Merge "Revert "Merge AuthFsHostTest into MicrodroidTestCase""
diff --git a/apex/Android.bp b/apex/Android.bp
index 4c2c00c..ccf34fd 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -48,11 +48,13 @@
binaries: [
"fd_server",
"vm",
- "compos_key_cmd",
],
java_libs: [
"android.system.virtualmachine",
],
+ apps: [
+ "android.system.virtualmachine.res",
+ ],
prebuilts: [
"com.android.virt.init.rc",
"microdroid.json",
diff --git a/apex/product_packages.mk b/apex/product_packages.mk
index ef99f0f..fef6316 100644
--- a/apex/product_packages.mk
+++ b/apex/product_packages.mk
@@ -19,8 +19,12 @@
# To include the APEX in your build, insert this in your device.mk:
# $(call inherit-product, packages/modules/Virtualization/apex/product_packages.mk)
-PRODUCT_PACKAGES += com.android.virt
+PRODUCT_PACKAGES += \
+ com.android.compos \
+ com.android.virt
+
PRODUCT_ARTIFACT_PATH_REQUIREMENT_ALLOWED_LIST += \
+ system/apex/com.android.compos.apex \
system/apex/com.android.virt.apex \
system/bin/crosvm \
system/lib64/%.dylib.so \
diff --git a/apkdmverity/src/dm.rs b/apkdmverity/src/dm.rs
index 75a4366..2b44876 100644
--- a/apkdmverity/src/dm.rs
+++ b/apkdmverity/src/dm.rs
@@ -28,7 +28,7 @@
use crate::util::*;
-use anyhow::Result;
+use anyhow::{Context, Result};
use data_model::DataInit;
use std::fs::{File, OpenOptions};
use std::io::Write;
@@ -135,7 +135,11 @@
/// Constructs a new `DeviceMapper` entrypoint. This is essentially the same as opening
/// "/dev/mapper/control".
pub fn new() -> Result<DeviceMapper> {
- let f = OpenOptions::new().read(true).write(true).open(MAPPER_CONTROL)?;
+ let f = OpenOptions::new()
+ .read(true)
+ .write(true)
+ .open(MAPPER_CONTROL)
+ .context(format!("failed to open {}", MAPPER_CONTROL))?;
Ok(DeviceMapper(f))
}
@@ -145,7 +149,8 @@
// Step 1: create an empty device
let mut data = DmIoctl::new(&name)?;
data.set_uuid(&uuid()?)?;
- dm_dev_create(&self, &mut data)?;
+ dm_dev_create(&self, &mut data)
+ .context(format!("failed to create an empty device with name {}", &name))?;
// Step 2: load table onto the device
let payload_size = size_of::<DmIoctl>() + target.as_slice().len();
@@ -159,12 +164,13 @@
let mut payload = Vec::with_capacity(payload_size);
payload.extend_from_slice(data.as_slice());
payload.extend_from_slice(target.as_slice());
- dm_table_load(&self, payload.as_mut_ptr() as *mut DmIoctl)?;
+ dm_table_load(&self, payload.as_mut_ptr() as *mut DmIoctl)
+ .context("failed to load table")?;
// Step 3: activate the device (note: the term 'suspend' might be misleading, but it
// actually activates the table. See include/uapi/linux/dm-ioctl.h
let mut data = DmIoctl::new(&name)?;
- dm_dev_suspend(&self, &mut data)?;
+ dm_dev_suspend(&self, &mut data).context("failed to activate")?;
// Step 4: wait unti the device is created and return the device path
let path = Path::new(MAPPER_DEV_ROOT).join(&name);
@@ -177,7 +183,8 @@
pub fn delete_device_deferred(&self, name: &str) -> Result<()> {
let mut data = DmIoctl::new(&name)?;
data.flags |= Flag::DM_DEFERRED_REMOVE;
- dm_dev_remove(&self, &mut data)?;
+ dm_dev_remove(&self, &mut data)
+ .context(format!("failed to remove device with name {}", &name))?;
Ok(())
}
}
diff --git a/apkdmverity/src/main.rs b/apkdmverity/src/main.rs
index 54d5def..321f79a 100644
--- a/apkdmverity/src/main.rs
+++ b/apkdmverity/src/main.rs
@@ -98,7 +98,9 @@
// Parse the idsig file to locate the merkle tree in it, then attach the file to a loop device
// with the offset so that the start of the merkle tree becomes the beginning of the loop
// device.
- let sig = V4Signature::from(File::open(&idsig)?)?;
+ let sig = V4Signature::from(
+ File::open(&idsig).context(format!("Failed to open idsig file {:?}", &idsig))?,
+ )?;
let offset = sig.merkle_tree_offset;
let size = sig.merkle_tree_size as u64;
let hash_device = loopdevice::attach(&idsig, offset, size)?;
diff --git a/compos/aidl/Android.bp b/compos/aidl/Android.bp
index 07bec09..4d36d3d 100644
--- a/compos/aidl/Android.bp
+++ b/compos/aidl/Android.bp
@@ -17,7 +17,7 @@
},
ndk: {
apex_available: [
- "com.android.virt",
+ "com.android.compos",
],
},
},
diff --git a/compos/aidl/com/android/compos/ICompOsKeyService.aidl b/compos/aidl/com/android/compos/ICompOsKeyService.aidl
index 2ddae58..a2ff917 100644
--- a/compos/aidl/com/android/compos/ICompOsKeyService.aidl
+++ b/compos/aidl/com/android/compos/ICompOsKeyService.aidl
@@ -37,4 +37,15 @@
* @return whether the inputs are valid and correspond to each other.
*/
boolean verifySigningKey(in byte[] keyBlob, in byte[] publicKey);
+
+ /**
+ * Use the supplied encrypted private key to sign some data.
+ *
+ * @param keyBlob The encrypted blob containing the private key, as returned by
+ * generateSigningKey().
+ * @param data The data to be signed. (Large data sizes may cause failure.)
+ * @return the signature.
+ */
+ // STOPSHIP(b/193241041): We must not expose this from the PVM.
+ byte[] sign(in byte[] keyBlob, in byte[] data);
}
diff --git a/compos/apex/Android.bp b/compos/apex/Android.bp
index 1fffa2e..2dded99 100644
--- a/compos/apex/Android.bp
+++ b/compos/apex/Android.bp
@@ -37,6 +37,7 @@
platform_apis: true,
binaries: [
+ "compos_key_cmd",
"compos_key_service",
"compsvc",
"compsvc_worker",
diff --git a/compos/compos_key_cmd/Android.bp b/compos/compos_key_cmd/Android.bp
index e03dfdf..460b96f 100644
--- a/compos/compos_key_cmd/Android.bp
+++ b/compos/compos_key_cmd/Android.bp
@@ -5,12 +5,18 @@
cc_binary {
name: "compos_key_cmd",
srcs: ["compos_key_cmd.cpp"],
- apex_available: ["com.android.virt"],
+ apex_available: ["com.android.compos"],
+
+ static_libs: [
+ "lib_compos_proto",
+ ],
shared_libs: [
"compos_aidl_interface-ndk_platform",
"libbase",
"libbinder_ndk",
"libcrypto",
+ "libfsverity",
+ "libprotobuf-cpp-lite",
],
}
diff --git a/compos/compos_key_cmd/compos_key_cmd.cpp b/compos/compos_key_cmd/compos_key_cmd.cpp
index d98dac5..5047a48 100644
--- a/compos/compos_key_cmd/compos_key_cmd.cpp
+++ b/compos/compos_key_cmd/compos_key_cmd.cpp
@@ -17,21 +17,33 @@
#include <aidl/com/android/compos/ICompOsKeyService.h>
#include <android-base/file.h>
#include <android-base/result.h>
+#include <android-base/unique_fd.h>
#include <android/binder_auto_utils.h>
#include <android/binder_manager.h>
+#include <asm/byteorder.h>
+#include <libfsverity.h>
+#include <linux/fsverity.h>
#include <openssl/evp.h>
#include <openssl/mem.h>
-#include <openssl/rsa.h>
+#include <openssl/sha.h>
#include <openssl/x509.h>
+#include <filesystem>
#include <iostream>
#include <string>
+#include <string_view>
-using android::base::Error;
-using android::base::Result;
+#include "compos_signature.pb.h"
+
+using namespace std::literals;
using aidl::com::android::compos::CompOsKeyData;
using aidl::com::android::compos::ICompOsKeyService;
+using android::base::ErrnoError;
+using android::base::Error;
+using android::base::Result;
+using android::base::unique_fd;
+using compos::proto::Signature;
static bool writeBytesToFile(const std::vector<uint8_t>& bytes, const std::string& path) {
std::string str(bytes.begin(), bytes.end());
@@ -131,15 +143,103 @@
return result;
}
+static Result<void> signFile(ICompOsKeyService* service, const std::vector<uint8_t>& key_blob,
+ const std::string& file) {
+ unique_fd fd(TEMP_FAILURE_RETRY(open(file.c_str(), O_RDONLY | O_CLOEXEC)));
+ if (!fd.ok()) {
+ return ErrnoError() << "Failed to open";
+ }
+
+ std::filesystem::path signature_path{file};
+ signature_path += ".signature";
+ unique_fd out_fd(TEMP_FAILURE_RETRY(open(signature_path.c_str(),
+ O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC,
+ S_IRUSR | S_IWUSR | S_IRGRP)));
+ if (!out_fd.ok()) {
+ return ErrnoError() << "Unable to create signature file";
+ }
+
+ struct stat filestat;
+ if (fstat(fd, &filestat) != 0) {
+ return ErrnoError() << "Failed to fstat";
+ }
+
+ struct libfsverity_merkle_tree_params params = {
+ .version = 1,
+ .hash_algorithm = FS_VERITY_HASH_ALG_SHA256,
+ .file_size = static_cast<uint64_t>(filestat.st_size),
+ .block_size = 4096,
+ };
+
+ auto read_callback = [](void* file, void* buf, size_t count) {
+ int* fd = static_cast<int*>(file);
+ if (TEMP_FAILURE_RETRY(read(*fd, buf, count)) < 0) return -errno;
+ return 0;
+ };
+
+ struct libfsverity_digest* digest;
+ int ret = libfsverity_compute_digest(&fd, read_callback, ¶ms, &digest);
+ if (ret < 0) {
+ return Error(-ret) << "Failed to compute fs-verity digest";
+ }
+ std::unique_ptr<libfsverity_digest, decltype(&std::free)> digestOwner{digest, std::free};
+
+ std::vector<uint8_t> buffer(sizeof(fsverity_formatted_digest) + digest->digest_size);
+ auto to_be_signed = new (buffer.data()) fsverity_formatted_digest;
+ memcpy(to_be_signed->magic, "FSVerity", sizeof(to_be_signed->magic));
+ to_be_signed->digest_algorithm = __cpu_to_le16(digest->digest_algorithm);
+ to_be_signed->digest_size = __cpu_to_le16(digest->digest_size);
+ memcpy(to_be_signed->digest, digest->digest, digest->digest_size);
+
+ std::vector<uint8_t> signature;
+ auto status = service->sign(key_blob, buffer, &signature);
+ if (!status.isOk()) {
+ return Error() << "Failed to sign: " << status.getDescription();
+ }
+
+ Signature compos_signature;
+ compos_signature.set_digest(digest->digest, digest->digest_size);
+ compos_signature.set_signature(signature.data(), signature.size());
+ if (!compos_signature.SerializeToFileDescriptor(out_fd.get())) {
+ return Error() << "Failed to write signature";
+ }
+ if (close(out_fd.release()) != 0) {
+ return ErrnoError() << "Failed to close signature file";
+ }
+
+ return {};
+}
+
+static Result<void> sign(const std::string& blob_file, const std::vector<std::string>& files) {
+ ndk::SpAIBinder binder(AServiceManager_getService("android.system.composkeyservice"));
+ auto service = ICompOsKeyService::fromBinder(binder);
+ if (!service) {
+ return Error() << "No service";
+ }
+
+ auto blob = readBytesFromFile(blob_file);
+ if (!blob.ok()) {
+ return blob.error();
+ }
+
+ for (auto& file : files) {
+ auto result = signFile(service.get(), blob.value(), file);
+ if (!result.ok()) {
+ return Error() << result.error() << ": " << file;
+ }
+ }
+ return {};
+}
+
int main(int argc, char** argv) {
- if (argc == 4 && std::string(argv[1]) == "--generate") {
+ if (argc == 4 && argv[1] == "--generate"sv) {
auto result = generate(argv[2], argv[3]);
if (result.ok()) {
return 0;
} else {
std::cerr << result.error() << '\n';
}
- } else if (argc == 4 && std::string(argv[1]) == "--verify") {
+ } else if (argc == 4 && argv[1] == "--verify"sv) {
auto result = verify(argv[2], argv[3]);
if (result.ok()) {
if (result.value()) {
@@ -151,13 +251,24 @@
} else {
std::cerr << result.error() << '\n';
}
+ } else if (argc >= 4 && argv[1] == "--sign"sv) {
+ const std::vector<std::string> files{&argv[3], &argv[argc]};
+ auto result = sign(argv[2], files);
+ if (result.ok()) {
+ std::cerr << "All signatures generated.\n";
+ return 0;
+ } else {
+ std::cerr << result.error() << '\n';
+ }
} else {
std::cerr << "Usage: \n"
<< " --generate <blob file> <public key file> Generate new key pair and "
"write\n"
<< " the private key blob and public key to the specified files.\n "
<< " --verify <blob file> <public key file> Verify that the content of the\n"
- << " specified private key blob and public key files are valid.\n ";
+ << " specified private key blob and public key files are valid.\n "
+ << " --sign <blob file> <files to be signed> Generate signatures for one or\n"
+ << " more files using the supplied private key blob.\n";
}
return 1;
}
diff --git a/compos/src/compos_key_service.rs b/compos/src/compos_key_service.rs
index 0cbe8de..993ef20 100644
--- a/compos/src/compos_key_service.rs
+++ b/compos/src/compos_key_service.rs
@@ -86,6 +86,11 @@
true
})
}
+
+ fn sign(&self, key_blob: &[u8], data: &[u8]) -> binder::Result<Vec<u8>> {
+ self.do_sign(key_blob, data)
+ .map_err(|e| new_binder_exception(ExceptionCode::ILLEGAL_STATE, e.to_string()))
+ }
}
/// Constructs a new Binder error `Status` with the given `ExceptionCode` and message.
@@ -126,7 +131,7 @@
let mut data = [0u8; 32];
self.random.fill(&mut data).context("No random data")?;
- let signature = self.sign(key_blob, &data)?;
+ let signature = self.do_sign(key_blob, &data)?;
let public_key =
signature::UnparsedPublicKey::new(&signature::RSA_PKCS1_2048_8192_SHA256, public_key);
@@ -135,7 +140,7 @@
Ok(())
}
- fn sign(&self, key_blob: &[u8], data: &[u8]) -> Result<Vec<u8>> {
+ fn do_sign(&self, key_blob: &[u8], data: &[u8]) -> Result<Vec<u8>> {
let key_descriptor = KeyDescriptor { blob: Some(key_blob.to_vec()), ..KEY_DESCRIPTOR };
let operation_parameters = [PURPOSE_SIGN, ALGORITHM, PADDING, DIGEST];
let forced = false;
diff --git a/demo/AndroidManifest.xml b/demo/AndroidManifest.xml
index ae4f734..7e1a58d 100644
--- a/demo/AndroidManifest.xml
+++ b/demo/AndroidManifest.xml
@@ -2,6 +2,8 @@
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.android.microdroid.demo">
+ <uses-permission android:name="android.permission.MANAGE_VIRTUAL_MACHINE" />
+
<application
android:label="MicrodroidDemo"
android:theme="@style/Theme.MicrodroidDemo">
diff --git a/demo/java/com/android/microdroid/demo/MainActivity.java b/demo/java/com/android/microdroid/demo/MainActivity.java
index 6373b55..b6c7714 100644
--- a/demo/java/com/android/microdroid/demo/MainActivity.java
+++ b/demo/java/com/android/microdroid/demo/MainActivity.java
@@ -18,7 +18,9 @@
import android.app.Application;
import android.os.Bundle;
+import android.os.ParcelFileDescriptor;
import android.system.virtualmachine.VirtualMachine;
+import android.system.virtualmachine.VirtualMachineCallback;
import android.system.virtualmachine.VirtualMachineConfig;
import android.system.virtualmachine.VirtualMachineException;
import android.system.virtualmachine.VirtualMachineManager;
@@ -36,6 +38,7 @@
import androidx.lifecycle.ViewModelProvider;
import java.io.BufferedReader;
+import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.concurrent.ExecutorService;
@@ -52,10 +55,12 @@
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
TextView consoleView = (TextView) findViewById(R.id.consoleOutput);
+ TextView payloadView = (TextView) findViewById(R.id.payloadOutput);
Button runStopButton = (Button) findViewById(R.id.runStopButton);
- ScrollView scrollView = (ScrollView) findViewById(R.id.scrollview);
+ ScrollView scrollView = (ScrollView) findViewById(R.id.scrollConsoleOutput);
- // When the console model is updated, append the new line to the text view.
+ // When the console output or payload output is updated, append the new line to the
+ // corresponding text view.
VirtualMachineModel model = new ViewModelProvider(this).get(VirtualMachineModel.class);
model.getConsoleOutput()
.observeForever(
@@ -66,6 +71,14 @@
scrollView.fullScroll(View.FOCUS_DOWN);
}
});
+ model.getPayloadOutput()
+ .observeForever(
+ new Observer<String>() {
+ @Override
+ public void onChanged(String line) {
+ payloadView.append(line + "\n");
+ }
+ });
// When the VM status is updated, change the label of the button
model.getStatus()
@@ -75,9 +88,10 @@
public void onChanged(VirtualMachine.Status status) {
if (status == VirtualMachine.Status.RUNNING) {
runStopButton.setText("Stop");
+ consoleView.setText("");
+ payloadView.setText("");
} else {
runStopButton.setText("Run");
- consoleView.setText("");
}
}
});
@@ -101,6 +115,7 @@
public static class VirtualMachineModel extends AndroidViewModel {
private VirtualMachine mVirtualMachine;
private final MutableLiveData<String> mConsoleOutput = new MutableLiveData<>();
+ private final MutableLiveData<String> mPayloadOutput = new MutableLiveData<>();
private final MutableLiveData<VirtualMachine.Status> mStatus = new MutableLiveData<>();
public VirtualMachineModel(Application app) {
@@ -119,8 +134,33 @@
.debugMode(debug);
VirtualMachineConfig config = builder.build();
VirtualMachineManager vmm = VirtualMachineManager.getInstance(getApplication());
- mVirtualMachine = vmm.create("demo_vm", config);
+ mVirtualMachine = vmm.getOrCreate("demo_vm", config);
mVirtualMachine.run();
+ mVirtualMachine.setCallback(
+ new VirtualMachineCallback() {
+ @Override
+ public void onPayloadStarted(
+ VirtualMachine vm, ParcelFileDescriptor out) {
+ try {
+ BufferedReader reader =
+ new BufferedReader(
+ new InputStreamReader(
+ new FileInputStream(
+ out.getFileDescriptor())));
+ String line;
+ while ((line = reader.readLine()) != null) {
+ mPayloadOutput.postValue(line);
+ }
+ } catch (IOException e) {
+ // Consume
+ }
+ }
+
+ @Override
+ public void onDied(VirtualMachine vm) {
+ mStatus.postValue(VirtualMachine.Status.STOPPED);
+ }
+ });
mStatus.postValue(mVirtualMachine.getStatus());
} catch (VirtualMachineException e) {
throw new RuntimeException(e);
@@ -164,6 +204,11 @@
return mConsoleOutput;
}
+ /** Returns the payload output from the VM */
+ public LiveData<String> getPayloadOutput() {
+ return mPayloadOutput;
+ }
+
/** Returns the status of the VM */
public LiveData<VirtualMachine.Status> getStatus() {
return mStatus;
diff --git a/demo/res/layout/activity_main.xml b/demo/res/layout/activity_main.xml
index cd30f35..e100027 100644
--- a/demo/res/layout/activity_main.xml
+++ b/demo/res/layout/activity_main.xml
@@ -33,10 +33,38 @@
android:text="Debug mode" />
</LinearLayout>
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginTop="10dp"
+ android:text="App output:" />
+
<ScrollView
- android:id="@+id/scrollview"
+ android:id="@+id/scrollPayloadOutput"
android:layout_width="match_parent"
- android:layout_height="match_parent">
+ android:layout_height="0dp"
+ android:layout_weight="1">
+
+ <TextView
+ android:id="@+id/payloadOutput"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:background="#9089e0"
+ android:fontFamily="monospace"
+ android:textColor="#000000" />
+ </ScrollView>
+
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginTop="10dp"
+ android:text="Console output:" />
+
+ <ScrollView
+ android:id="@+id/scrollConsoleOutput"
+ android:layout_width="match_parent"
+ android:layout_height="0dp"
+ android:layout_weight="2">
<TextView
android:id="@+id/consoleOutput"
diff --git a/javalib/Android.bp b/javalib/Android.bp
index f920175..26ad848 100644
--- a/javalib/Android.bp
+++ b/javalib/Android.bp
@@ -20,3 +20,10 @@
// TODO(jiyong): remove the below once this gets public
unsafe_ignore_missing_latest_api: true,
}
+
+android_app {
+ name: "android.system.virtualmachine.res",
+ installable: true,
+ apex_available: ["com.android.virt"],
+ sdk_version: "current",
+}
diff --git a/javalib/AndroidManifest.xml b/javalib/AndroidManifest.xml
new file mode 100644
index 0000000..21857f8
--- /dev/null
+++ b/javalib/AndroidManifest.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.virtualmachine.res">
+
+ <permission android:name="android.permission.MANAGE_VIRTUAL_MACHINE"
+ android:protectionLevel="normal" />
+
+ <permission android:name="android.permission.DEBUG_VIRTUAL_MACHINE"
+ android:protectionLevel="signature" />
+
+ <application android:hasCode="false" />
+</manifest>
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachine.java b/javalib/src/android/system/virtualmachine/VirtualMachine.java
index 8089d85..3baec94 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachine.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachine.java
@@ -17,17 +17,21 @@
package android.system.virtualmachine;
import android.content.Context;
+import android.os.IBinder;
import android.os.ParcelFileDescriptor;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.system.virtualizationservice.IVirtualMachine;
+import android.system.virtualizationservice.IVirtualMachineCallback;
import android.system.virtualizationservice.IVirtualizationService;
import java.io.File;
import java.io.FileInputStream;
+import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.util.Optional;
@@ -83,6 +87,9 @@
/** Handle to the "running" VM. */
private IVirtualMachine mVirtualMachine;
+ /** The registered callback */
+ private VirtualMachineCallback mCallback;
+
private ParcelFileDescriptor mConsoleReader;
private ParcelFileDescriptor mConsoleWriter;
@@ -105,16 +112,25 @@
/* package */ static VirtualMachine create(
Context context, String name, VirtualMachineConfig config)
throws VirtualMachineException {
- // TODO(jiyong): trigger an error if the VM having 'name' already exists.
+ if (config == null) {
+ throw new VirtualMachineException("null config");
+ }
VirtualMachine vm = new VirtualMachine(context, name, config);
try {
- final File vmRoot = vm.mConfigFilePath.getParentFile();
- Files.createDirectories(vmRoot.toPath());
+ final File thisVmDir = vm.mConfigFilePath.getParentFile();
+ Files.createDirectories(thisVmDir.getParentFile().toPath());
- FileOutputStream output = new FileOutputStream(vm.mConfigFilePath);
- vm.mConfig.serialize(output);
- output.close();
+ // The checking of the existence of this directory and the creation of it is done
+ // atomically. If the directory already exists (i.e. the VM with the same name was
+ // already created), FileAlreadyExistsException is thrown
+ Files.createDirectory(thisVmDir.toPath());
+
+ try (FileOutputStream output = new FileOutputStream(vm.mConfigFilePath)) {
+ vm.mConfig.serialize(output);
+ }
+ } catch (FileAlreadyExistsException e) {
+ throw new VirtualMachineException("virtual machine already exists", e);
} catch (IOException e) {
throw new VirtualMachineException(e);
}
@@ -126,7 +142,6 @@
/** Loads a virtual machine that is already created before. */
/* package */ static VirtualMachine load(Context context, String name)
throws VirtualMachineException {
- // TODO(jiyong): return null if the VM having the 'name' doesn't exist.
VirtualMachine vm = new VirtualMachine(context, name, /* config */ null);
try {
@@ -134,6 +149,9 @@
VirtualMachineConfig config = VirtualMachineConfig.from(input);
input.close();
vm.mConfig = config;
+ } catch (FileNotFoundException e) {
+ // The VM doesn't exist.
+ return null;
} catch (IOException e) {
throw new VirtualMachineException(e);
}
@@ -176,6 +194,19 @@
}
/**
+ * Registers the callback object to get events from the virtual machine. If a callback was
+ * already registered, it is replaced with the new one.
+ */
+ public void setCallback(VirtualMachineCallback callback) {
+ mCallback = callback;
+ }
+
+ /** Returns the currently registered callback. */
+ public VirtualMachineCallback getCallback() {
+ return mCallback;
+ }
+
+ /**
* Runs this virtual machine. The returning of this method however doesn't mean that the VM has
* actually started running or the OS has booted there. Such events can be notified by
* registering a callback object (not implemented currently).
@@ -185,7 +216,8 @@
throw new VirtualMachineException(this + " is not in stopped state");
}
IVirtualizationService service =
- IVirtualizationService.Stub.asInterface(ServiceManager.getService(SERVICE_NAME));
+ IVirtualizationService.Stub.asInterface(
+ ServiceManager.waitForService(SERVICE_NAME));
try {
if (mConsoleReader == null && mConsoleWriter == null) {
@@ -198,6 +230,40 @@
android.system.virtualizationservice.VirtualMachineConfig.appConfig(
getConfig().toParcel()),
mConsoleWriter);
+
+ mVirtualMachine.registerCallback(
+ new IVirtualMachineCallback.Stub() {
+ @Override
+ public void onPayloadStarted(int cid, ParcelFileDescriptor stream) {
+ final VirtualMachineCallback cb = mCallback;
+ if (cb == null) {
+ return;
+ }
+ cb.onPayloadStarted(VirtualMachine.this, stream);
+ }
+
+ @Override
+ public void onDied(int cid) {
+ final VirtualMachineCallback cb = mCallback;
+ if (cb == null) {
+ return;
+ }
+ cb.onDied(VirtualMachine.this);
+ }
+ });
+ service.asBinder()
+ .linkToDeath(
+ new IBinder.DeathRecipient() {
+ @Override
+ public void binderDied() {
+ final VirtualMachineCallback cb = mCallback;
+ if (cb != null) {
+ cb.onDied(VirtualMachine.this);
+ }
+ }
+ },
+ 0);
+
} catch (IOException e) {
throw new VirtualMachineException(e);
} catch (RemoteException e) {
@@ -265,8 +331,25 @@
*/
public VirtualMachineConfig setConfig(VirtualMachineConfig newConfig)
throws VirtualMachineException {
- // TODO(jiyong): implement this
- throw new VirtualMachineException("Not implemented");
+ final VirtualMachineConfig oldConfig = getConfig();
+ if (!oldConfig.isCompatibleWith(newConfig)) {
+ throw new VirtualMachineException("incompatible config");
+ }
+ if (getStatus() != Status.STOPPED) {
+ throw new VirtualMachineException(
+ "can't change config while virtual machine is not stopped");
+ }
+
+ try {
+ FileOutputStream output = new FileOutputStream(mConfigFilePath);
+ newConfig.serialize(output);
+ output.close();
+ } catch (IOException e) {
+ throw new VirtualMachineException(e);
+ }
+ mConfig = newConfig;
+
+ return oldConfig;
}
@Override
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineCallback.java b/javalib/src/android/system/virtualmachine/VirtualMachineCallback.java
new file mode 100644
index 0000000..0267de8
--- /dev/null
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineCallback.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.system.virtualmachine;
+
+import android.os.ParcelFileDescriptor;
+
+/**
+ * Callback interface to get notified with the events from the virtual machine. The methods are
+ * executed on a binder thread. Implementations can make blocking calls in the methods.
