PROPERTY', `0x80106f53')
-define(`FE_READ_BER', `0x80046f46')
-define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
-define(`FE_READ_SNR', `0x80026f48')
-define(`FE_READ_STATUS', `0x80046f45')
-define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
-define(`FE_SET_FRONTEND', `0x40246f4c')
-define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
-define(`FE_SET_PROPERTY', `0x40106f52')
-define(`FE_SET_TONE', `0x00006f42')
-define(`FE_SET_VOLTAGE', `0x00006f43')
-define(`FIBMAP', `0x00000001')
-define(`FIFREEZE', `0xc0045877')
-define(`FIGETBSZ', `0x00000002')
-define(`FIOASYNC', `0x00005452')
-define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
-define(`FIOGETOWN', `0x00008903')
-define(`FIONBIO', `0x00005421')
-define(`FIONCLEX', ifelse(target_arch, mips, 0x00006602, 0x00005450))
-define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
-define(`FIOQSIZE', `0x00005460')
-define(`FIOSETOWN', `0x00008901')
-define(`FITHAW', `0xc0045878')
-define(`FITRIM', `0xc0185879')
-define(`FS_IOC32_GETFLAGS', `0x80046601')
-define(`FS_IOC32_GETVERSION', `0x80047601')
-define(`FS_IOC32_SETFLAGS', `0x40046602')
-define(`FS_IOC32_SETVERSION', `0x40047602')
-define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
-define(`FS_IOC_ENABLE_VERITY', `0x6685')
-define(`FS_IOC_FIEMAP', `0xc020660b')
-define(`FS_IOC_FSGETXATTR', `0x801c581f')
-define(`FS_IOC_FSSETXATTR', `0x401c5820')
-define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
-define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
-define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
-define(`FS_IOC_GETFLAGS', `0x80086601')
-define(`FS_IOC_GETVERSION', `0x80087601')
-define(`FS_IOC_MEASURE_VERITY', `0x6686')
-define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
-define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SETFLAGS', `0x40086602')
-define(`FS_IOC_SETVERSION', `0x40087602')
-define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
-define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
-define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
-define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
-define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
-define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
-define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
-define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
-define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
-define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
-define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
-define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
-define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
-define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
-define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
-define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
-define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
-define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
-define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
-define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
-define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
-define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
-define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
-define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
-define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
-define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
-define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
-define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
-define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
-define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
-define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
-define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
-define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
-define(`GADGETFS_CLEAR_HALT', `0x00006703')
-define(`GADGETFS_FIFO_FLUSH', `0x00006702')
-define(`GADGETFS_FIFO_STATUS', `0x00006701')
-define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
-define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
-define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
-define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
-define(`GENWQE_GET_CARD_STATE', `0x8004a524')
-define(`GENWQE_PIN_MEM', `0xc020a528')
-define(`GENWQE_READ_REG16', `0x8010a522')
-define(`GENWQE_READ_REG32', `0x8010a520')
-define(`GENWQE_READ_REG64', `0x8010a51e')
-define(`GENWQE_SLU_READ', `0xc038a551')
-define(`GENWQE_SLU_UPDATE', `0xc038a550')
-define(`GENWQE_UNPIN_MEM', `0xc020a529')
-define(`GENWQE_WRITE_REG16', `0x4010a523')
-define(`GENWQE_WRITE_REG32', `0x4010a521')
-define(`GENWQE_WRITE_REG64', `0x4010a51f')
-define(`GET_ARRAY_INFO', `0x80480911')
-define(`GET_BITMAP_FILE', `0x90000915')
-define(`GET_DISK_INFO', `0x80140912')
-define(`GIGASET_BRKCHARS', `0x40064702')
-define(`GIGASET_CONFIG', `0xc0044701')
-define(`GIGASET_REDIR', `0xc0044700')
-define(`GIGASET_VERSION', `0xc0104703')
-define(`GIO_CMAP', `0x00004b70')
-define(`GIO_FONT', `0x00004b60')
-define(`GIO_FONTX', `0x00004b6b')
-define(`GIO_SCRNMAP', `0x00004b40')
-define(`GIO_UNIMAP', `0x00004b66')
-define(`GIO_UNISCRNMAP', `0x00004b69')
-define(`GSMIOC_DISABLE_NET', `0x00004703')
-define(`GSMIOC_ENABLE_NET', `0x40344702')
-define(`GSMIOC_GETCONF', `0x804c4700')
-define(`GSMIOC_SETCONF', `0x404c4701')
-define(`HCIBLOCKADDR', `0x400448e6')
-define(`HCIDEVDOWN', `0x400448ca')
-define(`HCIDEVRESET', `0x400448cb')
-define(`HCIDEVRESTAT', `0x400448cc')
-define(`HCIDEVUP', `0x400448c9')
-define(`HCIGETAUTHINFO', `0x800448d7')
-define(`HCIGETCONNINFO', `0x800448d5')
-define(`HCIGETCONNLIST', `0x800448d4')
-define(`HCIGETDEVINFO', `0x800448d3')
-define(`HCIGETDEVLIST', `0x800448d2')
-define(`HCIINQUIRY', `0x800448f0')
-define(`HCISETACLMTU', `0x400448e3')
-define(`HCISETAUTH', `0x400448de')
-define(`HCISETENCRYPT', `0x400448df')
-define(`HCISETLINKMODE', `0x400448e2')
-define(`HCISETLINKPOL', `0x400448e1')
-define(`HCISETPTYPE', `0x400448e0')
-define(`HCISETRAW', `0x400448dc')
-define(`HCISETSCAN', `0x400448dd')
-define(`HCISETSCOMTU', `0x400448e4')
-define(`HCIUNBLOCKADDR', `0x400448e7')
-define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
-define(`HDA_IOCTL_PVERSION', `0x80044810')
-define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
-define(`HDIO_DRIVE_CMD', `0x0000031f')
-define(`HDIO_DRIVE_RESET', `0x0000031c')
-define(`HDIO_DRIVE_TASK', `0x0000031e')
-define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
-define(`HDIO_GET_32BIT', `0x00000309')
-define(`HDIO_GET_ACOUSTIC', `0x0000030f')
-define(`HDIO_GET_ADDRESS', `0x00000310')
-define(`HDIO_GET_BUSSTATE', `0x0000031a')
-define(`HDIO_GET_DMA', `0x0000030b')
-define(`HDIO_GETGEO', `0x00000301')
-define(`HDIO_GET_IDENTITY', `0x0000030d')
-define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
-define(`HDIO_GET_MULTCOUNT', `0x00000304')
-define(`HDIO_GET_NICE', `0x0000030c')
-define(`HDIO_GET_NOWERR', `0x0000030a')
-define(`HDIO_GET_QDMA', `0x00000305')
-define(`HDIO_GET_UNMASKINTR', `0x00000302')
-define(`HDIO_GET_WCACHE', `0x0000030e')
-define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
-define(`HDIO_SCAN_HWIF', `0x00000328')
-define(`HDIO_SET_32BIT', `0x00000324')
-define(`HDIO_SET_ACOUSTIC', `0x0000032c')
-define(`HDIO_SET_ADDRESS', `0x0000032f')
-define(`HDIO_SET_BUSSTATE', `0x0000032d')
-define(`HDIO_SET_DMA', `0x00000326')
-define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
-define(`HDIO_SET_MULTCOUNT', `0x00000321')
-define(`HDIO_SET_NICE', `0x00000329')
-define(`HDIO_SET_NOWERR', `0x00000325')
-define(`HDIO_SET_PIO_MODE', `0x00000327')
-define(`HDIO_SET_QDMA', `0x0000032e')
-define(`HDIO_SET_UNMASKINTR', `0x00000322')
-define(`HDIO_SET_WCACHE', `0x0000032b')
-define(`HDIO_SET_XFER', `0x00000306')
-define(`HDIO_TRISTATE_HWIF', `0x0000031b')
-define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
-define(`HE_GET_REG', `0x40106160')
-define(`HIDIOCAPPLICATION', `0x00004802')
-define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
-define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
-define(`HIDIOCGDEVINFO', `0x801c4803')
-define(`HIDIOCGFIELDINFO', `0xc038480a')
-define(`HIDIOCGFLAG', `0x8004480e')
-define(`HIDIOCGRAWINFO', `0x80084803')
-define(`HIDIOCGRDESC', `0x90044802')
-define(`HIDIOCGRDESCSIZE', `0x80044801')
-define(`HIDIOCGREPORT', `0x400c4807')
-define(`HIDIOCGREPORTINFO', `0xc00c4809')
-define(`HIDIOCGSTRING', `0x81044804')
-define(`HIDIOCGUCODE', `0xc018480d')
-define(`HIDIOCGUSAGE', `0xc018480b')
-define(`HIDIOCGUSAGES', `0xd01c4813')
-define(`HIDIOCGVERSION', `0x80044801')
-define(`HIDIOCINITREPORT', `0x00004805')
-define(`HIDIOCSFLAG', `0x4004480f')
-define(`HIDIOCSREPORT', `0x400c4808')
-define(`HIDIOCSUSAGE', `0x4018480c')
-define(`HIDIOCSUSAGES', `0x501c4814')
-define(`HOT_ADD_DISK', `0x00000928')
-define(`HOT_GENERATE_ERROR', `0x0000092a')
-define(`HOT_REMOVE_DISK', `0x00000922')
-define(`HPET_DPI', `0x00006805')
-define(`HPET_EPI', `0x00006804')
-define(`HPET_IE_OFF', `0x00006802')
-define(`HPET_IE_ON', `0x00006801')
-define(`HPET_INFO', `0x80186803')
-define(`HPET_IRQFREQ', `0x40086806')
-define(`HSC_GET_RX', `0x400c6b14')
-define(`HSC_GET_TX', `0x40106b16')
-define(`HSC_RESET', `0x00006b10')
-define(`HSC_SEND_BREAK', `0x00006b12')
-define(`HSC_SET_PM', `0x00006b11')
-define(`HSC_SET_RX', `0x400c6b13')
-define(`HSC_SET_TX', `0x40106b15')
-define(`I2OEVTGET', `0x8068690b')
-define(`I2OEVTREG', `0x400c690a')
-define(`I2OGETIOPS', `0x80206900')
-define(`I2OHRTGET', `0xc0186901')
-define(`I2OHTML', `0xc0306909')
-define(`I2OLCTGET', `0xc0186902')
-define(`I2OPARMGET', `0xc0286904')
-define(`I2OPARMSET', `0xc0286903')
-define(`I2OPASSTHRU', `0x8010690c')
-define(`I2OPASSTHRU32', `0x8008690c')
-define(`I2OSWDEL', `0xc0306907')
-define(`I2OSWDL', `0xc0306905')
-define(`I2OSWUL', `0xc0306906')
-define(`I2OVALIDATE', `0x80046908')
-define(`I8K_BIOS_VERSION', `0x80046980')
-define(`I8K_FN_STATUS', `0x80086983')
-define(`I8K_GET_FAN', `0xc0086986')
-define(`I8K_GET_SPEED', `0xc0086985')
-define(`I8K_GET_TEMP', `0x80086984')
-define(`I8K_MACHINE_ID', `0x80046981')
-define(`I8K_POWER_STATUS', `0x80086982')
-define(`I8K_SET_FAN', `0xc0086987')
-define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
-define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
-define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
-define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
-define(`IDT77105_GETSTAT', `0x40106132')
-define(`IDT77105_GETSTATZ', `0x40106133')
-define(`IIOCDBGVAR', `0x0000497f')
-define(`IIOCDRVCTL', `0x00004980')
-define(`IIOCGETCPS', `0x00004915')
-define(`IIOCGETDVR', `0x00004916')
-define(`IIOCGETMAP', `0x00004911')
-define(`IIOCGETPRF', `0x0000490f')
-define(`IIOCGETSET', `0x00004908')
-define(`IIOCNETAIF', `0x00004901')
-define(`IIOCNETALN', `0x00004920')
-define(`IIOCNETANM', `0x00004905')
-define(`IIOCNETASL', `0x00004913')
-define(`IIOCNETDIF', `0x00004902')
-define(`IIOCNETDIL', `0x00004914')
-define(`IIOCNETDLN', `0x00004921')
-define(`IIOCNETDNM', `0x00004906')
-define(`IIOCNETDWRSET', `0x00004918')
-define(`IIOCNETGCF', `0x00004904')
-define(`IIOCNETGNM', `0x00004907')
-define(`IIOCNETGPN', `0x00004922')
-define(`IIOCNETHUP', `0x0000490b')
-define(`IIOCNETLCR', `0x00004917')
-define(`IIOCNETSCF', `0x00004903')
-define(`IIOCSETBRJ', `0x0000490d')
-define(`IIOCSETGST', `0x0000490c')
-define(`IIOCSETMAP', `0x00004912')
-define(`IIOCSETPRF', `0x00004910')
-define(`IIOCSETSET', `0x00004909')
-define(`IIOCSETVER', `0x0000490a')
-define(`IIOCSIGPRF', `0x0000490e')
-define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
-define(`IMADDTIMER', `0x80044940')
-define(`IMCLEAR_L2', `0x80044946')
-define(`IMCTRLREQ', `0x80044945')
-define(`IMDELTIMER', `0x80044941')
-define(`IMGETCOUNT', `0x80044943')
-define(`IMGETDEVINFO', `0x80044944')
-define(`IMGETVERSION', `0x80044942')
-define(`IMHOLD_L1', `0x80044948')
-define(`IMSETDEVNAME', `0x80184947')
-define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
-define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
-define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
-define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
-define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
-define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
-define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
-define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
-define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
-define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
-define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
-define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
-define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
-define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
-define(`IOCTL_EVTCHN_RESET', `0x00004505')
-define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
-define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
-define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
-define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
-define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
-define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
-define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
-define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
-define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
-define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
-define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
-define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
-define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
-define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
-define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
-define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
-define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
-define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
-define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
-define(`IOCTL_VMCI_VERSION', `0x0000079f')
-define(`IOCTL_VMCI_VERSION2', `0x000007a7')
-define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
-define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
-define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
-define(`ION_IOC_ALLOC', `0xc0204900')
-define(`ION_IOC_CUSTOM', `0xc0104906')
-define(`ION_IOC_FREE', `0xc0044901')
-define(`ION_IOC_IMPORT', `0xc0084905')
-define(`ION_IOC_MAP', `0xc0084902')
-define(`ION_IOC_SHARE', `0xc0084904')
-define(`ION_IOC_SYNC', `0xc0084907')
-define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
-define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
-define(`ION_IOC_TEST_SET_FD', `0x000049f0')
-define(`IOW_GETINFO', `0x8028c003')
-define(`IOW_READ', `0x4008c002')
-define(`IOW_WRITE', `0x4008c001')
-define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
-define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
-define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
-define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
-define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
-define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
-define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
-define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
-define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
-define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
-define(`IPMICTL_SEND_COMMAND', `0x8028690d')
-define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
-define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
-define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
-define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
-define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
-define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
-define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
-define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
-define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
-define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
-define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
-define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
-define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
-define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
-define(`IXJCTL_AEC_START', `0x400471cb')
-define(`IXJCTL_AEC_STOP', `0x000071cc')
-define(`IXJCTL_CARDTYPE', `0x800471c1')
-define(`IXJCTL_CID', `0x800871d4')
-define(`IXJCTL_CIDCW', `0x400871d9')
-define(`IXJCTL_DAA_AGAIN', `0x400471d2')
-define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
-define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
-define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
-define(`IXJCTL_DSP_IDLE', `0x000071c5')
-define(`IXJCTL_DSP_RESET', `0x000071c0')
-define(`IXJCTL_DSP_TYPE', `0x800471c3')
-define(`IXJCTL_DSP_VERSION', `0x800471c4')
-define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
-define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
-define(`IXJCTL_FRAMES_READ', `0x800871e2')
-define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
-define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
-define(`IXJCTL_HZ', `0x400471e0')
-define(`IXJCTL_INIT_TONE', `0x400871c9')
-define(`IXJCTL_INTERCOM_START', `0x400471fd')
-define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
-define(`IXJCTL_MIXER', `0x400471cf')
-define(`IXJCTL_PLAY_CID', `0x000071d7')
-define(`IXJCTL_PORT', `0x400471d1')
-define(`IXJCTL_POTS_PSTN', `0x400471d5')
-define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
-define(`IXJCTL_RATE', `0x400471e1')
-define(`IXJCTL_READ_WAIT', `0x800871e4')
-define(`IXJCTL_SC_RXG', `0x400471ea')
-define(`IXJCTL_SC_TXG', `0x400471eb')
-define(`IXJCTL_SERIAL', `0x800471c2')
-define(`IXJCTL_SET_FILTER', `0x400871c7')
-define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
-define(`IXJCTL_SET_LED', `0x400471ce')
-define(`IXJCTL_SIGCTL', `0x400871e9')