+ *
+ * @hide
+ */
+public interface VirtualMachineCallback {
+
+ /** Called when the payload starts in the VM. */
+ void onPayloadStarted(VirtualMachine vm, ParcelFileDescriptor stdout);
+
+ /** Called when the VM died. */
+ void onDied(VirtualMachine vm);
+}
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
index b5f04a2..f0e1ce6 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
@@ -19,6 +19,8 @@
import static android.os.ParcelFileDescriptor.MODE_READ_ONLY;
import android.content.Context;
+import android.content.pm.PackageManager;
+import android.content.pm.Signature; // This actually is certificate!
import android.os.ParcelFileDescriptor;
import android.os.PersistableBundle;
import android.system.virtualizationservice.VirtualMachineAppConfig;
@@ -28,6 +30,9 @@
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
/**
* Represents a configuration of a virtual machine. A configuration consists of hardware
@@ -40,6 +45,7 @@
// These defines the schema of the config file persisted on disk.
private static final int VERSION = 1;
private static final String KEY_VERSION = "version";
+ private static final String KEY_CERTS = "certs";
private static final String KEY_APKPATH = "apkPath";
private static final String KEY_IDSIGPATH = "idsigPath";
private static final String KEY_PAYLOADCONFIGPATH = "payloadConfigPath";
@@ -47,6 +53,7 @@
// Paths to the APK and its idsig file of this application.
private final String mApkPath;
+ private final Signature[] mCerts;
private final String mIdsigPath;
private final boolean mDebugMode;
@@ -58,8 +65,13 @@
// TODO(jiyong): add more items like # of cpu, size of ram, debuggability, etc.
private VirtualMachineConfig(
- String apkPath, String idsigPath, String payloadConfigPath, boolean debugMode) {
+ String apkPath,
+ Signature[] certs,
+ String idsigPath,
+ String payloadConfigPath,
+ boolean debugMode) {
mApkPath = apkPath;
+ mCerts = certs;
mIdsigPath = idsigPath;
mPayloadConfigPath = payloadConfigPath;
mDebugMode = debugMode;
@@ -77,6 +89,15 @@
if (apkPath == null) {
throw new VirtualMachineException("No apkPath");
}
+ final String[] certStrings = b.getStringArray(KEY_CERTS);
+ if (certStrings == null || certStrings.length == 0) {
+ throw new VirtualMachineException("No certs");
+ }
+ List<Signature> certList = new ArrayList<>();
+ for (String s : certStrings) {
+ certList.add(new Signature(s));
+ }
+ Signature[] certs = certList.toArray(new Signature[0]);
final String idsigPath = b.getString(KEY_IDSIGPATH);
if (idsigPath == null) {
throw new VirtualMachineException("No idsigPath");
@@ -86,7 +107,7 @@
throw new VirtualMachineException("No payloadConfigPath");
}
final boolean debugMode = b.getBoolean(KEY_DEBUGMODE);
- return new VirtualMachineConfig(apkPath, idsigPath, payloadConfigPath, debugMode);
+ return new VirtualMachineConfig(apkPath, certs, idsigPath, payloadConfigPath, debugMode);
}
/** Persists this config to a stream, for example a file. */
@@ -94,6 +115,12 @@
PersistableBundle b = new PersistableBundle();
b.putInt(KEY_VERSION, VERSION);
b.putString(KEY_APKPATH, mApkPath);
+ List<String> certList = new ArrayList<>();
+ for (Signature cert : mCerts) {
+ certList.add(cert.toCharsString());
+ }
+ String[] certs = certList.toArray(new String[0]);
+ b.putStringArray(KEY_CERTS, certs);
b.putString(KEY_IDSIGPATH, mIdsigPath);
b.putString(KEY_PAYLOADCONFIGPATH, mPayloadConfigPath);
b.putBoolean(KEY_DEBUGMODE, mDebugMode);
@@ -106,6 +133,23 @@
}
/**
+ * Tests if this config is compatible with other config. Being compatible means that the configs
+ * can be interchangeably used for the same virtual machine. Compatible changes includes the
+ * number of CPUs and the size of the RAM, and change of the payload as long as the payload is
+ * signed by the same signer. All other changes (e.g. using a payload from a different signer,
+ * change of the debug mode, etc.) are considered as incompatible.
+ */
+ public boolean isCompatibleWith(VirtualMachineConfig other) {
+ if (!Arrays.equals(this.mCerts, other.mCerts)) {
+ return false;
+ }
+ if (this.mDebugMode != other.mDebugMode) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
* Converts this config object into a parcel. Used when creating a VM via the virtualization
* service. Notice that the files are not passed as paths, but as file descriptors because the
* service doesn't accept paths as it might not have permission to open app-owned files and that
@@ -152,7 +196,22 @@
/** Builds an immutable {@link VirtualMachineConfig} */
public VirtualMachineConfig build() {
final String apkPath = mContext.getPackageCodePath();
- return new VirtualMachineConfig(apkPath, mIdsigPath, mPayloadConfigPath, mDebugMode);
+ final String packageName = mContext.getPackageName();
+ Signature[] certs;
+ try {
+ certs =
+ mContext.getPackageManager()
+ .getPackageInfo(
+ packageName, PackageManager.GET_SIGNING_CERTIFICATES)
+ .signingInfo
+ .getSigningCertificateHistory();
+ } catch (PackageManager.NameNotFoundException e) {
+ // This cannot happen as `packageName` is from this app.
+ throw new RuntimeException(e);
+ }
+
+ return new VirtualMachineConfig(
+ apkPath, certs, mIdsigPath, mPayloadConfigPath, mDebugMode);
}
}
}
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java b/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
index dfa4f0b..317caee 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
@@ -74,7 +74,12 @@
return VirtualMachine.load(mContext, name);
}
- /** Returns an existing {@link VirtualMachine} if it exists, or create a new one. */
+ /**
+ * Returns an existing {@link VirtualMachine} if it exists, or create a new one. If the virtual
+ * machine exists, and config is not null, the virtual machine is re-configured with the new
+ * config. However, if the config is not compatible with the original config of the virtual
+ * machine, exception is thrown.
+ */
public VirtualMachine getOrCreate(String name, VirtualMachineConfig config)
throws VirtualMachineException {
VirtualMachine vm;
@@ -85,10 +90,11 @@
}
}
- if (vm.getConfig().equals(config)) {
- return vm;
- } else {
- throw new VirtualMachineException("Incompatible config");
+ if (config != null) {
+ // Can throw VirtualMachineException is the new config is not compatible with the
+ // old config.
+ vm.setConfig(config);
}
+ return vm;
}
}
diff --git a/microdroid/build.prop b/microdroid/build.prop
index b7f3510..eaca63d 100644
--- a/microdroid/build.prop
+++ b/microdroid/build.prop
@@ -2,6 +2,7 @@
ro.apex.updatable=true
ro.debuggable=1
ro.adb.secure=0
+service.adb.listen_addrs=vsock:5555
# TODO(b/189164487): support build related properties
ro.build.version.release=11
diff --git a/microdroid/keymint/Android.bp b/microdroid/keymint/Android.bp
index 5a87145..6d651b9 100644
--- a/microdroid/keymint/Android.bp
+++ b/microdroid/keymint/Android.bp
@@ -25,6 +25,7 @@
"libkeymint",
"liblog",
"libpuresoftkeymasterdevice",
+ "libsoft_attestation_cert",
"libutils",
],
local_include_dirs: [
@@ -32,6 +33,7 @@
],
srcs: [
"MicrodroidKeyMintDevice.cpp",
+ "MicrodroidKeymasterContext.cpp",
"service.cpp",
],
}
diff --git a/microdroid/keymint/MicrodroidKeyMintDevice.cpp b/microdroid/keymint/MicrodroidKeyMintDevice.cpp
index 62d6942..c2f01f2 100644
--- a/microdroid/keymint/MicrodroidKeyMintDevice.cpp
+++ b/microdroid/keymint/MicrodroidKeyMintDevice.cpp
@@ -17,14 +17,16 @@
#define LOG_TAG "android.hardware.security.keymint-impl"
#include "MicrodroidKeyMintDevice.h"
+#include <AndroidKeyMintOperation.h>
+#include <KeyMintUtils.h>
#include <aidl/android/hardware/security/keymint/ErrorCode.h>
#include <android-base/logging.h>
#include <keymaster/android_keymaster.h>
#include <keymaster/contexts/pure_soft_keymaster_context.h>
#include <keymaster/keymaster_configuration.h>
-#include "AndroidKeyMintOperation.h"
-#include "KeyMintUtils.h"
+#include "MicrodroidKeyMintDevice.h"
+#include "MicrodroidKeymasterContext.h"
namespace aidl::android::hardware::security::keymint {
@@ -41,26 +43,11 @@
namespace {
-vector<KeyCharacteristics> convertKeyCharacteristics(SecurityLevel keyMintSecurityLevel,
- const AuthorizationSet& requestParams,
+vector<KeyCharacteristics> convertKeyCharacteristics(const AuthorizationSet& requestParams,
const AuthorizationSet& sw_enforced,
const AuthorizationSet& hw_enforced,
bool include_keystore_enforced = true) {
- KeyCharacteristics keyMintEnforced{keyMintSecurityLevel, {}};
-
- if (keyMintSecurityLevel != SecurityLevel::SOFTWARE) {
- // We're pretending to be TRUSTED_ENVIRONMENT or STRONGBOX.
- keyMintEnforced.authorizations = kmParamSet2Aidl(hw_enforced);
- if (include_keystore_enforced) {
- // Put all the software authorizations in the keystore list.
- KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE,
- kmParamSet2Aidl(sw_enforced)};
- return {std::move(keyMintEnforced), std::move(keystoreEnforced)};
- } else {
- return {std::move(keyMintEnforced)};
- }
- }
-
+ KeyCharacteristics keyMintEnforced{SecurityLevel::SOFTWARE, {}};
KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE, {}};
CHECK(hw_enforced.empty()) << "Hardware-enforced list is non-empty for pure SW KeyMint";
@@ -210,26 +197,22 @@
constexpr size_t kOperationTableSize = 16;
-MicrodroidKeyMintDevice::MicrodroidKeyMintDevice(SecurityLevel securityLevel)
+MicrodroidKeyMintDevice::MicrodroidKeyMintDevice(::keymaster::KeymasterKeyBlob& rootKey)
: impl_(new ::keymaster::AndroidKeymaster(
[&]() -> auto {
- auto context =
- new PureSoftKeymasterContext(KmVersion::KEYMINT_1,
- static_cast<keymaster_security_level_t>(
- securityLevel));
+ auto context = new MicrodroidKeymasterContext(KmVersion::KEYMINT_1, rootKey);
context->SetSystemVersion(::keymaster::GetOsVersion(),
::keymaster::GetOsPatchlevel());
return context;
}(),
- kOperationTableSize)),
- securityLevel_(securityLevel) {}
+ kOperationTableSize)) {}
MicrodroidKeyMintDevice::~MicrodroidKeyMintDevice() {}
ScopedAStatus MicrodroidKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) {
info->versionNumber = 1;
- info->securityLevel = securityLevel_;
- info->keyMintName = "FakeKeyMintDevice";
+ info->securityLevel = SecurityLevel::SOFTWARE;
+ info->keyMintName = "MicrodroidKeyMintDevice";
info->keyMintAuthorName = "Google";
info->timestampTokenRequired = false;
return ScopedAStatus::ok();
@@ -280,7 +263,7 @@
creationResult->keyBlob = kmBlob2vector(response.key_blob);
creationResult->keyCharacteristics =
- convertKeyCharacteristics(securityLevel_, request.key_description, response.unenforced,
+ convertKeyCharacteristics(request.key_description, response.unenforced,
response.enforced);
creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
return ScopedAStatus::ok();
@@ -312,7 +295,7 @@
creationResult->keyBlob = kmBlob2vector(response.key_blob);
creationResult->keyCharacteristics =
- convertKeyCharacteristics(securityLevel_, request.key_description, response.unenforced,
+ convertKeyCharacteristics(request.key_description, response.unenforced,
response.enforced);
creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
@@ -320,12 +303,9 @@
}
ScopedAStatus MicrodroidKeyMintDevice::importWrappedKey(
- const vector<uint8_t>& wrappedKeyData, //
- const vector<uint8_t>& wrappingKeyBlob, //
- const vector<uint8_t>& maskingKey, //
- const vector<KeyParameter>& unwrappingParams, //
- int64_t passwordSid, int64_t biometricSid, //
- KeyCreationResult* creationResult) {
+ const vector<uint8_t>& wrappedKeyData, const vector<uint8_t>& wrappingKeyBlob,
+ const vector<uint8_t>& maskingKey, const vector<KeyParameter>& unwrappingParams,
+ int64_t passwordSid, int64_t biometricSid, KeyCreationResult* creationResult) {
ImportWrappedKeyRequest request(impl_->message_version());
request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size());
request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size());
@@ -343,8 +323,8 @@
creationResult->keyBlob = kmBlob2vector(response.key_blob);
creationResult->keyCharacteristics =
- convertKeyCharacteristics(securityLevel_, request.additional_params,
- response.unenforced, response.enforced);
+ convertKeyCharacteristics(request.additional_params, response.unenforced,
+ response.enforced);
creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
return ScopedAStatus::ok();
@@ -368,23 +348,14 @@
return ScopedAStatus::ok();
}
-ScopedAStatus MicrodroidKeyMintDevice::deleteKey(const vector<uint8_t>& keyBlob) {
- DeleteKeyRequest request(impl_->message_version());
- request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
-
- DeleteKeyResponse response(impl_->message_version());
- impl_->DeleteKey(request, &response);
-
- return kmError2ScopedAStatus(response.error);
+ScopedAStatus MicrodroidKeyMintDevice::deleteKey(const vector<uint8_t>&) {
+ // There's nothing to be done to delete software key blobs.
+ return kmError2ScopedAStatus(KM_ERROR_OK);
}
ScopedAStatus MicrodroidKeyMintDevice::deleteAllKeys() {
// There's nothing to be done to delete software key blobs.
- DeleteAllKeysRequest request(impl_->message_version());
- DeleteAllKeysResponse response(impl_->message_version());
- impl_->DeleteAllKeys(request, &response);
-
- return kmError2ScopedAStatus(response.error);
+ return kmError2ScopedAStatus(KM_ERROR_OK);
}
ScopedAStatus MicrodroidKeyMintDevice::destroyAttestationIds() {
@@ -420,21 +391,13 @@
}
ScopedAStatus MicrodroidKeyMintDevice::deviceLocked(
- bool passwordOnly, const std::optional<secureclock::TimeStampToken>& timestampToken) {
- DeviceLockedRequest request(impl_->message_version());
- request.passwordOnly = passwordOnly;
- if (timestampToken.has_value()) {
- request.token.challenge = timestampToken->challenge;
- request.token.mac = {timestampToken->mac.data(), timestampToken->mac.size()};
- request.token.timestamp = timestampToken->timestamp.milliSeconds;
- }
- DeviceLockedResponse response = impl_->DeviceLocked(request);
- return kmError2ScopedAStatus(response.error);
+ bool, const std::optional<secureclock::TimeStampToken>&) {
+ // Microdroid doesn't yet have a concept of a locked device.
+ return kmError2ScopedAStatus(KM_ERROR_OK);
}
ScopedAStatus MicrodroidKeyMintDevice::earlyBootEnded() {
- EarlyBootEndedResponse response = impl_->EarlyBootEnded();
- return kmError2ScopedAStatus(response.error);
+ return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
}
ScopedAStatus MicrodroidKeyMintDevice::convertStorageKeyToEphemeral(
@@ -458,15 +421,11 @@
}
AuthorizationSet emptySet;
- *keyCharacteristics = convertKeyCharacteristics(securityLevel_, emptySet, response.unenforced,
- response.enforced,
- /* include_keystore_enforced = */ false);
+ *keyCharacteristics =
+ convertKeyCharacteristics(emptySet, response.unenforced, response.enforced,
+ /* include_keystore_enforced = */ false);
return ScopedAStatus::ok();
}
-IKeyMintDevice* CreateKeyMintDevice(SecurityLevel securityLevel) {
- return ::new MicrodroidKeyMintDevice(securityLevel);
-}
-
} // namespace aidl::android::hardware::security::keymint
diff --git a/microdroid/keymint/MicrodroidKeymasterContext.cpp b/microdroid/keymint/MicrodroidKeymasterContext.cpp
new file mode 100644
index 0000000..b5440f3
--- /dev/null
+++ b/microdroid/keymint/MicrodroidKeymasterContext.cpp
@@ -0,0 +1,146 @@
+/*
+ * Copyright 2021, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "MicrodroidKeymasterContext.h"
+
+#include <android-base/logging.h>
+#include <keymaster/key.h>
+#include <keymaster/key_blob_utils/auth_encrypted_key_blob.h>
+#include <keymaster/key_blob_utils/software_keyblobs.h>
+
+using namespace ::keymaster;
+
+// This value is used for the ROOT_OF_TRUST tag which is only used in
+// attestation records which aren't supported in this implementation so a
+// constant doesn't cause any hard. MicroDroid SoftWare root-of-trust.
+static uint8_t SWROT[] = {'M', 'D', 'S', 'W'};
+static const KeymasterBlob microdroidSoftwareRootOfTrust(SWROT);
+
+keymaster_error_t MicrodroidKeymasterContext::CreateKeyBlob(const AuthorizationSet& key_description,
+ keymaster_key_origin_t origin,
+ const KeymasterKeyBlob& key_material,
+ KeymasterKeyBlob* blob,
+ AuthorizationSet* hw_enforced,
+ AuthorizationSet* sw_enforced) const {
+ keymaster_error_t error;
+
+ if (key_description.GetTagValue(TAG_ROLLBACK_RESISTANCE)) {
+ return KM_ERROR_ROLLBACK_RESISTANCE_UNAVAILABLE;
+ }
+
+ error = SetKeyBlobAuthorizations(key_description, origin, os_version_, os_patchlevel_,
+ hw_enforced, sw_enforced);
+ if (error != KM_ERROR_OK) return error;
+
+ AuthorizationSet hidden;
+ error = BuildHiddenAuthorizations(key_description, &hidden, microdroidSoftwareRootOfTrust);
+ if (error != KM_ERROR_OK) return error;
+
+ CHECK(hw_enforced->empty());
+
+ // Note that the authorizations included in the blob are not encrypted. This
+ // doesn't pose a problem for the current applications but may be a
+ // candidate for hardening.
+ auto encrypted_key = EncryptKey(key_material, AES_GCM_WITH_SW_ENFORCED, *hw_enforced,
+ *sw_enforced, hidden, root_key_, random_, &error);
+ if (error != KM_ERROR_OK) return error;
+
+ *blob = SerializeAuthEncryptedBlob(encrypted_key, *hw_enforced, *sw_enforced, &error);
+ return error;
+}
+
+keymaster_error_t MicrodroidKeymasterContext::ParseKeyBlob(
+ const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params,
+ UniquePtr<Key>* key) const {
+ keymaster_error_t error;
+
+ AuthorizationSet hidden;
+ error = BuildHiddenAuthorizations(additional_params, &hidden, microdroidSoftwareRootOfTrust);
+ if (error != KM_ERROR_OK) return error;
+
+ auto deserialized_key = DeserializeAuthEncryptedBlob(blob, &error);
+ if (error != KM_ERROR_OK) return error;
+
+ keymaster_algorithm_t algorithm;
+ if (!deserialized_key.sw_enforced.GetTagValue(TAG_ALGORITHM, &algorithm)) {
+ return KM_ERROR_INVALID_ARGUMENT;
+ }
+
+ auto key_material = DecryptKey(deserialized_key, hidden, root_key_, &error);
+ if (error != KM_ERROR_OK) return error;
+
+ auto factory = GetKeyFactory(algorithm);
+ return factory->LoadKey(move(key_material), additional_params,
+ move(deserialized_key.hw_enforced), move(deserialized_key.sw_enforced),
+ key);
+}
+
+static bool UpgradeIntegerTag(keymaster_tag_t tag, uint32_t value, AuthorizationSet* set) {
+ int index = set->find(tag);
+ if (index == -1) {
+ keymaster_key_param_t param;
+ param.tag = tag;
+ param.integer = value;
+ set->push_back(param);
+ return true;
+ }
+
+ if (set->params[index].integer > value) return false;
+
+ if (set->params[index].integer != value) {
+ set->params[index].integer = value;
+ }
+ return true;
+}
+
+keymaster_error_t MicrodroidKeymasterContext::UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade,
+ const AuthorizationSet& upgrade_params,
+ KeymasterKeyBlob* upgraded_key) const {
+ UniquePtr<Key> key;
+ keymaster_error_t error = ParseKeyBlob(key_to_upgrade, upgrade_params, &key);
+ if (error != KM_ERROR_OK) return error;
+
+ if (os_version_ == 0) {
+ // We need to allow "upgrading" OS version to zero, to support upgrading from proper
+ // numbered releases to unnumbered development and preview releases.
+
+ int key_os_version_pos = key->sw_enforced().find(TAG_OS_VERSION);
+ if (key_os_version_pos != -1) {
+ uint32_t key_os_version = key->sw_enforced()[key_os_version_pos].integer;
+ if (key_os_version != 0) {
+ key->sw_enforced()[key_os_version_pos].integer = os_version_;
+ }
+ }
+ }
+
+ if (!UpgradeIntegerTag(TAG_OS_VERSION, os_version_, &key->sw_enforced()) ||
+ !UpgradeIntegerTag(TAG_OS_PATCHLEVEL, os_patchlevel_, &key->sw_enforced()))
+ // One of the version fields would have been a downgrade. Not allowed.
+ return KM_ERROR_INVALID_ARGUMENT;
+
+ AuthorizationSet hidden;
+ error = BuildHiddenAuthorizations(upgrade_params, &hidden, microdroidSoftwareRootOfTrust);
+ if (error != KM_ERROR_OK) return error;
+
+ auto encrypted_key =
+ EncryptKey(key->key_material(), AES_GCM_WITH_SW_ENFORCED, key->hw_enforced(),
+ key->sw_enforced(), hidden, root_key_, random_, &error);
+ if (error != KM_ERROR_OK) return error;
+
+ *upgraded_key = SerializeAuthEncryptedBlob(encrypted_key, key->hw_enforced(),
+ key->sw_enforced(), &error);
+ return error;
+}
diff --git a/microdroid/keymint/include/MicrodroidKeyMintDevice.h b/microdroid/keymint/include/MicrodroidKeyMintDevice.h
index 34d09bf..dec7baa 100644
--- a/microdroid/keymint/include/MicrodroidKeyMintDevice.h
+++ b/microdroid/keymint/include/MicrodroidKeyMintDevice.h
@@ -19,6 +19,7 @@
#include <aidl/android/hardware/security/keymint/BnKeyMintDevice.h>
#include <aidl/android/hardware/security/keymint/BnKeyMintOperation.h>
#include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>
+#include <keymaster/android_keymaster_utils.h>
namespace keymaster {
class AndroidKeymaster;
@@ -34,7 +35,7 @@
class MicrodroidKeyMintDevice : public BnKeyMintDevice {
public:
- explicit MicrodroidKeyMintDevice(SecurityLevel securityLevel);
+ explicit MicrodroidKeyMintDevice(::keymaster::KeymasterKeyBlob& rootKey);
virtual ~MicrodroidKeyMintDevice();
ScopedAStatus getHardwareInfo(KeyMintHardwareInfo* info) override;
@@ -85,9 +86,6 @@
protected:
std::shared_ptr<::keymaster::AndroidKeymaster> impl_;
- SecurityLevel securityLevel_;
};
-IKeyMintDevice* CreateKeyMintDevice(SecurityLevel securityLevel);
-
} // namespace aidl::android::hardware::security::keymint
diff --git a/microdroid/keymint/include/MicrodroidKeymasterContext.h b/microdroid/keymint/include/MicrodroidKeymasterContext.h
new file mode 100644
index 0000000..636d240
--- /dev/null
+++ b/microdroid/keymint/include/MicrodroidKeymasterContext.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2021, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <keymaster/contexts/pure_soft_keymaster_context.h>
+#include <keymaster/km_openssl/software_random_source.h>
+
+class MicrodroidKeymasterContext : public ::keymaster::PureSoftKeymasterContext {
+public:
+ explicit MicrodroidKeymasterContext(::keymaster::KmVersion version,
+ ::keymaster::KeymasterKeyBlob& root_key)
+ : PureSoftKeymasterContext(version, KM_SECURITY_LEVEL_SOFTWARE), root_key_(root_key) {}
+
+ keymaster_error_t CreateKeyBlob(const ::keymaster::AuthorizationSet& auths,
+ keymaster_key_origin_t origin,
+ const ::keymaster::KeymasterKeyBlob& key_material,
+ ::keymaster::KeymasterKeyBlob* blob,
+ ::keymaster::AuthorizationSet* hw_enforced,
+ ::keymaster::AuthorizationSet* sw_enforced) const override;
+
+ keymaster_error_t ParseKeyBlob(const ::keymaster::KeymasterKeyBlob& blob,
+ const ::keymaster::AuthorizationSet& additional_params,
+ ::keymaster::UniquePtr<::keymaster::Key>* key) const override;
+
+ keymaster_error_t UpgradeKeyBlob(const ::keymaster::KeymasterKeyBlob& key_to_upgrade,
+ const ::keymaster::AuthorizationSet& upgrade_params,
+ ::keymaster::KeymasterKeyBlob* upgraded_key) const override;
+
+private:
+ ::keymaster::SoftwareRandomSource random_;
+ ::keymaster::KeymasterKeyBlob root_key_;
+};
diff --git a/microdroid/keymint/service.cpp b/microdroid/keymint/service.cpp
index 8467b33..5fc0bd2 100644
--- a/microdroid/keymint/service.cpp
+++ b/microdroid/keymint/service.cpp
@@ -18,15 +18,33 @@
#include <AndroidKeyMintDevice.h>
#include <android-base/logging.h>
+#include <android-base/properties.h>
+#include <android-base/result.h>
#include <android/binder_manager.h>
#include <android/binder_process.h>
+#include <keymaster/android_keymaster_utils.h>
+#include <keymaster/mem.h>
#include <keymaster/soft_keymaster_logger.h>
+#include <openssl/digest.h>
+#include <openssl/hkdf.h>
+#include <openssl/is_boringssl.h>
+#include <openssl/sha.h>
#include "MicrodroidKeyMintDevice.h"
using aidl::android::hardware::security::keymint::MicrodroidKeyMintDevice;
using aidl::android::hardware::security::keymint::SecurityLevel;
+using android::base::Error;
+using android::base::GetProperty;
+using android::base::Result;
+
+using keymaster::KeymasterBlob;
+using keymaster::KeymasterKeyBlob;
+using keymaster::memset_s;
+
+namespace {
+
template <typename T, class... Args>
std::shared_ptr<T> addService(Args&&... args) {
std::shared_ptr<T> ser = ndk::SharedRefBase::make<T>(std::forward<Args>(args)...);
@@ -38,24 +56,58 @@
return ser;
}
+Result<KeymasterKeyBlob> getRootKey() {
+ const std::string prop = "ro.vmsecret.keymint";
+ const std::chrono::seconds timeout(15);
+ while (!android::base::WaitForPropertyCreation(prop, timeout)) {
+ LOG(WARNING) << "waited " << timeout.count() << "seconds for " << prop
+ << ", still waiting...";
+ }
+
+ // In a small effort to avoid spreading the secret around too widely in
+ // memory, move the secert into a buffer that will wipe itself and clear
+ // the original string.
+ std::string secretProp = GetProperty(prop, "");
+ KeymasterBlob secret(reinterpret_cast<const uint8_t*>(secretProp.data()), secretProp.size());
+ memset_s(secretProp.data(), 0, secretProp.size());
+ if (secret.size() < 64u) return Error() << "secret is too small";
+
+ // Derive the root key from the secret to avoid getting locked into using
+ // the secret directly.
+ KeymasterKeyBlob rootKey(SHA512_DIGEST_LENGTH);
+ const uint8_t kRootKeyIkm[] = "keymint_root_key";
+ const uint8_t* kNoSalt = nullptr;
+ const size_t kNoSaltLen = 0;
+ if (!HKDF(rootKey.writable_data(), rootKey.size(), EVP_sha512(), (uint8_t*)secret.begin(),
+ secret.size(), kNoSalt, kNoSaltLen, kRootKeyIkm, sizeof(kRootKeyIkm))) {
+ return Error() << "Failed to derive a key";
+ }
+ if (rootKey.size() < 64u) return Error() << "root key is too small";
+
+ LOG(INFO) << "root key obtained";
+ return rootKey;
+}
+
+} // namespace
+
int main() {
- // Zero threads seems like a useless pool, but below we'll join this thread to it, increasing
- // the pool size to 1.