-define(`IXJCTL_TESTRAM', `0x000071c6')
-define(`IXJCTL_TONE_CADENCE', `0x400871ca')
-define(`IXJCTL_VERSION', `0x800871da')
-define(`IXJCTL_VMWI', `0x800471d8')
-define(`IXJCTL_WRITE_WAIT', `0x800871e5')
-define(`JSIOCGAXES', `0x80016a11')
-define(`JSIOCGAXMAP', `0x80406a32')
-define(`JSIOCGBTNMAP', `0x84006a34')
-define(`JSIOCGBUTTONS', `0x80016a12')
-define(`JSIOCGCORR', `0x80246a22')
-define(`JSIOCGVERSION', `0x80046a01')
-define(`JSIOCSAXMAP', `0x40406a31')
-define(`JSIOCSBTNMAP', `0x44006a33')
-define(`JSIOCSCORR', `0x40246a21')
-define(`KCOV_DISABLE', `0x00006365')
-define(`KCOV_ENABLE', `0x00006364')
-define(`KCOV_INIT_TRACE', `0x80086301')
-define(`KDADDIO', `0x00004b34')
-define(`KDDELIO', `0x00004b35')
-define(`KDDISABIO', `0x00004b37')
-define(`KDENABIO', `0x00004b36')
-define(`KDFONTOP', `0x00004b72')
-define(`KDGETKEYCODE', `0x00004b4c')
-define(`KDGETLED', `0x00004b31')
-define(`KDGETMODE', `0x00004b3b')
-define(`KDGKBDIACR', `0x00004b4a')
-define(`KDGKBDIACRUC', `0x00004bfa')
-define(`KDGKBENT', `0x00004b46')
-define(`KDGKBLED', `0x00004b64')
-define(`KDGKBMETA', `0x00004b62')
-define(`KDGKBMODE', `0x00004b44')
-define(`KDGKBSENT', `0x00004b48')
-define(`KDGKBTYPE', `0x00004b33')
-define(`KDKBDREP', `0x00004b52')
-define(`KDMAPDISP', `0x00004b3c')
-define(`KDMKTONE', `0x00004b30')
-define(`KDSETKEYCODE', `0x00004b4d')
-define(`KDSETLED', `0x00004b32')
-define(`KDSETMODE', `0x00004b3a')
-define(`KDSIGACCEPT', `0x00004b4e')
-define(`KDSKBDIACR', `0x00004b4b')
-define(`KDSKBDIACRUC', `0x00004bfb')
-define(`KDSKBENT', `0x00004b47')
-define(`KDSKBLED', `0x00004b65')
-define(`KDSKBMETA', `0x00004b63')
-define(`KDSKBMODE', `0x00004b45')
-define(`KDSKBSENT', `0x00004b49')
-define(`KDUNMAPDISP', `0x00004b3d')
-define(`KIOCSOUND', `0x00004b2f')
-define(`KVM_ALLOCATE_RMA', `0x8008aea9')
-define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
-define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
-define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
-define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
-define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
-define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
-define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
-define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
-define(`KVM_CHECK_EXTENSION', `0x0000ae03')
-define(`KVM_CREATE_DEVICE', `0xc00caee0')
-define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
-define(`KVM_CREATE_PIT', `0x0000ae64')
-define(`KVM_CREATE_PIT2', `0x4040ae77')
-define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
-define(`KVM_CREATE_VCPU', `0x0000ae41')
-define(`KVM_CREATE_VM', `0x0000ae01')
-define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
-define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
-define(`KVM_DIRTY_TLB', `0x4010aeaa')
-define(`KVM_ENABLE_CAP', `0x4068aea3')
-define(`KVM_GET_API_VERSION', `0x0000ae00')
-define(`KVM_GET_CLOCK', `0x8030ae7c')
-define(`KVM_GET_CPUID2', `0xc008ae91')
-define(`KVM_GET_DEBUGREGS', `0x8080aea1')
-define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
-define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
-define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
-define(`KVM_GET_FPU', `0x81a0ae8c')
-define(`KVM_GET_IRQCHIP', `0xc208ae62')
-define(`KVM_GET_LAPIC', `0x8400ae8e')
-define(`KVM_GET_MP_STATE', `0x8004ae98')
-define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
-define(`KVM_GET_MSRS', `0xc008ae88')
-define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
-define(`KVM_GET_ONE_REG', `0x4010aeab')
-define(`KVM_GET_PIT', `0xc048ae65')
-define(`KVM_GET_PIT2', `0x8070ae9f')
-define(`KVM_GET_REG_LIST', `0xc008aeb0')
-define(`KVM_GET_REGS', `0x8090ae81')
-define(`KVM_GET_SREGS', `0x8138ae83')
-define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
-define(`KVM_GET_TSC_KHZ', `0x0000aea3')
-define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
-define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
-define(`KVM_GET_XCRS', `0x8188aea6')
-define(`KVM_GET_XSAVE', `0x9000aea4')
-define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
-define(`KVM_INTERRUPT', `0x4004ae86')
-define(`KVM_IOEVENTFD', `0x4040ae79')
-define(`KVM_IRQFD', `0x4020ae76')
-define(`KVM_IRQ_LINE', `0x4008ae61')
-define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
-define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
-define(`KVM_NMI', `0x0000ae9a')
-define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
-define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
-define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
-define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
-define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
-define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
-define(`KVM_REINJECT_CONTROL', `0x0000ae71')
-define(`KVM_RUN', `0x0000ae80')
-define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
-define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
-define(`KVM_S390_INTERRUPT', `0x4010ae94')
-define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
-define(`KVM_S390_STORE_STATUS', `0x4008ae95')
-define(`KVM_S390_UCAS_MAP', `0x4018ae50')
-define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
-define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
-define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
-define(`KVM_SET_CLOCK', `0x4030ae7b')
-define(`KVM_SET_CPUID', `0x4008ae8a')
-define(`KVM_SET_CPUID2', `0x4008ae90')
-define(`KVM_SET_DEBUGREGS', `0x4080aea2')
-define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
-define(`KVM_SET_FPU', `0x41a0ae8d')
-define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
-define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
-define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
-define(`KVM_SET_IRQCHIP', `0x8208ae63')
-define(`KVM_SET_LAPIC', `0x4400ae8f')
-define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
-define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
-define(`KVM_SET_MP_STATE', `0x4004ae99')
-define(`KVM_SET_MSRS', `0x4008ae89')
-define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
-define(`KVM_SET_ONE_REG', `0x4010aeac')
-define(`KVM_SET_PIT', `0x8048ae66')
-define(`KVM_SET_PIT2', `0x4070aea0')
-define(`KVM_SET_REGS', `0x4090ae82')
-define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
-define(`KVM_SET_SREGS', `0x4138ae84')
-define(`KVM_SET_TSC_KHZ', `0x0000aea2')
-define(`KVM_SET_TSS_ADDR', `0x0000ae47')
-define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
-define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
-define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
-define(`KVM_SET_XCRS', `0x4188aea7')
-define(`KVM_SET_XSAVE', `0x5000aea5')
-define(`KVM_SIGNAL_MSI', `0x4020aea5')
-define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
-define(`KVM_TRANSLATE', `0xc018ae85')
-define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
-define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
-define(`KVM_X86_SET_MCE', `0x4040ae9e')
-define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
-define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
-define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
-define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
-define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
-define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
-define(`KYRO_IOCTL_STRIDE', `0x00006b05')
-define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
-define(`LIRC_GET_FEATURES', `0x80046900')
-define(`LIRC_GET_LENGTH', `0x8004690f')
-define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
-define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
-define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
-define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
-define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
-define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
-define(`LIRC_GET_REC_CARRIER', `0x80046904')
-define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
-define(`LIRC_GET_REC_MODE', `0x80046902')
-define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
-define(`LIRC_GET_SEND_CARRIER', `0x80046903')
-define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
-define(`LIRC_GET_SEND_MODE', `0x80046901')
-define(`LIRC_NOTIFY_DECODE', `0x00006920')
-define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
-define(`LIRC_SET_REC_CARRIER', `0x40046914')
-define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
-define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
-define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
-define(`LIRC_SET_REC_FILTER', `0x4004691c')
-define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
-define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
-define(`LIRC_SET_REC_MODE', `0x40046912')
-define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
-define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
-define(`LIRC_SET_SEND_CARRIER', `0x40046913')
-define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
-define(`LIRC_SET_SEND_MODE', `0x40046911')
-define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
-define(`LIRC_SETUP_END', `0x00006922')
-define(`LIRC_SETUP_START', `0x00006921')
-define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
-define(`LOGGER_FLUSH_LOG', `0x0000ae04')
-define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
-define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
-define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
-define(`LOGGER_GET_VERSION', `0x0000ae05')
-define(`LOGGER_SET_VERSION', `0x0000ae06')
-define(`LOOP_CHANGE_FD', `0x00004c06')
-define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_CONFIGURE', `0x00004c0a')
-define(`LOOP_CTL_ADD', `0x00004c80')
-define(`LOOP_CTL_GET_FREE', `0x00004c82')
-define(`LOOP_CTL_REMOVE', `0x00004c81')
-define(`LOOP_GET_STATUS', `0x00004c03')
-define(`LOOP_GET_STATUS64', `0x00004c05')
-define(`LOOP_SET_BLOCK_SIZE', `0x00004c09')
-define(`LOOP_SET_CAPACITY', `0x00004c07')
-define(`LOOP_SET_DIRECT_IO', `0x00004c08')
-define(`LOOP_SET_FD', `0x00004c00')
-define(`LOOP_SET_STATUS', `0x00004c02')
-define(`LOOP_SET_STATUS64', `0x00004c04')
-define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
-define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
-define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
-define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
-define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
-define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
-define(`MBXFB_IOCG_ALPHA', `0x8018f401')
-define(`MBXFB_IOCS_ALPHA', `0x4018f402')
-define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
-define(`MBXFB_IOCS_REG', `0x400cf404')
-define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
-define(`MBXFB_IOCX_REG', `0xc00cf405')
-define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
-define(`MCE_GET_LOG_LEN', `0x80044d02')
-define(`MCE_GET_RECORD_LEN', `0x80044d01')
-define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
-define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
-define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
-define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
-define(`MEMERASE', `0x40084d02')
-define(`MEMERASE64', `0x40104d14')
-define(`MEMGETBADBLOCK', `0x40084d0b')
-define(`MEMGETINFO', `0x80204d01')
-define(`MEMGETOOBSEL', `0x80c84d0a')
-define(`MEMGETREGIONCOUNT', `0x80044d07')
-define(`MEMGETREGIONINFO', `0xc0104d08')
-define(`MEMISLOCKED', `0x80084d17')
-define(`MEMLOCK', `0x40084d05')
-define(`MEMREADOOB', `0xc0104d04')
-define(`MEMREADOOB64', `0xc0184d16')
-define(`MEMSETBADBLOCK', `0x40084d0c')
-define(`MEMUNLOCK', `0x40084d06')
-define(`MEMWRITE', `0xc0304d18')
-define(`MEMWRITEOOB', `0xc0104d03')
-define(`MEMWRITEOOB64', `0xc0184d15')
-define(`MEYEIOC_G_PARAMS', `0x800676c0')
-define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
-define(`MEYEIOC_S_PARAMS', `0x400676c1')
-define(`MEYEIOC_STILLCAPT', `0x000076c4')
-define(`MEYEIOC_STILLJCAPT', `0x800476c5')
-define(`MEYEIOC_SYNC', `0xc00476c3')
-define(`MFB_GET_ALPHA', `0x80014d00')
-define(`MFB_GET_AOID', `0x80084d04')
-define(`MFB_GET_GAMMA', `0x80014d01')
-define(`MFB_GET_PIXFMT', `0x80044d08')
-define(`MFB_SET_ALPHA', `0x40014d00')
-define(`MFB_SET_AOID', `0x40084d04')
-define(`MFB_SET_BRIGHTNESS', `0x40014d03')
-define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
-define(`MFB_SET_GAMMA', `0x40014d01')
-define(`MFB_SET_PIXFMT', `0x40044d08')
-define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
-define(`MGSL_IOCGGPIO', `0x80106d11')
-define(`MGSL_IOCGIF', `0x00006d0b')
-define(`MGSL_IOCGPARAMS', `0x80306d01')
-define(`MGSL_IOCGSTATS', `0x00006d07')
-define(`MGSL_IOCGTXIDLE', `0x00006d03')
-define(`MGSL_IOCGXCTRL', `0x00006d16')
-define(`MGSL_IOCGXSYNC', `0x00006d14')
-define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
-define(`MGSL_IOCRXENABLE', `0x00006d05')
-define(`MGSL_IOCSGPIO', `0x40106d10')
-define(`MGSL_IOCSIF', `0x00006d0a')
-define(`MGSL_IOCSPARAMS', `0x40306d00')
-define(`MGSL_IOCSTXIDLE', `0x00006d02')
-define(`MGSL_IOCSXCTRL', `0x00006d15')
-define(`MGSL_IOCSXSYNC', `0x00006d13')
-define(`MGSL_IOCTXABORT', `0x00006d06')
-define(`MGSL_IOCTXENABLE', `0x00006d04')
-define(`MGSL_IOCWAITEVENT', `0xc0046d08')
-define(`MGSL_IOCWAITGPIO', `0xc0106d12')
-define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
-define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
-define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
-define(`MMC_IOC_CMD', `0xc048b300')
-define(`MMTIMER_GETBITS', `0x00006d04')
-define(`MMTIMER_GETCOUNTER', `0x80086d09')
-define(`MMTIMER_GETFREQ', `0x80086d02')
-define(`MMTIMER_GETOFFSET', `0x00006d00')
-define(`MMTIMER_GETRES', `0x80086d01')
-define(`MMTIMER_MMAPAVAIL', `0x00006d06')
-define(`MSMFB_BLIT', `0x40046d02')
-define(`MSMFB_GRP_DISP', `0x40046d01')
-define(`MTDFILEMODE', `0x00004d13')
-define(`MTIOCGET', `0x80306d02')
-define(`MTIOCPOS', `0x80086d03')
-define(`MTIOCTOP', `0x40086d01')
-define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
-define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
-define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
-define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
-define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
-define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
-define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
-define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
-define(`MTRRIOC_SET_ENTRY', `0x40104d01')
-define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
-define(`NBD_CLEAR_QUE', `0x0000ab05')
-define(`NBD_CLEAR_SOCK', `0x0000ab04')
-define(`NBD_DISCONNECT', `0x0000ab08')
-define(`NBD_DO_IT', `0x0000ab03')
-define(`NBD_PRINT_DEBUG', `0x0000ab06')
-define(`NBD_SET_BLKSIZE', `0x0000ab01')
-define(`NBD_SET_FLAGS', `0x0000ab0a')
-define(`NBD_SET_SIZE', `0x0000ab02')
-define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
-define(`NBD_SET_SOCK', `0x0000ab00')
-define(`NBD_SET_TIMEOUT', `0x0000ab09')
-define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
-define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
-define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
-define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
-define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
-define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
-define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
-define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
-define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
-define(`NCP_IOC_GETROOT', `0x400c6e08')
-define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
-define(`NCP_IOC_NCPREQUEST', `0x80106e01')
-define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
-define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
-define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
-define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
-define(`NCP_IOC_SETROOT', `0x800c6e08')
-define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
-define(`NCP_IOC_SIGN_INIT', `0x80186e05')
-define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
-define(`NET_ADD_IF', `0xc0066f34')
-define(`NET_GET_IF', `0xc0066f36')
-define(`NET_REMOVE_IF', `0x00006f35')
-define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
-define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
-define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
-define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
-define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
-define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
-define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
-define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
-define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
-define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
-define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
-define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
-define(`NILFS_IOCTL_SYNC', `0x80086e8a')
-define(`NS_ADJBUFLEV', `0x00006163')
-define(`NS_GETPSTAT', `0xc0106161')
-define(`NS_SETBUFLEV', `0x40106162')
-define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
-define(`NVME_IOCTL_ID', `0x00004e40')
-define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
-define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
-define(`NVRAM_INIT', `0x00007040')
-define(`NVRAM_SETCKS', `0x00007041')
-define(`OLD_PHONE_RING_START', `0x00007187')
-define(`OMAPFB_CTRL_TEST', `0x40044f2e')
-define(`OMAPFB_GET_CAPS', `0x800c4f2a')
-define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
-define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
-define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
-define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
-define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
-define(`OMAPFB_LCD_TEST', `0x40044f2d')