+ auto rootKey = getRootKey();
+ if (!rootKey.ok()) {
+ LOG(FATAL) << "Failed to get root key: " << rootKey.error();
+ }
+
+ // Zero threads seems like a useless pool, but below we'll join this thread
+ // to it, increasing the pool size to 1.
ABinderProcess_setThreadPoolMaxThreadCount(0);
+
// Add Keymint Service
std::shared_ptr<MicrodroidKeyMintDevice> keyMint =
- addService<MicrodroidKeyMintDevice>(SecurityLevel::SOFTWARE);
-
- // VMs cannot implement the Secure Clock Service
- // addService<AndroidSecureClock>(keyMint);
-
- // VMs don't need to implement the Shared Secret Service as the host
- // facilities the establishment of the shared secret.
- // addService<AndroidSharedSecret>(keyMint);
-
- // VMs don't implement the Remotely Provisioned Component Service as the
- // host facilities provisioning.
- // addService<AndroidRemotelyProvisionedComponentDevice>(keyMint);
+ ndk::SharedRefBase::make<MicrodroidKeyMintDevice>(*rootKey);
+ auto instanceName = std::string(MicrodroidKeyMintDevice::descriptor) + "/default";
+ LOG(INFO) << "adding keymint service instance: " << instanceName;
+ binder_status_t status =
+ AServiceManager_addService(keyMint->asBinder().get(), instanceName.c_str());
+ CHECK(status == STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // should not reach
diff --git a/microdroid/sepolicy/Android.bp b/microdroid/sepolicy/Android.bp
index 6488153..7a55505 100644
--- a/microdroid/sepolicy/Android.bp
+++ b/microdroid/sepolicy/Android.bp
@@ -115,7 +115,6 @@
name: "microdroid_plat_sepolicy.cil",
stem: "plat_sepolicy.cil",
src: ":microdroid_plat_sepolicy.conf",
- additional_cil_files: ["system/private/technical_debt.cil"],
installable: false,
}
diff --git a/microdroid/sepolicy/system/private/adbd.te b/microdroid/sepolicy/system/private/adbd.te
index 52070cb..2ebf9d8 100644
--- a/microdroid/sepolicy/system/private/adbd.te
+++ b/microdroid/sepolicy/system/private/adbd.te
@@ -1,5 +1,3 @@
-### ADB daemon
-
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
@@ -12,21 +10,6 @@
allow adbd su:process dyntransition;
')
-# When 'adb shell' is executed in recovery mode, adbd explicitly
-# switches into shell domain using setcon() because the shell executable
-# is not labeled as shell but as rootfs.
-recovery_only(`
- domain_trans(adbd, rootfs, shell)
- allow adbd shell:process dyntransition;
-
- # Allows reboot fastboot to enter fastboot directly
- unix_socket_connect(adbd, recovery, recovery)
-')
-
-# Control Perfetto traced and obtain traces from it.
-# Needed to allow port forwarding directly to traced.
-unix_socket_connect(adbd, traced_consumer, traced)
-
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
@@ -37,9 +20,6 @@
# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;
-# ignore spurious denials for adbd when disk space is low.
-dontaudit adbd self:global_capability_class_set sys_resource;
-
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
@@ -47,17 +27,6 @@
# Allow adbd inside vm to forward vm's vsock.
allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Create and use network sockets.
-net_domain(adbd)
-
-# Access /dev/usb-ffs/adb/ep0
-allow adbd functionfs:dir search;
-allow adbd functionfs:file rw_file_perms;
-allowxperm adbd functionfs:file ioctl {
- FUNCTIONFS_ENDPOINT_DESC
- FUNCTIONFS_CLEAR_HALT
-};
-
# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;
@@ -65,164 +34,11 @@
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
-# adb pull /data/local/traces/*
-allow adbd trace_data_file:dir r_dir_perms;
-allow adbd trace_data_file:file r_file_perms;
-
-# adb pull /data/misc/profman.
-allow adbd profman_dump_data_file:dir r_dir_perms;
-allow adbd profman_dump_data_file:file r_file_perms;
-
-# adb push/pull sdcard.
allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
-allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-# adb pull /data/anr/traces.txt
-allow adbd anr_data_file:dir r_dir_perms;
-allow adbd anr_data_file:file r_file_perms;
-
-# adb pull /vendor/framework/*
-allow adbd vendor_framework_file:dir r_dir_perms;
-allow adbd vendor_framework_file:file r_file_perms;
-
-# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-set_prop(adbd, shell_prop)
-set_prop(adbd, powerctl_prop)
-get_prop(adbd, ffs_config_prop)
-set_prop(adbd, ffs_control_prop)
-
-# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
-
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)
-
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
-
-# Read whether or not Test Harness Mode is enabled
-get_prop(adbd, test_harness_prop)
-
-# Read persist.adb.tls_server.enable property
-get_prop(adbd, system_adbd_prop)
-
-# Read device's overlayfs related properties and files
-userdebug_or_eng(`
- get_prop(adbd, persistent_properties_ready_prop)
- r_dir_file(adbd, sysfs_dt_firmware_android)
-')
-
-# Run /system/bin/bu
-allow adbd system_file:file rx_file_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-binder_call(adbd, gpuservice)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
-
-# Needed for various screenshots
-hal_client_domain(adbd, hal_graphics_allocator)
-
-# Read /data/misc/adb/adb_keys.
-allow adbd adb_keys_file:dir search;
-allow adbd adb_keys_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Write debugging information to /data/adb
- # when persist.adb.trace_mask is set
- # https://code.google.com/p/android/issues/detail?id=72895
- allow adbd adb_data_file:dir rw_dir_perms;
- allow adbd adb_data_file:file create_file_perms;
-')
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow adbd selinuxfs:dir r_dir_perms;
-allow adbd selinuxfs:file r_file_perms;
-allow adbd kernel:security read_policy;
-allow adbd service_contexts_file:file r_file_perms;
-allow adbd file_contexts_file:file r_file_perms;
-allow adbd seapp_contexts_file:file r_file_perms;
-allow adbd property_contexts_file:file r_file_perms;
-allow adbd sepolicy_file:file r_file_perms;
-
-# Allow pulling config.gz for CTS purposes
-allow adbd config_gz:file r_file_perms;
-
-allow adbd gpu_service:service_manager find;
-allow adbd surfaceflinger_service:service_manager find;
-allow adbd bootchart_data_file:dir search;
-allow adbd bootchart_data_file:file r_file_perms;
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow adbd storage_file:dir r_dir_perms;
-allow adbd storage_file:lnk_file r_file_perms;
-allow adbd mnt_user_file:dir r_dir_perms;
-allow adbd mnt_user_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow adbd media_rw_data_file:dir create_dir_perms;
-allow adbd media_rw_data_file:file create_file_perms;
-
-r_dir_file(adbd, apk_data_file)
allow adbd rootfs:dir r_dir_perms;
-# Allow killing child "perfetto" binary processes, which auto-transition to
-# their own domain. Allows propagating termination of "adb shell perfetto ..."
-# invocations.
-allow adbd perfetto:process signal;
-
-# Allow to pull Perfetto traces.
-allow adbd perfetto_traces_data_file:file r_file_perms;
-allow adbd perfetto_traces_data_file:dir r_dir_perms;
-
-# Allow to push and manage configs in /data/misc/perfetto-configs.
-allow adbd perfetto_configs_data_file:dir rw_dir_perms;
-allow adbd perfetto_configs_data_file:file create_file_perms;
-
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
-
-# Allow pull /vendor/apex files for CTS tests
-allow adbd vendor_apex_file:dir search;
-allow adbd vendor_apex_file:file r_file_perms;
-
-# Allow adb pull of updated apex files in /data/apex/active.
-allow adbd apex_data_file:dir search;
-allow adbd staging_data_file:file r_file_perms;
-
-###
-### Neverallow rules
-###
-
-# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
diff --git a/microdroid/sepolicy/system/private/aidl_lazy_test_server.te b/microdroid/sepolicy/system/private/aidl_lazy_test_server.te
deleted file mode 100644
index 33efde0..0000000
--- a/microdroid/sepolicy/system/private/aidl_lazy_test_server.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
- typeattribute aidl_lazy_test_server coredomain;
-
- init_daemon_domain(aidl_lazy_test_server)
-')
diff --git a/microdroid/sepolicy/system/private/apex_test_prepostinstall.te b/microdroid/sepolicy/system/private/apex_test_prepostinstall.te
deleted file mode 100644
index f1bc214..0000000
--- a/microdroid/sepolicy/system/private/apex_test_prepostinstall.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# APEX pre- & post-install test.
-#
-# Allow to run pre- and post-install hooks for APEX test modules
-# in debuggable builds.
-
-type apex_test_prepostinstall, domain, coredomain;
-type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- # /dev/zero
- allow apex_test_prepostinstall apexd:fd use;
- # Logwrapper.
- create_pty(apex_test_prepostinstall)
- # Logwrapper executing sh.
- allow apex_test_prepostinstall shell_exec:file rx_file_perms;
- # Logwrapper exec.
- allow apex_test_prepostinstall system_file:file execute_no_trans;
- # Ls.
- allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
-')
diff --git a/microdroid/sepolicy/system/private/apexd.te b/microdroid/sepolicy/system/private/apexd.te
index b6fff92..621b1a8 100644
--- a/microdroid/sepolicy/system/private/apexd.te
+++ b/microdroid/sepolicy/system/private/apexd.te
@@ -2,41 +2,6 @@
init_daemon_domain(apexd)
-# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
-allow apexd apex_data_file:dir create_dir_perms;
-allow apexd apex_data_file:file create_file_perms;
-# Allow relabeling file created in /data/apex/decompressed
-allow apexd apex_data_file:file relabelfrom;
-
-# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
-allow apexd metadata_file:dir search;
-allow apexd apex_metadata_file:dir create_dir_perms;
-allow apexd apex_metadata_file:file create_file_perms;
-
-# Allow reserving space on /data/apex/ota_reserved for apex decompression
-allow apexd apex_ota_reserved_file:dir create_dir_perms;
-allow apexd apex_ota_reserved_file:file create_file_perms;
-
-# Allow apexd to create files and directories for snapshots of apex data
-allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
-allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_art_data_file:file { create_file_perms relabelto };
-allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_permission_data_file:file { create_file_perms relabelto };
-allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
-allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
-allow apexd apex_rollback_data_file:dir create_dir_perms;
-allow apexd apex_rollback_data_file:file create_file_perms;
-allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
-allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
-
-# Allow apexd to read directories under /data/misc_de in order to snapshot and
-# restore apex data for all users.
-allow apexd system_data_file:dir r_dir_perms;
-
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
@@ -83,20 +48,8 @@
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
allow apexd apex_info_file:file relabelto;
-# allow apexd to unlink apex files in /data/apex/active
-# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
-# because it doesn't have write permission for staging_data_file object.
-allow apexd staging_data_file:file unlink;
-
-# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
-allow apexd staging_data_file:dir r_dir_perms;
-allow apexd staging_data_file:file { r_file_perms link };
-# # Allow relabeling file created in /data/apex/decompressed
-allow apexd staging_data_file:file relabelto;
-
-# allow apexd to read files from /vendor/apex
-allow apexd vendor_apex_file:dir r_dir_perms;
-allow apexd vendor_apex_file:file r_file_perms;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
@@ -114,17 +67,6 @@
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
-# Allow apexd to reboot device. Required for rollbacks of apexes that are
-# not covered by rollback manager.
-set_prop(apexd, powerctl_prop)
-
-# Allow apexd to stop itself
-set_prop(apexd, ctl_apexd_prop)
-
-# Find the vold service, and call into vold to manage FS checkpoints
-allow apexd vold_service:service_manager find;
-binder_call(apexd, vold)
-
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
@@ -134,70 +76,12 @@
# running system.
allow apexd rootfs:dir mounton;
-# Allow to execute shell for pre- and postinstall scripts. A transition
-# rule is required, thus restricted to execute and not execute_no_trans.
-allow apexd shell_exec:file { r_file_perms execute };
-
# apexd is using bootstrap bionic
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-# Allow transition to test APEX preinstall domain.
-userdebug_or_eng(`
- domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
-')
-
-# Allow transition to GKI update pre/post install domain
-domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
-
-# Allow apexd to be invoked with logwrapper from init during userspace reboot.
-allow apexd devpts:chr_file { read write };
-
-# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
-# other processes
-create_pty(apexd)
-
-# Allow apexd to read file contexts when performing restorecon of snapshots.
+# Allow apexd to read file contexts when performing restorecon
allow apexd file_contexts_file:file r_file_perms;
-# Allow apexd to execute toybox for snapshot & restore
-allow apexd toolbox_exec:file rx_file_perms;
-
-# Allow apexd to read ro.cold_boot_done prop.
-# apexd uses it to decide whether it needs to keep retrying polling for loop device.
-get_prop(apexd, cold_boot_done_prop)
-
-# Allow apexd to read per-device configuration properties.
-get_prop(apexd, apexd_config_prop)
-
-neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
-neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
-neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
-
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
-
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
-
-# only apexd can set apexd sysprop
-set_prop(apexd, apexd_prop)
-neverallow { domain -apexd -init } apexd_prop:property_service set;
-
-# only apexd can write apex-info-list.xml
-neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
-
-# Only apexd and init should be allowed to manage /apex mounts
-# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
-# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
-# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
-
-# Allow for use in postinstall
-allow apexd otapreopt_chroot:fd use;
-allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
-allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
-allow apexd proc_filesystems:file r_file_perms;
+#-------------------------------------------
+allow apexd kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/sepolicy/system/private/app.te b/microdroid/sepolicy/system/private/app.te
deleted file mode 100644
index 2b3554f..0000000
--- a/microdroid/sepolicy/system/private/app.te
+++ /dev/null
@@ -1,105 +0,0 @@
-# Allow apps to read the Test Harness Mode property. This property is used in
-# the implementation of ActivityManager.isDeviceInTestHarnessMode()
-get_prop(appdomain, test_harness_prop)
-
-get_prop(appdomain, boot_status_prop)
-get_prop(appdomain, dalvik_config_prop)
-get_prop(appdomain, media_config_prop)
-get_prop(appdomain, packagemanager_config_prop)
-get_prop(appdomain, radio_control_prop)
-get_prop(appdomain, surfaceflinger_color_prop)
-get_prop(appdomain, systemsound_config_prop)
-get_prop(appdomain, telephony_config_prop)
-get_prop(appdomain, userspace_reboot_config_prop)
-get_prop(appdomain, vold_config_prop)
-get_prop(appdomain, adbd_config_prop)
-
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
-userdebug_or_eng(`perfetto_producer({ appdomain })')
-
-# Prevent apps from causing presubmit failures.
-# Apps can cause selinux denials by accessing CE storage
-# and/or external storage. In either case, the selinux denial is
-# not the cause of the failure, but just a symptom that
-# storage isn't ready. Many apps handle the failure appropriately.
-#
-# Apps cannot access external storage before it becomes available.
-dontaudit appdomain storage_stub_file:dir getattr;
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
-# allowed to write to CE storage before it's available.
-# Attempting to do so will be blocked by both selinux and unix
-# permissions.
-dontaudit appdomain system_data_file:dir write;
-# Apps should not be reading vendor-defined properties.
-dontaudit appdomain vendor_default_prop:file read;
-
-# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow appdomain mnt_media_rw_file:dir search;
-
-neverallow appdomain system_server:udp_socket {
- accept append bind create ioctl listen lock name_bind
- relabelfrom relabelto setattr shutdown };
-
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump to allow for app crash reporting.
-# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
-# to allow renderscript to create privileged executable files.
-neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain -crash_dump -rs }:process { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain }:process { dyntransition };
-
-# Don't allow regular apps access to storage configuration properties.
-neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
-
-# Allow to read sendbug.preferred.domain
-get_prop(appdomain, sendbug_config_prop)
-
-# Allow to read graphics related properties.
-get_prop(appdomain, graphics_config_prop)
-
-# Allow to read persist.config.calibration_fac
-get_prop(appdomain, camera_calibration_prop)
-
-# Allow to read db.log.detailed, db.log.slow_query_threshold*
-get_prop(appdomain, sqlite_log_prop)
-
-# Allow font file read by apps.
-allow appdomain font_data_file:file r_file_perms;
-allow appdomain font_data_file:dir r_dir_perms;
-
-# Enter /data/misc/apexdata/
-allow appdomain apex_module_data_file:dir search;
-# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
-allow appdomain apex_art_data_file:dir r_dir_perms;
-allow appdomain apex_art_data_file:file rx_file_perms;
-
-# Allow access to tombstones if an fd to one is given to you.
-# This is restricted by unix permissions, so an app must go through system_server to get one.
-allow appdomain tombstone_data_file:file { getattr read };
-neverallow appdomain tombstone_data_file:file ~{ getattr read };
-
-# Sensitive app domains are not allowed to execute from /data
-# to prevent persistence attacks and ensure all code is executed
-# from read-only locations.
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -apex_art_data_file
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
diff --git a/microdroid/sepolicy/system/private/app_neverallows.te b/microdroid/sepolicy/system/private/app_neverallows.te
deleted file mode 100644
index 096a41b..0000000
--- a/microdroid/sepolicy/system/private/app_neverallows.te
+++ /dev/null
@@ -1,237 +0,0 @@
-###
-### neverallow rules for untrusted app domains
-###
-
-define(`all_untrusted_apps',`{
- ephemeral_app
- isolated_app
- mediaprovider
- mediaprovider_app
- untrusted_app
- untrusted_app_25
- untrusted_app_27
- untrusted_app_29
- untrusted_app_all
-}')
-# Receive or send uevent messages.
-neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow all_untrusted_apps domain:netlink_socket *;
-
-# Read or write kernel printk buffer
-neverallow all_untrusted_apps kmsg_device:chr_file no_rw_file_perms;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
-neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
-
-# Do not allow untrusted apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow all_untrusted_apps service_manager_type:service_manager add;
-
-# Do not allow untrusted apps to use VendorBinder
-neverallow all_untrusted_apps vndbinder_device:chr_file *;
-neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
-
-# Do not allow untrusted apps to connect to the property service
-# or set properties. b/10243159
-neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
-neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
-neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
-
-# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps } net_dns_prop:file read;
-
-# Shared libraries created by trusted components within an app home
-# directory can be dlopen()ed. To maintain the W^X property, these files
-# must never be writable to the app.
-neverallow all_untrusted_apps app_exec_data_file:file
- { append create link relabelfrom relabelto rename setattr write };
-
-# Block calling execve() on files in an apps home directory.
-# This is a W^X violation (loading executable code from a writable
-# home directory). For compatibility, allow for targetApi <= 28.
-# b/112357170
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -runas_app
-} { app_data_file privapp_data_file }:file execute_no_trans;
-
-# Do not allow untrusted apps to invoke dex2oat. This was historically required
-# by ART for compiling secondary dex files but has been removed in Q.
-# Exempt legacy apps (targetApi<=28) for compatibility.
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
-} dex2oat_exec:file no_x_file_perms;
-
-# Do not allow untrusted apps to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and an untrusted app is allowed fork permission to itself.
-neverallow all_untrusted_apps mlstrustedsubject:process fork;
-
-# Do not allow untrusted apps to hard link to any files.
-# In particular, if an untrusted app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure untrusted apps never have this
-# capability.
-neverallow all_untrusted_apps file_type:file link;
-
-# Do not allow untrusted apps to access network MAC address file
-neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
-
-# Do not allow any write access to files in /sys
-neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
-
-# Apps may never access the default sysfs label.
-neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
-
-# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
-# ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow all_untrusted_apps *:{
- socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
- netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
- netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket sctp_socket
- ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
- atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
- bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
-} *;
-
-# Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
-
-# Do not allow untrusted apps access to /cache
-neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
-
-# Do not allow untrusted apps to create/unlink files outside of its sandbox,
-# internal storage or sdcard.
-# World accessible data locations allow application to fill the device
-# with unaccounted for data. This data will not get removed during
-# application un-installation.
-neverallow { all_untrusted_apps -mediaprovider } {
- fs_type
- -sdcard_type
- file_type
- -app_data_file # The apps sandbox itself
- -privapp_data_file
- -app_exec_data_file # stored within the app sandbox directory
- -media_rw_data_file # Internal storage. Known that apps can
- # leave artfacts here after uninstall.
- -user_profile_data_file # Access to profile files
- userdebug_or_eng(`
- -method_trace_data_file # only on ro.debuggable=1
- -coredump_file # userdebug/eng only
- ')
-}:dir_file_class_set { create unlink };
-
-# No untrusted component except mediaprovider_app should be touching /dev/fuse
-neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
-
-# Do not allow untrusted apps to directly open the tun_device
-neverallow all_untrusted_apps tun_device:chr_file open;
-# The tun_device ioctls below are not allowed, to prove equivalence
-# to the kernel patch at
-# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
-neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-neverallow all_untrusted_apps anr_data_file:file ~{ open append };
-neverallow all_untrusted_apps anr_data_file:dir ~search;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow all_untrusted_apps {
- proc
- proc_asound
- proc_kmsg
- proc_loadavg
- proc_mounts
- proc_pagetypeinfo
- proc_slabinfo
- proc_stat
- proc_swaps
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat
-}:file { no_rw_file_perms no_x_file_perms };
-
-# /proc/filesystems is accessible to mediaprovider_app only since it handles
-# external storage
-neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
-
-# Avoid all access to kernel configuration
-neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
-
-# Do not allow untrusted apps access to preloads data files
-neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
-
-# Locking of files on /system could lead to denial of service attacks
-# against privileged system components
-neverallow all_untrusted_apps system_file:file lock;
-
-# Do not permit untrusted apps to perform actions on HwBinder service_manager
-# other than find actions for services listed below
-neverallow all_untrusted_apps *:hwservice_manager ~find;
-
-# Do not permit access from apps which host arbitrary code to the protected services
-# The two main reasons for this are:
-# 1. Protected HwBinder servers do not perform client authentication because
-# vendor code does not have a way to understand apps or their relation to
-# caller UID information and, even if it did, those services either operate
-# at a level below that of apps (e.g., HALs) or must not rely on app identity
-# for authorization. Thus, to be safe, the default assumption for all added
-# vendor services is that they treat all their clients as equally authorized
-# to perform operations offered by the service.
-# 2. HAL servers contain code with higher incidence rate of security issues
-# than system/core components and have access to lower layes of the stack
-# (all the way down to hardware) thus increasing opportunities for bypassing
-# the Android security model.
-neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
-neverallow all_untrusted_apps protected_service:service_manager find;
-
-# SELinux is not an API for untrusted apps to use
-neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-# This will go away in a future Android release
-neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
-neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
-
-# Untrusted apps are not allowed to use cgroups.
-neverallow all_untrusted_apps cgroup:file *;
-neverallow all_untrusted_apps cgroup_v2:file *;
-
-# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
-# must not use it.
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
-} mnt_sdcard_file:lnk_file *;
-
-# Only privileged apps may find the incident service
-neverallow all_untrusted_apps incident_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/app_zygote.te b/microdroid/sepolicy/system/private/app_zygote.te
deleted file mode 100644
index 4ee3af7..0000000
--- a/microdroid/sepolicy/system/private/app_zygote.te
+++ /dev/null
@@ -1,168 +0,0 @@
-typeattribute app_zygote coredomain;
-
-######
-###### Policy below is different from regular zygote-spawned apps
-######
-
-# Allow access to temporary files, which is normally permitted through
-# a domain macro.
-tmpfs_domain(app_zygote);
-
-# Set the UID/GID of the process.
-# This will be further limited to a range of isolated UIDs with seccomp.
-allow app_zygote self:global_capability_class_set { setgid setuid };
-# Drop capabilities from bounding set.
-allow app_zygote self:global_capability_class_set setpcap;
-# Switch SELinux context to isolated app domain.
-allow app_zygote self:process setcurrent;
-allow app_zygote isolated_app:process dyntransition;
-
-# For JIT
-allow app_zygote self:process execmem;
-
-# Allow app_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow app_zygote debugfs_trace_marker:file getattr;
-
-# get system_server process group
-allow app_zygote system_server:process getpgid;
-
-# Interaction between the app_zygote and its children.
-allow app_zygote isolated_app:process setpgid;
-
-# TODO (b/63631799) fix this access
-dontaudit app_zygote mnt_expand_file:dir getattr;
-
-# Get seapp_contexts
-allow app_zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(app_zygote)
-# Check SELinux permissions.
-selinux_check_access(app_zygote)
-
-######
-###### Policy below is shared with regular zygote-spawned apps
-######
-
-# Child of zygote.
-allow app_zygote zygote:fd use;
-allow app_zygote zygote:process sigchld;
-
-# For ART (read /data/dalvik-cache).
-r_dir_file(app_zygote, dalvikcache_data_file);
-allow app_zygote dalvikcache_data_file:file execute;
-
-# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
-allow app_zygote apex_module_data_file:dir search;
-# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
-r_dir_file(app_zygote, apex_art_data_file)
-
-# Allow reading/executing installed binaries to enable preloading
-# application data
-allow app_zygote apk_data_file:dir r_dir_perms;
-allow app_zygote apk_data_file:file { r_file_perms execute };
-
-# /oem accesses.
-allow app_zygote oemfs:dir search;
-
-# Allow app_zygote access to /vendor/overlay
-r_dir_file(app_zygote, vendor_overlay_file)
-
-allow app_zygote system_data_file:lnk_file r_file_perms;
-allow app_zygote system_data_file:file { getattr read map };
-
-# Send unsolicited message to system_server
-unix_socket_send(app_zygote, system_unsolzygote, system_server)
-
-# Allow the app_zygote to access the runtime feature flag properties.
-get_prop(app_zygote, device_config_runtime_native_prop)
-get_prop(app_zygote, device_config_runtime_native_boot_prop)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow app_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow app_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow app_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for the zygote to fork a new
-# app_zygote child.
-neverallow { domain -zygote } app_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow app_zygote property_socket:sock_file write;
-neverallow app_zygote property_type:property_service set;
-
-# Should not have any access to data files.
-neverallow app_zygote app_data_file_type:file { rwx_file_perms };
-
-neverallow app_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps should not be able to access the driver directly.
-neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow app_zygote access to /cache.
-neverallow app_zygote cache_file:dir ~{ r_dir_perms };
-neverallow app_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow app_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
- sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
- x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
- pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
- rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
-} *;
-
-# Only allow app_zygote to talk to the logd socket, and
-# su/heapprofd/traced_perf on eng/userdebug. This is because
-# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
-# Think twice before changing.
-neverallow app_zygote {
- domain
- -app_zygote
- -logd
- -system_server
- userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
-}:unix_dgram_socket *;
-
-neverallow app_zygote {
- domain
- -app_zygote
- userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
-}:unix_stream_socket *;
-
-# Never allow ptrace
-neverallow app_zygote *:process ptrace;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow app_zygote {
- bluetooth_a2dp_offload_prop
- bluetooth_audio_hal_prop
- bluetooth_prop
- exported_bluetooth_prop
-}:file create_file_perms;
diff --git a/microdroid/sepolicy/system/private/artd.te b/microdroid/sepolicy/system/private/artd.te
deleted file mode 100644
index 0aa12dc..0000000
--- a/microdroid/sepolicy/system/private/artd.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# art service daemon
-type artd, domain;
-type artd_exec, system_file_type, exec_type, file_type;
-
-# Allow artd to publish a binder service and make binder calls.
-binder_use(artd)
-add_service(artd, artd_service)
-allow artd dumpstate:fifo_file { getattr write };
-
-typeattribute artd coredomain;
-
-init_daemon_domain(artd)
-
-# Allow query ART device config properties
-get_prop(artd, device_config_runtime_native_prop)
-get_prop(artd, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/asan_extract.te b/microdroid/sepolicy/system/private/asan_extract.te
deleted file mode 100644
index 69bcd50..0000000
--- a/microdroid/sepolicy/system/private/asan_extract.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# Technically not a daemon but we do want the transition from init domain to
-# asan_extract to occur.
-with_asan(`
- typeattribute asan_extract coredomain;
- init_daemon_domain(asan_extract)
-
- # We need to signal a reboot when done.
- set_prop(asan_extract, powerctl_prop)
-')
diff --git a/microdroid/sepolicy/system/private/atrace.te b/microdroid/sepolicy/system/private/atrace.te
deleted file mode 100644
index d4aed40..0000000
--- a/microdroid/sepolicy/system/private/atrace.te
+++ /dev/null
@@ -1,79 +0,0 @@
-# Domain for atrace process.