-define(`OMAPFB_MEMORY_READ', `0x80184f3a')
-define(`OMAPFB_MIRROR', `0x40044f1f')
-define(`OMAPFB_QUERY_MEM', `0x40084f38')
-define(`OMAPFB_QUERY_PLANE', `0x40444f35')
-define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
-define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
-define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
-define(`OMAPFB_SETUP_MEM', `0x40084f37')
-define(`OMAPFB_SETUP_PLANE', `0x40444f34')
-define(`OMAPFB_SYNC_GFX', `0x00004f25')
-define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
-define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
-define(`OMAPFB_VSYNC', `0x00004f26')
-define(`OMAPFB_WAITFORGO', `0x00004f3c')
-define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
-define(`OSD_GET_CAPABILITY', `0x80106fa1')
-define(`OSD_SEND_CMD', `0x40206fa0')
-define(`OSIOCGNETADDR', `0x800489e1')
-define(`OSIOCSNETADDR', `0x400489e0')
-define(`OSS_GETVERSION', `0x80044d76')
-define(`OTPGETREGIONCOUNT', `0x40044d0e')
-define(`OTPGETREGIONINFO', `0x400c4d0f')
-define(`OTPLOCK', `0x800c4d10')
-define(`OTPSELECT', `0x80044d0d')
-define(`PACKET_CTRL_CMD', `0xc0185801')
-define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
-define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
-define(`PERF_EVENT_IOC_ID', `0x80082407')
-define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
-define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
-define(`PERF_EVENT_IOC_RESET', `0x00002403')
-define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
-define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
-define(`PHN_GET_REG', `0xc0087000')
-define(`PHN_GETREG', `0xc0087005')
-define(`PHN_GET_REGS', `0xc0087002')
-define(`PHN_GETREGS', `0xc0287007')
-define(`PHN_NOT_OH', `0x00007004')
-define(`PHN_SET_REG', `0x40087001')
-define(`PHN_SETREG', `0x40087006')
-define(`PHN_SET_REGS', `0x40087003')
-define(`PHN_SETREGS', `0x40287008')
-define(`PHONE_BUSY', `0x000071a1')
-define(`PHONE_CAPABILITIES', `0x00007180')
-define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
-define(`PHONE_CAPABILITIES_LIST', `0x80087181')
-define(`PHONE_CPT_STOP', `0x000071a4')
-define(`PHONE_DIALTONE', `0x000071a3')
-define(`PHONE_DTMF_OOB', `0x40047199')
-define(`PHONE_DTMF_READY', `0x80047196')
-define(`PHONE_EXCEPTION', `0x8004719a')
-define(`PHONE_FRAME', `0x4004718d')
-define(`PHONE_GET_DTMF', `0x80047197')
-define(`PHONE_GET_DTMF_ASCII', `0x80047198')
-define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
-define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
-define(`PHONE_GET_TONE_STATE', `0x000071a0')
-define(`PHONE_HOOKSTATE', `0x00007184')
-define(`PHONE_MAXRINGS', `0x40017185')
-define(`PHONE_PLAY_CODEC', `0x40047190')
-define(`PHONE_PLAY_DEPTH', `0x40047193')
-define(`PHONE_PLAY_LEVEL', `0x00007195')
-define(`PHONE_PLAY_START', `0x00007191')
-define(`PHONE_PLAY_STOP', `0x00007192')
-define(`PHONE_PLAY_TONE', `0x4001719b')
-define(`PHONE_PLAY_VOLUME', `0x40047194')
-define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
-define(`PHONE_PSTN_GET_STATE', `0x000071a5')
-define(`PHONE_PSTN_LINETEST', `0x000071a8')
-define(`PHONE_PSTN_SET_STATE', `0x400471a4')
-define(`PHONE_QUERY_CODEC', `0xc00871a7')
-define(`PHONE_REC_CODEC', `0x40047189')
-define(`PHONE_REC_DEPTH', `0x4004718c')
-define(`PHONE_REC_LEVEL', `0x0000718f')
-define(`PHONE_REC_START', `0x0000718a')
-define(`PHONE_REC_STOP', `0x0000718b')
-define(`PHONE_REC_VOLUME', `0x4004718e')
-define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
-define(`PHONE_RING', `0x00007183')
-define(`PHONE_RINGBACK', `0x000071a2')
-define(`PHONE_RING_CADENCE', `0x40027186')
-define(`PHONE_RING_START', `0x40087187')
-define(`PHONE_RING_STOP', `0x00007188')
-define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
-define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
-define(`PHONE_VAD', `0x400471a9')
-define(`PHONE_WINK', `0x400471aa')
-define(`PHONE_WINK_DURATION', `0x400471a6')
-define(`PIO_CMAP', `0x00004b71')
-define(`PIO_FONT', `0x00004b61')
-define(`PIO_FONTRESET', `0x00004b6d')
-define(`PIO_FONTX', `0x00004b6c')
-define(`PIO_SCRNMAP', `0x00004b41')
-define(`PIO_UNIMAP', `0x00004b67')
-define(`PIO_UNIMAPCLR', `0x00004b68')
-define(`PIO_UNISCRNMAP', `0x00004b6a')
-define(`PMU_IOC_CAN_SLEEP', `0x80084205')
-define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
-define(`PMU_IOC_GET_MODEL', `0x80084203')
-define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
-define(`PMU_IOC_HAS_ADB', `0x80084204')
-define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
-define(`PMU_IOC_SLEEP', `0x00004200')
-define(`PPCLAIM', `0x0000708b')
-define(`PPCLRIRQ', `0x80047093')
-define(`PPDATADIR', `0x40047090')
-define(`PPEXCL', `0x0000708f')
-define(`PPFCONTROL', `0x4002708e')
-define(`PPGETFLAGS', `0x8004709a')
-define(`PPGETMODE', `0x80047098')
-define(`PPGETMODES', `0x80047097')
-define(`PPGETPHASE', `0x80047099')
-define(`PPGETTIME', `0x80107095')
-define(`PPNEGOT', `0x40047091')
-define(`PPPIOCATTACH', `0x743d')
-define(`PPPIOCATTCHAN', `0x7438')
-define(`PPPIOCBUNDLE', `0x7481')
-define(`PPPIOCCONNECT', `0x743a')
-define(`PPPIOCDETACH', `0x743c')
-define(`PPPIOCDISCONN', `0x7439')
-define(`PPPIOCGASYNCMAP', `0x7458')
-define(`PPPIOCGCALLINFO', `0x7480')
-define(`PPPIOCGCHAN', `0x7437')
-define(`PPPIOCGCOMPRESSORS', `0x7486')
-define(`PPPIOCGDEBUG', `0x7441')
-define(`PPPIOCGFLAGS', `0x745a')
-define(`PPPIOCGIDLE', `0x743f')
-define(`PPPIOCGIFNAME', `0x7488')
-define(`PPPIOCGL2TPSTATS', `0x7436')
-define(`PPPIOCGMPFLAGS', `0x7482')
-define(`PPPIOCGMRU', `0x7453')
-define(`PPPIOCGNPMODE', `0x744c')
-define(`PPPIOCGRASYNCMAP', `0x7455')
-define(`PPPIOCGUNIT', `0x7456')
-define(`PPPIOCGXASYNCMAP', `0x7450')
-define(`PPPIOCNEWUNIT', `0x743e')
-define(`PPPIOCSACTIVE', `0x7446')
-define(`PPPIOCSASYNCMAP', `0x7457')
-define(`PPPIOCSCOMPRESS', `0x744d')
-define(`PPPIOCSCOMPRESSOR', `0x7487')
-define(`PPPIOCSDEBUG', `0x7440')
-define(`PPPIOCSFLAGS', `0x7459')
-define(`PPPIOCSMAXCID', `0x7451')
-define(`PPPIOCSMPFLAGS', `0x7483')
-define(`PPPIOCSMPMRU', `0x7485')
-define(`PPPIOCSMPMTU', `0x7484')
-define(`PPPIOCSMRRU', `0x743b')
-define(`PPPIOCSMRU', `0x7452')
-define(`PPPIOCSNPMODE', `0x744b')
-define(`PPPIOCSPASS', `0x7447')
-define(`PPPIOCSRASYNCMAP', `0x7454')
-define(`PPPIOCSXASYNCMAP', `0x744f')
-define(`PPPIOCXFERUNIT', `0x744e')
-define(`PPPOEIOCDFWD', `0x0000b101')
-define(`PPPOEIOCSFWD', `0x4008b100')
-define(`PPRCONTROL', `0x80017083')
-define(`PPRDATA', `0x80017085')
-define(`PPRELEASE', `0x0000708c')
-define(`PPRSTATUS', `0x80017081')
-define(`PPSETFLAGS', `0x4004709b')
-define(`PPSETMODE', `0x40047080')
-define(`PPSETPHASE', `0x40047094')
-define(`PPSETTIME', `0x40107096')
-define(`PPS_FETCH', `0xc00870a4')
-define(`PPS_GETCAP', `0x800870a3')
-define(`PPS_GETPARAMS', `0x800870a1')
-define(`PPS_KC_BIND', `0x400870a5')
-define(`PPS_SETPARAMS', `0x400870a2')
-define(`PPWCONTROL', `0x40017084')
-define(`PPWCTLONIRQ', `0x40017092')
-define(`PPWDATA', `0x40017086')
-define(`PPYIELD', `0x0000708d')
-define(`PROTECT_ARRAY', `0x00000927')
-define(`PTP_CLOCK_GETCAPS', `0x80503d01')
-define(`PTP_ENABLE_PPS', `0x40043d04')
-define(`PTP_EXTTS_REQUEST', `0x40103d02')
-define(`PTP_PEROUT_REQUEST', `0x40383d03')
-define(`PTP_PIN_GETFUNC', `0xc0603d06')
-define(`PTP_PIN_SETFUNC', `0x40603d07')
-define(`PTP_SYS_OFFSET', `0x43403d05')
-define(`RAID_AUTORUN', `0x00000914')
-define(`RAID_VERSION', `0x800c0910')
-define(`RAW_GETBIND', `0x0000ac01')
-define(`RAW_SETBIND', `0x0000ac00')
-define(`REISERFS_IOC_UNPACK', `0x4008cd01')
-define(`RESTART_ARRAY_RW', `0x00000934')
-define(`RFCOMMCREATEDEV', `0x400452c8')
-define(`RFCOMMGETDEVINFO', `0x800452d3')
-define(`RFCOMMGETDEVLIST', `0x800452d2')
-define(`RFCOMMRELEASEDEV', `0x400452c9')
-define(`RFCOMMSTEALDLC', `0x400452dc')
-define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
-define(`RNDADDENTROPY', `0x40085203')
-define(`RNDADDTOENTCNT', `0x40045201')
-define(`RNDCLEARPOOL', `0x00005206')
-define(`RNDGETENTCNT', `0x80045200')
-define(`RNDGETPOOL', `0x80085202')
-define(`RNDZAPENTCNT', `0x00005204')
-define(`ROCCATIOCGREPSIZE', `0x800448f1')
-define(`RTC_AIE_OFF', `0x00007002')
-define(`RTC_AIE_ON', `0x00007001')
-define(`RTC_ALM_READ', `0x80247008')
-define(`RTC_ALM_SET', `0x40247007')
-define(`RTC_EPOCH_READ', `0x8008700d')
-define(`RTC_EPOCH_SET', `0x4008700e')
-define(`RTC_IRQP_READ', `0x8008700b')
-define(`RTC_IRQP_SET', `0x4008700c')
-define(`RTC_PIE_OFF', `0x00007006')
-define(`RTC_PIE_ON', `0x00007005')
-define(`RTC_PLL_GET', `0x80207011')
-define(`RTC_PLL_SET', `0x40207012')
-define(`RTC_RD_TIME', `0x80247009')
-define(`RTC_SET_TIME', `0x4024700a')
-define(`RTC_UIE_OFF', `0x00007004')
-define(`RTC_UIE_ON', `0x00007003')
-define(`RTC_VL_CLR', `0x00007014')
-define(`RTC_VL_READ', `0x80047013')
-define(`RTC_WIE_OFF', `0x00007010')
-define(`RTC_WIE_ON', `0x0000700f')
-define(`RTC_WKALM_RD', `0x80287010')
-define(`RTC_WKALM_SET', `0x4028700f')
-define(`RUN_ARRAY', `0x400c0930')
-define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
-define(`SAA6588_CMD_CLOSE', `0x40045202')
-define(`SAA6588_CMD_POLL', `0x80045204')
-define(`SAA6588_CMD_READ', `0x80045203')
-define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
-define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
-define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
-define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
-define(`SCSI_IOCTL_GET_PCI', `0x00005387')
-define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
-define(`SET_ARRAY_INFO', `0x40480923')
-define(`SET_BITMAP_FILE', `0x4004092b')
-define(`SET_DISK_FAULTY', `0x00000929')
-define(`SET_DISK_INFO', `0x00000924')
-define(`SG_EMULATED_HOST', `0x00002203')
-define(`SG_GET_ACCESS_COUNT', `0x00002289')
-define(`SG_GET_COMMAND_Q', `0x00002270')
-define(`SG_GET_KEEP_ORPHAN', `0x00002288')
-define(`SG_GET_LOW_DMA', `0x0000227a')
-define(`SG_GET_NUM_WAITING', `0x0000227d')
-define(`SG_GET_PACK_ID', `0x0000227c')
-define(`SG_GET_REQUEST_TABLE', `0x00002286')
-define(`SG_GET_RESERVED_SIZE', `0x00002272')
-define(`SG_GET_SCSI_ID', `0x00002276')
-define(`SG_GET_SG_TABLESIZE', `0x0000227f')
-define(`SG_GET_TIMEOUT', `0x00002202')
-define(`SG_GET_TRANSFORM', `0x00002205')
-define(`SG_GET_VERSION_NUM', `0x00002282')
-define(`SG_IO', `0x00002285')
-define(`SG_NEXT_CMD_LEN', `0x00002283')
-define(`SG_SCSI_RESET', `0x00002284')
-define(`SG_SET_COMMAND_Q', `0x00002271')
-define(`SG_SET_DEBUG', `0x0000227e')
-define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
-define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
-define(`SG_SET_KEEP_ORPHAN', `0x00002287')
-define(`SG_SET_RESERVED_SIZE', `0x00002275')
-define(`SG_SET_TIMEOUT', `0x00002201')
-define(`SG_SET_TRANSFORM', `0x00002204')
-define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
-define(`SIOCADDDLCI', `0x00008980')
-define(`SIOCADDMULTI', `0x00008931')
-define(`SIOCADDRT', `0x0000890b')
-define(`SIOCATMARK', `0x00008905')
-define(`SIOCBONDCHANGEACTIVE', `0x00008995')
-define(`SIOCBONDENSLAVE', `0x00008990')
-define(`SIOCBONDINFOQUERY', `0x00008994')
-define(`SIOCBONDRELEASE', `0x00008991')
-define(`SIOCBONDSETHWADDR', `0x00008992')
-define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
-define(`SIOCBRADDBR', `0x000089a0')
-define(`SIOCBRADDIF', `0x000089a2')
-define(`SIOCBRDELBR', `0x000089a1')
-define(`SIOCBRDELIF', `0x000089a3')
-define(`SIOCDARP', `0x00008953')
-define(`SIOCDELDLCI', `0x00008981')
-define(`SIOCDELMULTI', `0x00008932')
-define(`SIOCDELRT', `0x0000890c')
-define(`SIOCDEVPRIVATE', `0x000089f0')
-define(`SIOCDEVPRIVATE_1', `0x000089f1')
-define(`SIOCDEVPRIVATE_2', `0x000089f2')
-define(`SIOCDEVPRIVATE_3', `0x000089f3')
-define(`SIOCDEVPRIVATE_4', `0x000089f4')
-define(`SIOCDEVPRIVATE_5', `0x000089f5')
-define(`SIOCDEVPRIVATE_6', `0x000089f6')
-define(`SIOCDEVPRIVATE_7', `0x000089f7')
-define(`SIOCDEVPRIVATE_8', `0x000089f8')
-define(`SIOCDEVPRIVATE_9', `0x000089f9')
-define(`SIOCDEVPRIVATE_A', `0x000089fa')
-define(`SIOCDEVPRIVATE_B', `0x000089fb')
-define(`SIOCDEVPRIVATE_C', `0x000089fc')
-define(`SIOCDEVPRIVATE_D', `0x000089fd')
-define(`SIOCDEVPRIVATE_E', `0x000089fe')
-define(`SIOCDEVPRIVLAST', `0x000089ff')
-define(`SIOCDIFADDR', `0x00008936')
-define(`SIOCDRARP', `0x00008960')
-define(`SIOCETHTOOL', `0x00008946')
-define(`SIOCGARP', `0x00008954')
-define(`SIOCGHWTSTAMP', `0x000089b1')
-define(`SIOCGIFADDR', `0x00008915')
-define(`SIOCGIFBR', `0x00008940')
-define(`SIOCGIFBRDADDR', `0x00008919')
-define(`SIOCGIFCONF', `0x00008912')
-define(`SIOCGIFCOUNT', `0x00008938')
-define(`SIOCGIFDSTADDR', `0x00008917')
-define(`SIOCGIFENCAP', `0x00008925')
-define(`SIOCGIFFLAGS', `0x00008913')
-define(`SIOCGIFHWADDR', `0x00008927')
-define(`SIOCGIFINDEX', `0x00008933')
-define(`SIOCGIFMAP', `0x00008970')
-define(`SIOCGIFMEM', `0x0000891f')
-define(`SIOCGIFMETRIC', `0x0000891d')
-define(`SIOCGIFMTU', `0x00008921')
-define(`SIOCGIFNAME', `0x00008910')
-define(`SIOCGIFNETMASK', `0x0000891b')
-define(`SIOCGIFPFLAGS', `0x00008935')
-define(`SIOCGIFSLAVE', `0x00008929')
-define(`SIOCGIFTXQLEN', `0x00008942')
-define(`SIOCGIFVLAN', `0x00008982')
-define(`SIOCGIWAP', `0x00008b15')
-define(`SIOCGIWAPLIST', `0x00008b17')
-define(`SIOCGIWAUTH', `0x00008b33')
-define(`SIOCGIWENCODE', `0x00008b2b')
-define(`SIOCGIWENCODEEXT', `0x00008b35')
-define(`SIOCGIWESSID', `0x00008b1b')
-define(`SIOCGIWFRAG', `0x00008b25')
-define(`SIOCGIWFREQ', `0x00008b05')
-define(`SIOCGIWGENIE', `0x00008b31')
-define(`SIOCGIWMODE', `0x00008b07')
-define(`SIOCGIWNAME', `0x00008b01')
-define(`SIOCGIWNICKN', `0x00008b1d')
-define(`SIOCGIWNWID', `0x00008b03')
-define(`SIOCGIWPOWER', `0x00008b2d')
-define(`SIOCGIWPRIV', `0x00008b0d')
-define(`SIOCGIWRANGE', `0x00008b0b')
-define(`SIOCGIWRATE', `0x00008b21')
-define(`SIOCGIWRETRY', `0x00008b29')
-define(`SIOCGIWRTS', `0x00008b23')
-define(`SIOCGIWSCAN', `0x00008b19')
-define(`SIOCGIWSENS', `0x00008b09')
-define(`SIOCGIWSPY', `0x00008b11')
-define(`SIOCGIWSTATS', `0x00008b0f')
-define(`SIOCGIWTHRSPY', `0x00008b13')
-define(`SIOCGIWTXPOW', `0x00008b27')
-define(`SIOCGMIIPHY', `0x00008947')
-define(`SIOCGMIIREG', `0x00008948')
-define(`SIOCGNETADDR', `0x800489e1')
-define(`SIOCGPGRP', `0x00008904')
-define(`SIOCGRARP', `0x00008961')
-define(`SIOCGSTAMP', `0x00008906')
-define(`SIOCGSTAMPNS', `0x00008907')
-define(`SIOCIWFIRST', `0x00008b00')
-define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
-define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
-define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
-define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
-define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
-define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
-define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
-define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
-define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
-define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
-define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
-define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
-define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
-define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
-define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
-define(`SIOCIWFIRSTPRIV', `0x00008be0')
-define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
-define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
-define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
-define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
-define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
-define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
-define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
-define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
-define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
-define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
-define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
-define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
-define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
-define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
-define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
-define(`SIOCIWLASTPRIV', `0x00008bff')
-define(`SIOCKILLADDR', `0x00008939')
-define(`SIOCMKCLIP', `0x000061e0')
-define(`SIOCOUTQNSD', `0x0000894b')
-define(`SIOCPROTOPRIVATE', `0x000089e0')
-define(`SIOCPROTOPRIVATE_1', `0x000089e1')
-define(`SIOCPROTOPRIVATE_2', `0x000089e2')
-define(`SIOCPROTOPRIVATE_3', `0x000089e3')
-define(`SIOCPROTOPRIVATE_4', `0x000089e4')
-define(`SIOCPROTOPRIVATE_5', `0x000089e5')
-define(`SIOCPROTOPRIVATE_6', `0x000089e6')
-define(`SIOCPROTOPRIVATE_7', `0x000089e7')
-define(`SIOCPROTOPRIVATE_8', `0x000089e8')
-define(`SIOCPROTOPRIVATE_9', `0x000089e9')
-define(`SIOCPROTOPRIVATE_A', `0x000089ea')
-define(`SIOCPROTOPRIVATE_B', `0x000089eb')
-define(`SIOCPROTOPRIVATE_C', `0x000089ec')
-define(`SIOCPROTOPRIVATE_D', `0x000089ed')
-define(`SIOCPROTOPRIVATE_E', `0x000089ee')
-define(`SIOCPROTOPRIVLAST', `0x000089ef')
-define(`SIOCRTMSG', `0x0000890d')
-define(`SIOCSARP', `0x00008955')
-define(`SIOCSHWTSTAMP', `0x000089b0')
-define(`SIOCSIFADDR', `0x00008916')
-define(`SIOCSIFATMTCP', `0x00006180')
-define(`SIOCSIFBR', `0x00008941')
-define(`SIOCSIFBRDADDR', `0x0000891a')
-define(`SIOCSIFDSTADDR', `0x00008918')
-define(`SIOCSIFENCAP', `0x00008926')
-define(`SIOCSIFFLAGS', `0x00008914')
-define(`SIOCSIFHWADDR', `0x00008924')
-define(`SIOCSIFHWBROADCAST', `0x00008937')
-define(`SIOCSIFLINK', `0x00008911')
-define(`SIOCSIFMAP', `0x00008971')
-define(`SIOCSIFMEM', `0x00008920')
-define(`SIOCSIFMETRIC', `0x0000891e')
-define(`SIOCSIFMTU', `0x00008922')
-define(`SIOCSIFNAME', `0x00008923')
-define(`SIOCSIFNETMASK', `0x0000891c')
-define(`SIOCSIFPFLAGS', `0x00008934')
-define(`SIOCSIFSLAVE', `0x00008930')
-define(`SIOCSIFTXQLEN', `0x00008943')
-define(`SIOCSIFVLAN', `0x00008983')
-define(`SIOCSIWAP', `0x00008b14')
-define(`SIOCSIWAUTH', `0x00008b32')
-define(`SIOCSIWCOMMIT', `0x00008b00')
-define(`SIOCSIWENCODE', `0x00008b2a')