-# It is spawned either by traced_probes or by init for the boottrace service.
-
-type atrace_exec, exec_type, file_type, system_file_type;
-
-# boottrace services uses /data/misc/boottrace/categories
-allow atrace boottrace_data_file:dir search;
-allow atrace boottrace_data_file:file r_file_perms;
-
-# Allow atrace to access tracefs.
-allow atrace debugfs_tracing:dir r_dir_perms;
-allow atrace debugfs_tracing:file rw_file_perms;
-allow atrace debugfs_trace_marker:file getattr;
-
-# Allow atrace to write data when a pipe is used for stdout/stderr
-# This is used by Perfetto to capture the output on error in atrace.
-allow atrace traced_probes:fd use;
-allow atrace traced_probes:fifo_file write;
-
-# atrace sets debug.atrace.* properties
-set_prop(atrace, debug_prop)
-
-# atrace pokes all the binder-enabled processes at startup with a
-# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-
-# Allow discovery of binder services.
-allow atrace {
- service_manager_type
- -apex_service
- -incident_service
- -iorapd_service
- -netd_service
- -dnsresolver_service
- -stats_service
- -dumpstate_service
- -installd_service
- -vold_service
- -lpdump_service
- -default_android_service
-}:service_manager { find };
-allow atrace servicemanager:service_manager list;
-
-# Allow notifying the processes hosting specific binder services that
-# trace-related system properties have changed.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-# Similarly, on debug builds, allow specific HALs to be notified that
-# trace-related system properties have changed.
-userdebug_or_eng(`
- # List HAL interfaces.
- allow atrace hwservicemanager:hwservice_manager list;
- # Notify the camera HAL.
- hal_client_domain(atrace, hal_camera)
- hal_client_domain(atrace, hal_vibrator)
-')
-
-# Remove logspam from notification attempts to non-allowlisted services.
-dontaudit atrace hwservice_manager_type:hwservice_manager find;
-dontaudit atrace service_manager_type:service_manager find;
-dontaudit atrace domain:binder call;
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
-get_prop(atrace, hwservicemanager_prop)
-
-userdebug_or_eng(`
- # atrace is generally invoked as a standalone binary from shell or perf
- # daemons like Perfetto traced_probes. However, in userdebug builds, there is
- # a further option to run atrace as an init daemon for boot tracing.
- init_daemon_domain(atrace)
-
- allow atrace debugfs_tracing_debug:dir r_dir_perms;
- allow atrace debugfs_tracing_debug:file rw_file_perms;
-')
diff --git a/microdroid/sepolicy/system/private/audioserver.te b/microdroid/sepolicy/system/private/audioserver.te
deleted file mode 100644
index feda8d4..0000000
--- a/microdroid/sepolicy/system/private/audioserver.te
+++ /dev/null
@@ -1,105 +0,0 @@
-# audioserver - audio services daemon
-
-typeattribute audioserver coredomain;
-
-type audioserver_exec, exec_type, file_type, system_file_type;
-init_daemon_domain(audioserver)
-tmpfs_domain(audioserver)
-
-r_dir_file(audioserver, sdcard_type)
-
-binder_use(audioserver)
-binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, appdomain)
-binder_service(audioserver)
-
-hal_client_domain(audioserver, hal_allocator)
-# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
-r_dir_file(audioserver, system_file)
-
-hal_client_domain(audioserver, hal_audio)
-
-userdebug_or_eng(`
- # used for TEE sink - pcm capture for debug.
- allow audioserver media_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:file create_file_perms;
-
- # ptrace to processes in the same domain for memory leak detection
- allow audioserver self:process ptrace;
-')
-
-add_service(audioserver, audioserver_service)
-allow audioserver activity_service:service_manager find;
-allow audioserver appops_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver external_vibrator_service:service_manager find;
-allow audioserver package_native_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver permission_checker_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-allow audioserver mediametrics_service:service_manager find;
-allow audioserver sensor_privacy_service:service_manager find;
-allow audioserver soundtrigger_middleware_service:service_manager find;
-
-# Allow read/write access to bluetooth-specific properties
-set_prop(audioserver, bluetooth_a2dp_offload_prop)
-set_prop(audioserver, bluetooth_audio_hal_prop)
-set_prop(audioserver, bluetooth_prop)
-set_prop(audioserver, exported_bluetooth_prop)
-
-# Grant access to audio files to audioserver
-allow audioserver audio_data_file:dir ra_dir_perms;
-allow audioserver audio_data_file:file create_file_perms;
-
-# allow access to ALSA MMAP FDs for AAudio API
-allow audioserver audio_device:chr_file { read write };
-
-not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
-not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
-
-# For A2DP bridge which is loaded directly into audioserver
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
-# Allow shell commands from ADB and shell for CTS testing/dumping
-allow audioserver adbd:fd use;
-allow audioserver adbd:unix_stream_socket { read write };
-allow audioserver shell:fifo_file { read write };
-
-# Allow shell commands from ADB for CTS testing/dumping
-userdebug_or_eng(`
- allow audioserver su:fd use;
- allow audioserver su:fifo_file { read write };
- allow audioserver su:unix_stream_socket { read write };
-')
-
-# Allow write access to log tag property
-set_prop(audioserver, log_tag_prop);
-
-###
-### neverallow rules
-###
-
-# audioserver should never execute any executable without a
-# domain transition
-neverallow audioserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ udp_socket rawip_socket } *;
-neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# Allow using wake locks
-wakelock_use(audioserver)
-
-# Allow reading audio config props, e.g. af.fast_track_multiplier
-get_prop(audioserver, audio_config_prop)
diff --git a/microdroid/sepolicy/system/private/auditctl.te b/microdroid/sepolicy/system/private/auditctl.te
deleted file mode 100644
index f634d3d..0000000
--- a/microdroid/sepolicy/system/private/auditctl.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# /system/bin/auditctl executed for logd
-#
-# Performs maintenance of the kernel auditing system, including
-# setting rate limits on SELinux denials.
-#
-
-type auditctl, domain, coredomain;
-type auditctl_exec, file_type, system_file_type, exec_type;
-
-# Uncomment the line below to put this domain into permissive
-# mode. This helps speed SELinux policy development.
-# userdebug_or_eng(`permissive auditctl;')
-
-init_daemon_domain(auditctl)
-
-allow auditctl self:global_capability_class_set audit_control;
-allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
diff --git a/microdroid/sepolicy/system/private/automotive_display_service.te b/microdroid/sepolicy/system/private/automotive_display_service.te
deleted file mode 100644
index fa11ca4..0000000
--- a/microdroid/sepolicy/system/private/automotive_display_service.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# Display proxy service for Automotive
-type automotive_display_service, domain, coredomain;
-type automotive_display_service_exec, system_file_type, exec_type, file_type;
-
-typeattribute automotive_display_service automotive_display_service_server;
-
-# Allow to add a display service to the manager
-add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
-
-# Allow init to launch automotive display service
-init_daemon_domain(automotive_display_service)
-
-# Allow to use Binder IPC for SurfaceFlinger.
-binder_use(automotive_display_service)
-
-# Allow to use HwBinder IPC for HAL implementations.
-hwbinder_use(automotive_display_service)
-hal_client_domain(automotive_display_service, hal_graphics_composer)
-
-# Allow to read the target property.
-get_prop(automotive_display_service, hwservicemanager_prop)
-
-# Allow to find SurfaceFlinger.
-allow automotive_display_service surfaceflinger_service:service_manager find;
-
-# Allow client domain to do binder IPC to serverdomain.
-binder_call(automotive_display_service, surfaceflinger)
-
-# Allow to use a graphics mapper
-allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# Allow to use hidl token service
-allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
diff --git a/microdroid/sepolicy/system/private/binderservicedomain.te b/microdroid/sepolicy/system/private/binderservicedomain.te
index 7275954..99006bf 100644
--- a/microdroid/sepolicy/system/private/binderservicedomain.te
+++ b/microdroid/sepolicy/system/private/binderservicedomain.te
@@ -1,22 +1,3 @@
-# Rules common to all binder service domains
-
-# Allow dumpstate and incidentd to collect information from binder services
-allow binderservicedomain { dumpstate incidentd }:fd use;
-allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
-allow binderservicedomain shell_data_file:file { getattr write };
-
-# Allow dumpsys to work from adb shell or the serial console
-allow binderservicedomain devpts:chr_file rw_file_perms;
-allow binderservicedomain console_device:chr_file rw_file_perms;
-
-# Receive and write to a pipe received over Binder from an app.
-allow binderservicedomain appdomain:fd use;
-allow binderservicedomain appdomain:fifo_file write;
-
-# allow all services to run permission checks
-allow binderservicedomain permission_service:service_manager find;
-
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
diff --git a/microdroid/sepolicy/system/private/blank_screen.te b/microdroid/sepolicy/system/private/blank_screen.te
deleted file mode 100644
index 20d50cc..0000000
--- a/microdroid/sepolicy/system/private/blank_screen.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type blank_screen, domain, coredomain;
-type blank_screen_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(blank_screen)
-
-# hal_light_client has access to hal_light_server
-hal_client_domain(blank_screen, hal_light)
diff --git a/microdroid/sepolicy/system/private/blkid.te b/microdroid/sepolicy/system/private/blkid.te
deleted file mode 100644
index 4e972ab..0000000
--- a/microdroid/sepolicy/system/private/blkid.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# blkid called from vold
-
-typeattribute blkid coredomain;
-
-type blkid_exec, system_file_type, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/private/blkid_untrusted.te b/microdroid/sepolicy/system/private/blkid_untrusted.te
deleted file mode 100644
index 1256771..0000000
--- a/microdroid/sepolicy/system/private/blkid_untrusted.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# blkid for untrusted block devices
-
-typeattribute blkid_untrusted coredomain;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/private/bluetooth.te b/microdroid/sepolicy/system/private/bluetooth.te
deleted file mode 100644
index 8fc6d20..0000000
--- a/microdroid/sepolicy/system/private/bluetooth.te
+++ /dev/null
@@ -1,87 +0,0 @@
-# bluetooth app
-
-typeattribute bluetooth coredomain, mlstrustedsubject;
-
-app_domain(bluetooth)
-net_domain(bluetooth)
-
-# Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(bluetooth);
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
-allow bluetooth bluetooth_logs_data_file:file create_file_perms;
-
-# Socket creation under /data/misc/bluedroid.
-allow bluetooth bluetooth_socket:sock_file create_file_perms;
-
-allow bluetooth self:global_capability_class_set net_admin;
-allow bluetooth self:global_capability2_class_set wake_alarm;
-
-# tethering
-allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
-allow bluetooth tun_device:chr_file rw_file_perms;
-allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-allow bluetooth efs_file:dir search;
-
-# allow Bluetooth to access uhid device for HID profile
-allow bluetooth uhid_device:chr_file rw_file_perms;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# Allow write access to bluetooth specific properties
-set_prop(bluetooth, binder_cache_bluetooth_server_prop);
-neverallow { domain -bluetooth -init }
- binder_cache_bluetooth_server_prop:property_service set;
-set_prop(bluetooth, bluetooth_a2dp_offload_prop)
-set_prop(bluetooth, bluetooth_audio_hal_prop)
-set_prop(bluetooth, bluetooth_prop)
-set_prop(bluetooth, exported_bluetooth_prop)
-set_prop(bluetooth, pan_result_prop)
-
-allow bluetooth audioserver_service:service_manager find;
-allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth drmserver_service:service_manager find;
-allow bluetooth mediaserver_service:service_manager find;
-allow bluetooth radio_service:service_manager find;
-allow bluetooth app_api_service:service_manager find;
-allow bluetooth system_api_service:service_manager find;
-allow bluetooth network_stack_service:service_manager find;
-allow bluetooth system_suspend_control_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the bluetooth process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow bluetooth shell_data_file:file read;
-
-# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:global_capability_class_set sys_nice;
-
-hal_client_domain(bluetooth, hal_bluetooth)
-hal_client_domain(bluetooth, hal_telephony)
-
-# Bluetooth A2DP offload requires binding with audio HAL
-hal_client_domain(bluetooth, hal_audio)
-
-read_runtime_log_tags(bluetooth)
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
diff --git a/microdroid/sepolicy/system/private/bluetoothdomain.te b/microdroid/sepolicy/system/private/bluetoothdomain.te
deleted file mode 100644
index fe4f0e6..0000000
--- a/microdroid/sepolicy/system/private/bluetoothdomain.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow clients to use a socket provided by the bluetooth app.
-allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/microdroid/sepolicy/system/private/bootanim.te b/microdroid/sepolicy/system/private/bootanim.te
deleted file mode 100644
index 855bc3d..0000000
--- a/microdroid/sepolicy/system/private/bootanim.te
+++ /dev/null
@@ -1,17 +0,0 @@
-typeattribute bootanim coredomain;
-
-init_daemon_domain(bootanim)
-
-# b/68864350
-dontaudit bootanim unlabeled:dir search;
-
-# Bootanim should not be reading default vendor-defined properties.
-dontaudit bootanim vendor_default_prop:file read;
-
-# Read ro.boot.bootreason b/30654343
-get_prop(bootanim, bootloader_boot_reason_prop)
-
-get_prop(bootanim, bootanim_config_prop)
-
-# Allow updating boot animation status.
-set_prop(bootanim, bootanim_system_prop)
diff --git a/microdroid/sepolicy/system/private/bootstat.te b/microdroid/sepolicy/system/private/bootstat.te
deleted file mode 100644
index 016292e..0000000
--- a/microdroid/sepolicy/system/private/bootstat.te
+++ /dev/null
@@ -1,34 +0,0 @@
-typeattribute bootstat coredomain;
-
-init_daemon_domain(bootstat)
-
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
-
-# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
-set_prop(bootstat, bootloader_boot_reason_prop)
-set_prop(bootstat, system_boot_reason_prop)
-set_prop(bootstat, last_boot_reason_prop)
-
-neverallow {
- domain
- -bootanim
- -bootstat
- -dumpstate
- userdebug_or_eng(`-incidentd')
- -init
- -recovery
- -shell
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
-# ... and refine, as these components should not set the last boot reason
-neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
-
-neverallow {
- domain
- -bootstat
- -init
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
-# ... and refine ... for a ro propertly no less ... keep this _tight_
-neverallow system_server bootloader_boot_reason_prop:property_service set;
diff --git a/microdroid/sepolicy/system/private/boringssl_self_test.te b/microdroid/sepolicy/system/private/boringssl_self_test.te
deleted file mode 100644
index 50fc1fc..0000000
--- a/microdroid/sepolicy/system/private/boringssl_self_test.te
+++ /dev/null
@@ -1,74 +0,0 @@
-# System and vendor domains for BoringSSL self test binaries.
-#
-# For FIPS compliance, all processes linked against libcrypto perform a startup
-# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
-# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
-#
-# The KATs are expensive, and to ensure they are run as few times as possible, they
-# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
-# the hash of the BCM that was computed earlier. The files are zero length and their contents
-# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl
-# to create these marker files, there are dedicated self test binaries which this policy
-# gives access to and which are run during early-init.
-#
-# Due to build skew, the version of libcrypto in /vendor may have a different hash than
-# the system one. To cater for this there are vendor variants of the self test binaries
-# which also have permission to write to the same files in /dev/boringssl. In the case where
-# vendor and system libcrypto have the same hash, there will be a race to create the file,
-# but this is harmless.
-#
-# If the self tests fail, then the device should reboot into firmware and for this reason
-# the system boringssl_self_test domain needs to be in coredomain. As vendor domains
-# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
-# reboot. However every binary linked against the vendor libcrypto will abort on startup,
-# so in practice the device will crash anyway in this unlikely scenario.
-
-# System boringssl_self_test domain
-type boringssl_self_test, domain, coredomain;
-type boringssl_self_test_exec, system_file_type, exec_type, file_type;
-
-# Vendor boringssl_self_test domain
-type vendor_boringssl_self_test, domain;
-type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
-
-# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
-init_daemon_domain(boringssl_self_test)
-
-# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
-init_daemon_domain(vendor_boringssl_self_test)
-
-# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
-#
-# The files are zero length so there is no issue if both vendor and system code
-# try to create the same file simultaneously. One will succeed and the other will fail
-# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the
-# system domain e.g. when system and APEX copies of libcrypto are identical.
-type boringssl_self_test_marker, file_type;
-
-# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
-allow { boringssl_self_test vendor_boringssl_self_test }
- boringssl_self_test_marker:file create_file_perms;
-allow { boringssl_self_test vendor_boringssl_self_test }
- boringssl_self_test_marker:dir ra_dir_perms;
-
-# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
-allow { boringssl_self_test vendor_boringssl_self_test }
- kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
-
-# No other process should be able to create marker files because their existence causes the
-# boringssl KAT to be skipped.
-neverallow {
- domain
- -vendor_boringssl_self_test
- -boringssl_self_test
- -init
- -vendor_init
-} boringssl_self_test_marker:file no_rw_file_perms;
-
-neverallow {
- domain
- -vendor_boringssl_self_test
- -boringssl_self_test
- -init
- -vendor_init
-} boringssl_self_test_marker:dir write;
diff --git a/microdroid/sepolicy/system/private/bpfloader.te b/microdroid/sepolicy/system/private/bpfloader.te
deleted file mode 100644
index ae9b52c..0000000
--- a/microdroid/sepolicy/system/private/bpfloader.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# bpf program loader
-type bpfloader, domain;
-type bpfloader_exec, system_file_type, exec_type, file_type;
-typeattribute bpfloader coredomain;
-
-# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
-
-# Allow bpfloader to create bpf maps and programs.
-allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
-
-allow bpfloader self:capability { chown sys_admin net_admin };
-
-set_prop(bpfloader, bpf_progs_loaded_prop)
-
-###
-### Neverallow rules
-###
-
-# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
-
-# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
-
-neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
-
-neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-
-neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
-
-# No domain should be allowed to ptrace bpfloader
-neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
diff --git a/microdroid/sepolicy/system/private/bufferhubd.te b/microdroid/sepolicy/system/private/bufferhubd.te
deleted file mode 100644
index 012eb20..0000000
--- a/microdroid/sepolicy/system/private/bufferhubd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bufferhubd coredomain;
-
-init_daemon_domain(bufferhubd)
diff --git a/microdroid/sepolicy/system/private/cameraserver.te b/microdroid/sepolicy/system/private/cameraserver.te
deleted file mode 100644
index 2be3c9e..0000000
--- a/microdroid/sepolicy/system/private/cameraserver.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute cameraserver coredomain;
-
-typeattribute cameraserver camera_service_server;
-
-init_daemon_domain(cameraserver)
-tmpfs_domain(cameraserver)
diff --git a/microdroid/sepolicy/system/private/canhalconfigurator.te b/microdroid/sepolicy/system/private/canhalconfigurator.te
deleted file mode 100644
index 9ba60ac..0000000
--- a/microdroid/sepolicy/system/private/canhalconfigurator.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type canhalconfigurator, domain, coredomain;
-type canhalconfigurator_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(canhalconfigurator)
-
-# This allows the configurator to look up the CAN HAL controller via
-# hwservice_manager and communicate with it.
-hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/microdroid/sepolicy/system/private/charger.te b/microdroid/sepolicy/system/private/charger.te
deleted file mode 100644
index 8be113f..0000000
--- a/microdroid/sepolicy/system/private/charger.te
+++ /dev/null
@@ -1,31 +0,0 @@
-typeattribute charger coredomain;
-
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
-set_prop(charger, exported_system_prop)
-set_prop(charger, exported3_system_prop)
-set_prop(charger, charger_status_prop)
-
-get_prop(charger, charger_prop)
-get_prop(charger, charger_config_prop)
-
-# get minui properties
-get_prop(charger, recovery_config_prop)
-
-compatible_property_only(`
- neverallow {
- domain
- -init
- -dumpstate
- -charger
- } charger_prop:file no_rw_file_perms;
-')
-
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
- -charger
-} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/clatd.te b/microdroid/sepolicy/system/private/clatd.te
deleted file mode 100644
index 0fa774a..0000000
--- a/microdroid/sepolicy/system/private/clatd.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# 464xlat daemon
-type clatd, domain, coredomain;
-type clatd_exec, system_file_type, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
- auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/coredomain.te b/microdroid/sepolicy/system/private/coredomain.te
deleted file mode 100644
index b7f4f5d..0000000
--- a/microdroid/sepolicy/system/private/coredomain.te
+++ /dev/null
@@ -1,246 +0,0 @@
-get_prop(coredomain, boot_status_prop)
-get_prop(coredomain, camera_config_prop)
-get_prop(coredomain, dalvik_config_prop)
-get_prop(coredomain, dalvik_runtime_prop)
-get_prop(coredomain, exported_pm_prop)
-get_prop(coredomain, ffs_config_prop)
-get_prop(coredomain, graphics_config_prop)
-get_prop(coredomain, hdmi_config_prop)
-get_prop(coredomain, init_service_status_private_prop)
-get_prop(coredomain, lmkd_config_prop)
-get_prop(coredomain, localization_prop)
-get_prop(coredomain, pm_prop)
-get_prop(coredomain, radio_control_prop)
-get_prop(coredomain, rollback_test_prop)
-get_prop(coredomain, setupwizard_prop)
-get_prop(coredomain, sqlite_log_prop)
-get_prop(coredomain, storagemanager_config_prop)
-get_prop(coredomain, surfaceflinger_color_prop)
-get_prop(coredomain, systemsound_config_prop)
-get_prop(coredomain, telephony_config_prop)
-get_prop(coredomain, usb_config_prop)
-get_prop(coredomain, usb_control_prop)
-get_prop(coredomain, userspace_reboot_config_prop)
-get_prop(coredomain, vold_config_prop)
-get_prop(coredomain, vts_status_prop)
-get_prop(coredomain, zygote_config_prop)
-get_prop(coredomain, zygote_wrap_prop)
-
-# TODO(b/170590987): remove this after cleaning up default_prop
-get_prop(coredomain, default_prop)
-
-full_treble_only(`
-neverallow {
- coredomain
-
- # for chowning
- -init
-
- # generic access to sysfs_type
- -ueventd
- -vold
-} sysfs_leds:file *;
-')
-
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
-full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -dexoptanalyzer
- -idmap
- -init
- -installd
- -heapprofd
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- } vendor_app_file:dir { open read getattr search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -dexoptanalyzer
- -idmap
- -init
- -installd
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- -mediaserver
- } vendor_app_file:file r_file_perms;
-')
-
-full_treble_only(`
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -iorap_inode2filename
- -iorap_prefetcherd
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- -app_zygote
- -webview_zygote
- -zygote
- -heapprofd
- } vendor_overlay_file:dir { getattr open read search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -iorap_inode2filename
- -iorap_prefetcherd
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- -app_zygote
- -webview_zygote
- -zygote
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- } vendor_overlay_file:file open;
-')
-
-# Core domains are not permitted to use kernel interfaces which are not
-# explicitly labeled.
-# TODO(b/65643247): Apply these neverallow rules to all coredomain.
-full_treble_only(`
- # /proc
- neverallow {
- coredomain
- -init
- -vold
- } proc:file no_rw_file_perms;
-
- # /sys
- neverallow {
- coredomain
- -init
- -ueventd
- -vold
- } sysfs:file no_rw_file_perms;
-
- # /dev
- neverallow {
- coredomain
- -fsck
- -init
- -ueventd
- } device:{ blk_file file } no_rw_file_perms;
-
- # debugfs
- neverallow {
- coredomain
- no_debugfs_restriction(`
- -dumpstate
- -init
- -system_server
- ')
- } debugfs:file no_rw_file_perms;
-
- # tracefs
- neverallow {
- coredomain
- -atrace
- -dumpstate
- -gpuservice
- -init
- -traced_perf
- -traced_probes
- -shell
- -system_server
- -traceur_app
- userdebug_or_eng(`-profcollectd')
- } debugfs_tracing:file no_rw_file_perms;
-
- # inotifyfs
- neverallow {
- coredomain
- -init
- } inotify:file no_rw_file_perms;
-
- # pstorefs
- neverallow {
- coredomain
- -bootstat
- -charger
- -dumpstate
- -healthd
- userdebug_or_eng(`-incidentd')
- -init
- -logd
- -logpersist
- -recovery_persist
- -recovery_refresh
- -shell
- -system_server
- } pstorefs:file no_rw_file_perms;
-
- # configfs
- neverallow {
- coredomain
- -init
- -system_server
- } configfs:file no_rw_file_perms;
-
- # functionfs
- neverallow {
- coredomain
- -adbd
- -init
- -mediaprovider
- -system_server
- } functionfs:file no_rw_file_perms;
-
- # usbfs and binfmt_miscfs
- neverallow {
- coredomain
- -init
- }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-
- # dmabuf heaps
- neverallow {
- coredomain
- -init
- -ueventd
- }{
- dmabuf_heap_device_type
- -dmabuf_system_heap_device
- -dmabuf_system_secure_heap_device
- }:chr_file no_rw_file_perms;
-')
-
-# Following /dev nodes must not be directly accessed by coredomain, but should
-# instead be wrapped by HALs.
-neverallow coredomain {
- iio_device
- radio_device
-}:chr_file { open read append write ioctl };
-
-# TODO(b/120243891): HAL permission to tee_device is included into coredomain
-# on non-Treble devices.
-full_treble_only(`
- neverallow coredomain tee_device:chr_file { open read append write ioctl };
-')
diff --git a/microdroid/sepolicy/system/private/cppreopts.te b/microdroid/sepolicy/system/private/cppreopts.te
deleted file mode 100644
index 1192ba6..0000000
--- a/microdroid/sepolicy/system/private/cppreopts.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# cppreopts
-#
-# This command copies preopted files from the system_b partition to the data
-# partition. This domain ensures that we are only copying into specific
-# directories.
-
-type cppreopts, domain, mlstrustedsubject, coredomain;
-type cppreopts_exec, system_file_type, exec_type, file_type;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
-
-# Allow cppreopts copy files into the dalvik-cache
-allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow cppreopts shell_exec:file rx_file_perms;
-
-# Allow us to run find on /postinstall
-allow cppreopts system_file:dir { open read };
-
-# Allow running the cp command using cppreopts permissions. Needed so we can
-# write into dalvik-cache
-allow cppreopts toolbox_exec:file rx_file_perms;
-
-# Silence the denial when /postinstall cannot be mounted, e.g., system_other
-# is wiped, but cppreopts.sh still runs.
-dontaudit cppreopts postinstall_mnt_dir:dir search;
diff --git a/microdroid/sepolicy/system/private/crash_dump.te b/microdroid/sepolicy/system/private/crash_dump.te
index 9233a4d..90587fa 100644
--- a/microdroid/sepolicy/system/private/crash_dump.te
+++ b/microdroid/sepolicy/system/private/crash_dump.te
@@ -1,3 +1,50 @@
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+allow crash_dump kmsg_debug_device:chr_file { open append };
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read all /vendor
+r_dir_file(crash_dump, vendor_file)
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+# crash_dump writes out logcat logs at the bottom of tombstones,
+# which is super useful in some cases.
+unix_socket_connect(crash_dump, logdr, logd)
+
+# Crash dump is not intended to access the following files. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+ core_data_file_type
+ vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
+dontaudit crash_dump property_type:file read;
+
+# Suppress denials for files in /proc that are passed
+# across exec().
+dontaudit crash_dump proc_type:file rw_file_perms;
+
typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
@@ -6,57 +53,19 @@
allow crash_dump {
domain
-apexd
- -bpfloader
-crash_dump
-init
-kernel
-keystore
- -llkd
-logd
-ueventd
-vendor_init
- -vold
}:process { ptrace signal sigchld sigstop sigkill };
-# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
userdebug_or_eng(`
allow crash_dump {
apexd
keystore
- llkd
logd
- vold
}:process { ptrace signal sigchld sigstop sigkill };
')
-
-###
-### neverallow assertions
-###
-
-# ptrace neverallow assertions are spread throughout the other policy
-# files, so we avoid adding redundant assertions here
-
-neverallow crash_dump {
- apexd
- userdebug_or_eng(`-apexd')
- bpfloader
- init
- kernel
- keystore
- userdebug_or_eng(`-keystore')
- llkd
- userdebug_or_eng(`-llkd')
- logd
- userdebug_or_eng(`-logd')
- ueventd
- vendor_init
- vold
- userdebug_or_eng(`-vold')
-}:process { signal sigstop sigkill };
-
-neverallow crash_dump self:process ptrace;
-neverallow crash_dump gpu_device:chr_file *;
-
-# Read ART APEX data directory
-allow crash_dump apex_art_data_file:dir { getattr search };
-allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/microdroid/sepolicy/system/private/credstore.te b/microdroid/sepolicy/system/private/credstore.te
deleted file mode 100644
index 8d87e2f..0000000
--- a/microdroid/sepolicy/system/private/credstore.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute credstore coredomain;
-
-init_daemon_domain(credstore)
-
-# talk to Identity Credential
-hal_client_domain(credstore, hal_identity)
diff --git a/microdroid/sepolicy/system/private/crosvm.te b/microdroid/sepolicy/system/private/crosvm.te
deleted file mode 100644
index f7729fd..0000000
--- a/microdroid/sepolicy/system/private/crosvm.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type crosvm, domain, coredomain;
-type crosvm_exec, system_file_type, exec_type, file_type;
-type crosvm_tmpfs, file_type;
-
-# Let crosvm create temporary files.
-tmpfs_domain(crosvm)
-
-# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
-
-# Let crosvm open /dev/kvm.
-allow crosvm kvm_device:chr_file rw_file_perms;
-
-# Most other domains shouldn't access /dev/kvm.
-neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
-neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
diff --git a/microdroid/sepolicy/system/private/dex2oat.te b/microdroid/sepolicy/system/private/dex2oat.te
deleted file mode 100644
index 28d8b9a..0000000
--- a/microdroid/sepolicy/system/private/dex2oat.te
+++ /dev/null
@@ -1,109 +0,0 @@
-# dex2oat
-type dex2oat, domain, coredomain;
-type dex2oat_exec, system_file_type, exec_type, file_type;
-
-userfaultfd_use(dex2oat)
-
-r_dir_file(dex2oat, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dex2oat, vendor_app_file)
-# Access /vendor/framework
-allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read map };
-
-allow dex2oat tmpfs:file { read getattr map };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
-allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dex2oat system_file:file lock;
-allow dex2oat postinstall_file:file lock;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file { read map };
-allow dex2oat unlabeled:file { read map };
-allow dex2oat oemfs:file { read map };
-allow dex2oat apk_tmp_file:dir search;
-allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock map };
-
-# Allow dex2oat to compile app's secondary dex files which were reported back to
-# the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
-
-# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
-allow dex2oat apex_module_data_file:dir search;
-
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
-allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
-
-# Allow dex2oat to write to file descriptors from odrefresh for files
-# in the staging area.
-allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
-allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
-
-# Allow dex2oat to read artifacts from odrefresh.
-allow dex2oat apex_art_data_file:dir r_dir_perms;
-allow dex2oat apex_art_data_file:file r_file_perms;
-
-# Allow dex2oat to read runtime native flag properties.
-get_prop(dex2oat, device_config_runtime_native_prop)
-get_prop(dex2oat, device_config_runtime_native_boot_prop)
-
-# Allow dex2oat to read /apex/apex-info-list.xml
-allow dex2oat apex_info_file:file r_file_perms;
-
-##################
-# A/B OTA Dexopt #
-##################
-
-# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat postinstall_dexopt:fd use;
-
-# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
-allow dex2oat postinstall_file:dir r_dir_perms;
-allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file { getattr read };
-allow dex2oat postinstall_file:file read;
-# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
-# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
-allow dex2oat postinstall_file:file { execute getattr open };
-
-# Allow dex2oat access to /postinstall/apex.
-allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-
-# Allow dex2oat access to files in /data/ota.
-allow dex2oat ota_data_file:dir ra_dir_perms;
-allow dex2oat ota_data_file:file r_file_perms;
-
-# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
-# where the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file { create read };
-
-# It would be nice to tie this down, but currently, because of how images are written, we can't
-# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
-# create them itself (and make them world-readable).
-allow dex2oat ota_data_file:file { create w_file_perms setattr };
-
-###############
-# APEX Update #
-###############
-
-# /dev/zero is inherited.
-allow dex2oat apexd:fd use;
-
-# Allow dex2oat to use file descriptors from preinstall.
-
-##############
-# Neverallow #
-##############
-
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/microdroid/sepolicy/system/private/dexoptanalyzer.te b/microdroid/sepolicy/system/private/dexoptanalyzer.te
deleted file mode 100644
index d194acb..0000000
--- a/microdroid/sepolicy/system/private/dexoptanalyzer.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
-type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
-type dexoptanalyzer_tmpfs, file_type;
-
-r_dir_file(dexoptanalyzer, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dexoptanalyzer, vendor_app_file)
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexoptanalyzer vs other
-# processes.
-tmpfs_domain(dexoptanalyzer)
-
-userfaultfd_use(dexoptanalyzer)
-
-# Allow dexoptanalyzer to read files in the dalvik cache.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-
-# Allow dexoptanalyzer to read files in the ART APEX data directory.
-allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
-allow dexoptanalyzer apex_art_data_file:file r_file_perms;
-
-# Allow dexoptanalyzer to use file descriptors from odrefresh.
-allow dexoptanalyzer odrefresh:fd use;
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow dexoptanalyzer odsign:fd use;
-allow dexoptanalyzer odsign_devpts:chr_file { read write };
-
-allow dexoptanalyzer installd:fd use;
-allow dexoptanalyzer installd:fifo_file { getattr write };
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dexoptanalyzer system_file:file lock;
-
-# Allow reading secondary dex files that were reported by the app to the
-# package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
-
-# Allow testing /data/user/0 which symlinks to /data/data
-allow dexoptanalyzer system_data_file:lnk_file { getattr };
-
-# Allow query ART device config properties
-get_prop(dexoptanalyzer, device_config_runtime_native_prop)
-get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/dhcp.te b/microdroid/sepolicy/system/private/dhcp.te
deleted file mode 100644
index 8ec9111..0000000
--- a/microdroid/sepolicy/system/private/dhcp.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute dhcp coredomain;
-
-init_daemon_domain(dhcp)
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
diff --git a/microdroid/sepolicy/system/private/dnsmasq.te b/microdroid/sepolicy/system/private/dnsmasq.te
deleted file mode 100644
index 96084b4..0000000
--- a/microdroid/sepolicy/system/private/dnsmasq.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute dnsmasq coredomain;
diff --git a/microdroid/sepolicy/system/private/domain.te b/microdroid/sepolicy/system/private/domain.te
index e979f3e..da811ed 100644
--- a/microdroid/sepolicy/system/private/domain.te
+++ b/microdroid/sepolicy/system/private/domain.te
@@ -1,544 +1,252 @@
-# Transition to crash_dump when /system/bin/crash_dump* is executed.
-# This occurs when the process crashes.
-# We do not apply this to the su domain to avoid interfering with
-# tests (b/114136122)
-domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
-allow domain crash_dump:process sigchld;
+# Rules for all domains.
-# Allow every process to check the heapprofd.enable properties to determine
-# whether to load the heap profiling library. This does not necessarily enable
-# heap profiling, as initialization will fail if it does not have the
-# necessary SELinux permissions.
-get_prop(domain, heapprofd_prop);
-# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap({
- domain
- -bpfloader
- -init
- -kernel
- -keystore
- -llkd
- -logd
- -logpersist
- -recovery
- -recovery_persist
- -recovery_refresh
- -ueventd
- -vendor_init
- -vold
-})')
+# Allow reaping by init.
+allow domain init:process sigchld;
-# As above, allow perf profiling most processes on debug builds.
-# zygote is excluded as system-wide profiling could end up with it
-# (unexpectedly) holding an open fd across a fork.
-userdebug_or_eng(`can_profile_perf({
- domain
- -bpfloader
- -init
- -kernel
- -keystore
- -llkd
- -logd
- -logpersist
- -recovery
- -recovery_persist
- -recovery_refresh
- -ueventd
- -vendor_init
- -vold
- -zygote
-})')
+# Intra-domain accesses.
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net_type:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-# Everyone can access the IncFS list of features.
-r_dir_file(domain, sysfs_fs_incfs_features);
+# Inherit or receive open files from others.
+allow domain init:fd use;
+# Root fs.
+allow domain tmpfs:dir { getattr search };
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
+
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
+
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
+allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+allow domain property_contexts_file:file r_file_perms;
+
+allow domain init:key search;
+
+# logd access
+unix_socket_send(domain, logdw, logd)
+
+# Directory/link file access for path resolution.
+allow domain {
+ system_file
+ system_lib_file
+ system_seccomp_policy_file
+ system_security_cacerts_file
+}:dir r_dir_perms;
+allow domain system_file:lnk_file { getattr read };
+
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
+
+allow domain system_event_log_tags_file:file r_file_perms;
+
+allow coredomain system_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr map };
+
+# Allow all domains to be able to follow /system/vendor and/or
+# /vendor/odm symlinks.
+allow domain vendor_file_type:lnk_file { getattr open read };
+
+# This is required to be able to search & read /vendor/lib64
+# in order to lookup vendor libraries. The execute permission
+# for coredomains is granted *only* for same process HALs
+allow domain vendor_file:dir { getattr search };
+
+# Allow reading and executing out of /vendor to all vendor domains
+allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
+allow coredomain system_data_file:dir getattr;
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
+allow domain system_data_root_file:dir { search getattr } ;
+allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to an allowlist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this allowlist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default allowlist for unix sockets.
+allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+ ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# All domains must clearly enumerate what ioctls they use
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets). We start off with a safe set.
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
+
+# If a domain has ioctl access to tun_device, it must clearly enumerate the
+# ioctls used. Safe defaults are listed below.
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
+
+# Allow a process to make a determination whether a file descriptor
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this allowlist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
+allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir { getattr search };
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
+allow domain self:global_capability_class_set audit_control;
+allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+
+# workaround for supressing property accesses.
+# TODO: remove these
+set_prop(domain, property_type -vmsecret_keymint_prop)
+# auditallow { domain -init } property_type:property_service set;
+# auditallow { domain -init } property_type:file rw_file_perms;
+
+allow domain linkerconfig_file:dir search;
+allow domain linkerconfig_file:file r_file_perms;
+
+#-----------------------------------------
# Path resolution access in cgroups.
allow domain cgroup:dir search;
-allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup:file w_file_perms;
+allow { domain } cgroup:dir w_dir_perms;
+allow { domain } cgroup:file w_file_perms;
allow domain cgroup_v2:dir search;
-allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+allow { domain } cgroup_v2:dir w_dir_perms;
+allow { domain } cgroup_v2:file w_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
-allow domain vendor_task_profiles_file:file r_file_perms;
-# Allow all domains to read sys.use_memfd to determine
-# if memfd support can be used if device supports it
-get_prop(domain, use_memfd_prop);
-
-# Read access to sdkextensions props
-get_prop(domain, module_sdkextensions_prop)
-
-# Read access to bq configuration values
-get_prop(domain, bq_config_prop);
-
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-not_compatible_property(`
- # DO NOT ADD ANY PROPERTIES HERE
- get_prop(domain, core_property_type)
- get_prop(domain, exported3_system_prop)
- get_prop(domain, vendor_default_prop)
-')
-compatible_property_only(`
- # DO NOT ADD ANY PROPERTIES HERE
- get_prop({coredomain appdomain shell}, core_property_type)
- get_prop({coredomain appdomain shell}, exported3_system_prop)
- get_prop({coredomain appdomain shell}, exported_camera_prop)
- get_prop({coredomain shell}, userspace_reboot_exported_prop)
- get_prop({coredomain shell}, userspace_reboot_log_prop)
- get_prop({coredomain shell}, userspace_reboot_test_prop)
- get_prop({domain -coredomain -appdomain}, vendor_default_prop)
-')
-
+#-----------------------------------------
# Allow access to fsverity keyring.
allow domain kernel:key search;
-# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain fsverity_init:key search;
-# For testing purposes, allow access to keys installed with su.
-userdebug_or_eng(`
- allow domain su:key search;
-')
-# Allow access to linkerconfig file
-allow domain linkerconfig_file:dir search;
-allow domain linkerconfig_file:file r_file_perms;
-
-# Allow all processes to check for the existence of the boringssl_self_test_marker files.
-allow domain boringssl_self_test_marker:dir search;
-
-# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
-neverallow {
- domain
- -vold
- userdebug_or_eng(`-llkd')
- -dumpstate
- userdebug_or_eng(`-incidentd')
- userdebug_or_eng(`-profcollectd')
- -storaged
- -system_server
-} self:global_capability_class_set sys_ptrace;
-
-# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
-neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
-neverallow { domain -system_server } *:keystore2_key use_dev_id;
-neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
-
-neverallow {
- domain
- -init
- -vendor_init
- userdebug_or_eng(`-domain')
-} debugfs_tracing_debug:file no_rw_file_perms;
-
-# System_server owns dropbox data, and init creates/restorecons the directory
-# Disallow direct access by other processes.
-neverallow { domain -init -system_server } dropbox_data_file:dir *;
-neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
-
-###
-# Services should respect app sandboxes
-neverallow {
- domain
- -appdomain
- -installd # creation of sandbox
-} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
-
-# Only the following processes should be directly accessing private app
-# directories.
-neverallow {
- domain
- -adbd
- -appdomain
- -app_zygote
- -dexoptanalyzer
- -installd
- -iorap_inode2filename
- -iorap_prefetcherd
- -profman
- -rs # spawned by appdomain, so carryover the exception above
- -runas
- -system_server
- -viewcompiler
- -zygote
-} { privapp_data_file app_data_file }:dir *;
-
-# Only apps should be modifying app data. installd is exempted for
-# restorecon and package install/uninstall.
-neverallow {
- domain
- -appdomain
- -installd
- -rs # spawned by appdomain, so carryover the exception above
-} { privapp_data_file app_data_file }:dir ~r_dir_perms;
-
-neverallow {
- domain
- -appdomain
- -app_zygote
- -installd
- -iorap_prefetcherd
- -rs # spawned by appdomain, so carryover the exception above
-} { privapp_data_file app_data_file }:file_class_set open;
-
-neverallow {
- domain
- -appdomain
- -installd # creation of sandbox
-} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
-
-neverallow {
- domain
- -installd
-} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
-
-# The staging directory contains APEX and APK files. It is important to ensure
-# that these files cannot be accessed by other domains to ensure that the files
-# do not change between system_server staging the files and apexd processing
-# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
-neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
-# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
-# except for `link` and `unlink`.
-neverallow { domain -init -system_server } staging_data_file:file
- { append create relabelfrom rename setattr write no_x_file_perms };
-
-neverallow {
- domain
- -appdomain # for oemfs
- -bootanim # for oemfs
- -recovery # for /tmp/update_binary in tmpfs
- -microdroid_app -microdroid_manager # for executing shared libs on /mnt/apk in Microdroid
-} { fs_type -rootfs }:file execute;
-
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
-# Executable files loaded from /data is a persistence vector
-# we want to avoid. See
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-#
-neverallow {
- domain
- -appdomain
- with_asan(`-asan_extract')
- -iorap_prefetcherd
- -shell
- userdebug_or_eng(`-su')
- -system_server_startup # for memfd backed executable regions
- -app_zygote
- -webview_zygote
- -zygote
- userdebug_or_eng(`-mediaextractor')
- userdebug_or_eng(`-mediaswcodec')
-} {
- file_type
- -system_file_type
- -system_lib_file
- -system_linker_exec
- -vendor_file_type
- -exec_type
- -postinstall_file
-}:file execute;
-
-# Only init is allowed to write cgroup.rc file
-neverallow {
- domain
- -init
- -vendor_init
-} cgroup_rc_file:file no_w_file_perms;
-
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -zygote
- -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
-# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
-# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
-neverallow {
- domain
- # art processes
- -odrefresh
- -odsign
- # others
- -apexd
- -init
- -vold_prepare_subdirs
-} apex_art_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- # art processes
- -odrefresh
- -odsign
- # others
- -apexd
- -init
- -vold_prepare_subdirs
-} apex_art_data_file:dir no_w_dir_perms;
-
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -apex_art_data_file
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-# Minimize dac_override and dac_read_search.
-# Instead of granting them it is usually better to add the domain to
-# a Unix group or change the permissions of a file.
-define(`dac_override_allowed', `{
- apexd
- dnsmasq
- dumpstate
- init
- installd
- userdebug_or_eng(`llkd')
- lmkd
- migrate_legacy_obb_data
- netd
- postinstall_dexopt
- recovery
- rss_hwm_reset
- sdcardd
- tee
- ueventd
- uncrypt
- vendor_init
- vold
- vold_prepare_subdirs
- zygote
-}')
-neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
-# Since the kernel checks dac_read_search before dac_override, domains that
-# have dac_override should also have dac_read_search to eliminate spurious
-# denials. Some domains have dac_read_search without having dac_override, so
-# this list should be a superset of the one above.
-neverallow ~{
- dac_override_allowed
- iorap_inode2filename
- iorap_prefetcherd
- traced_perf
- traced_probes
- heapprofd
-} self:global_capability_class_set dac_read_search;
-
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
- domain
- -apexd
- recovery_only(`-fastbootd')
- -init
- -kernel
- -otapreopt_chroot
- -recovery
- -update_engine
- -vold
- -zygote
- -zipfuse
-} { fs_type
- -sdcard_type
-}:filesystem { mount remount relabelfrom relabelto };
-
-enforce_debugfs_restriction(`
- neverallow {
- domain userdebug_or_eng(`-init')
- } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
-')
-
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
-neverallow {
- domain
- userdebug_or_eng(`-domain')
- -kernel
- -gsid
- -init
- -recovery
- -ueventd
- -healthd
- -uncrypt
- -tee
- -hal_bootctl_server
- -fastbootd
-} self:global_capability_class_set sys_rawio;
-
-# Limit directory operations that doesn't need to do app data isolation.
-neverallow {
- domain
- -init
- -installd
- -zygote
-} mirror_data_file:dir *;
-
-# This property is being removed. Remove remaining access.
-neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
-neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
-
-# Only core domains are allowed to access package_manager properties
-neverallow { domain -init -system_server } pm_prop:property_service set;
-neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
-
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
-
-# Kprobes should only be used by adb root
-neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
-
-# On TREBLE devices, most coredomains should not access vendor_files.
-# TODO(b/71553434): Remove exceptions here.
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -bootanim
- -crash_dump
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -init
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel
- -traced_perf
- -ueventd
- } vendor_file:file { no_w_file_perms no_x_file_perms open };
-')
-
-# Vendor domains are not permitted to initiate communications to core domain sockets
-full_treble_only(`
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -tombstoned # linker to tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
- });
-')
-
-full_treble_only(`
- # Do not allow system components access to /vendor files except for the
- # ones allowed here.
- neverallow {
- coredomain
- # TODO(b/37168747): clean up fwk access to /vendor
- -crash_dump
- -init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel # loads /vendor/firmware
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -shell
- -system_executes_vendor_violators
- -traced_perf # library/binary access for symbolization
- -ueventd # reads /vendor/ueventd.rc
- -vold # loads incremental fs driver
- } {
- vendor_file_type
- -same_process_hal_file
- -vendor_app_file
- -vendor_apex_file
- -vendor_configs_file
- -vendor_service_contexts_file
- -vendor_framework_file
- -vendor_idc_file
- -vendor_keychars_file
- -vendor_keylayout_file
- -vendor_overlay_file
- -vendor_public_framework_file
- -vendor_public_lib_file
- -vendor_task_profiles_file
- -vndk_sp_file
- }:file *;
-')
-
-# mlsvendorcompat is only for compatibility support for older vendor
-# images, and should not be granted to any domain in current policy.
-# (Every domain is allowed self:fork, so this will trigger if the
-# intsersection of domain & mlsvendorcompat is not empty.)
-neverallow domain mlsvendorcompat:process fork;
-
-# Only init and otapreopt_chroot should be mounting filesystems on locations
-# labeled system or vendor (/product and /vendor respectively).
-# In microdroid, zipfuse is allowed mounton /mnt/apk.
-neverallow { domain -init -otapreopt_chroot -zipfuse } { system_file_type vendor_file_type }:dir_file_class_set mounton;
-
-# Only allow init and vendor_init to read/write mm_events properties
-# NOTE: dumpstate is allowed to read any system property
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
-} mm_events_config_prop:file no_rw_file_perms;
-
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
-neverallow {
- domain
- -init
- userdebug_or_eng(`-profcollectd')
- -vendor_init
- -traced_probes
- -traced_perf
-} proc_kallsyms:file { open read };
-
-# debugfs_kcov type is not included in this neverallow statement since the KCOV
-# tool uses it for kernel fuzzing.
-# vendor_modprobe is also exempted since the kernel modules it loads may create
-# debugfs files in its context.
-enforce_debugfs_restriction(`
- neverallow {
- domain
- -vendor_modprobe
- userdebug_or_eng(`
- -init
- -hal_dumpstate
- ')
- } { debugfs_type
- userdebug_or_eng(`-debugfs_kcov')
- -tracefs_type
- }:file no_rw_file_perms;
-')
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+# We do not apply this to the su domain to avoid interfering with
+# tests (b/114136122)
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
diff --git a/microdroid/sepolicy/system/private/drmserver.te b/microdroid/sepolicy/system/private/drmserver.te
deleted file mode 100644
index 8449c3e..0000000
--- a/microdroid/sepolicy/system/private/drmserver.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute drmserver coredomain;
-
-init_daemon_domain(drmserver)
-
-type_transition drmserver apk_data_file:sock_file drmserver_socket;
-
-typeattribute drmserver_socket coredomain_socket;
-
-get_prop(drmserver, drm_service_config_prop)
diff --git a/microdroid/sepolicy/system/private/dumpstate.te b/microdroid/sepolicy/system/private/dumpstate.te
deleted file mode 100644
index 37a9a0c..0000000
--- a/microdroid/sepolicy/system/private/dumpstate.te
+++ /dev/null
@@ -1,115 +0,0 @@
-typeattribute dumpstate coredomain;
-type dumpstate_tmpfs, file_type;
-
-init_daemon_domain(dumpstate)
-
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
-# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
-allow dumpstate system_file:file lock;
-
-allow dumpstate storaged_exec:file rx_file_perms;
-
-# /data/misc/a11ytrace for accessibility traces
-userdebug_or_eng(`
- allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
- allow dumpstate accessibility_trace_data_file:file r_file_perms;
-')
-
-# /data/misc/wmtrace for wm traces
-userdebug_or_eng(`
- allow dumpstate wm_trace_data_file:dir r_dir_perms;
- allow dumpstate wm_trace_data_file:file r_file_perms;
-')
-
-# Allow dumpstate to make binder calls to incidentd
-binder_call(dumpstate, incidentd)
-
-# Allow dumpstate to make binder calls to storaged service
-binder_call(dumpstate, storaged)
-
-# Allow dumpstate to make binder calls to statsd
-binder_call(dumpstate, statsd)
-
-# Allow dumpstate to talk to gpuservice over binder
-binder_call(dumpstate, gpuservice);
-
-# Allow dumpstate to talk to idmap over binder
-binder_call(dumpstate, idmap);
-
-# Allow dumpstate to talk to profcollectd over binder
-userdebug_or_eng(`
- binder_call(dumpstate, profcollectd)
-')
-
-# Collect metrics on boot time created by init
-get_prop(dumpstate, boottime_prop)
-
-# Signal native processes to dump their stack.
-allow dumpstate {
- mediatranscoding
- statsd
- netd
-}:process signal;
-
-userdebug_or_eng(`
- allow dumpstate keystore:process signal;
-')
-
-# For collecting bugreports.
-no_debugfs_restriction(`
- allow dumpstate debugfs_wakeup_sources:file r_file_perms;
-')
-
-allow dumpstate dev_type:blk_file getattr;
-allow dumpstate webview_zygote:process signal;
-allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
-dontaudit dumpstate update_engine:binder call;
-
-# Read files in /proc
-allow dumpstate {
- proc_net_tcp_udp
- proc_pid_max
-}:file r_file_perms;
-
-# For comminucating with the system process to do confirmation ui.
-binder_call(dumpstate, incidentcompanion_service)
-
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-set_prop(dumpstate, exported_dumpstate_prop)
-
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
-# Allow dumpstate to kill vendor dumpstate service by init
-set_prop(dumpstate, ctl_dumpstate_prop)
-
-# For dumping dynamic partition information.
-set_prop(dumpstate, lpdumpd_prop)
-binder_call(dumpstate, lpdumpd)
-
-# For dumping device-mapper and snapshot information.
-allow dumpstate gsid_exec:file rx_file_perms;
-set_prop(dumpstate, ctl_gsid_prop)
-binder_call(dumpstate, gsid)
-
-r_dir_file(dumpstate, ota_metadata_file)
-
-# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
-# is being recorded, the command above will serialize it into
-# /data/misc/perfetto-traces/bugreport/*.pftrace .
-domain_auto_trans(dumpstate, perfetto_exec, perfetto)
-allow dumpstate perfetto:process signal;
-allow dumpstate perfetto_traces_data_file:dir { search };
-allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
-
-# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
-# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
-# zip file. These rules are to allow perfetto.te to inherit dumpstate's
-# /dev/null.
-allow perfetto dumpstate_tmpfs:file rw_file_perms;
-allow perfetto dumpstate:fd use;
diff --git a/microdroid/sepolicy/system/private/ephemeral_app.te b/microdroid/sepolicy/system/private/ephemeral_app.te
deleted file mode 100644
index e004891..0000000
--- a/microdroid/sepolicy/system/private/ephemeral_app.te
+++ /dev/null
@@ -1,95 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-typeattribute ephemeral_app coredomain;
-
-net_domain(ephemeral_app)
-app_domain(ephemeral_app)
-
-# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow ephemeral_app privapp_data_file:file { r_file_perms execute };
-allow ephemeral_app app_data_file:file { r_file_perms execute };
-
-# Follow priv-app symlinks. This is used for dynamite functionality.
-allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
-
-# Allow the renderscript compiler to be run.
-domain_auto_trans(ephemeral_app, rs_exec, rs)
-
-# Allow loading and deleting shared libraries created by trusted system
-# components within an application home directory.
-allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
-
-# services
-allow ephemeral_app audioserver_service:service_manager find;
-allow ephemeral_app cameraserver_service:service_manager find;
-allow ephemeral_app mediaserver_service:service_manager find;
-allow ephemeral_app mediaextractor_service:service_manager find;
-allow ephemeral_app mediametrics_service:service_manager find;
-allow ephemeral_app mediadrmserver_service:service_manager find;
-allow ephemeral_app drmserver_service:service_manager find;
-allow ephemeral_app radio_service:service_manager find;
-allow ephemeral_app ephemeral_app_api_service:service_manager find;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(ephemeral_app)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(ephemeral_app)
-can_profile_perf(ephemeral_app)
-
-# allow ephemeral apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow ephemeral_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-allow ephemeral_app ashmem_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
-
-# Receive or send uevent messages.
-neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow ephemeral_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
-
-# execute gpu_device
-neverallow ephemeral_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow ephemeral_app sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/fastbootd.te b/microdroid/sepolicy/system/private/fastbootd.te
deleted file mode 100644
index 0174faa..0000000
--- a/microdroid/sepolicy/system/private/fastbootd.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute fastbootd coredomain;
-
-# The allow rules are only included in the recovery policy.
-# Otherwise fastbootd is only allowed the domain rules.
-recovery_only(`
- # Reboot the device
- set_prop(fastbootd, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(fastbootd, serialno_prop)
-
- # Set sys.usb.ffs.ready.
- get_prop(fastbootd, ffs_config_prop)
- set_prop(fastbootd, ffs_control_prop)
-
- userdebug_or_eng(`
- get_prop(fastbootd, persistent_properties_ready_prop)
- ')
-
- set_prop(fastbootd, gsid_prop)
-
- # Determine allocation scheme (whether B partitions needs to be
- # at the second half of super.
- get_prop(fastbootd, virtual_ab_prop)
-
- # Needed for TCP protocol
- allow fastbootd node:tcp_socket node_bind;
- allow fastbootd port:tcp_socket name_bind;
- allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
-
- # Start snapuserd for merging VABC updates
- set_prop(fastbootd, ctl_snapuserd_prop)
-
- # Needed to communicate with snapuserd to complete merges.
- allow fastbootd snapuserd_socket:sock_file write;
- allow fastbootd snapuserd:unix_stream_socket connectto;
- allow fastbootd dm_user_device:dir r_dir_perms;
-
- # Get fastbootd protocol property
- get_prop(fastbootd, fastbootd_protocol_prop)
-
- # Mount /metadata to interact with Virtual A/B snapshots.