-define(`SIOCSIWENCODEEXT', `0x00008b34')
-define(`SIOCSIWESSID', `0x00008b1a')
-define(`SIOCSIWFRAG', `0x00008b24')
-define(`SIOCSIWFREQ', `0x00008b04')
-define(`SIOCSIWGENIE', `0x00008b30')
-define(`SIOCSIWMLME', `0x00008b16')
-define(`SIOCSIWMODE', `0x00008b06')
-define(`SIOCSIWNICKN', `0x00008b1c')
-define(`SIOCSIWNWID', `0x00008b02')
-define(`SIOCSIWPMKSA', `0x00008b36')
-define(`SIOCSIWPOWER', `0x00008b2c')
-define(`SIOCSIWPRIV', `0x00008b0c')
-define(`SIOCSIWRANGE', `0x00008b0a')
-define(`SIOCSIWRATE', `0x00008b20')
-define(`SIOCSIWRETRY', `0x00008b28')
-define(`SIOCSIWRTS', `0x00008b22')
-define(`SIOCSIWSCAN', `0x00008b18')
-define(`SIOCSIWSENS', `0x00008b08')
-define(`SIOCSIWSPY', `0x00008b10')
-define(`SIOCSIWSTATS', `0x00008b0e')
-define(`SIOCSIWTHRSPY', `0x00008b12')
-define(`SIOCSIWTXPOW', `0x00008b26')
-define(`SIOCSMIIREG', `0x00008949')
-define(`SIOCSNETADDR', `0x400489e0')
-define(`SIOCSPGRP', `0x00008902')
-define(`SIOCSRARP', `0x00008962')
-define(`SIOCWANDEV', `0x0000894a')
-define(`SISFB_COMMAND', `0xc054f305')
-define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
-define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
-define(`SISFB_GET_INFO', `0x811cf301')
-define(`SISFB_GET_INFO_OLD', `0x80046ef8')
-define(`SISFB_GET_INFO_SIZE', `0x8004f300')
-define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
-define(`SISFB_GET_VBRSTATUS', `0x8004f302')
-define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
-define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
-define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
-define(`SISFB_SET_LOCK', `0x4004f306')
-define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
-define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
-define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
-define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
-define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
-define(`SNAPSHOT_FREE', `0x00003305')
-define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
-define(`SNAPSHOT_FREEZE', `0x00003301')
-define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
-define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
-define(`SNAPSHOT_POWER_OFF', `0x00003310')
-define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
-define(`SNAPSHOT_S2RAM', `0x0000330b')
-define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
-define(`SNAPSHOT_UNFREEZE', `0x00003302')
-define(`SNDCTL_COPR_HALT', `0xc0144307')
-define(`SNDCTL_COPR_LOAD', `0xcfb04301')
-define(`SNDCTL_COPR_RCODE', `0xc0144303')
-define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
-define(`SNDCTL_COPR_RDATA', `0xc0144302')
-define(`SNDCTL_COPR_RESET', `0x00004300')
-define(`SNDCTL_COPR_RUN', `0xc0144306')
-define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
-define(`SNDCTL_COPR_WCODE', `0x40144305')
-define(`SNDCTL_COPR_WDATA', `0x40144304')
-define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
-define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
-define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
-define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
-define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
-define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
-define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
-define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
-define(`SNDCTL_DSP_GETODELAY', `0x80045017')
-define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
-define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
-define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
-define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
-define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
-define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
-define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
-define(`SNDCTL_DSP_POST', `0x00005008')
-define(`SNDCTL_DSP_PROFILE', `0x40045017')
-define(`SNDCTL_DSP_RESET', `0x00005000')
-define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
-define(`SNDCTL_DSP_SETFMT', `0xc0045005')
-define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
-define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
-define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
-define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
-define(`SNDCTL_DSP_SPEED', `0xc0045002')
-define(`SNDCTL_DSP_STEREO', `0xc0045003')
-define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
-define(`SNDCTL_DSP_SYNC', `0x00005001')
-define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
-define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
-define(`SNDCTL_MIDI_INFO', `0xc074510c')
-define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
-define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
-define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
-define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
-define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
-define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
-define(`SNDCTL_SEQ_GETTIME', `0x80045113')
-define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
-define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
-define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
-define(`SNDCTL_SEQ_PANIC', `0x00005111')
-define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
-define(`SNDCTL_SEQ_RESET', `0x00005100')
-define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
-define(`SNDCTL_SEQ_SYNC', `0x00005101')
-define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
-define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
-define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
-define(`SNDCTL_SYNTH_ID', `0xc08c5114')
-define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
-define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
-define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
-define(`SNDCTL_TMR_CONTINUE', `0x00005404')
-define(`SNDCTL_TMR_METRONOME', `0x40045407')
-define(`SNDCTL_TMR_SELECT', `0x40045408')
-define(`SNDCTL_TMR_SOURCE', `0xc0045406')
-define(`SNDCTL_TMR_START', `0x00005402')
-define(`SNDCTL_TMR_STOP', `0x00005403')
-define(`SNDCTL_TMR_TEMPO', `0xc0045405')
-define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
-define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
-define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
-define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
-define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
-define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
-define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
-define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
-define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
-define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
-define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
-define(`SNDRV_COMPRESS_RESUME', `0x00004331')
-define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
-define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
-define(`SNDRV_COMPRESS_START', `0x00004332')
-define(`SNDRV_COMPRESS_STOP', `0x00004333')
-define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
-define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
-define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
-define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
-define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
-define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
-define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
-define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
-define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
-define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
-define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
-define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
-define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
-define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
-define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
-define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
-define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
-define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
-define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
-define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
-define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
-define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
-define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
-define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
-define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
-define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
-define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
-define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
-define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
-define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
-define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
-define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
-define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
-define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
-define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
-define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
-define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
-define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
-define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
-define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
-define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
-define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
-define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
-define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
-define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
-define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
-define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
-define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
-define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
-define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
-define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
-define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
-define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
-define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
-define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
-define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
-define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
-define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
-define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
-define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
-define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
-define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
-define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
-define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
-define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
-define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
-define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
-define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
-define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
-define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
-define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
-define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
-define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
-define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
-define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
-define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
-define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
-define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
-define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
-define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
-define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
-define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
-define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
-define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
-define(`SNDRV_PCM_IOCTL_START', `0x00004142')
-define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
-define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
-define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
-define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
-define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
-define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
-define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
-define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
-define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
-define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
-define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
-define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
-define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
-define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
-define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
-define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
-define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
-define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
-define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
-define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
-define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
-define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
-define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
-define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
-define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
-define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
-define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
-define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
-define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
-define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
-define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
-define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
-define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
-define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
-define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
-define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
-define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
-define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
-define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
-define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
-define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
-define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
-define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
-define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
-define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
-define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
-define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
-define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
-define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
-define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
-define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
-define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
-define(`SONET_CLRDIAG', `0xc0046113')
-define(`SONET_GETDIAG', `0x80046114')
-define(`SONET_GETFRAMING', `0x80046116')
-define(`SONET_GETFRSENSE', `0x80066117')
-define(`SONET_GETSTAT', `0x80246110')
-define(`SONET_GETSTATZ', `0x80246111')
-define(`SONET_SETDIAG', `0xc0046112')
-define(`SONET_SETFRAMING', `0x40046115')
-define(`SONYPI_IOCGBAT1CAP', `0x80027602')
-define(`SONYPI_IOCGBAT1REM', `0x80027603')
-define(`SONYPI_IOCGBAT2CAP', `0x80027604')
-define(`SONYPI_IOCGBAT2REM', `0x80027605')
-define(`SONYPI_IOCGBATFLAGS', `0x80017607')
-define(`SONYPI_IOCGBLUE', `0x80017608')
-define(`SONYPI_IOCGBRT', `0x80017600')
-define(`SONYPI_IOCGFAN', `0x8001760a')
-define(`SONYPI_IOCGTEMP', `0x8001760c')
-define(`SONYPI_IOCSBLUE', `0x40017609')
-define(`SONYPI_IOCSBRT', `0x40017600')
-define(`SONYPI_IOCSFAN', `0x4001760b')
-define(`SOUND_MIXER_3DSE', `0xc0044d68')
-define(`SOUND_MIXER_ACCESS', `0xc0804d66')
-define(`SOUND_MIXER_AGC', `0xc0044d67')
-define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
-define(`SOUND_MIXER_INFO', `0x805c4d65')
-define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
-define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
-define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
-define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
-define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
-define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
-define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
-define(`SOUND_PCM_READ_BITS', `0x80045005')
-define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
-define(`SOUND_PCM_READ_FILTER', `0x80045007')
-define(`SOUND_PCM_READ_RATE', `0x80045002')
-define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
-define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
-define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
-define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
-define(`SPI_IOC_RD_MODE', `0x80016b01')
-define(`SPI_IOC_RD_MODE32', `0x80046b05')
-define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
-define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
-define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
-define(`SPI_IOC_WR_MODE', `0x40016b01')
-define(`SPI_IOC_WR_MODE32', `0x40046b05')
-define(`SPIOCSTYPE', `0x40087101')
-define(`SSTFB_GET_VGAPASS', `0x800446dd')
-define(`SSTFB_SET_VGAPASS', `0x400446dd')
-define(`STOP_ARRAY', `0x00000932')
-define(`STOP_ARRAY_RO', `0x00000933')
-define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
-define(`SW_SYNC_IOC_INC', `0x40045701')