- allow fastbootd labeledfs:filesystem { mount unmount };
-')
diff --git a/microdroid/sepolicy/system/private/file.te b/microdroid/sepolicy/system/private/file.te
index 0f7e689..1989d7e 100644
--- a/microdroid/sepolicy/system/private/file.te
+++ b/microdroid/sepolicy/system/private/file.te
@@ -1,67 +1,12 @@
-# /proc/config.gz
-type config_gz, fs_type, proc_type;
-
-# /data/misc/storaged
-type storaged_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/wmtrace for wm traces
-type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/a11ytrace for accessibility traces
-type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-traces for perfetto traces
-type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
-type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-configs for perfetto configs
-type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
-
-# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
-type debugfs_kcov, fs_type, debugfs_type;
-
-# App executable files in /data/data directories
-type app_exec_data_file, file_type, data_file_type, core_data_file_type;
-typealias app_exec_data_file alias rs_data_file;
-
-# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
-# of application data.
-type rollback_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/gsi/ota
-type ota_image_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/gsi_persistent_data
-type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/emergencynumberdb
-type emergency_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/profcollectd
-type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/apexdata/com.android.art
-type apex_art_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/apexdata/com.android.art/staging
-type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/font/files
-type font_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/odrefresh
-type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/odsign
-type odsign_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/virtualizationservice
-type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/system/environ
-type environ_system_data_file, file_type, data_file_type, core_data_file_type;
-
-# /dev/kvm
-type kvm_device, dev_type;
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow proc_net proc:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow system_data_file tmpfs:filesystem associate;
diff --git a/microdroid/sepolicy/system/private/file_contexts b/microdroid/sepolicy/system/private/file_contexts
index 4318bb0..97e756d 100644
--- a/microdroid/sepolicy/system/private/file_contexts
+++ b/microdroid/sepolicy/system/private/file_contexts
@@ -64,11 +64,11 @@
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
@@ -153,7 +153,6 @@
#
/data u:object_r:system_data_root_file:s0
/data/(.*)? u:object_r:system_data_file:s0
-/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
@@ -161,3 +160,7 @@
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+
+# microdroid doesn't use anr, but tombstoned tries to read this.
+# So marking /data/anr as tombstone_data_file
+/data/anr(/.*)? u:object_r:tombstone_data_file:s0
diff --git a/microdroid/sepolicy/system/private/fingerprintd.te b/microdroid/sepolicy/system/private/fingerprintd.te
deleted file mode 100644
index eb73ef8..0000000
--- a/microdroid/sepolicy/system/private/fingerprintd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute fingerprintd coredomain;
-
-init_daemon_domain(fingerprintd)
diff --git a/microdroid/sepolicy/system/private/flags_health_check.te b/microdroid/sepolicy/system/private/flags_health_check.te
deleted file mode 100644
index 55d1a9a..0000000
--- a/microdroid/sepolicy/system/private/flags_health_check.te
+++ /dev/null
@@ -1,32 +0,0 @@
-typeattribute flags_health_check coredomain;
-
-init_daemon_domain(flags_health_check)
-
-set_prop(flags_health_check, device_config_boot_count_prop)
-set_prop(flags_health_check, device_config_reset_performed_prop)
-set_prop(flags_health_check, device_config_runtime_native_boot_prop)
-set_prop(flags_health_check, device_config_runtime_native_prop)
-set_prop(flags_health_check, device_config_input_native_boot_prop)
-set_prop(flags_health_check, device_config_netd_native_prop)
-set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_media_native_prop)
-set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
-set_prop(flags_health_check, device_config_statsd_native_prop)
-set_prop(flags_health_check, device_config_statsd_native_boot_prop)
-set_prop(flags_health_check, device_config_storage_native_boot_prop)
-set_prop(flags_health_check, device_config_swcodec_native_prop)
-set_prop(flags_health_check, device_config_sys_traced_prop)
-set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_configuration_prop)
-set_prop(flags_health_check, device_config_connectivity_prop)
-
-# system property device_config_boot_count_prop is used for deciding when to perform server
-# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
-# wrong timing, trigger server configurable flag related disaster recovery, which will override
-# server configured values of all flags with default values.
-neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
-
-# system property device_config_reset_performed_prop is used for indicating whether server
-# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
diff --git a/microdroid/sepolicy/system/private/fsck.te b/microdroid/sepolicy/system/private/fsck.te
deleted file mode 100644
index 4d68fa5..0000000
--- a/microdroid/sepolicy/system/private/fsck.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute fsck coredomain;
-
-init_daemon_domain(fsck)
-
-allow fsck metadata_block_device:blk_file rw_file_perms;
-
-allow fsck vd_device:blk_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/fsck_untrusted.te b/microdroid/sepolicy/system/private/fsck_untrusted.te
deleted file mode 100644
index 9a57bf0..0000000
--- a/microdroid/sepolicy/system/private/fsck_untrusted.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute fsck_untrusted coredomain;
diff --git a/microdroid/sepolicy/system/private/fsverity_init.te b/microdroid/sepolicy/system/private/fsverity_init.te
deleted file mode 100644
index 42d142f..0000000
--- a/microdroid/sepolicy/system/private/fsverity_init.te
+++ /dev/null
@@ -1,25 +0,0 @@
-type fsverity_init, domain, coredomain;
-type fsverity_init_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(fsverity_init)
-
-# Allow to read /proc/keys for searching key id.
-allow fsverity_init proc_keys:file r_file_perms;
-
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit fsverity_init init:key view;
-dontaudit fsverity_init vold:key view;
-allow fsverity_init kernel:key { view search write setattr };
-allow fsverity_init fsverity_init:key { view search write };
-
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow fsverity_init proc_fs_verity:file w_file_perms;
-
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/microdroid/sepolicy/system/private/fwk_bufferhub.te b/microdroid/sepolicy/system/private/fwk_bufferhub.te
deleted file mode 100644
index 6b69cca..0000000
--- a/microdroid/sepolicy/system/private/fwk_bufferhub.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type fwk_bufferhub, domain, coredomain;
-type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
-allow fwk_bufferhub ion_device:chr_file r_file_perms;
-
-hal_server_domain(fwk_bufferhub, hal_bufferhub)
-init_daemon_domain(fwk_bufferhub)
diff --git a/microdroid/sepolicy/system/private/gatekeeperd.te b/microdroid/sepolicy/system/private/gatekeeperd.te
deleted file mode 100644
index 2fb88a3..0000000
--- a/microdroid/sepolicy/system/private/gatekeeperd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute gatekeeperd coredomain;
-
-init_daemon_domain(gatekeeperd)
-
-# For checking whether GSI is running
-get_prop(gatekeeperd, gsid_prop)
diff --git a/microdroid/sepolicy/system/private/gki_apex_prepostinstall.te b/microdroid/sepolicy/system/private/gki_apex_prepostinstall.te
deleted file mode 100644
index 1155389..0000000
--- a/microdroid/sepolicy/system/private/gki_apex_prepostinstall.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# GKI pre- & post-install hooks.
-#
-# Allow to run pre- and post-install hooks for GKI APEXes
-
-type gki_apex_prepostinstall, domain, coredomain;
-type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
-
-# Execute /system/bin/sh.
-allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
-
-# Execute various toolsbox utilities.
-allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
-
-# Allow preinstall.sh to execute update_engine_stable_client binary.
-allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
-
-# Allow preinstall hook to communicate with update_engine to execute update.
-binder_use(gki_apex_prepostinstall)
-allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
-binder_call(gki_apex_prepostinstall, update_engine)
-
-# /dev/zero is inherited although it is not used. See b/126787589.
-allow gki_apex_prepostinstall apexd:fd use;
diff --git a/microdroid/sepolicy/system/private/gmscore_app.te b/microdroid/sepolicy/system/private/gmscore_app.te
deleted file mode 100644
index 571d155..0000000
--- a/microdroid/sepolicy/system/private/gmscore_app.te
+++ /dev/null
@@ -1,140 +0,0 @@
-###
-### A domain for further sandboxing the PrebuiltGMSCore app.
-###
-typeattribute gmscore_app coredomain;
-
-app_domain(gmscore_app)
-
-allow gmscore_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(gmscore_app, sysfs_net)
-# Read access to /sys/block/zram*/mm_stat
-r_dir_file(gmscore_app, sysfs_zram)
-
-r_dir_file(gmscore_app, rootfs)
-
-# Allow GMS core to open kernel config for OTA matching through libvintf
-allow gmscore_app config_gz:file { open read getattr };
-
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(gmscore_app, update_engine)
-allow gmscore_app update_engine_service:service_manager find;
-
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(gmscore_app, storaged)
-allow gmscore_app storaged_service:service_manager find;
-
-# Allow GMS core to access system_update_service (e.g. to publish pending
-# system update info).
-allow gmscore_app system_update_service:service_manager find;
-
-# Allow GMS core to communicate with statsd.
-binder_call(gmscore_app, statsd)
-
-# Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
-allow gmscore_app keystore:keystore2_key gen_unique_id;
-
-# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
-allow gmscore_app selinuxfs:file r_file_perms;
-
-# suppress denials for non-API accesses.
-dontaudit gmscore_app exec_type:file r_file_perms;
-dontaudit gmscore_app device:dir r_dir_perms;
-dontaudit gmscore_app fs_bpf:dir r_dir_perms;
-dontaudit gmscore_app net_dns_prop:file r_file_perms;
-dontaudit gmscore_app proc:file r_file_perms;
-dontaudit gmscore_app proc_interrupts:file r_file_perms;
-dontaudit gmscore_app proc_modules:file r_file_perms;
-dontaudit gmscore_app proc_net:file r_file_perms;
-dontaudit gmscore_app proc_stat:file r_file_perms;
-dontaudit gmscore_app proc_version:file r_file_perms;
-dontaudit gmscore_app sysfs:dir r_dir_perms;
-dontaudit gmscore_app sysfs:file r_file_perms;
-dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
-dontaudit gmscore_app sysfs_dm:file r_file_perms;
-dontaudit gmscore_app sysfs_loop:file r_file_perms;
-dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
-dontaudit gmscore_app mirror_data_file:dir search;
-dontaudit gmscore_app mnt_vendor_file:dir search;
-
-# Access the network
-net_domain(gmscore_app)
-
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow gmscore_app self:process ptrace;
-
-# Allow loading executable code from writable priv-app home
-# directories. This is a W^X violation, however, it needs
-# to be supported for now for the following reasons.
-# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
-# 1) com.android.opengl.shaders_cache
-# 2) com.android.skia.shaders_cache
-# 3) com.android.renderscript.cache
-# * /data/user_de/0/com.google.android.gms/app_chimera
-# TODO: Tighten (b/112357170)
-allow gmscore_app privapp_data_file:file execute;
-
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow gmscore_app system_linker_exec:file execute_no_trans;
-
-allow gmscore_app privapp_data_file:lnk_file create_file_perms;
-
-# /proc access
-allow gmscore_app proc_vmstat:file r_file_perms;
-
-# Allow interaction with gpuservice
-binder_call(gmscore_app, gpuservice)
-allow gmscore_app gpu_service:service_manager find;
-
-# find services that expose both @SystemAPI and normal APIs.
-allow gmscore_app app_api_service:service_manager find;
-allow gmscore_app system_api_service:service_manager find;
-allow gmscore_app audioserver_service:service_manager find;
-allow gmscore_app cameraserver_service:service_manager find;
-allow gmscore_app drmserver_service:service_manager find;
-allow gmscore_app mediadrmserver_service:service_manager find;
-allow gmscore_app mediaextractor_service:service_manager find;
-allow gmscore_app mediametrics_service:service_manager find;
-allow gmscore_app mediaserver_service:service_manager find;
-allow gmscore_app network_watchlist_service:service_manager find;
-allow gmscore_app nfc_service:service_manager find;
-allow gmscore_app oem_lock_service:service_manager find;
-allow gmscore_app persistent_data_block_service:service_manager find;
-allow gmscore_app radio_service:service_manager find;
-allow gmscore_app recovery_service:service_manager find;
-allow gmscore_app stats_service:service_manager find;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow gmscore_app shell_data_file:file r_file_perms;
-allow gmscore_app shell_data_file:dir r_dir_perms;
-
-# Write to /cache.
-allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow gmscore_app cache_file:lnk_file r_file_perms;
-
-# Write to /data/ota_package for OTA packages.
-allow gmscore_app ota_package_file:dir rw_dir_perms;
-allow gmscore_app ota_package_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow gmscore_app shell_data_file:file r_file_perms;
-allow gmscore_app shell_data_file:dir r_dir_perms;
-
-# b/18504118: Allow reads from /data/anr/traces.txt
-allow gmscore_app anr_data_file:file r_file_perms;
-
-# b/148974132: com.android.vending needs this
-allow gmscore_app priv_app:tcp_socket { read write };
-
-# b/168059475 Allow GMSCore to read Virtual AB properties to determine
-# if device supports VAB.
-get_prop(gmscore_app, virtual_ab_prop)
-
-# b/186488185: Allow GMSCore to read dck properties
-get_prop(gmscore_app, dck_prop)
diff --git a/microdroid/sepolicy/system/private/gpuservice.te b/microdroid/sepolicy/system/private/gpuservice.te
deleted file mode 100644
index 2e4254c..0000000
--- a/microdroid/sepolicy/system/private/gpuservice.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# gpuservice - server for gpu stats and other gpu related services
-typeattribute gpuservice coredomain;
-type gpuservice_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(gpuservice)
-
-binder_call(gpuservice, adbd)
-binder_call(gpuservice, shell)
-binder_call(gpuservice, system_server)
-binder_use(gpuservice)
-
-# Access the GPU.
-allow gpuservice gpu_device:chr_file rw_file_perms;
-
-# GPU service will need to load GPU driver, for example Vulkan driver in order
-# to get the capability of the driver.
-allow gpuservice same_process_hal_file:file { open read getattr execute map };
-allow gpuservice ion_device:chr_file r_file_perms;
-get_prop(gpuservice, hwservicemanager_prop)
-hwbinder_use(gpuservice)
-
-# Access /dev/graphics/fb0.
-allow gpuservice graphics_device:dir search;
-allow gpuservice graphics_device:chr_file rw_file_perms;
-
-# Needed for dumpsys pipes.
-allow gpuservice shell:fifo_file write;
-
-# Needed for perfetto producer.
-perfetto_producer(gpuservice)
-
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow gpuservice adbd:unix_stream_socket { read write getattr };
-
-# Needed for interactive shell
-allow gpuservice devpts:chr_file { read write getattr };
-
-# Needed for dumpstate to dumpsys gpu.
-allow gpuservice dumpstate:fd use;
-allow gpuservice dumpstate:fifo_file write;
-
-# Needed for stats callback registration to statsd.
-allow gpuservice stats_service:service_manager find;
-allow gpuservice statsmanager_service:service_manager find;
-# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
-binder_call(gpuservice, statsd);
-
-# Needed for reading tracepoint ids in order to attach bpf programs.
-allow gpuservice debugfs_tracing:file r_file_perms;
-allow gpuservice self:perf_event { cpu kernel open write };
-neverallow gpuservice self:perf_event ~{ cpu kernel open write };
-
-# Needed for interact with bpf fs.
-allow gpuservice fs_bpf:dir search;
-allow gpuservice fs_bpf:file read;
-
-# Needed for enable the bpf program and read the map.
-allow gpuservice bpfloader:bpf { map_read prog_run };
-
-# Needed for getting a prop to ensure bpf programs loaded.
-get_prop(gpuservice, bpf_progs_loaded_prop)
-
-add_service(gpuservice, gpu_service)
-
-# Only uncomment below line when in development
-# userdebug_or_eng(`permissive gpuservice;')
diff --git a/microdroid/sepolicy/system/private/gsid.te b/microdroid/sepolicy/system/private/gsid.te
deleted file mode 100644
index 8a13cb1..0000000
--- a/microdroid/sepolicy/system/private/gsid.te
+++ /dev/null
@@ -1,200 +0,0 @@
-# gsid - Manager for GSI Installation
-
-type gsid, domain;
-type gsid_exec, exec_type, file_type, system_file_type;
-typeattribute gsid coredomain;
-
-init_daemon_domain(gsid)
-
-binder_use(gsid)
-binder_service(gsid)
-add_service(gsid, gsi_service)
-
-# Manage DSU metadata encryption key through vold.
-allow gsid vold_service:service_manager find;
-binder_call(gsid, vold)
-
-set_prop(gsid, gsid_prop)
-
-# Needed to create/delete device-mapper nodes, and read/write to them.
-allow gsid dm_device:chr_file rw_file_perms;
-allow gsid dm_device:blk_file rw_file_perms;
-allow gsid self:global_capability_class_set sys_admin;
-dontaudit gsid self:global_capability_class_set dac_override;
-
-# On FBE devices (not using dm-default-key), gsid will use loop devices to map
-# images rather than device-mapper.
-allow gsid loop_control_device:chr_file rw_file_perms;
-allow gsid loop_device:blk_file rw_file_perms;
-allowxperm gsid loop_device:blk_file ioctl {
- LOOP_GET_STATUS64
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_CLR_FD
- BLKFLSBUF
-};
-
-# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
-# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
-# file names.
-r_dir_file(gsid, sysfs_dm)
-
-# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
-# whether pin_file support is enabled.
-r_dir_file(gsid, sysfs_fs_f2fs)
-
-# Needed to read fstab, which is used to validate that system verity does not
-# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
-# to get the A/B slot suffix).
-allow gsid proc_cmdline:file r_file_perms;
-allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
-allow gsid sysfs_dt_firmware_android:file r_file_perms;
-
-# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
-allow gsid block_device:dir r_dir_perms;
-
-# liblp queries these block alignment properties.
-allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
- BLKIOMIN
- BLKALIGNOFF
-};
-
-# When installing images to an sdcard, gsid needs to be able to stat() the
-# block device. gsid also calls realpath() to remove symlinks.
-allow gsid mnt_media_rw_file:dir r_dir_perms;
-allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
-
-# When installing images to an sdcard, gsid must bypass sdcardfs and install
-# directly to vfat, which supports the FIBMAP ioctl.
-allow gsid vfat:dir create_dir_perms;
-allow gsid vfat:file create_file_perms;
-allow gsid sdcard_block_device:blk_file r_file_perms;
-# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
-# requirement, but the kernel does not implement FIEMAP support for VFAT.
-allow gsid self:global_capability_class_set sys_rawio;
-
-# Allow rules for gsi_tool.
-userdebug_or_eng(`
- # gsi_tool passes the system image over the adb connection, via stdin.
- allow gsid adbd:fd use;
- # Needed when running gsi_tool through "su root" rather than adb root.
- allow gsid adbd:unix_stream_socket rw_socket_perms;
- # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
- allow gsid { shell su }:fifo_file r_file_perms;
- # Allow installing images from /storage/emulated/...
- allow gsid sdcard_type:file r_file_perms;
-')
-
-neverallow {
- domain
- -gsid
- -init
- -update_engine_common
- -recovery
- -fastbootd
-} gsid_prop:property_service set;
-
-# gsid needs to store images on /data, but cannot use file I/O. If it did, the
-# underlying blocks would be encrypted, and we couldn't mount the GSI image in
-# first-stage init. So instead of directly writing to /data, we:
-#
-# 1. fallocate a file large enough to hold the signed GSI
-# 2. extract its block layout with FIEMAP
-# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
-# 4. write system_gsi into that dm device
-#
-# To make this process work, we need to unwrap the device-mapper stacking for
-# userdata to reach the underlying block device. To verify the result we use
-# stat(), which requires read access.
-allow gsid userdata_block_device:blk_file r_file_perms;
-
-# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
-# init. It cannot use userdata since data cannot be decrypted during this
-# stage.
-#
-# gsid uses /metadata/gsi to store three files:
-# install_status - A short string indicating whether a GSI image is bootable.
-# lp_metadata - LpMetadata blob describing the block ranges on userdata
-# where system_gsi resides.
-# booted - An empty file that, if exists, indicates that a GSI is
-# currently running.
-#
-allow gsid metadata_file:dir { search getattr };
-allow gsid {
- gsi_metadata_file_type
-}:dir create_dir_perms;
-
-allow gsid {
- ota_metadata_file
-}:dir rw_dir_perms;
-
-allow gsid {
- gsi_metadata_file_type
- ota_metadata_file
-}:file create_file_perms;
-
-# Allow restorecon to fix context of gsi_public_metadata_file.
-allow gsid file_contexts_file:file r_file_perms;
-allow gsid gsi_metadata_file:file relabelfrom;
-allow gsid gsi_public_metadata_file:file relabelto;
-
-allow gsid {
- gsi_data_file
- ota_image_data_file
-}:dir rw_dir_perms;
-allow gsid {
- gsi_data_file
- ota_image_data_file
-}:file create_file_perms;
-allowxperm gsid {
- gsi_data_file
- ota_image_data_file
-}:file ioctl {
- FS_IOC_FIEMAP
- FS_IOC_GETFLAGS
-};
-
-allow gsid system_server:binder call;
-
-# Prevent most processes from writing to gsi_metadata_file_type, but allow
-# adding rules for path resolution of gsi_public_metadata_file and reading
-# gsi_public_metadata_file.
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
-} gsi_metadata_file_type:dir no_w_dir_perms;
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
-} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
-} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
-
-# Prevent apps from accessing gsi_metadata_file_type.
-neverallow {
- appdomain
- -shell
-} gsi_metadata_file_type:dir_file_class_set *;
-
-neverallow {
- domain
- -init
- -gsid
-} gsi_data_file:dir_file_class_set *;
-
-neverallow {
- domain
- -gsid
-} gsi_data_file:file_class_set ~{ relabelto getattr };
diff --git a/microdroid/sepolicy/system/private/hal_allocator_default.te b/microdroid/sepolicy/system/private/hal_allocator_default.te
deleted file mode 100644
index 7aa28aa..0000000
--- a/microdroid/sepolicy/system/private/hal_allocator_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_allocator_default, domain, coredomain;
-hal_server_domain(hal_allocator_default, hal_allocator)
-
-type hal_allocator_default_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_allocator_default)
diff --git a/microdroid/sepolicy/system/private/hal_lazy_test.te b/microdroid/sepolicy/system/private/hal_lazy_test.te
deleted file mode 100644
index 93cf235..0000000
--- a/microdroid/sepolicy/system/private/hal_lazy_test.te
+++ /dev/null
@@ -1,3 +0,0 @@
-userdebug_or_eng(`
- hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
-')
diff --git a/microdroid/sepolicy/system/private/halclientdomain.te b/microdroid/sepolicy/system/private/halclientdomain.te
index 9dcd3ee..5f2afb3 100644
--- a/microdroid/sepolicy/system/private/halclientdomain.te
+++ b/microdroid/sepolicy/system/private/halclientdomain.te
@@ -6,8 +6,5 @@
# binderized/out-of-process mode
hwbinder_use(halclientdomain)
-# Used to wait for hwservicemanager
-get_prop(halclientdomain, hwservicemanager_prop)
-
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/microdroid/sepolicy/system/private/halserverdomain.te b/microdroid/sepolicy/system/private/halserverdomain.te
deleted file mode 100644
index f36e0e7..0000000
--- a/microdroid/sepolicy/system/private/halserverdomain.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###
-### Rules for all domains which offer a HAL service over HwBinder
-###
-
-# Register the HAL service with hwservicemanager
-hwbinder_use(halserverdomain)
-
-# Find HAL implementations
-allow halserverdomain system_file:dir r_dir_perms;
-
-# Used to wait for hwservicemanager
-get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/microdroid/sepolicy/system/private/healthd.te b/microdroid/sepolicy/system/private/healthd.te
deleted file mode 100644
index 93bc3d8..0000000
--- a/microdroid/sepolicy/system/private/healthd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-typeattribute healthd coredomain;
-
-init_daemon_domain(healthd)
-
-# Allow healthd to serve health HAL
-hal_server_domain(healthd, hal_health)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported3_system_prop)
diff --git a/microdroid/sepolicy/system/private/heapprofd.te b/microdroid/sepolicy/system/private/heapprofd.te
deleted file mode 100644
index 246f936..0000000
--- a/microdroid/sepolicy/system/private/heapprofd.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# Android heap profiling daemon. go/heapprofd.
-#
-# On user builds, this daemon is responsible for receiving the initial
-# profiling configuration, finding matching target processes (if profiling by
-# process name), and sending the activation signal to them (+ setting system
-# properties for new processes to start profiling from startup). When profiling
-# is triggered in a process, it spawns a private heapprofd subprocess (in its
-# own SELinux domain), which will exclusively handle profiling of its parent.
-#
-# On debug builds, this central daemon performs profiling for all target
-# processes (which talk directly to this daemon).
-type heapprofd_exec, exec_type, file_type, system_file_type;
-type heapprofd_tmpfs, file_type;
-
-init_daemon_domain(heapprofd)
-tmpfs_domain(heapprofd)
-
-# Allow apps in other MLS contexts (for multi-user) to access
-# shared memory buffers created by heapprofd.
-typeattribute heapprofd_tmpfs mlstrustedobject;
-
-set_prop(heapprofd, heapprofd_prop);
-
-# Necessary for /proc/[pid]/cmdline access & sending signals.
-typeattribute heapprofd mlstrustedsubject;
-
-# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
-# SIGCHLD, which are controlled by separate permissions.
-allow heapprofd self:capability kill;
-
-# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only allowlisted domains will be allowed by SELinux. Avoid
-# spamming logs with denials for entries that we can not access.
-dontaudit heapprofd domain:dir { search open };
-
-# Write trace data to the Perfetto traced daemon. This requires connecting to
-# its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(heapprofd)
-
-# When handling profiling for all processes, heapprofd needs to read
-# executables/libraries/etc to do stack unwinding.
-r_dir_file(heapprofd, nativetest_data_file)
-r_dir_file(heapprofd, system_file_type)
-r_dir_file(heapprofd, apex_art_data_file)
-r_dir_file(heapprofd, apk_data_file)
-r_dir_file(heapprofd, dalvikcache_data_file)
-r_dir_file(heapprofd, vendor_file_type)
-r_dir_file(heapprofd, shell_test_data_file)
-# Some dex files are not world-readable.
-# We are still constrained by the SELinux rules above.
-allow heapprofd self:global_capability_class_set dac_read_search;
-
-# For checking profileability.
-allow heapprofd packages_list_file:file r_file_perms;
-
-# This is going to happen on user but is benign because central heapprofd
-# does not actually need these permission.
-# If the dac_read_search capability check is rejected, the kernel then tries
-# to perform a dac_override capability check, so we need to dontaudit that
-# as well.
-dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
-
-never_profile_heap(`{
- bpfloader
- init
- kernel
- keystore
- llkd
- logd
- ueventd
- vendor_init
- vold
-}')
-
-full_treble_only(`
- neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
-')
diff --git a/microdroid/sepolicy/system/private/hidl_lazy_test_server.te b/microdroid/sepolicy/system/private/hidl_lazy_test_server.te
deleted file mode 100644
index 04e8c9f..0000000
--- a/microdroid/sepolicy/system/private/hidl_lazy_test_server.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type hidl_lazy_test_server, domain;
-type hidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
-
-userdebug_or_eng(`
- typeattribute hidl_lazy_test_server coredomain;
- init_daemon_domain(hidl_lazy_test_server)
- hal_server_domain(hidl_lazy_test_server, hal_lazy_test)
-')
diff --git a/microdroid/sepolicy/system/private/hwservice.te b/microdroid/sepolicy/system/private/hwservice.te
deleted file mode 100644
index b7ba4d7..0000000
--- a/microdroid/sepolicy/system/private/hwservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/microdroid/sepolicy/system/private/hwservicemanager.te b/microdroid/sepolicy/system/private/hwservicemanager.te
index e1fde43..17456db 100644
--- a/microdroid/sepolicy/system/private/hwservicemanager.te
+++ b/microdroid/sepolicy/system/private/hwservicemanager.te
@@ -2,8 +2,24 @@
init_daemon_domain(hwservicemanager)
+allow hwservicemanager vendor_configs_file:file { open getattr };
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
+
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
-
-set_prop(hwservicemanager, ctl_interface_start_prop)
-set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/microdroid/sepolicy/system/private/idmap.te b/microdroid/sepolicy/system/private/idmap.te
deleted file mode 100644
index c982783..0000000
--- a/microdroid/sepolicy/system/private/idmap.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute idmap coredomain;
-
-init_daemon_domain(idmap)
diff --git a/microdroid/sepolicy/system/private/incident.te b/microdroid/sepolicy/system/private/incident.te
deleted file mode 100644
index db9ae86..0000000
--- a/microdroid/sepolicy/system/private/incident.te
+++ /dev/null
@@ -1,37 +0,0 @@
-typeattribute incident coredomain;
-
-type incident_exec, system_file_type, exec_type, file_type;
-
-# switch to incident domain for incident command
-domain_auto_trans(shell, incident_exec, incident)
-domain_auto_trans(dumpstate, incident_exec, incident)
-
-# allow incident access to stdout from its parent shell.
-allow incident shell:fd use;
-
-# allow incident to communicate with dumpstate, and write incident report to
-# /data/data/com.android.shell/files/bugreports/tmp_incident_report
-allow incident dumpstate:fd use;
-allow incident dumpstate:unix_stream_socket { read write };
-allow incident shell_data_file:file write;
-
-# allow incident be able to output data for CTS to fetch.
-allow incident devpts:chr_file { read write };
-
-# allow incident to communicate use, read and write over the adb
-# connection.
-allow incident adbd:fd use;
-allow incident adbd:unix_stream_socket { read write };
-
-# allow adbd to reap incident
-allow incident adbd:process { sigchld };
-
-# Allow the incident command to talk to the incidentd over the binder, and get
-# back the incident report data from a ParcelFileDescriptor.
-binder_use(incident)
-allow incident incident_service:service_manager find;
-binder_call(incident, incidentd)
-allow incident incidentd:fifo_file write;
-
-# only allow incident being called by shell or dumpstate
-neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
diff --git a/microdroid/sepolicy/system/private/incident_helper.te b/microdroid/sepolicy/system/private/incident_helper.te
deleted file mode 100644
index b453855..0000000
--- a/microdroid/sepolicy/system/private/incident_helper.te
+++ /dev/null
@@ -1,14 +0,0 @@
-typeattribute incident_helper coredomain;
-
-type incident_helper_exec, system_file_type, exec_type, file_type;
-
-# switch to incident_helper domain for incident_helper command
-domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
-
-# use pipe to transmit data from/to incidentd/incident_helper for parsing
-allow incident_helper { shell incident incidentd dumpstate }:fd use;
-allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
-allow incident_helper incidentd:unix_stream_socket { read write };
-
-# only allow incidentd and shell to call incident_helper
-neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/microdroid/sepolicy/system/private/incidentd.te b/microdroid/sepolicy/system/private/incidentd.te
deleted file mode 100644
index ef191a2..0000000
--- a/microdroid/sepolicy/system/private/incidentd.te
+++ /dev/null
@@ -1,210 +0,0 @@
-typeattribute incidentd coredomain;
-typeattribute incidentd mlstrustedsubject;
-
-init_daemon_domain(incidentd)
-type incidentd_exec, system_file_type, exec_type, file_type;
-binder_use(incidentd)
-wakelock_use(incidentd)
-
-# Allow incidentd to scan through /proc/pid for all processes
-r_dir_file(incidentd, domain)
-
-# Allow incidentd to kill incident_helper when timeout
-allow incidentd incident_helper:process sigkill;
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow incidentd system_file:file execute_no_trans;
-allow incidentd toolbox_exec:file rx_file_perms;
-
-# section id 1002, allow reading kernel version /proc/version
-allow incidentd proc_version:file r_file_perms;
-
-# section id 1116, allow accessing statsd socket
-unix_socket_send(incidentd, statsdw, statsd)
-
-# section id 2001, allow reading /proc/pagetypeinfo
-allow incidentd proc_pagetypeinfo:file r_file_perms;
-
-# section id 2002, allow reading /d/wakeup_sources
-no_debugfs_restriction(`
- allow incidentd debugfs_wakeup_sources:file r_file_perms;
-')
-
-# section id 2003, allow executing top
-allow incidentd proc_meminfo:file { open read };
-
-# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
-allow incidentd sysfs_devices_system_cpu:file r_file_perms;
-
-# section id 2005, allow reading ps dump in full
-allow incidentd domain:process getattr;
-
-# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
-allow incidentd sysfs_batteryinfo:dir { search };
-allow incidentd sysfs_batteryinfo:file r_file_perms;
-
-# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
-userdebug_or_eng(`allow incidentd pstorefs:dir search');
-userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
-
-# section id 3023, allow obtaining stats report
-allow incidentd stats_service:service_manager find;
-binder_call(incidentd, statsd)
-
-# section id 3026, allow reading /data/misc/perfetto-traces.
-allow incidentd perfetto_traces_data_file:dir r_dir_perms;
-allow incidentd perfetto_traces_data_file:file r_file_perms;
-
-# section id 3052, allow accessing nfc_service
-allow incidentd nfc_service:service_manager find;
-
-# Create and write into /data/misc/incidents
-allow incidentd incident_data_file:dir rw_dir_perms;
-allow incidentd incident_data_file:file create_file_perms;
-
-# Enable incidentd to get stack traces.
-binder_use(incidentd)
-hwbinder_use(incidentd)
-allow incidentd hwservicemanager:hwservice_manager { list };
-get_prop(incidentd, hwservicemanager_prop)
-allow incidentd hidl_manager_hwservice:hwservice_manager { find };
-
-# Read files in /proc
-allow incidentd {
- proc_cmdline
- proc_pid_max
- proc_pipe_conf
- proc_stat
-}:file r_file_perms;
-
-# Signal java processes to dump their stack and get the results
-allow incidentd { appdomain ephemeral_app system_server }:process signal;
-
-# Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in incidentd/utils.c
-allow incidentd {
- # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediametrics
- mediaserver
- sdcardd
- statsd
- surfaceflinger
-
- # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_codec2_server
- hal_face_server
- hal_graphics_allocator_server
- hal_graphics_composer_server
- hal_health_server
- hal_omx_server
- hal_sensors_server
- hal_vr_server
-}:process signal;
-
-# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, system_server)
-binder_call(incidentd, appdomain)
-
-# Reading /proc/PID/maps of other processes
-userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
-# incidentd has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow incidentd *:process ptrace;
-
-allow incidentd self:global_capability_class_set {
- # Send signals to processes
- kill
-};
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
-
-# Run a shell.
-allow incidentd shell_exec:file rx_file_perms;
-
-# For running am, incident-helper-cmd and similar framework commands.
-# Run /system/bin/app_process.
-allow incidentd zygote_exec:file { rx_file_perms };
-# Access the runtime feature flag properties.
-get_prop(incidentd, device_config_runtime_native_prop)
-get_prop(incidentd, device_config_runtime_native_boot_prop)
-# ART locks profile files.
-allow incidentd system_file:file lock;
-# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
-dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
-dontaudit incidentd apex_module_data_file:dir r_dir_perms;
-dontaudit incidentd apex_art_data_file:dir r_dir_perms;
-dontaudit incidentd tmpfs:file rwx_file_perms;
-
-# logd access - work to be done is a PII safe log (possibly an event log?)
-userdebug_or_eng(`read_logd(incidentd)')
-# TODO control_logd(incidentd)
-
-# Access /data/misc/logd
-r_dir_file(incidentd, misc_logd_file)
-
-# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
-allow incidentd {
- system_server_service
- app_api_service
- system_api_service
-}:service_manager find;
-
-# Only incidentd can publish the binder service
-add_service(incidentd, incident_service)
-
-# Allow pipes only from dumpstate and incident
-allow incidentd { dumpstate incident }:fd use;
-allow incidentd { dumpstate incident }:fifo_file write;
-
-# Allow incident to call back to incident with status updates.
-binder_call(incidentd, incident)
-
-# Read device serial number from system properties
-# This is used to track reports from lab testing devices
-userdebug_or_eng(`
- get_prop(incidentd, serialno_prop)
-')
-
-# Read ro.boot.bootreason, persist.sys.boot.bootreason
-# This is used to track reports from lab testing devices
-userdebug_or_eng(`
- get_prop(incidentd, bootloader_boot_reason_prop);
- get_prop(incidentd, system_boot_reason_prop);
- get_prop(incidentd, last_boot_reason_prop);
-')
-
-###
-### neverallow rules
-###
-# only incidentd and the other root services in limited circumstances
-# can get to the files in /data/misc/incidents
-#
-# write, execute, append are forbidden almost everywhere
-neverallow { domain -incidentd -init -vold } incident_data_file:file {
- w_file_perms
- x_file_perms
- create
- rename
- setattr
- unlink
- append
-};
-# read is also allowed by system_server, for when the file is handed to dropbox
-neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
-# limited access to the directory itself
-neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
-
diff --git a/microdroid/sepolicy/system/private/init.te b/microdroid/sepolicy/system/private/init.te
index 99afd84..ff3f6f5 100644
--- a/microdroid/sepolicy/system/private/init.te
+++ b/microdroid/sepolicy/system/private/init.te
@@ -2,35 +2,9 @@
tmpfs_domain(init)
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-domain_auto_trans(init, charger_exec, charger)
-domain_auto_trans(init, e2fs_exec, e2fs)
-domain_auto_trans(init, bpfloader_exec, bpfloader)
-
-recovery_only(`
- # Files in recovery image are labeled as rootfs.
- domain_trans(init, rootfs, adbd)
- domain_trans(init, rootfs, charger)
- domain_trans(init, rootfs, fastbootd)
- domain_trans(init, rootfs, recovery)
- domain_trans(init, rootfs, linkerconfig)
- domain_trans(init, rootfs, snapuserd)
-')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
-domain_trans(init, { rootfs toolbox_exec }, modprobe)
-userdebug_or_eng(`
- # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
- domain_auto_trans(init, logcat_exec, logpersist)
-
- # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
- allow init su:process transition;
- dontaudit init su:process noatsecure;
- allow init su:process { siginh rlimitinh };
-')
# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
# This is useful in case of remounting ext4 userdata into checkpointing mode,
@@ -38,67 +12,435 @@
# that userdata is mounted onto.
allow init sysfs_dm:file read;
-# Allow init to write to the drop_caches file.
-allow init proc_drop_caches:file rw_file_perms;
-
-# Allow the BoringSSL self test to request a reboot upon failure
-set_prop(init, powerctl_prop)
-
-# Only init is allowed to set userspace reboot related properties.
-set_prop(init, userspace_reboot_exported_prop)
-neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
-
# Second-stage init performs a test for whether the kernel has SELinux hooks
# for the perf_event_open() syscall. This is done by testing for the syscall
# outcomes corresponding to this policy.
-# TODO(b/137092007): this can be removed once the platform stops supporting
-# kernels that precede the perf_event_open hooks (Android common kernels 4.4
-# and 4.9).
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
-neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
-# Allow init to communicate with snapuserd to transition Virtual A/B devices
-# from the first-stage daemon to the second-stage.
-allow init snapuserd_socket:sock_file write;
-allow init snapuserd:unix_stream_socket connectto;
-# Allow for libsnapshot's use of flock() on /metadata/ota.
-allow init ota_metadata_file:dir lock;
-
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;
-# Only init is allowed to set the sysprop indicating whether perf_event_open()
-# SELinux hooks were detected.
-set_prop(init, init_perf_lsm_hooks_prop)
-neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
-
-# Only init can write vts.native_server.on
-set_prop(init, vts_status_prop)
-neverallow { domain -init } vts_status_prop:property_service set;
-
-# Only init can write normal ro.boot. properties
-neverallow { domain -init } bootloader_prop:property_service set;
-
-# Only init can write hal.instrumentation.enable
-neverallow { domain -init } hal_instrumentation_prop:property_service set;
-
-# Only init can write ro.property_service.version
-neverallow { domain -init } property_service_version_prop:property_service set;
-
-# Only init can set keystore.boot_level
-neverallow { domain -init } keystore_listen_prop:property_service set;
-
-# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
-allow init debugfs_bootreceiver_tracing:file w_file_perms;
-
# chown/chmod on devices.
allow init {
dev_type
-hw_random_device
- -keychord_device
-kvm_device
- -port_device
}:chr_file setattr;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device dm_user_device }:dir relabelto;
+# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
+allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init {
+ rootfs
+ cgroup
+ linkerconfig_file
+ system_data_file
+ system_data_root_file
+ system_file
+ vendor_file
+}:dir mounton;
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set { dac_override dac_read_search };
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init {
+ fs_type
+}:filesystem ~relabelto;
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+ file_type
+ -exec_type
+ -system_file_type
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -exec_type
+ -keystore_data_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -apex_info_file
+ -exec_type
+ -keystore_data_file
+ -runtime_event_log_tags_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
+allow init {
+ file_type
+ -exec_type
+ -keystore_data_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -apex_mnt_dir
+ -exec_type
+ -keystore_data_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -system_file_type
+ -vendor_file_type
+ -exec_type
+}:dir_file_class_set relabelto;
+
+allow init { sysfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# chown/chmod on pseudo files.
+allow init {
+ fs_type
+ -contextmount_type
+ -proc_type
+ -fusefs_type
+ -sysfs_type
+ -rootfs
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
+
+allow init {
+ binder_device
+ console_device
+ devpts
+ dm_device
+ hwbinder_device
+ kmsg_device
+ null_device
+ owntty_device
+ ptmx_device
+ random_device
+ tty_device
+ zero_device
+}:chr_file { read open };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
+
+allow init {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
+
+allow init {
+ proc_abi
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net_type
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory # /proc/sys/vm/overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_bootconfig
+ proc_kmsg
+ proc_net
+ proc_pagetypeinfo
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_sysrq
+ proc_qtaguid_ctrl
+ proc_vmallocinfo
+}:file setattr;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_dm_verity
+ sysfs_leds
+ sysfs_power
+ sysfs_fs_f2fs
+ sysfs_dm
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+ sysfs_fs_ext4_features
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_SET_FD
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
+};
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+ sysfs_zram
+}:file setattr;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
+# init is using bootstrap bionic
+allow init system_bootstrap_lib_file:dir r_dir_perms;
+allow init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
+set_prop(init, property_type)
diff --git a/microdroid/sepolicy/system/private/inputflinger.te b/microdroid/sepolicy/system/private/inputflinger.te
deleted file mode 100644
index 9696b49..0000000
--- a/microdroid/sepolicy/system/private/inputflinger.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute inputflinger coredomain;
-
-init_daemon_domain(inputflinger)
diff --git a/microdroid/sepolicy/system/private/installd.te b/microdroid/sepolicy/system/private/installd.te
deleted file mode 100644
index c89ba8b..0000000
--- a/microdroid/sepolicy/system/private/installd.te
+++ /dev/null
@@ -1,45 +0,0 @@
-typeattribute installd coredomain;
-
-init_daemon_domain(installd)
-
-# Run migrate_legacy_obb_data.sh in its own sandbox.
-domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
-allow installd shell_exec:file rx_file_perms;
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Run viewcompiler in its own sandbox.
-domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
-# For collecting bugreports.
-allow installd dumpstate:fd use;
-allow installd dumpstate:fifo_file r_file_perms;
-
-# Delete /system/bin/bcc generated artifacts
-allow installd app_exec_data_file:file unlink;
-
-# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
-# subsequently restore them.
-allow installd rollback_data_file:dir create_dir_perms;
-allow installd rollback_data_file:file create_file_perms;
-
-# Allow installd to access the runtime feature flag properties.
-get_prop(installd, device_config_runtime_native_prop)
-get_prop(installd, device_config_runtime_native_boot_prop)
-
-# Allow installd to access apk verity feature flag (for legacy case).
-get_prop(installd, apk_verity_prop)
-
-# Allow installd to delete files in /data/staging
-allow installd staging_data_file:file unlink;
-allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/microdroid/sepolicy/system/private/iorap_inode2filename.te b/microdroid/sepolicy/system/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb262..0000000
--- a/microdroid/sepolicy/system/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/microdroid/sepolicy/system/private/iorap_prefecherd.te b/microdroid/sepolicy/system/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512..0000000
--- a/microdroid/sepolicy/system/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/microdroid/sepolicy/system/private/iorapd.te b/microdroid/sepolicy/system/private/iorapd.te
deleted file mode 100644
index 73acec9..0000000
--- a/microdroid/sepolicy/system/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/isolated_app.te b/microdroid/sepolicy/system/private/isolated_app.te
deleted file mode 100644
index 71749c0..0000000
--- a/microdroid/sepolicy/system/private/isolated_app.te
+++ /dev/null
@@ -1,153 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-typeattribute isolated_app coredomain;
-
-app_domain(isolated_app)
-
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
-
-# Allow access to network sockets received over IPC. New socket creation is not
-# permitted.
-allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
-
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
-# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
-# by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
-# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
-# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
-
-# For webviews, isolated_app processes can be forked from the webview_zygote
-# in addition to the zygote. Allow access to resources inherited from the
-# webview_zygote process. These rules are specialized copies of the ones in app.te.
-# Inherit FDs from the webview_zygote.
-allow isolated_app webview_zygote:fd use;
-# Notify webview_zygote of child death.
-allow isolated_app webview_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app webview_zygote:unix_dgram_socket write;
-# Read system properties managed by webview_zygote.
-allow isolated_app webview_zygote_tmpfs:file read;
-
-# Inherit FDs from the app_zygote.
-allow isolated_app app_zygote:fd use;
-# Notify app_zygote of child death.
-allow isolated_app app_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app app_zygote:unix_dgram_socket write;
-
-# TODO (b/63631799) fix this access
-# suppress denials to /data/local/tmp
-dontaudit isolated_app shell_data_file:dir search;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(isolated_app)
-
-# Allow profiling if the main app has been marked as profileable or
-# debuggable.
-can_profile_heap(isolated_app)
-can_profile_perf(isolated_app)
-
-#####
-##### Neverallow
-#####
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# Isolated apps must not be permitted to use HwBinder
-neverallow isolated_app hwbinder_device:chr_file *;
-neverallow isolated_app *:hwservice_manager *;
-
-# Isolated apps must not be permitted to use VndBinder
-neverallow isolated_app vndbinder_device:chr_file *;
-
-# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
-neverallow isolated_app *:service_manager ~find;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service, webviewupdate_service.
-neverallow isolated_app {
- service_manager_type
- -activity_service
- -display_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Do not allow isolated_app to access external storage, except for files passed
-# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
-
-# Do not allow USB access
-neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-
-# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote:sock_file write;
-
-# Limit the /sys files which isolated_app can access. This is important
-# for controlling isolated_app attack surface.
-neverallow isolated_app {
- sysfs_type
- -sysfs_devices_system_cpu
- -sysfs_transparent_hugepage
- -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
- -sysfs_fs_incfs_features
-}:file no_rw_file_perms;
-
-# No creation of sockets families other than AF_UNIX sockets.
-# List taken from system/sepolicy/public/global_macros - socket_class_set
-# excluding unix_stream_socket and unix_dgram_socket.
-# Many of these are socket families which have never and will never
-# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
- key_socket appletalk_socket netlink_route_socket
- netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
- netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
- netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
- netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
- netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
- rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
- bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
- ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
- qipcrtr_socket smc_socket xdp_socket
-} create;
diff --git a/microdroid/sepolicy/system/private/iw.te b/microdroid/sepolicy/system/private/iw.te
deleted file mode 100644
index adc8c96..0000000
--- a/microdroid/sepolicy/system/private/iw.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type iw, domain, coredomain;
-type iw_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(iw)
diff --git a/microdroid/sepolicy/system/private/kernel.te b/microdroid/sepolicy/system/private/kernel.te
index 2d49445..1d03c4a 100644
--- a/microdroid/sepolicy/system/private/kernel.te
+++ b/microdroid/sepolicy/system/private/kernel.te
@@ -1,12 +1,6 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
-domain_auto_trans(kernel, snapuserd_exec, snapuserd)
-
-# Allow the kernel to read otapreopt_chroot's file descriptors and files under
-# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
@@ -27,13 +21,63 @@
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
-allow kernel snapuserd_exec:file relabelto;
+allow kernel kmsg_device:chr_file write;
allow kernel vd_device:blk_file read;
-allow kernel kmsg_device:chr_file write;
-allow kernel gsid:fd use;
+allow kernel self:global_capability_class_set sys_nice;
-# apkdmverity attaches a loop device to idsig file
-# and the loop device is used by zipfuse later.
-# This requires kernel to use the fd opened by apkdmverity.
+# Root fs.
+r_dir_file(kernel, rootfs)
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel { sdcard_type fuse }:file { read write };
+
+# Allow the kernel to read APEX file descriptors and (staged) data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+
+#-----------------------------------------
allow kernel apkdmverity:fd use;
diff --git a/microdroid/sepolicy/system/private/keystore.te b/microdroid/sepolicy/system/private/keystore.te
index 0e57045..ac3ada1 100644
--- a/microdroid/sepolicy/system/private/keystore.te
+++ b/microdroid/sepolicy/system/private/keystore.te
@@ -2,33 +2,14 @@
init_daemon_domain(keystore)
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# talk to confirmationui
-hal_client_domain(keystore, hal_confirmationui)
-
# talk to keymint
hal_client_domain(keystore, hal_keymint)
-# This is used for the ConfirmationUI async callback.
-allow keystore platform_app:binder call;
-
-# Allow to check whether security logging is enabled.
-get_prop(keystore, device_logging_prop)
-
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
-# Allow keystore to register callbacks with statsd.
-allow keystore stats_service:service_manager find;
-binder_call(keystore, statsd);
-
# Keystore need access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
-get_prop(keystore, keystore_listen_prop)
-
-# Keystore needs to transfer binder references to vold so that it
-# can call keystore methods on those references.
-allow keystore vold:binder transfer;
+# microdroid doesn't use keymaster HAL
+dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
diff --git a/microdroid/sepolicy/system/private/keystore_keys.te b/microdroid/sepolicy/system/private/keystore_keys.te
deleted file mode 100644
index 03625dc..0000000
--- a/microdroid/sepolicy/system/private/keystore_keys.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# Specify keystore2_key namespaces in this file.
-# Please keep the names in alphabetical order and comment each new entry.
-
-# A keystore2_key namespace for the shell domain. Mainly used for native tests.
-type shell_key, keystore2_key_type;
-
-# A keystore2 namespace for the su domain. Mainly used for native tests.
-type su_key, keystore2_key_type;
-
-# A keystore2 namespace for vold. Vold need special permission to handle
-# its own Keymint blobs.
-type vold_key, keystore2_key_type;
-
-# A keystore2 namespace for the on-device signing daemon.
-type odsign_key, keystore2_key_type;
-
-# A keystore2 namespace for LockSettingsService.
-type locksettings_key, keystore2_key_type;
-
-# A keystore2 namespace for resume on reboot.
-type resume_on_reboot_key, keystore2_key_type;
-
-# A keystore2 namespace for VM payloads.
-type vm_payload_key, keystore2_key_type;
-
diff --git a/microdroid/sepolicy/system/private/linkerconfig.te b/microdroid/sepolicy/system/private/linkerconfig.te
index 2688102..4d8db0c 100644
--- a/microdroid/sepolicy/system/private/linkerconfig.te
+++ b/microdroid/sepolicy/system/private/linkerconfig.te
@@ -19,9 +19,3 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
-# Allow linkerconfig to be called in the otapreopt_chroot
-allow linkerconfig otapreopt_chroot:fd use;
-allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
-allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
-
-neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
diff --git a/microdroid/sepolicy/system/private/llkd.te b/microdroid/sepolicy/system/private/llkd.te
deleted file mode 100644
index f218dec..0000000
--- a/microdroid/sepolicy/system/private/llkd.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# llkd Live LocK Daemon
-typeattribute llkd coredomain;
-
-init_daemon_domain(llkd)
-
-get_prop(llkd, llkd_prop)
-
-allow llkd self:global_capability_class_set kill;
-userdebug_or_eng(`
- allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
- allow llkd self:global_capability_class_set { dac_override dac_read_search };
-')
-
-# llkd optionally locks itself in memory, to prevent it from being
-# swapped out and unable to discover a kernel in live-lock state.
-allow llkd self:global_capability_class_set ipc_lock;
-
-# Send kill signals to _anyone_ suffering from Live Lock
-allow llkd domain:process sigkill;
-
-# read stack to check for Live Lock
-userdebug_or_eng(`
- allow llkd {
- domain
- -apexd
- -kernel
- -keystore
- -init
- -llkd
- -ueventd
- -vendor_init
- }:process ptrace;
-')
-
-# live lock watchdog process allowed to look through /proc/
-allow llkd domain:dir r_dir_perms;
-allow llkd domain:file r_file_perms;
-allow llkd domain:lnk_file read;
-# Set /proc/sys/kernel/hung_task_*
-allow llkd proc_hung_task:file rw_file_perms;
-
-# live lock watchdog process allowed to dump process trace and
-# reboot because orderly shutdown may not be possible.
-allow llkd proc_sysrq:file w_file_perms;
-allow llkd kmsg_device:chr_file w_file_perms;
-
-### neverallow rules
-
-neverallow { domain -init } llkd:process { dyntransition transition };
-neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
-
-# never honor LD_PRELOAD
-neverallow * llkd:process noatsecure;
diff --git a/microdroid/sepolicy/system/private/lmkd.te b/microdroid/sepolicy/system/private/lmkd.te
deleted file mode 100644
index fef3a89..0000000
--- a/microdroid/sepolicy/system/private/lmkd.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute lmkd coredomain;
-
-init_daemon_domain(lmkd)
-
-# Set sys.lmk.* properties.
-set_prop(lmkd, system_lmk_prop)
-
-# Set lmkd.* properties.
-set_prop(lmkd, lmkd_prop)
-
-neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/microdroid/sepolicy/system/private/logd.te b/microdroid/sepolicy/system/private/logd.te
index 7112c4f..0cc6e96 100644
--- a/microdroid/sepolicy/system/private/logd.te
+++ b/microdroid/sepolicy/system/private/logd.te
@@ -2,40 +2,42 @@
init_daemon_domain(logd)
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
-# logd is not allowed to write anywhere other than /data/misc/logd, and then
-# only on userdebug or eng builds
-neverallow logd {
- file_type
- -runtime_event_log_tags_file
- userdebug_or_eng(`-coredump_file -misc_logd_file')
- with_native_coverage(`-method_trace_data_file')
-}:file { create write append };
-
-# protect the event-log-tags file
-neverallow {
- domain
- -appdomain # covered below
- -bootstat
- -dumpstate
- -init
- -logd
- userdebug_or_eng(`-logpersist')
- -servicemanager
- -system_server
- -surfaceflinger
- -zygote
-} runtime_event_log_tags_file:file no_rw_file_perms;
-
-neverallow {
- appdomain
- -bluetooth
- -platform_app
- -priv_app
- -radio
- -shell
- userdebug_or_eng(`-su')
- -system_app
-} runtime_event_log_tags_file:file no_rw_file_perms;
+allow logd adbd:dir search;
+allow logd adbd:file { getattr open read };
+allow logd device:dir search;
+allow logd hwservicemanager:dir search;
+allow logd hwservicemanager:file { open read };
+allow logd init:dir search;
+allow logd init:fd use;
+allow logd init:file { getattr open read };
+allow logd kernel:dir search;
+allow logd kernel:file { getattr open read };
+allow logd kernel:system { syslog_mod syslog_read };
+allow logd keystore:dir search;
+allow logd keystore:file { getattr open read };
+allow logd linkerconfig_file:dir search;
+allow logd microdroid_manager:dir search;
+allow logd microdroid_manager:file { getattr open read };
+allow logd null_device:chr_file { open read };
+#allow logd proc_kmsg:file read;
+r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+allow logd self:fifo_file { read write };
+allow logd self:file { getattr open read };
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+#allow logd self:netlink_audit_socket getopt;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kmsg_device:chr_file { getattr w_file_perms };
+r_dir_file(logd, domain)
+allow logd self:unix_stream_socket { accept getopt setopt shutdown };
+allow logd servicemanager:dir search;
+allow logd servicemanager:file { open read };
+allow logd tombstoned:dir search;
+allow logd tombstoned:file { getattr open read };
+allow logd ueventd:dir search;
+allow logd ueventd:file { getattr open read };
+control_logd(logd)
+read_runtime_log_tags(logd)
diff --git a/microdroid/sepolicy/system/private/logpersist.te b/microdroid/sepolicy/system/private/logpersist.te
deleted file mode 100644
index ab2c9c6..0000000
--- a/microdroid/sepolicy/system/private/logpersist.te
+++ /dev/null
@@ -1,30 +0,0 @@
-typeattribute logpersist coredomain;
-
-# android debug log storage in logpersist domains (eng and userdebug only)
-userdebug_or_eng(`
-
- r_dir_file(logpersist, cgroup)
- r_dir_file(logpersist, cgroup_v2)
-
- allow logpersist misc_logd_file:file create_file_perms;
- allow logpersist misc_logd_file:dir rw_dir_perms;
-
- allow logpersist self:global_capability_class_set sys_nice;
- allow logpersist pstorefs:dir search;
- allow logpersist pstorefs:file r_file_perms;
-
- control_logd(logpersist)
- unix_socket_connect(logpersist, logdr, logd)
- read_runtime_log_tags(logpersist)
-
-')
-
-# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist {
- file_type
- userdebug_or_eng(`-misc_logd_file -coredump_file')
- with_native_coverage(`-method_trace_data_file')
-}:file { create write append };
-neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/microdroid/sepolicy/system/private/lpdumpd.te b/microdroid/sepolicy/system/private/lpdumpd.te
deleted file mode 100644
index 9f5f87e..0000000
--- a/microdroid/sepolicy/system/private/lpdumpd.te
+++ /dev/null
@@ -1,37 +0,0 @@
-type lpdumpd, domain, coredomain;
-type lpdumpd_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(lpdumpd)
-
-# Allow lpdumpd to register itself as a service.