-define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
-define(`SYNC_IOC_MERGE', `0xc0283e01')
-define(`SYNC_IOC_WAIT', `0x40043e00')
-define(`TCFLSH', `0x0000540b')
-define(`TCGETA', `0x00005405')
-define(`TCGETS2', `0x802c542a')
-define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
-define(`TCGETX', `0x00005432')
-define(`TCSBRK', `0x00005409')
-define(`TCSBRKP', `0x00005425')
-define(`TCSETA', `0x00005406')
-define(`TCSETAF', `0x00005408')
-define(`TCSETAW', `0x00005407')
-define(`TCSETS', `0x00005402')
-define(`TCSETS2', `0x402c542b')
-define(`TCSETSF', `0x00005404')
-define(`TCSETSF2', `0x402c542d')
-define(`TCSETSW', `0x00005403')
-define(`TCSETSW2', `0x402c542c')
-define(`TCSETX', `0x00005433')
-define(`TCSETXF', `0x00005434')
-define(`TCSETXW', `0x00005435')
-define(`TCXONC', `0x0000540a')
-define(`TFD_IOC_SET_TICKS', `0x40085400')
-define(`TIOCCBRK', `0x00005428')
-define(`TIOCCONS', `0x0000541d')
-define(`TIOCEXCL', `0x0000540c')
-define(`TIOCGDEV', `0x80045432')
-define(`TIOCGETD', `0x00005424')
-define(`TIOCGEXCL', `0x80045440')
-define(`TIOCGICOUNT', `0x0000545d')
-define(`TIOCGLCKTRMIOS', `0x00005456')
-define(`TIOCGPGRP', `0x0000540f')
-define(`TIOCGPKT', `0x80045438')
-define(`TIOCGPTLCK', `0x80045439')
-define(`TIOCGPTN', `0x80045430')
-define(`TIOCGRS485', `0x0000542e')
-define(`TIOCGSERIAL', `0x0000541e')
-define(`TIOCGSID', `0x00005429')
-define(`TIOCGSOFTCAR', `0x00005419')
-define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
-define(`TIOCLINUX', `0x0000541c')
-define(`TIOCMBIC', `0x00005417')
-define(`TIOCMBIS', `0x00005416')
-define(`TIOCMGET', `0x00005415')
-define(`TIOCMIWAIT', `0x0000545c')
-define(`TIOCMSET', `0x00005418')
-define(`TIOCNOTTY', `0x00005422')
-define(`TIOCNXCL', `0x0000540d')
-define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
-define(`TIOCPKT', `0x00005420')
-define(`TIOCSBRK', `0x00005427')
-define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
-define(`TIOCSERCONFIG', `0x00005453')
-define(`TIOCSERGETLSR', `0x00005459')
-define(`TIOCSERGETMULTI', `0x0000545a')
-define(`TIOCSERGSTRUCT', `0x00005458')
-define(`TIOCSERGWILD', `0x00005454')
-define(`TIOCSERSETMULTI', `0x0000545b')
-define(`TIOCSERSWILD', `0x00005455')
-define(`TIOCSETD', `0x00005423')
-define(`TIOCSIG', `0x40045436')
-define(`TIOCSLCKTRMIOS', `0x00005457')
-define(`TIOCSPGRP', `0x00005410')
-define(`TIOCSPTLCK', `0x40045431')
-define(`TIOCSRS485', `0x0000542f')
-define(`TIOCSSERIAL', `0x0000541f')
-define(`TIOCSSOFTCAR', `0x0000541a')
-define(`TIOCSTI', `0x00005412')
-define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
-define(`TIOCVHANGUP', `0x00005437')
-define(`TOSH_SMM', `0xc0047490')
-define(`TUNATTACHFILTER', `0x401054d5')
-define(`TUNDETACHFILTER', `0x401054d6')
-define(`TUNER_SET_CONFIG', `0x4010645c')
-define(`TUNGETFEATURES', `0x800454cf')
-define(`TUNGETFILTER', `0x801054db')
-define(`TUNGETIFF', `0x800454d2')
-define(`TUNGETSNDBUF', `0x800454d3')
-define(`TUNGETVNETHDRSZ', `0x800454d7')
-define(`TUNGETVNETLE', `0x800454dd')
-define(`TUNSETDEBUG', `0x400454c9')
-define(`TUNSETGROUP', `0x400454ce')
-define(`TUNSETIFF', `0x400454ca')
-define(`TUNSETIFINDEX', `0x400454da')
-define(`TUNSETLINK', `0x400454cd')
-define(`TUNSETNOCSUM', `0x400454c8')
-define(`TUNSETOFFLOAD', `0x400454d0')
-define(`TUNSETOWNER', `0x400454cc')
-define(`TUNSETPERSIST', `0x400454cb')
-define(`TUNSETQUEUE', `0x400454d9')
-define(`TUNSETSNDBUF', `0x400454d4')
-define(`TUNSETTXFILTER', `0x400454d1')
-define(`TUNSETVNETHDRSZ', `0x400454d8')
-define(`TUNSETVNETLE', `0x400454dc')
-define(`UBI_IOCATT', `0x40186f40')
-define(`UBI_IOCDET', `0x40046f41')
-define(`UBI_IOCEBCH', `0x40044f02')
-define(`UBI_IOCEBER', `0x40044f01')
-define(`UBI_IOCEBISMAP', `0x80044f05')
-define(`UBI_IOCEBMAP', `0x40084f03')
-define(`UBI_IOCEBUNMAP', `0x40044f04')
-define(`UBI_IOCMKVOL', `0x40986f00')
-define(`UBI_IOCRMVOL', `0x40046f01')
-define(`UBI_IOCRNVOL', `0x51106f03')
-define(`UBI_IOCRSVOL', `0x400c6f02')
-define(`UBI_IOCSETVOLPROP', `0x40104f06')
-define(`UBI_IOCVOLCRBLK', `0x40804f07')
-define(`UBI_IOCVOLRMBLK', `0x00004f08')
-define(`UBI_IOCVOLUP', `0x40084f00')
-define(`UDF_GETEABLOCK', `0x80086c41')
-define(`UDF_GETEASIZE', `0x80046c40')
-define(`UDF_GETVOLIDENT', `0x80086c42')
-define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
-define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
-define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
-define(`UI_DEV_CREATE', `0x00005501')
-define(`UI_DEV_DESTROY', `0x00005502')
-define(`UI_END_FF_ERASE', `0x400c55cb')
-define(`UI_END_FF_UPLOAD', `0x406855c9')
-define(`UI_GET_VERSION', `0x8004552d')
-define(`UI_SET_ABSBIT', `0x40045567')
-define(`UI_SET_EVBIT', `0x40045564')
-define(`UI_SET_FFBIT', `0x4004556b')
-define(`UI_SET_KEYBIT', `0x40045565')
-define(`UI_SET_LEDBIT', `0x40045569')
-define(`UI_SET_MSCBIT', `0x40045568')
-define(`UI_SET_PHYS', `0x4008556c')
-define(`UI_SET_PROPBIT', `0x4004556e')
-define(`UI_SET_RELBIT', `0x40045566')
-define(`UI_SET_SNDBIT', `0x4004556a')
-define(`UI_SET_SWBIT', `0x4004556d')
-define(`UNPROTECT_ARRAY', `0x00000926')
-define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
-define(`USBDEVFS_BULK', `0xc0185502')
-define(`USBDEVFS_BULK32', `0xc0105502')
-define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
-define(`USBDEVFS_CLAIM_PORT', `0x80045518')
-define(`USBDEVFS_CLEAR_HALT', `0x80045515')
-define(`USBDEVFS_CONNECT', `0x00005517')
-define(`USBDEVFS_CONNECTINFO', `0x40085511')
-define(`USBDEVFS_CONTROL', `0xc0185500')
-define(`USBDEVFS_CONTROL32', `0xc0105500')
-define(`USBDEVFS_DISCARDURB', `0x0000550b')
-define(`USBDEVFS_DISCONNECT', `0x00005516')
-define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
-define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
-define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
-define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
-define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
-define(`USBDEVFS_GETDRIVER', `0x41045508')
-define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
-define(`USBDEVFS_IOCTL', `0xc0105512')
-define(`USBDEVFS_IOCTL32', `0xc00c5512')
-define(`USBDEVFS_REAPURB', `0x4008550c')
-define(`USBDEVFS_REAPURB32', `0x4004550c')
-define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
-define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
-define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
-define(`USBDEVFS_RELEASE_PORT', `0x80045519')
-define(`USBDEVFS_RESET', `0x00005514')
-define(`USBDEVFS_RESETEP', `0x80045503')
-define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
-define(`USBDEVFS_SETINTERFACE', `0x80085504')
-define(`USBDEVFS_SUBMITURB', `0x8038550a')
-define(`USBDEVFS_SUBMITURB32', `0x802a550a')
-define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
-define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
-define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
-define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
-define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
-define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
-define(`UVCIOC_CTRL_MAP', `0xc0607520')
-define(`UVCIOC_CTRL_QUERY', `0xc0107521')
-define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
-define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
-define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
-define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
-define(`VFIO_CHECK_EXTENSION', `0x00003b65')
-define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
-define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
-define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
-define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
-define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
-define(`VFIO_DEVICE_RESET', `0x00003b6f')
-define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
-define(`VFIO_EEH_PE_OP', `0x00003b79')
-define(`VFIO_GET_API_VERSION', `0x00003b64')
-define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
-define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
-define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
-define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
-define(`VFIO_IOMMU_DISABLE', `0x00003b74')
-define(`VFIO_IOMMU_ENABLE', `0x00003b73')
-define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
-define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
-define(`VFIO_SET_IOMMU', `0x00003b66')
-define(`VHOST_GET_FEATURES', `0x8008af00')
-define(`VHOST_GET_VRING_BASE', `0xc008af12')
-define(`VHOST_NET_SET_BACKEND', `0x4008af30')
-define(`VHOST_RESET_OWNER', `0x0000af02')
-define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
-define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
-define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
-define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
-define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
-define(`VHOST_SET_FEATURES', `0x4008af00')
-define(`VHOST_SET_LOG_BASE', `0x4008af04')
-define(`VHOST_SET_LOG_FD', `0x4004af07')
-define(`VHOST_SET_MEM_TABLE', `0x4008af03')
-define(`VHOST_SET_OWNER', `0x0000af01')
-define(`VHOST_SET_VRING_ADDR', `0x4028af11')
-define(`VHOST_SET_VRING_BASE', `0x4008af12')
-define(`VHOST_SET_VRING_CALL', `0x4008af21')
-define(`VHOST_SET_VRING_ERR', `0x4008af22')
-define(`VHOST_SET_VRING_KICK', `0x4008af20')
-define(`VHOST_SET_VRING_NUM', `0x4008af10')
-define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
-define(`VIDEO_COMMAND', `0xc0486f3b')
-define(`VIDEO_CONTINUE', `0x00006f18')
-define(`VIDEO_FAST_FORWARD', `0x00006f1f')
-define(`VIDEO_FREEZE', `0x00006f17')
-define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
-define(`VIDEO_GET_EVENT', `0x80206f1c')
-define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
-define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
-define(`VIDEO_GET_NAVI', `0x84046f34')
-define(`VIDEO_GET_PTS', `0x80086f39')
-define(`VIDEO_GET_SIZE', `0x800c6f37')
-define(`VIDEO_GET_STATUS', `0x80146f1b')
-define(`VIDEO_PLAY', `0x00006f16')
-define(`VIDEO_SELECT_SOURCE', `0x00006f19')
-define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
-define(`VIDEO_SET_BLANK', `0x00006f1a')
-define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
-define(`VIDEO_SET_FORMAT', `0x00006f25')
-define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
-define(`VIDEO_SET_ID', `0x00006f23')
-define(`VIDEO_SET_SPU', `0x40086f32')
-define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
-define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
-define(`VIDEO_SET_SYSTEM', `0x00006f26')
-define(`VIDEO_SLOWMOTION', `0x00006f20')
-define(`VIDEO_STILLPICTURE', `0x40106f1e')
-define(`VIDEO_STOP', `0x00006f15')
-define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
-define(`VIDIOC_CREATE_BUFS', `0xc100565c')
-define(`VIDIOC_CROPCAP', `0xc02c563a')
-define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
-define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
-define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
-define(`VIDIOC_DECODER_CMD', `0xc0485660')
-define(`VIDIOC_DQBUF', `0xc0585611')
-define(`VIDIOC_DQEVENT', `0x80885659')
-define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_ENCODER_CMD', `0xc028564d')
-define(`VIDIOC_ENUMAUDIO', `0xc0345641')
-define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
-define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
-define(`VIDIOC_ENUM_FMT', `0xc0405602')
-define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
-define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
-define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
-define(`VIDIOC_ENUMINPUT', `0xc050561a')
-define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
-define(`VIDIOC_ENUMSTD', `0xc0485619')
-define(`VIDIOC_EXPBUF', `0xc0405610')
-define(`VIDIOC_G_AUDIO', `0x80345621')
-define(`VIDIOC_G_AUDOUT', `0x80345631')
-define(`VIDIOC_G_CROP', `0xc014563b')
-define(`VIDIOC_G_CTRL', `0xc008561b')
-define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
-define(`VIDIOC_G_EDID', `0xc0285628')
-define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
-define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
-define(`VIDIOC_G_FBUF', `0x8030560a')
-define(`VIDIOC_G_FMT', `0xc0d05604')
-define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
-define(`VIDIOC_G_INPUT', `0x80045626')
-define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
-define(`VIDIOC_G_MODULATOR', `0xc0445636')
-define(`VIDIOC_G_OUTPUT', `0x8004562e')
-define(`VIDIOC_G_PARM', `0xc0cc5615')
-define(`VIDIOC_G_PRIORITY', `0x80045643')
-define(`VIDIOC_G_SELECTION', `0xc040565e')
-define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
-define(`VIDIOC_G_STD', `0x80085617')
-define(`VIDIOC_G_TUNER', `0xc054561d')
-define(`VIDIOC_INT_RESET', `0x40046466')
-define(`VIDIOC_LOG_STATUS', `0x00005646')
-define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
-define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
-define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
-define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
-define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
-define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
-define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
-define(`VIDIOC_OVERLAY', `0x4004560e')
-define(`VIDIOC_PREPARE_BUF', `0xc058565d')
-define(`VIDIOC_QBUF', `0xc058560f')
-define(`VIDIOC_QUERYBUF', `0xc0585609')
-define(`VIDIOC_QUERYCAP', `0x80685600')
-define(`VIDIOC_QUERYCTRL', `0xc0445624')
-define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
-define(`VIDIOC_QUERYMENU', `0xc02c5625')
-define(`VIDIOC_QUERYSTD', `0x8008563f')
-define(`VIDIOC_REQBUFS', `0xc0145608')
-define(`VIDIOC_RESERVED', `0x00005601')
-define(`VIDIOC_S_AUDIO', `0x40345622')
-define(`VIDIOC_S_AUDOUT', `0x40345632')
-define(`VIDIOC_S_CROP', `0x4014563c')
-define(`VIDIOC_S_CTRL', `0xc008561c')
-define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_S_EDID', `0xc0285629')
-define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
-define(`VIDIOC_S_FBUF', `0x4030560b')
-define(`VIDIOC_S_FMT', `0xc0d05605')
-define(`VIDIOC_S_FREQUENCY', `0x402c5639')
-define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
-define(`VIDIOC_S_INPUT', `0xc0045627')
-define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
-define(`VIDIOC_S_MODULATOR', `0x40445637')
-define(`VIDIOC_S_OUTPUT', `0xc004562f')
-define(`VIDIOC_S_PARM', `0xc0cc5616')
-define(`VIDIOC_S_PRIORITY', `0x40045644')
-define(`VIDIOC_S_SELECTION', `0xc040565f')
-define(`VIDIOC_S_STD', `0x40085618')
-define(`VIDIOC_STREAMOFF', `0x40045613')
-define(`VIDIOC_STREAMON', `0x40045612')
-define(`VIDIOC_S_TUNER', `0x4054561e')
-define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
-define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
-define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
-define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
-define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
-define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
-define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
-define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
-define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
-define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
-define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
-define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
-define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
-define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
-define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
-define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
-define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
-define(`VIDIOC_TRY_FMT', `0xc0d05640')
-define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
-define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
-define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
-define(`VT_ACTIVATE', `0x00005606')
-define(`VT_DISALLOCATE', `0x00005608')
-define(`VT_GETHIFONTMASK', `0x0000560d')
-define(`VT_GETMODE', `0x00005601')
-define(`VT_GETSTATE', `0x00005603')
-define(`VT_LOCKSWITCH', `0x0000560b')
-define(`VT_OPENQRY', `0x00005600')
-define(`VT_RELDISP', `0x00005605')
-define(`VT_RESIZE', `0x00005609')
-define(`VT_RESIZEX', `0x0000560a')
-define(`VT_SENDSIG', `0x00005604')
-define(`VT_SETACTIVATE', `0x0000560f')
-define(`VT_SETMODE', `0x00005602')
-define(`VT_UNLOCKSWITCH', `0x0000560c')
-define(`VT_WAITACTIVE', `0x00005607')
-define(`VT_WAITEVENT', `0x0000560e')
-define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
-define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
-define(`WDIOC_GETBOOTSTATUS', `0x80045702')
-define(`WDIOC_GETPRETIMEOUT', `0x80045709')
-define(`WDIOC_GETSTATUS', `0x80045701')
-define(`WDIOC_GETSUPPORT', `0x80285700')
-define(`WDIOC_GETTEMP', `0x80045703')
-define(`WDIOC_GETTIMELEFT', `0x8004570a')
-define(`WDIOC_GETTIMEOUT', `0x80045707')
-define(`WDIOC_KEEPALIVE', `0x80045705')
-define(`WDIOC_SETOPTIONS', `0x80045704')
-define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
-define(`WDIOC_SETTIMEOUT', `0xc0045706')
-define(`WRITE_RAID_INFO', `0x00000925')
-define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
-define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
-define(`ZATM_GETPOOL', `0x40106161')
-define(`ZATM_GETPOOLZ', `0x40106162')
-define(`ZATM_SETPOOL', `0x40106163')
diff --git a/microdroid/sepolicy/system/public/ioctl_macros b/microdroid/sepolicy/system/public/ioctl_macros
deleted file mode 100644
index 47a5157..0000000
--- a/microdroid/sepolicy/system/public/ioctl_macros
+++ /dev/null
@@ -1,76 +0,0 @@
-# socket ioctls allowed to unprivileged apps
-define(`unpriv_sock_ioctls', `
-{
-# Socket ioctls for gathering information about the interface
-SIOCGSTAMP SIOCGSTAMPNS
-SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
-SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
-# Wireless extension ioctls. Primarily get functions.
-SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
-SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
-SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-}')
-
-# socket ioctls never allowed to unprivileged apps
-define(`priv_sock_ioctls', `
-{
-# qualcomm rmnet ioctls
-WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
-# socket ioctls
-SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
-SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
-SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
-SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
-SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
-SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
-SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
-SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
-SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
-SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
-# device and protocol specific ioctls
-SIOCDEVPRIVATE-SIOCDEVPRIVLAST
-SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
-# Wireless extension ioctls
-SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
-SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
-SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
-SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
-SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
-SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
-# Dev private ioctl i.e. hardware specific ioctls
-SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
-}')
-
-# commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{
- TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
-}')
-
-# commonly used TTY ioctls
-# merge with unpriv_unix_sock_ioctls?
-define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
- TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
-}')
-
-# point to point ioctls
-define(`ppp_ioctls', `{
-PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
-PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
-PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
-PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
-PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
-PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
-PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
-PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
-PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
-PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
-}')
-
-# unprivileged binder ioctls
-define(`unpriv_binder_ioctls', `{
-BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
-BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
-BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
-BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
-}')
diff --git a/microdroid/sepolicy/system/public/kernel.te b/microdroid/sepolicy/system/public/kernel.te
deleted file mode 100644
index c117a1a..0000000
--- a/microdroid/sepolicy/system/public/kernel.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Life begins with the kernel.
-type kernel, domain, mlstrustedsubject;
diff --git a/microdroid/sepolicy/system/public/keystore.te b/microdroid/sepolicy/system/public/keystore.te
deleted file mode 100644
index 295d3d9..0000000
--- a/microdroid/sepolicy/system/public/keystore.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type keystore, domain;
-type keystore_exec, file_type, exec_type, system_file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-add_service(keystore, remoteprovisioning_service)
-add_service(keystore, apc_service)
-add_service(keystore, keystore_compat_hal_service)
-add_service(keystore, authorization_service)
-add_service(keystore, keystore_maintenance_service)
-add_service(keystore, keystore_metrics_service)
-add_service(keystore, legacykeystore_service)
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/logcat.te b/microdroid/sepolicy/system/public/logcat.te
deleted file mode 100644
index 902fd8a..0000000
--- a/microdroid/sepolicy/system/public/logcat.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type logcat;
-type logcat_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/logd.te b/microdroid/sepolicy/system/public/logd.te
deleted file mode 100644
index 67f601c..0000000
--- a/microdroid/sepolicy/system/public/logd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type logd, domain;
-type logd_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/neverallow_macros b/microdroid/sepolicy/system/public/neverallow_macros
deleted file mode 100644
index 59fa441..0000000
--- a/microdroid/sepolicy/system/public/neverallow_macros
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Common neverallow permissions
-define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
-define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')
-define(`no_x_file_perms', `{ execute execute_no_trans }')
-define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
-
-#####################################
-# neverallow_establish_socket_comms(src, dst)
-# neverallow src domain establishing socket connections to dst domain.
-#
-define(`neverallow_establish_socket_comms', `
- neverallow $1 $2:socket_class_set { connect sendto };
- neverallow $1 $2:unix_stream_socket connectto;
-')
diff --git a/microdroid/sepolicy/system/public/property.te b/microdroid/sepolicy/system/public/property.te
deleted file mode 100644
index f5dc758..0000000
--- a/microdroid/sepolicy/system/public/property.te
+++ /dev/null
@@ -1,40 +0,0 @@
-type apexd_prop, property_type;
-type bootloader_prop, property_type;
-type boottime_prop, property_type;
-type build_prop, property_type;
-type cold_boot_done_prop, property_type;
-type ctl_adbd_prop, property_type;
-type ctl_apexd_prop, property_type;
-type ctl_console_prop, property_type;
-type ctl_default_prop, property_type;
-type ctl_fuse_prop, property_type;
-type ctl_interface_restart_prop, property_type;
-type ctl_interface_start_prop, property_type;
-type ctl_interface_stop_prop, property_type;
-type ctl_restart_prop, property_type;
-type ctl_sigstop_prop, property_type;
-type ctl_start_prop, property_type;
-type ctl_stop_prop, property_type;
-type debug_prop, property_type;
-type default_prop, property_type;
-type exported_default_prop, property_type;
-type fingerprint_prop, property_type;
-type hwservicemanager_prop, property_type;
-type init_perf_lsm_hooks_prop, property_type;
-type init_service_status_private_prop, property_type;
-type init_service_status_prop, property_type;
-type init_svc_debug_prop, property_type;
-type keystore_listen_prop, property_type;
-type logd_prop, property_type;
-type property_service_version_prop, property_type;
-type shell_prop, property_type;
-type usb_control_prop, property_type;
-type vendor_default_prop, property_type;
-type vmsecret_keymint_prop, property_type;
-
-allow property_type tmpfs:filesystem associate;
-
-#----------------------------------------
-type adbd_config_prop, property_type;
-
-type module_sdkextensions_prop, property_type;
diff --git a/microdroid/sepolicy/system/public/roles b/microdroid/sepolicy/system/public/roles
deleted file mode 100644
index ca92934..0000000
--- a/microdroid/sepolicy/system/public/roles
+++ /dev/null
@@ -1 +0,0 @@
-role r types domain;
diff --git a/microdroid/sepolicy/system/public/runas.te b/microdroid/sepolicy/system/public/runas.te
deleted file mode 100644
index 4d8a6b3..0000000
--- a/microdroid/sepolicy/system/public/runas.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type runas, domain, mlstrustedsubject, coredomain;
-type runas_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/servicemanager.te b/microdroid/sepolicy/system/public/servicemanager.te
deleted file mode 100644
index 41a1096..0000000
--- a/microdroid/sepolicy/system/public/servicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type servicemanager, domain;
-type servicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/shell.te b/microdroid/sepolicy/system/public/shell.te
deleted file mode 100644
index c84e377..0000000
--- a/microdroid/sepolicy/system/public/shell.te
+++ /dev/null
@@ -1,82 +0,0 @@
-# Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
-type shell_exec, system_file_type, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# logcat
-read_logd(shell)
-control_logd(shell)
-
-# Root fs.
-allow shell rootfs:dir r_dir_perms;
-
-# Access /data/local/tmp.
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-allow shell shell_data_file:lnk_file create_file_perms;
-
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-
-r_dir_file(shell, system_file)
-allow shell system_file:file x_file_perms;
-allow shell toolbox_exec:file rx_file_perms;
-allow shell shell_exec:file rx_file_perms;
-
-# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
-r_dir_file(shell, proc_net_type)
-
-allow shell {
- proc_asound
- proc_filesystems
- proc_interrupts
- proc_loadavg # b/124024827
- proc_meminfo
- proc_modules
- proc_pid_max
- proc_slabinfo
- proc_stat
- proc_timer
- proc_uptime
- proc_version
- proc_vmstat
- proc_zoneinfo
-}:file r_file_perms;
-
-# allow listing network interfaces under /sys/class/net.
-allow shell sysfs_net:dir r_dir_perms;
-
-r_dir_file(shell, cgroup)
-allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
-r_dir_file(shell, cgroup_v2)
-allow shell domain:dir { search open read getattr };
-allow shell domain:{ file lnk_file } { open read getattr };
-
-# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
-allow shell { proc labeledfs }:filesystem getattr;
-
-# stat() of /dev
-allow shell device:dir getattr;
-
-# allow shell to read /proc/pid/attr/current for ps -Z
-allow shell domain:process getattr;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow shell selinuxfs:dir r_dir_perms;
-allow shell selinuxfs:file r_file_perms;
-
-# /dev/fd is a symlink
-allow shell proc:lnk_file getattr;
-
-# read selinux policy files
-allow shell file_contexts_file:file r_file_perms;
-allow shell property_contexts_file:file r_file_perms;
-allow shell seapp_contexts_file:file r_file_perms;
-allow shell service_contexts_file:file r_file_perms;
-allow shell sepolicy_file:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/statsd.te b/microdroid/sepolicy/system/public/statsd.te
deleted file mode 100644
index 5da3ec9..0000000
--- a/microdroid/sepolicy/system/public/statsd.te
+++ /dev/null
@@ -1,31 +0,0 @@
-type statsd, domain, mlstrustedsubject;
-
-type statsd_exec, system_file_type, exec_type, file_type;
-binder_use(statsd)
-
-# Allow statsd to scan through /proc/pid for all processes.
-r_dir_file(statsd, domain)
-
-# Allow executing files on system, such as running a shell or running:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow statsd devpts:chr_file { getattr ioctl read write };
-allow statsd shell_exec:file rx_file_perms;
-allow statsd system_file:file execute_no_trans;
-allow statsd toolbox_exec:file rx_file_perms;
-
-# Allow statsd to interact with keystore to pull atoms
-allow statsd keystore_service:service_manager find;
-binder_call(statsd, keystore)
-
-# Allow logd access.
-read_logd(statsd)
-control_logd(statsd)
-
-# Allow 'adb shell cmd' to upload configs and download output.
-allow statsd adbd:fd use;
-allow statsd adbd:unix_stream_socket { getattr read write };
-allow statsd shell:fifo_file { getattr read write };
-
-unix_socket_send(statsd, statsdw, statsd)
diff --git a/microdroid/sepolicy/system/public/su.te b/microdroid/sepolicy/system/public/su.te
deleted file mode 100644
index a440c21..0000000
--- a/microdroid/sepolicy/system/public/su.te
+++ /dev/null
@@ -1,52 +0,0 @@
-# All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
-type su, domain;
-
-# File types must be defined for file_contexts.
-type su_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
- typeattribute su mlstrustedsubject;
-
- # Add su to various domains
- net_domain(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su self:capability2 *;
- dontaudit su kernel:security *;
- dontaudit su { kernel file_type }:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:{ process process2 } *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su service_manager_type:service_manager *;
- dontaudit su hwservice_manager_type:hwservice_manager *;
- dontaudit su servicemanager:service_manager list;
- dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su keystore:keystore2 *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su domain:bpf *;
- dontaudit su unlabeled:vsock_socket *;
- dontaudit su self:perf_event *;
-')
diff --git a/microdroid/sepolicy/system/public/te_macros b/microdroid/sepolicy/system/public/te_macros
deleted file mode 100644
index 9e73292..0000000
--- a/microdroid/sepolicy/system/public/te_macros
+++ /dev/null
@@ -1,988 +0,0 @@
-#####################################
-# domain_trans(olddomain, type, newdomain)
-# Allow a transition from olddomain to newdomain
-# upon executing a file labeled with type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use domain_auto_trans
-# if that is what you want.
-#
-define(`domain_trans', `
-# Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute map };
-allow $1 $3:process transition;
-# New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr map };
-# New domain can send SIGCHLD to its caller.
-ifelse($1, `init', `', `allow $3 $1:process sigchld;')
-# Enable AT_SECURE, i.e. libc secure mode.
-dontaudit $1 $3:process noatsecure;
-# XXX dontaudit candidate but requires further study.
-allow $1 $3:process { siginh rlimitinh };
-')
-
-#####################################
-# domain_auto_trans(olddomain, type, newdomain)
-# Automatically transition from olddomain to newdomain
-# upon executing a file labeled with type.
-#
-define(`domain_auto_trans', `
-# Allow the necessary permissions.
-domain_trans($1,$2,$3)
-# Make the transition occur by default.
-type_transition $1 $2:process $3;
-')
-
-#####################################
-# file_type_trans(domain, dir_type, file_type)
-# Allow domain to create a file labeled file_type in a
-# directory labeled dir_type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use file_type_auto_trans
-# if that is what you want.
-#
-define(`file_type_trans', `
-# Allow the domain to add entries to the directory.
-allow $1 $2:dir ra_dir_perms;
-# Allow the domain to create the file.
-allow $1 $3:notdevfile_class_set create_file_perms;
-allow $1 $3:dir create_dir_perms;
-')
-
-#####################################
-# file_type_auto_trans(domain, dir_type, file_type)
-# Automatically label new files with file_type when
-# they are created by domain in directories labeled dir_type.
-#
-define(`file_type_auto_trans', `
-# Allow the necessary permissions.
-file_type_trans($1, $2, $3)
-# Make the transition occur by default.
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-')
-
-#####################################
-# r_dir_file(domain, type)
-# Allow the specified domain to read directories, files
-# and symbolic links of the specified type.
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:{ file lnk_file } r_file_perms;
-')
-
-#####################################
-# tmpfs_domain(domain)
-# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
-define(`tmpfs_domain', `
-type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr map };
-')
-
-# pdx macros for IPC. pdx is a high-level name which contains transport-specific
-# rules from underlying transport (e.g. UDS-based implementation).
-
-#####################################
-# pdx_service_attributes(service)
-# Defines type attribute used to identify various service-related types.
-define(`pdx_service_attributes', `
-attribute pdx_$1_endpoint_dir_type;
-attribute pdx_$1_endpoint_socket_type;
-attribute pdx_$1_channel_socket_type;
-attribute pdx_$1_server_type;
-')
-
-#####################################
-# pdx_service_socket_types(service, endpoint_dir_t)
-# Define types for endpoint and channel sockets.
-define(`pdx_service_socket_types', `
-typeattribute $2 pdx_$1_endpoint_dir_type;
-type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
-type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
-userdebug_or_eng(`
-dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
-dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
-')
-')
-
-#####################################
-# pdx_server(server_domain, service)
-define(`pdx_server', `
-# Mark the server domain as a PDX server.
-typeattribute $1 pdx_$2_server_type;
-# Allow the init process to create the initial endpoint socket.
-allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
-# Allow the server domain to use the endpoint socket and accept connections on it.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
-# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
-allow $1 self:process setsockcreate;
-# Allow the server domain to create a client channel socket.
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
-# Prevent other processes from claiming to be a server for the same service.
-neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
-')
-
-#####################################
-# pdx_connect(client, service)
-define(`pdx_connect', `
-# Allow client to open the service endpoint file.
-allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
-allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
-# Allow the client to connect to endpoint socket.
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
-')
-
-#####################################
-# pdx_use(client, service)
-define(`pdx_use', `
-# Allow the client to use the PDX channel socket.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
-# Client needs to use an channel event fd from the server.
-allow $1 pdx_$2_server_type:fd use;
-# Servers may receive sync fences, gralloc buffers, etc, from clients.
-# This could be tightened on a per-server basis, but keeping track of service
-# clients is error prone.
-allow pdx_$2_server_type $1:fd use;
-')
-
-#####################################
-# pdx_client(client, service)
-define(`pdx_client', `
-pdx_connect($1, $2)
-pdx_use($1, $2)
-')
-
-#####################################
-# init_daemon_domain(domain)
-# Set up a transition from init to the daemon domain
-# upon executing its binary.
-define(`init_daemon_domain', `
-domain_auto_trans(init, $1_exec, $1)
-')
-
-####################################
-# userfaultfd_use(domain)
-# Allow domain to create/use userfaultfd.
-define(`userfaultfd_use', `
-# Set up a type_transition to "userfaultfd" named anonymous inode object.
-type $1_userfaultfd;
-type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
-# Allow domain to create/use userfaultfd anon_inode.
-allow $1 $1_userfaultfd:anon_inode { create ioctl read };
-# Other domains may not use userfaultfd anon_inodes created by this domain.
-neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
-# This domain may not use userfaultfd anon_inodes created by other domains.
-neverallow $1 ~$1_userfaultfd:anon_inode *;
-')
-
-#####################################
-# app_domain(domain)
-# Allow a base set of permissions required for all apps.
-define(`app_domain', `
-typeattribute $1 appdomain;
-# Label tmpfs objects for all apps.
-type_transition $1 tmpfs:file appdomain_tmpfs;
-userfaultfd_use($1)
-allow $1 appdomain_tmpfs:file { execute getattr map read write };
-neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
-# The Android security model guarantees the confidentiality and integrity
-# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components to
-# apps. crash_dump is excluded, as it needs ptrace access to produce stack
-# traces. runas_app is excluded, as it operates only on debuggable apps.
-# simpleperf is excluded, as it operates only on debuggable or profileable
-# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
-# live lock conditions.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
-')
-
-#####################################
-# untrusted_app_domain(domain)
-# Allow a base set of permissions required for all untrusted apps.
-define(`untrusted_app_domain', `
-typeattribute $1 untrusted_app_all;
-')
-
-#####################################
-# net_domain(domain)
-# Allow a base set of permissions required for network access.
-define(`net_domain', `
-typeattribute $1 netdomain;
-')
-
-#####################################
-# bluetooth_domain(domain)
-# Allow a base set of permissions required for bluetooth access.
-define(`bluetooth_domain', `
-typeattribute $1 bluetoothdomain;
-')
-
-#####################################
-# hal_attribute(hal_name)
-# Add an attribute for hal implementations along with necessary
-# restrictions.
-define(`hal_attribute', `
-attribute hal_$1;
-expandattribute hal_$1 true;
-attribute hal_$1_client;
-expandattribute hal_$1_client true;
-attribute hal_$1_server;
-expandattribute hal_$1_server false;
-
-neverallow { hal_$1_server -halserverdomain } domain:process fork;
-# hal_*_client and halclientdomain attributes are always expanded for
-# performance reasons. Neverallow rules targeting expanded attributes can not be
-# verified by CTS since these attributes are already expanded by that time.
-build_test_only(`
-neverallow { hal_$1_server -hal_$1 } domain:process fork;
-neverallow { hal_$1_client -halclientdomain } domain:process fork;
-')
-')
-
-#####################################
-# hal_server_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to offer a
-# HAL implementation of the specified type over HwBinder.
-#
-# For example, default implementation of Foo HAL:
-# type hal_foo_default, domain;
-# hal_server_domain(hal_foo_default, hal_foo)
-#
-define(`hal_server_domain', `
-typeattribute $1 halserverdomain;
-typeattribute $1 $2_server;
-typeattribute $1 $2;
-')
-
-#####################################
-# hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a HAL of the specified type.
-#
-# For example, make some_domain a client of Foo HAL:
-# hal_client_domain(some_domain, hal_foo)
-#
-define(`hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-
-# TODO(b/34170079): Make the inclusion of the rules below conditional also on
-# non-Treble devices. For now, on non-Treble device, always grant clients of a
-# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
-not_full_treble(`
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute map };
-')
-')
-
-#####################################
-# passthrough_hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a passthrough HAL of the specified type.
-#
-# For example, make some_domain a client of passthrough Foo HAL:
-# passthrough_hal_client_domain(some_domain, hal_foo)
-#
-define(`passthrough_hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute map };
-')
-
-#####################################
-# unix_socket_connect(clientdomain, socket, serverdomain)
-# Allow a local socket connection from clientdomain via
-# socket to serverdomain.
-#
-# Note: If you see denial records that distill to the
-# following allow rules:
-# allow clientdomain property_socket:sock_file write;
-# allow clientdomain init:unix_stream_socket connectto;
-# allow clientdomain something_prop:property_service set;
-#
-# This sequence is indicative of attempting to set a property.
-# use set_prop(sourcedomain, targetproperty)
-#
-define(`unix_socket_connect', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_stream_socket connectto;
-')
-
-#####################################
-# set_prop(sourcedomain, targetproperty)
-# Allows source domain to set the
-# targetproperty.
-#
-define(`set_prop', `
-unix_socket_connect($1, property, init)
-allow $1 $2:property_service set;
-get_prop($1, $2)
-')
-
-#####################################
-# get_prop(sourcedomain, targetproperty)
-# Allows source domain to read the
-# targetproperty.
-#
-define(`get_prop', `
-allow $1 $2:file { getattr open read map };
-')
-
-#####################################
-# unix_socket_send(clientdomain, socket, serverdomain)
-# Allow a local socket send from clientdomain via
-# socket to serverdomain.
-define(`unix_socket_send', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_dgram_socket sendto;
-')
-
-#####################################
-# binder_use(domain)
-# Allow domain to use Binder IPC.
-define(`binder_use', `
-# Call the servicemanager and transfer references to it.
-allow $1 servicemanager:binder { call transfer };
-# Allow servicemanager to send out callbacks
-allow servicemanager $1:binder { call transfer };
-# servicemanager performs getpidcon on clients.
-allow servicemanager $1:dir search;
-allow servicemanager $1:file { read open };
-allow servicemanager $1:process getattr;
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# hwbinder_use(domain)
-# Allow domain to use HwBinder IPC.
-define(`hwbinder_use', `
-# Call the hwservicemanager and transfer references to it.
-allow $1 hwservicemanager:binder { call transfer };
-# Allow hwservicemanager to send out callbacks
-allow hwservicemanager $1:binder { call transfer };
-# hwservicemanager performs getpidcon on clients.
-allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open map };
-allow hwservicemanager $1:process getattr;
-# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# vndbinder_use(domain)
-# Allow domain to use Binder IPC.
-define(`vndbinder_use', `
-# Talk to the vndbinder device node
-allow $1 vndbinder_device:chr_file rw_file_perms;
-# Call the vndservicemanager and transfer references to it.
-allow $1 vndservicemanager:binder { call transfer };
-# vndservicemanager performs getpidcon on clients.
-allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open map };
-allow vndservicemanager $1:process getattr;
-')
-
-#####################################
-# binder_call(clientdomain, serverdomain)
-# Allow clientdomain to perform binder IPC to serverdomain.
-define(`binder_call', `
-# Call the server domain and optionally transfer references to it.
-allow $1 $2:binder { call transfer };
-# Allow the serverdomain to transfer references to the client on the reply.
-allow $2 $1:binder transfer;
-# Receive and use open files from the server.
-allow $1 $2:fd use;
-')
-
-#####################################
-# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
-define(`binder_service', `
-typeattribute $1 binderservicedomain;
-')
-
-#####################################
-# wakelock_use(domain)
-# Allow domain to manage wake locks
-define(`wakelock_use', `
-# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
-# deprecated.
-# Access /sys/power/wake_lock and /sys/power/wake_unlock
-allow $1 sysfs_wake_lock:file rw_file_perms;
-# Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:global_capability2_class_set block_suspend;
-# system_suspend permissions
-binder_call($1, system_suspend_server)
-allow $1 system_suspend_hwservice:hwservice_manager find;
-# halclientdomain permissions
-hwbinder_use($1)
-get_prop($1, hwservicemanager_prop)
-allow $1 hidl_manager_hwservice:hwservice_manager find;
-')
-
-#####################################
-# selinux_check_access(domain)
-# Allow domain to check SELinux permissions via selinuxfs.
-define(`selinux_check_access', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
-')
-
-#####################################
-# selinux_check_context(domain)
-# Allow domain to check SELinux contexts via selinuxfs.
-define(`selinux_check_context', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security check_context;
-')
-
-#####################################
-# create_pty(domain)
-# Allow domain to create and use a pty, isolated from any other domain ptys.
-define(`create_pty', `
-# Each domain gets a unique devpts type.
-type $1_devpts, fs_type;
-# Label the pty with the unique type when created.
-type_transition $1 devpts:chr_file $1_devpts;
-# Allow use of the pty after creation.
-allow $1 $1_devpts:chr_file { open getattr read write ioctl };
-allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
-# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
-# allowed to everyone via domain.te.
-')
-
-#####################################
-# Non system_app application set
-#
-define(`non_system_app_set', `{ appdomain -system_app }')
-
-#####################################
-# Recovery only
-# SELinux rules which apply only to recovery mode
-#
-define(`recovery_only', ifelse(target_recovery, `true', $1, ))
-
-#####################################
-# Not recovery
-# SELinux rules which apply only to non-recovery (normal) mode
-#
-define(`not_recovery', ifelse(target_recovery, `true', , $1))
-
-#####################################
-# Full TREBLE only
-# SELinux rules which apply only to full TREBLE devices
-#
-define(`full_treble_only', ifelse(target_full_treble, `true', $1,
-ifelse(target_full_treble, `cts',
-# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# Not full TREBLE
-# SELinux rules which apply only to devices which are not full TREBLE devices
-#
-define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
-
-#####################################
-# enforce_debugfs_restriction
-# SELinux rules which apply to devices that enable debugfs restrictions.
-# The keyword "cts" is used to insert markers to only CTS test the neverallows
-# added by the macro for S-launch devices and newer.
-define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
-ifelse(target_enforce_debugfs_restriction, `cts',
-# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# no_debugfs_restriction
-# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
-define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
-
-#####################################
-# Compatible property only
-# SELinux rules which apply only to devices with compatible property
-#
-define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
-ifelse(target_compatible_property, `cts',
-# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# Not compatible property
-# SELinux rules which apply only to devices without compatible property
-#
-define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
-
-#####################################
-# Userdebug or eng builds
-# SELinux rules which apply only to userdebug or eng builds
-#
-define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-
-#####################################
-# asan builds
-# SELinux rules which apply only to asan builds
-#
-define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
-
-#####################################
-# native coverage builds
-# SELinux rules which apply only to builds with native coverage
-#
-define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
-
-#####################################
-# Build-time-only test
-# SELinux rules which are verified during build, but not as part of *TS testing.
-#
-define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
-
-####################################
-# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
-#
-define(`crash_dump_fallback', `
-userdebug_or_eng(`
- allow $1 su:fifo_file append;
-')
-allow $1 anr_data_file:file append;
-allow $1 dumpstate:fd use;
-allow $1 incidentd:fd use;
-# TODO: Figure out why write is needed.
-allow $1 dumpstate:fifo_file { append write };
-allow $1 incidentd:fifo_file { append write };
-allow $1 system_server:fifo_file { append write };
-allow $1 tombstoned:unix_stream_socket connectto;
-allow $1 tombstoned:fd use;
-allow $1 tombstoned_crash_socket:sock_file write;
-allow $1 tombstone_data_file:file append;
-')
-
-#####################################
-# WITH_DEXPREOPT builds
-# SELinux rules which apply only when pre-opting.
-#
-define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
-
-#####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-define(`write_logd', `
-unix_socket_send($1, logdw, logd)
-allow $1 pmsg_device:chr_file w_file_perms;
-')
-
-#####################################
-# read_logd(domain)
-# Ability to run logcat and read from android
-# log daemon via sockets
-define(`read_logd', `
-allow $1 logcat_exec:file rx_file_perms;
-unix_socket_connect($1, logdr, logd)
-')
-
-#####################################
-# read_runtime_log_tags(domain)
-# ability to directly map the runtime event log tags
-define(`read_runtime_log_tags', `
-allow $1 runtime_event_log_tags_file:file r_file_perms;
-')
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-define(`control_logd', `
-# Group AID_LOG checked by filesystem & logd
-# to permit control commands
-unix_socket_connect($1, logd, logd)
-')
-
-#####################################
-# use_keystore(domain)
-# Ability to use keystore.
-# Keystore is requires the following permissions
-# to call getpidcon.
-define(`use_keystore', `
- allow keystore $1:dir search;
- allow keystore $1:file { read open };
- allow keystore $1:process getattr;
- allow $1 apc_service:service_manager find;
- allow $1 keystore_service:service_manager find;
- allow $1 legacykeystore_service:service_manager find;
- binder_call($1, keystore)
- binder_call(keystore, $1)
-')
-
-#####################################
-# use_credstore(domain)
-# Ability to use credstore.
-define(`use_credstore', `
- allow credstore $1:dir search;
- allow credstore $1:file { read open };
- allow credstore $1:process getattr;
- allow $1 credstore_service:service_manager find;
- binder_call($1, credstore)
- binder_call(credstore, $1)
-')
-
-###########################################
-# use_drmservice(domain)
-# Ability to use DrmService which requires
-# DrmService to call getpidcon.
-define(`use_drmservice', `
- allow drmserver $1:dir search;
- allow drmserver $1:file { read open };
- allow drmserver $1:process getattr;
-')
-
-###########################################
-# add_service(domain, service)
-# Ability for domain to add a service to service_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_service', `
- allow $1 $2:service_manager { add find };
- neverallow { domain -$1 } $2:service_manager add;
-')
-
-###########################################
-# add_hwservice(domain, service)
-# Ability for domain to add a service to hwservice_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_hwservice', `
- allow $1 $2:hwservice_manager { add find };
- allow $1 hidl_base_hwservice:hwservice_manager add;
- neverallow { domain -$1 } $2:hwservice_manager add;
-')
-
-###########################################
-# hal_attribute_hwservice(attribute, service)
-# Ability for domain to get a service to hwservice_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-#
-# Used to pair hal_foo_client with hal_foo_hwservice
-define(`hal_attribute_hwservice', `
- allow $1_client $2:hwservice_manager find;
- add_hwservice($1_server, $2)
-
- build_test_only(`
- # if you are hitting this neverallow, try using:
- # hal_client_domain(<your domain>, hal_<foo>)
- # instead
- neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
- ')
-')
-
-###########################################
-# hal_attribute_service(attribute, service)
-# Ability for domain to get a service to service_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-#
-# Used to pair hal_foo_client with hal_foo_service
-define(`hal_attribute_service', `
- allow $1_client $2:service_manager find;
- add_service($1_server, $2)
-
- build_test_only(`
- # if you are hitting this neverallow, try using:
- # hal_client_domain(<your domain>, hal_<foo>)
- # instead
- neverallow {
- domain
- -$1_client
- -$1_server
- -shell
- } $2:service_manager find;
- ')
-')
-
-###################################
-# can_profile_heap(domain)
-# Allow processes within the domain to have their heap profiled by central
-# heapprofd.
-define(`can_profile_heap', `
- # Allow central daemon to send signal for client initialization.
- allow heapprofd $1:process signal;
- # Allow connecting to the daemon.
- unix_socket_connect($1, heapprofd, heapprofd)
- # Allow daemon to use the passed fds.
- allow heapprofd $1:fd use;
- # Allow to read and write to heapprofd shmem.
- # The client needs to read the read and write pointers in order to write.
- allow $1 heapprofd_tmpfs:file { read write getattr map };
- # Use shared memory received over the unix socket.
- allow $1 heapprofd:fd use;
-
- # To read and write from the received file descriptors.
- # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
- # process they relate to.
- # We need to write to /proc/$PID/page_idle to find idle allocations.
- # The client only opens /proc/self/page_idle with RDWR, everything else
- # with RDONLY.
- # heapprofd cannot open /proc/$PID/mem itself, as it does not have
- # sys_ptrace.
- allow heapprofd $1:file rw_file_perms;
- # Allow searching the /proc/[pid] directory for cmdline.
- allow heapprofd $1:dir r_dir_perms;
-')
-
-###################################
-# never_profile_heap(domain)
-# Opt out of heap profiling by heapprofd.
-define(`never_profile_heap', `
- neverallow heapprofd $1:file read;
- neverallow heapprofd $1:process signal;
-')
-
-###################################
-# can_profile_perf(domain)
-# Allow processes within the domain to be profiled, and have their stacks
-# sampled, by traced_perf.
-define(`can_profile_perf', `
- # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
- # reads /proc/[pid]/cmdline.
- allow traced_perf $1:file r_file_perms;
- allow traced_perf $1:dir r_dir_perms;
-
- # Allow central daemon to send signal to request /proc/[pid]/maps and
- # /proc/[pid]/mem fds from this process.
- allow traced_perf $1:process signal;
-
- # Allow connecting to the daemon.
- unix_socket_connect($1, traced_perf, traced_perf)
- # Allow daemon to use the passed fds.
- allow traced_perf $1:fd use;
-')
-
-###################################
-# never_profile_perf(domain)
-# Opt out of profiling by traced_perf.
-define(`never_profile_perf', `
- neverallow traced_perf $1:file read;
- neverallow traced_perf $1:process signal;
-')
-
-###################################
-# perfetto_producer(domain)
-# Allow processes within the domain to write data to Perfetto.
-# When applying this macro, you might need to also allow traced to use the
-# producer tmpfs domain, if the producer will be the one creating the shared
-# memory.
-define(`perfetto_producer', `
- allow $1 traced:fd use;
- allow $1 traced_tmpfs:file { read write getattr map };
- unix_socket_connect($1, traced_producer, traced)
-
- # Also allow the service to use the producer file descriptors. This is
- # necessary when the producer is creating the shared memory, as it will be
- # passed to the service as a file descriptor (obtained from memfd_create).
- allow traced $1:fd use;
-')
-
-###########################################
-# dump_hal(hal_type)
-# Ability to dump the hal debug info
-#
-define(`dump_hal', `
- hal_client_domain(dumpstate, $1);
- allow $1_server dumpstate:fifo_file write;
- allow $1_server dumpstate:fd use;
-')
-
-#####################################
-# treble_sysprop_neverallow(rules)
-# SELinux neverallow rules which enforces the accessibility of each property
-# outside the owner.
-#
-# For devices launching with R or later, exported properties must be explicitly marked as
-# "restricted" or "public", depending on the accessibility outside the owner.
-# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
-# See {partition}_{accessibility}_prop macros below.
-#
-# CTS uses these rules only for devices launching with R or later.
-#
-# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
-#
-define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
-ifelse(target_treble_sysprop_neverallow, `cts',
-# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# enforce_sysprop_owner(rules)
-# SELinux neverallow rules which enforces the owner of each property.
-#
-# For devices launching with S or later, all properties must be explicitly marked as one of:
-# system_property_type, vendor_property_type, or product_property_type.
-# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
-# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
-# See {partition}_{accessibility}_prop macros below.
-#
-# CTS uses these ules only for devices launching with S or later.
-#
-define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
-ifelse(target_enforce_sysprop_owner, `cts',
-# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-###########################################
-# define_prop(name, owner, scope)
-# Define a property with given owner and scope
-#
-define(`define_prop', `
- type $1, property_type, $2_property_type, $2_$3_property_type;
-')
-
-###########################################
-# system_internal_prop(name)
-# Define a /system-owned property used only in /system
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`system_internal_prop', `
- define_prop($1, system, internal)
- treble_sysprop_neverallow(`
- neverallow { domain -coredomain } $1:file no_rw_file_perms;
- ')
-')
-
-###########################################
-# system_restricted_prop(name)
-# Define a /system-owned property which can't be written outside /system
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`system_restricted_prop', `
- define_prop($1, system, restricted)
- treble_sysprop_neverallow(`
- neverallow { domain -coredomain } $1:property_service set;
- ')
-')
-
-###########################################
-# system_public_prop(name)
-# Define a /system-owned property with no restrictions
-#
-define(`system_public_prop', `define_prop($1, system, public)')
-
-###########################################
-# system_vendor_config_prop(name)
-# Define a /system-owned property which can only be written by vendor_init
-# This is a macro for vendor-specific configuration properties which is meant
-# to be set once from vendor_init.
-#
-define(`system_vendor_config_prop', `
- system_public_prop($1)
- set_prop(vendor_init, $1)
- neverallow { domain -init -vendor_init } $1:property_service set;
-')
-
-###########################################
-# product_internal_prop(name)
-# Define a /product-owned property used only in /product
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`product_internal_prop', `
- define_prop($1, product, internal)
- treble_sysprop_neverallow(`
- neverallow { domain -coredomain } $1:file no_rw_file_perms;
- ')
-')
-
-###########################################
-# product_restricted_prop(name)
-# Define a /product-owned property which can't be written outside /product
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`product_restricted_prop', `
- define_prop($1, product, restricted)
- treble_sysprop_neverallow(`
- neverallow { domain -coredomain } $1:property_service set;
- ')
-')
-
-###########################################
-# product_public_prop(name)
-# Define a /product-owned property with no restrictions
-#
-define(`product_public_prop', `define_prop($1, product, public)')
-
-###########################################
-# vendor_internal_prop(name)
-# Define a /vendor-owned property used only in /vendor
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`vendor_internal_prop', `
- define_prop($1, vendor, internal)
- treble_sysprop_neverallow(`
-# init and dumpstate are in coredomain, but should be able to read all props.
- neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
- ')
-')
-
-###########################################
-# vendor_restricted_prop(name)
-# Define a /vendor-owned property which can't be written outside /vendor
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`vendor_restricted_prop', `
- define_prop($1, vendor, restricted)
- treble_sysprop_neverallow(`
-# init is in coredomain, but should be able to write all props.
- neverallow { coredomain -init } $1:property_service set;
- ')
-')
-
-###########################################
-# vendor_public_prop(name)
-# Define a /vendor-owned property with no restrictions
-#
-define(`vendor_public_prop', `define_prop($1, vendor, public)')
-
-#####################################
-# read_fstab(domain)
-# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
-#
-define(`read_fstab', `
- allow $1 { metadata_file gsi_metadata_file_type }:dir search;
- allow $1 gsi_public_metadata_file:file r_file_perms;
-')
diff --git a/microdroid/sepolicy/system/public/tombstoned.te b/microdroid/sepolicy/system/public/tombstoned.te
deleted file mode 100644
index bd1626d..0000000
--- a/microdroid/sepolicy/system/public/tombstoned.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type tombstoned, domain;
-type tombstoned_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/toolbox.te b/microdroid/sepolicy/system/public/toolbox.te
deleted file mode 100644
index 0a6e649..0000000
--- a/microdroid/sepolicy/system/public/toolbox.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type toolbox, domain;
-type toolbox_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/type.te b/microdroid/sepolicy/system/public/type.te
deleted file mode 100644
index c31509c..0000000
--- a/microdroid/sepolicy/system/public/type.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# Miscellaneous types
-type adb_service, system_server_service, system_api_service, service_manager_type;
-type apex_service, service_manager_type;
-type authorization_service, service_manager_type;
-type credstore_service, app_api_service, service_manager_type;
-type default_android_hwservice, hwservice_manager_type, protected_hwservice;
-type default_android_service, service_manager_type;
-type hal_keymint_service, protected_service, vendor_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_metrics_service, service_manager_type;
-type keystore_service, service_manager_type;
-type legacykeystore_service, service_manager_type;
-type remoteprovisioning_service, service_manager_type;
-type system_linker;
-type vm_payload_key;
diff --git a/microdroid/sepolicy/system/public/ueventd.te b/microdroid/sepolicy/system/public/ueventd.te
deleted file mode 100644
index 7bf7888..0000000
--- a/microdroid/sepolicy/system/public/ueventd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# ueventd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type ueventd, domain;
-type ueventd_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/vendor_init.te b/microdroid/sepolicy/system/public/vendor_init.te
deleted file mode 100644
index b66caa9..0000000
--- a/microdroid/sepolicy/system/public/vendor_init.te
+++ /dev/null
@@ -1,150 +0,0 @@
-# vendor_init is its own domain.
-type vendor_init, domain, mlstrustedsubject;
-
-# Communication to the main init process
-allow vendor_init init:unix_stream_socket { read write };
-
-# Logging to kmsg
-allow vendor_init kmsg_device:chr_file { open getattr write };
-
-# Mount on /dev/usb-ffs/adb.
-allow vendor_init device:dir mounton;
-
-# Create and remove symlinks in /.
-allow vendor_init rootfs:lnk_file { create unlink };
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow vendor_init cgroup:dir create_dir_perms;
-allow vendor_init cgroup:file w_file_perms;
-allow vendor_init cgroup_v2:dir create_dir_perms;
-allow vendor_init cgroup_v2:file w_file_perms;
-
-# /config
-allow vendor_init configfs:dir mounton;
-allow vendor_init configfs:dir create_dir_perms;
-allow vendor_init configfs:{ file lnk_file } create_file_perms;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow vendor_init self:global_capability_class_set { chown fowner fsetid };
-
-allow vendor_init system_data_file:dir getattr;
-
-allow vendor_init {
- file_type
- -exec_type
- -system_file_type
- -unlabeled
- -vendor_file_type
-}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
-
-allow vendor_init {
- file_type
- -exec_type
- -runtime_event_log_tags_file
- -system_file_type
- -unlabeled
- -vendor_file_type
- -apex_info_file
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow vendor_init {
- file_type
- -exec_type
- -system_file_type
- -unlabeled
- -vendor_file_type
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow vendor_init {
- file_type
- -apex_mnt_dir
- -exec_type
- -system_file_type
- -unlabeled
- -vendor_file_type
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow vendor_init {
- file_type
- -exec_type
- -system_file_type
- -vendor_file_type
-}:dir_file_class_set relabelto;
-
-allow vendor_init dev_type:dir create_dir_perms;
-allow vendor_init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow vendor_init debugfs_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow vendor_init {
- fs_type
- -fusefs_type
- -rootfs
- -proc_uid_time_in_state
- -proc_uid_concurrent_active_time
- -proc_uid_concurrent_policy_time
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { open read setattr map };
-
-allow vendor_init tracefs_type:file { open read setattr map };
-
-allow vendor_init {
- fs_type
- -fusefs_type
- -rootfs
- -proc_uid_time_in_state
- -proc_uid_concurrent_active_time
- -proc_uid_concurrent_policy_time
-}:dir { open read setattr search };
-
-allow vendor_init dev_type:blk_file getattr;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net_type)
-allow vendor_init proc_net_type:file w_file_perms;
-allow vendor_init self:global_capability_class_set net_admin;
-
-# Write to /proc/sys/vm/page-cluster
-allow vendor_init proc_page_cluster:file w_file_perms;
-
-# Write to sysfs nodes.
-allow vendor_init sysfs_type:dir r_dir_perms;
-allow vendor_init sysfs_type:lnk_file read;
-allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
-
-# setfscreatecon() for labeling directories and socket files.
-allow vendor_init self:process { setfscreate };
-
-r_dir_file(vendor_init, vendor_file_type)
-
-# Vendor init can perform operations on trusted and security Extended Attributes
-allow vendor_init self:global_capability_class_set sys_admin;
-
-# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
-
-# Get file context
-allow vendor_init file_contexts_file:file r_file_perms;
-
-# Allow vendor_init to (re)set nice
-allow vendor_init self:capability sys_nice;
-
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -kvm_device
- -hw_random_device
-}:chr_file setattr;
diff --git a/microdroid/sepolicy/vendor/file_contexts b/microdroid/sepolicy/vendor/file_contexts
deleted file mode 100644
index 0aa85cf..0000000
--- a/microdroid/sepolicy/vendor/file_contexts
+++ /dev/null
@@ -1,38 +0,0 @@
-# TODO(jiyong): clean this up
-#############################
-# Vendor files
-#
-(/.*)? u:object_r:vendor_file:s0
-/bin/sh u:object_r:vendor_shell_exec:s0
-/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
-/bin/toolbox u:object_r:vendor_toolbox_exec:s0
-/etc(/.*)? u:object_r:vendor_configs_file:s0
-/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
-/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
-
-/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-
-/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-/manifest\.xml u:object_r:vendor_configs_file:s0
-/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
-/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
-/app(/.*)? u:object_r:vendor_app_file:s0
-/priv-app(/.*)? u:object_r:vendor_app_file:s0
-/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
-/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
-/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
-
-# HAL location
-/lib(64)?/hw u:object_r:vendor_hal_file:s0
-
-/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
-/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-
-/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
-/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0
diff --git a/microdroid/sepolicy/vendor/hal_keymint_default.te b/microdroid/sepolicy/vendor/hal_keymint_default.te
deleted file mode 100644
index 359ca60..0000000
--- a/microdroid/sepolicy/vendor/hal_keymint_default.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type hal_keymint_default, domain;
-hal_server_domain(hal_keymint_default, hal_keymint)
-
-type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_keymint_default)
-
-allow hal_keymint_default keystore:binder transfer;
-allow hal_keymint_default system_lib_file:file execute;
-
-allow logd hal_keymint_default:dir search;
-allow logd hal_keymint_default:file { getattr open read };
-
-get_prop(hal_keymint_default, vmsecret_keymint_prop);