-binder_use(lpdumpd)
-add_service(lpdumpd, lpdump_service)
-
-# Allow lpdumpd to find the super partition block device.
-allow lpdumpd block_device:dir r_dir_perms;
-
-# Allow lpdumpd to read super partition metadata.
-allow lpdumpd super_block_device_type:blk_file r_file_perms;
-
-# Allow lpdumpd to read fstab.
-allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
-allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
-read_fstab(lpdumpd)
-
-### Neverallow rules
-
-# Disallow other domains to get lpdump_service and call lpdumpd.
-neverallow {
- domain
- -dumpstate
- -lpdumpd
- -shell
-} lpdump_service:service_manager find;
-
-neverallow {
- domain
- -dumpstate
- -lpdumpd
- -shell
- -servicemanager
-} lpdumpd:binder call;
diff --git a/microdroid/sepolicy/system/private/mdnsd.te b/microdroid/sepolicy/system/private/mdnsd.te
deleted file mode 100644
index 98e95da..0000000
--- a/microdroid/sepolicy/system/private/mdnsd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# mdns daemon
-
-typeattribute mdnsd coredomain;
-typeattribute mdnsd mlstrustedsubject;
-
-type mdnsd_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(mdnsd)
-
-net_domain(mdnsd)
-
-# Read from /proc/net
-r_dir_file(mdnsd, proc_net_type)
diff --git a/microdroid/sepolicy/system/private/mediadrmserver.te b/microdroid/sepolicy/system/private/mediadrmserver.te
deleted file mode 100644
index 4e511a8..0000000
--- a/microdroid/sepolicy/system/private/mediadrmserver.te
+++ /dev/null
@@ -1,8 +0,0 @@
-typeattribute mediadrmserver coredomain;
-
-init_daemon_domain(mediadrmserver)
-
-# allocate and use graphic buffers
-hal_client_domain(mediadrmserver, hal_graphics_allocator)
-auditallow mediadrmserver hal_graphics_allocator_server:binder call;
-
diff --git a/microdroid/sepolicy/system/private/mediaextractor.te b/microdroid/sepolicy/system/private/mediaextractor.te
deleted file mode 100644
index 7bcf5c8..0000000
--- a/microdroid/sepolicy/system/private/mediaextractor.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute mediaextractor coredomain;
-
-init_daemon_domain(mediaextractor)
-tmpfs_domain(mediaextractor)
-allow mediaextractor appdomain_tmpfs:file { getattr map read write };
-allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
-allow mediaextractor system_server_tmpfs:file { getattr map read write };
-
-get_prop(mediaextractor, device_config_media_native_prop)
-get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/microdroid/sepolicy/system/private/mediametrics.te b/microdroid/sepolicy/system/private/mediametrics.te
deleted file mode 100644
index 5a6f2e1..0000000
--- a/microdroid/sepolicy/system/private/mediametrics.te
+++ /dev/null
@@ -1,8 +0,0 @@
-typeattribute mediametrics coredomain;
-
-init_daemon_domain(mediametrics)
-
-# Needed for stats callback registration to statsd.
-allow mediametrics stats_service:service_manager find;
-allow mediametrics statsmanager_service:service_manager find;
-binder_call(mediametrics, statsd)
diff --git a/microdroid/sepolicy/system/private/mediaprovider.te b/microdroid/sepolicy/system/private/mediaprovider.te
deleted file mode 100644
index 78bbdb0..0000000
--- a/microdroid/sepolicy/system/private/mediaprovider.te
+++ /dev/null
@@ -1,48 +0,0 @@
-###
-### A domain for android.process.media, which contains both
-### MediaProvider and DownloadProvider and associated services.
-###
-
-typeattribute mediaprovider coredomain;
-app_domain(mediaprovider)
-
-# DownloadProvider accesses the network.
-net_domain(mediaprovider)
-
-# DownloadProvider uses /cache.
-allow mediaprovider cache_file:dir create_dir_perms;
-allow mediaprovider cache_file:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow mediaprovider cache_file:lnk_file r_file_perms;
-# mediaprovider searches through /cache looking for orphans
-# Ignore denials to /cache/recovery and /cache/backup.
-dontaudit mediaprovider cache_private_backup_file:dir getattr;
-dontaudit mediaprovider cache_recovery_file:dir getattr;
-
-# Access external sdcards through /mnt/media_rw
-allow mediaprovider { mnt_media_rw_file }:dir search;
-
-allow mediaprovider app_api_service:service_manager find;
-allow mediaprovider audioserver_service:service_manager find;
-allow mediaprovider cameraserver_service:service_manager find;
-allow mediaprovider drmserver_service:service_manager find;
-allow mediaprovider mediaextractor_service:service_manager find;
-allow mediaprovider mediaserver_service:service_manager find;
-
-# Allow MediaProvider to read/write cached ringtones (opened by system).
-allow mediaprovider ringtone_file:file { getattr read write };
-
-# MtpServer uses /dev/mtp_usb
-allow mediaprovider mtp_device:chr_file rw_file_perms;
-
-# MtpServer uses /dev/usb-ffs/mtp
-allow mediaprovider functionfs:dir search;
-allow mediaprovider functionfs:file rw_file_perms;
-allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
-
-# MtpServer sets sys.usb.ffs.mtp.ready
-get_prop(mediaprovider, ffs_config_prop)
-set_prop(mediaprovider, ffs_control_prop)
-
-# DownloadManager may retrieve DRM status
-get_prop(mediaprovider, drm_service_config_prop)
diff --git a/microdroid/sepolicy/system/private/mediaprovider_app.te b/microdroid/sepolicy/system/private/mediaprovider_app.te
deleted file mode 100644
index 0e4a50e..0000000
--- a/microdroid/sepolicy/system/private/mediaprovider_app.te
+++ /dev/null
@@ -1,56 +0,0 @@
-###
-### A domain for further sandboxing the MediaProvider mainline module.
-###
-type mediaprovider_app, domain, coredomain;
-
-app_domain(mediaprovider_app)
-
-# Access to /mnt/pass_through.
-r_dir_file(mediaprovider_app, mnt_pass_through_file)
-
-# Allow MediaProvider to host a FUSE daemon for external storage
-allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
-
-# Allow MediaProvider to read/write media_rw_data_file files and dirs
-allow mediaprovider_app media_rw_data_file:file create_file_perms;
-allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
-
-# Talk to the DRM service
-allow mediaprovider_app drmserver_service:service_manager find;
-
-# Talk to the MediaServer service
-allow mediaprovider_app mediaserver_service:service_manager find;
-
-# Talk to regular app services
-allow mediaprovider_app app_api_service:service_manager find;
-
-# Talk to the GPU service
-binder_call(mediaprovider_app, gpuservice)
-
-# Talk to statsd
-allow mediaprovider_app statsmanager_service:service_manager find;
-binder_call(mediaprovider_app, statsd)
-
-# read pipe-max-size configuration
-allow mediaprovider_app proc_pipe_conf:file r_file_perms;
-
-# Allow MediaProvider to set extended attributes (such as quota project ID)
-# on media files.
-allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
-
-# Access external sdcards through /mnt/media_rw
-allow mediaprovider_app { mnt_media_rw_file }:dir search;
-
-allow mediaprovider_app proc_filesystems:file r_file_perms;
-
-#Allow MediaProvider to see if sdcardfs is in use
-get_prop(mediaprovider_app, storage_config_prop)
-
-get_prop(mediaprovider_app, drm_service_config_prop)
-
-allow mediaprovider_app gpu_device:dir search;
diff --git a/microdroid/sepolicy/system/private/mediaserver.te b/microdroid/sepolicy/system/private/mediaserver.te
deleted file mode 100644
index 6fe460c..0000000
--- a/microdroid/sepolicy/system/private/mediaserver.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute mediaserver coredomain;
-
-init_daemon_domain(mediaserver)
-tmpfs_domain(mediaserver)
-allow mediaserver appdomain_tmpfs:file { getattr map read write };
-
-# allocate and use graphic buffers
-hal_client_domain(mediaserver, hal_graphics_allocator)
-hal_client_domain(mediaserver, hal_configstore)
-hal_client_domain(mediaserver, hal_drm)
-hal_client_domain(mediaserver, hal_omx)
-hal_client_domain(mediaserver, hal_codec2)
-
-set_prop(mediaserver, audio_prop)
-
-get_prop(mediaserver, drm_service_config_prop)
-get_prop(mediaserver, media_config_prop)
-
-# Allow mediaserver to start media.transcoding service via ctl.start.
-set_prop(mediaserver, ctl_mediatranscoding_prop);
diff --git a/microdroid/sepolicy/system/private/mediaswcodec.te b/microdroid/sepolicy/system/private/mediaswcodec.te
deleted file mode 100644
index 02079c1..0000000
--- a/microdroid/sepolicy/system/private/mediaswcodec.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute mediaswcodec coredomain;
-
-init_daemon_domain(mediaswcodec)
-
-get_prop(mediaswcodec, device_config_media_native_prop)
-get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/microdroid/sepolicy/system/private/mediatranscoding.te b/microdroid/sepolicy/system/private/mediatranscoding.te
deleted file mode 100644
index d812525..0000000
--- a/microdroid/sepolicy/system/private/mediatranscoding.te
+++ /dev/null
@@ -1,65 +0,0 @@
-# mediatranscoding - daemon for transcoding video and image.
-type mediatranscoding, domain;
-type mediatranscoding_exec, system_file_type, exec_type, file_type;
-type mediatranscoding_tmpfs, file_type;
-typeattribute mediatranscoding coredomain;
-
-init_daemon_domain(mediatranscoding)
-tmpfs_domain(mediatranscoding)
-allow mediatranscoding appdomain_tmpfs:file { getattr map read write };
-
-binder_use(mediatranscoding)
-binder_call(mediatranscoding, binderservicedomain)
-binder_call(mediatranscoding, appdomain)
-binder_service(mediatranscoding)
-
-add_service(mediatranscoding, mediatranscoding_service)
-
-hal_client_domain(mediatranscoding, hal_graphics_allocator)
-hal_client_domain(mediatranscoding, hal_configstore)
-hal_client_domain(mediatranscoding, hal_omx)
-hal_client_domain(mediatranscoding, hal_codec2)
-
-allow mediatranscoding mediaserver_service:service_manager find;
-allow mediatranscoding mediametrics_service:service_manager find;
-allow mediatranscoding mediaextractor_service:service_manager find;
-allow mediatranscoding package_native_service:service_manager find;
-allow mediatranscoding thermal_service:service_manager find;
-
-allow mediatranscoding system_server:fd use;
-allow mediatranscoding activity_service:service_manager find;
-
-# allow mediatranscoding service read/write permissions for file sources
-allow mediatranscoding sdcardfs:file { getattr read write };
-allow mediatranscoding media_rw_data_file:file { getattr read write };
-allow mediatranscoding apk_data_file:file { getattr read };
-allow mediatranscoding app_data_file:file { getattr read write };
-allow mediatranscoding shell_data_file:file { getattr read write };
-
-# allow mediatranscoding service write permission to statsd socket
-unix_socket_send(mediatranscoding, statsdw, statsd)
-
-# Allow mediatranscoding to access the DMA-BUF system heap
-allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
-
-allow mediatranscoding gpu_device:dir search;
-
-# Allow mediatranscoding service to access media-related system properties
-get_prop(mediatranscoding, media_config_prop)
-
-# mediatranscoding should never execute any executable without a
-# domain transition
-neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
-neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/microdroid/sepolicy/system/private/mediatuner.te b/microdroid/sepolicy/system/private/mediatuner.te
deleted file mode 100644
index 413d2e5..0000000
--- a/microdroid/sepolicy/system/private/mediatuner.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# mediatuner - mediatuner daemon
-type mediatuner, domain;
-type mediatuner_exec, system_file_type, exec_type, file_type;
-
-typeattribute mediatuner coredomain;
-
-init_daemon_domain(mediatuner)
-hal_client_domain(mediatuner, hal_tv_tuner)
-
-binder_use(mediatuner)
-binder_call(mediatuner, appdomain)
-binder_service(mediatuner)
-
-add_service(mediatuner, mediatuner_service)
-allow mediatuner system_server:fd use;
-allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
-allow mediatuner package_native_service:service_manager find;
-binder_call(mediatuner, system_server)
-
-###
-### neverallow rules
-###
-
-# mediatuner should never execute any executable without a
-# domain transition
-neverallow mediatuner { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
diff --git a/microdroid/sepolicy/system/private/microdroid_app.te b/microdroid/sepolicy/system/private/microdroid_app.te
index eff9120..820ec68 100644
--- a/microdroid/sepolicy/system/private/microdroid_app.te
+++ b/microdroid/sepolicy/system/private/microdroid_app.te
@@ -43,3 +43,9 @@
rebind
use
};
+
+# Allow microdroid_app to use vsock inherited from microdroid_manager
+allow microdroid_app microdroid_manager:vsock_socket { read write };
+
+# Write to /dev/kmsg.
+allow microdroid_app kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/microdroid_manager.te b/microdroid/sepolicy/system/private/microdroid_manager.te
index 53c63ae..074024f 100644
--- a/microdroid/sepolicy/system/private/microdroid_manager.te
+++ b/microdroid/sepolicy/system/private/microdroid_manager.te
@@ -23,9 +23,15 @@
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
+# Let microdroid_manager initialize the derived VM secrets.
+set_prop(microdroid_manager, vmsecret_keymint_prop);
+
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below two rules
userdebug_or_eng(`
allow microdroid_manager fuse:dir r_dir_perms;
allow microdroid_manager fuse:file rx_file_perms;
')
+
+# Let microdroid_manager to create a vsock connection back to the host VM
+allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
diff --git a/microdroid/sepolicy/system/private/migrate_legacy_obb_data.te b/microdroid/sepolicy/system/private/migrate_legacy_obb_data.te
deleted file mode 100644
index b2a1fb1..0000000
--- a/microdroid/sepolicy/system/private/migrate_legacy_obb_data.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type migrate_legacy_obb_data, domain, coredomain;
-type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
-
-allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
-allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
-
-allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
-
-allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
-
-allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
-
-allow migrate_legacy_obb_data mnt_user_file:dir search;
-allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
-allow migrate_legacy_obb_data storage_file:dir search;
-allow migrate_legacy_obb_data storage_file:lnk_file read;
-
-allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
-allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
-
-# TODO: This should not be necessary. We don't deliberately hand over
-# any open file descriptors to this domain, so anything that triggers this
-# should be a candidate for O_CLOEXEC.
-allow migrate_legacy_obb_data installd:fd use;
-
-# This rule is required to let this process read /proc/{parent_pid}/mount.
-# TODO: Why is this required ?
-allow migrate_legacy_obb_data installd:file read;
diff --git a/microdroid/sepolicy/system/private/mls b/microdroid/sepolicy/system/private/mls
index 955c27b..303df81 100644
--- a/microdroid/sepolicy/system/private/mls
+++ b/microdroid/sepolicy/system/private/mls
@@ -48,52 +48,25 @@
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
-# Userfaultfd constraints
-#
-# To enforce that anonymous inodes are self contained in the application's process.
-mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
- (l1 eq l2);
-
-#
-# Constraints for app data files only.
-#
-
-# Only constrain open, not read/write, so already open fds can be used.
-# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
-mlsconstrain { file sock_file } { open setattr unlink link rename }
- ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-
-# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
-mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
-# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
-# TODO: Migrate to equivalence when it's no longer needed.
-mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-
-#
# Constraints for file types other than app data files.
#
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+ or (t1 == mlsvendorcompat and t2 == system_data_file) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
diff --git a/microdroid/sepolicy/system/private/mlstrustedsubject.te b/microdroid/sepolicy/system/private/mlstrustedsubject.te
deleted file mode 100644
index 22482d9..0000000
--- a/microdroid/sepolicy/system/private/mlstrustedsubject.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# MLS override can't be used to access private app data.
-
-# Apps should not normally be mlstrustedsubject, but if they must be
-# they cannot use this to access app private data files; their own app
-# data files must use a different label.
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
-} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
-} { app_data_file privapp_data_file }:dir ~{ read getattr search };
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
- -system_server
- -adbd
- -runas
- -zygote
-} { app_data_file privapp_data_file }:dir { read getattr search };
diff --git a/microdroid/sepolicy/system/private/mm_events.te b/microdroid/sepolicy/system/private/mm_events.te
deleted file mode 100644
index 4875d40..0000000
--- a/microdroid/sepolicy/system/private/mm_events.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type mm_events, domain, coredomain;
-type mm_events_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(mm_events)
-
-allow mm_events shell_exec:file rx_file_perms;
-
-# Allow running the sleep command to rate limit attempts
-# to arm mm_events on failure.
-allow mm_events toolbox_exec:file rx_file_perms;
-
-allow mm_events perfetto_exec:file rx_file_perms;
-
-domain_auto_trans(mm_events, perfetto_exec, perfetto)
diff --git a/microdroid/sepolicy/system/private/modprobe.te b/microdroid/sepolicy/system/private/modprobe.te
deleted file mode 100644
index 9858675..0000000
--- a/microdroid/sepolicy/system/private/modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute modprobe coredomain;
diff --git a/microdroid/sepolicy/system/private/mtp.te b/microdroid/sepolicy/system/private/mtp.te
deleted file mode 100644
index 732e111..0000000
--- a/microdroid/sepolicy/system/private/mtp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mtp coredomain;
-
-init_daemon_domain(mtp)
diff --git a/microdroid/sepolicy/system/private/net.te b/microdroid/sepolicy/system/private/net.te
new file mode 100644
index 0000000..1b2fd41
--- /dev/null
+++ b/microdroid/sepolicy/system/private/net.te
@@ -0,0 +1,16 @@
+## Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+###
+### Domain with network access
+###
+
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+allow netdomain port_type:tcp_socket name_connect;
+allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/sepolicy/system/private/netd.te b/microdroid/sepolicy/system/private/netd.te
deleted file mode 100644
index 670a4bf..0000000
--- a/microdroid/sepolicy/system/private/netd.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute netd coredomain;
-
-init_daemon_domain(netd)
-
-# Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-
-# Allow netd to start clatd in its own domain and kill it
-domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
-
-# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
-# the map created by bpfloader
-allow netd bpfloader:bpf { prog_run map_read map_write };
-
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow netd self:key_socket create;
-
-set_prop(netd, ctl_mdnsd_prop)
-set_prop(netd, netd_stable_secret_prop)
-
-get_prop(netd, adbd_config_prop)
-get_prop(netd, bpf_progs_loaded_prop)
-get_prop(netd, hwservicemanager_prop)
-get_prop(netd, device_config_netd_native_prop)
-
-# Allow netd to write to statsd.
-unix_socket_send(netd, statsdw, statsd)
-
-# Allow netd to send callbacks to network_stack
-binder_call(netd, network_stack)
-
-# Allow netd to send dump info to dumpstate
-allow netd dumpstate:fd use;
-allow netd dumpstate:fifo_file { getattr write };
-
-# persist.netd.stable_secret contains RFC 7217 secret key which should never be
-# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
-
-# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
-# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
-neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/microdroid/sepolicy/system/private/netutils_wrapper.te b/microdroid/sepolicy/system/private/netutils_wrapper.te
deleted file mode 100644
index ca3b515..0000000
--- a/microdroid/sepolicy/system/private/netutils_wrapper.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute netutils_wrapper coredomain;
-
-r_dir_file(netutils_wrapper, system_file);
-
-# For netutils (ip, iptables, tc)
-allow netutils_wrapper self:global_capability_class_set net_raw;
-
-allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net_type:file { open read getattr };
-allow netutils_wrapper self:rawip_socket create_socket_perms;
-allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:global_capability_class_set net_admin;
-# ip utils need everything but ioctl
-allow netutils_wrapper self:netlink_route_socket ~ioctl;
-allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
-
-# For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_service:service_manager find;
-allow netutils_wrapper dnsresolver_service:service_manager find;
-binder_use(netutils_wrapper);
-binder_call(netutils_wrapper, netd);
-
-# For vendor code that update the iptables rules at runtime. They need to reload
-# the whole chain including the xt_bpf rules. They need to access to the pinned
-# program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
-allow netutils_wrapper fs_bpf:file { read write };
-allow netutils_wrapper bpfloader:bpf prog_run;
-
-# For /data/misc/net access to ndc and ip
-r_dir_file(netutils_wrapper, net_data_file)
-
-domain_auto_trans({
- domain
- -coredomain
- -appdomain
-}, netutils_wrapper_exec, netutils_wrapper)
-
-# suppress spurious denials
-dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
-dontaudit netutils_wrapper sysfs_type:file read;
-
-# netutils wrapper may only use the following capabilities.
-neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
diff --git a/microdroid/sepolicy/system/private/network_stack.te b/microdroid/sepolicy/system/private/network_stack.te
deleted file mode 100644
index 09a98b5..0000000
--- a/microdroid/sepolicy/system/private/network_stack.te
+++ /dev/null
@@ -1,62 +0,0 @@
-# Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
-
-app_domain(network_stack);
-net_domain(network_stack);
-
-allow network_stack self:global_capability_class_set {
- net_admin
- net_bind_service
- net_broadcast
- net_raw
-};
-
-# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
-allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
-
-# The DhcpClient uses packet_sockets
-allow network_stack self:packet_socket create_socket_perms_no_ioctl;
-
-# Monitor neighbors via netlink.
-allow network_stack self:netlink_route_socket nlmsg_write;
-
-allow network_stack app_api_service:service_manager find;
-allow network_stack dnsresolver_service:service_manager find;
-allow network_stack netd_service:service_manager find;
-allow network_stack network_watchlist_service:service_manager find;
-allow network_stack radio_service:service_manager find;
-allow network_stack system_config_service:service_manager find;
-allow network_stack radio_data_file:dir create_dir_perms;
-allow network_stack radio_data_file:file create_file_perms;
-
-binder_call(network_stack, netd);
-
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow network_stack self:key_socket create;
-# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
-# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
-dontaudit network_stack self:key_socket getopt;
-
-# Grant read permission of connectivity namespace system property prefix.
-get_prop(network_stack, device_config_connectivity_prop)
-
-# Create/use netlink_tcpdiag_socket to get tcp info
-allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-############### Tethering Service app - Tethering.apk ##############
-hal_client_domain(network_stack, hal_tetheroffload)
-# Create and share netlink_netfilter_sockets for tetheroffload.
-allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow network_stack network_stack_service:service_manager find;
-# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
-allow network_stack bpfloader:bpf { map_read map_write prog_run };
-
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-# Unfortunately init/vendor_init have all sorts of extra privs
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/microdroid/sepolicy/system/private/nfc.te b/microdroid/sepolicy/system/private/nfc.te
deleted file mode 100644
index f1a08f7..0000000
--- a/microdroid/sepolicy/system/private/nfc.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# nfc subsystem
-typeattribute nfc coredomain, mlstrustedsubject;
-app_domain(nfc)
-net_domain(nfc)
-
-binder_service(nfc)
-add_service(nfc, nfc_service)
-
-hal_client_domain(nfc, hal_nfc)
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-allow nfc nfc_logs_data_file:dir rw_dir_perms;
-allow nfc nfc_logs_data_file:file create_file_perms;
-
-# SoundPool loading and playback
-allow nfc audioserver_service:service_manager find;
-allow nfc drmserver_service:service_manager find;
-allow nfc mediametrics_service:service_manager find;
-allow nfc mediaextractor_service:service_manager find;
-allow nfc mediaserver_service:service_manager find;
-
-allow nfc radio_service:service_manager find;
-allow nfc app_api_service:service_manager find;
-allow nfc system_api_service:service_manager find;
-allow nfc vr_manager_service:service_manager find;
-allow nfc secure_element_service:service_manager find;
-
-set_prop(nfc, nfc_prop);
-
-# already open bugreport file descriptors may be shared with
-# the nfc process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow nfc shell_data_file:file read;
diff --git a/microdroid/sepolicy/system/private/odrefresh.te b/microdroid/sepolicy/system/private/odrefresh.te
deleted file mode 100644
index 7a64247..0000000
--- a/microdroid/sepolicy/system/private/odrefresh.te
+++ /dev/null
@@ -1,54 +0,0 @@
-# odrefresh
-type odrefresh, domain, coredomain;
-type odrefresh_exec, system_file_type, exec_type, file_type;
-
-# Allow odrefresh to create files and directories for on device signing.
-allow odrefresh apex_module_data_file:dir { getattr search };
-allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file create_file_perms;
-
-# Allow odrefresh to create data files (typically for metrics before statsd starts).
-allow odrefresh odrefresh_data_file:dir create_dir_perms;
-allow odrefresh odrefresh_data_file:file create_file_perms;
-
-userfaultfd_use(odrefresh)
-
-# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
-# sets up files here and passes file descriptors for dex2oat to write to.
-allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
-allow odrefresh apex_art_staging_data_file:file create_file_perms;
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow odrefresh odsign_devpts:chr_file { read write };
-allow odrefresh odsign:fd use;
-
-# Do not audit unused resources from parent processes (adb, shell, su).
-# These appear to be unnecessary for odrefresh.
-dontaudit odrefresh { adbd shell }:fd use;
-dontaudit odrefresh devpts:chr_file rw_file_perms;
-dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
-
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
-# No other processes should be creating files in the staging area.
-neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
-
-# No processes other than init, odrefresh and system_server access
-# odrefresh_data_files.
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/odsign.te b/microdroid/sepolicy/system/private/odsign.te
deleted file mode 100644
index 0ff3b7b..0000000
--- a/microdroid/sepolicy/system/private/odsign.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# odsign - on-device signing.
-type odsign, domain;
-
-# odsign - Binary for signing ART artifacts.
-typeattribute odsign coredomain;
-
-type odsign_exec, exec_type, file_type, system_file_type;
-
-# Allow init to start odsign
-init_daemon_domain(odsign)
-
-# Allow using persistent storage in /data/odsign
-allow odsign odsign_data_file:dir create_dir_perms;
-allow odsign odsign_data_file:file create_file_perms;
-
-# Create and use pty created by android_fork_execvp().
-create_pty(odsign)
-
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
-allowxperm odsign apex_art_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
-};
-
-# talk to binder services (for keystore)
-binder_use(odsign);
-
-# talk to keystore specifically
-use_keystore(odsign);
-
-# Use our dedicated keystore key
-allow odsign odsign_key:keystore2_key {
- delete
- get_info
- rebind
- use
-};
-
-# talk to keymaster
-hal_client_domain(odsign, hal_keymaster)
-
-# For ART apex data dir access
-allow odsign apex_module_data_file:dir { getattr search };
-
-allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
-allow odsign apex_art_data_file:file { rw_file_perms unlink };
-
-# Run odrefresh to refresh ART artifacts
-domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
-# only odsign can set odsign sysprop
-set_prop(odsign, odsign_prop)
-neverallow { domain -odsign -init } odsign_prop:property_service set;
-
-# Neverallows
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/microdroid/sepolicy/system/private/otapreopt_chroot.te b/microdroid/sepolicy/system/private/otapreopt_chroot.te
deleted file mode 100644
index ea9d4ee..0000000
--- a/microdroid/sepolicy/system/private/otapreopt_chroot.te
+++ /dev/null
@@ -1,98 +0,0 @@
-# otapreopt_chroot executable
-typeattribute otapreopt_chroot coredomain;
-type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot apex_mnt_dir:dir mounton;
-allow otapreopt_chroot device:dir mounton;
-allow otapreopt_chroot linkerconfig_file:dir mounton;
-allow otapreopt_chroot rootfs:dir mounton;
-allow otapreopt_chroot sysfs:dir mounton;
-allow otapreopt_chroot system_data_root_file:dir mounton;
-allow otapreopt_chroot system_file:dir mounton;
-allow otapreopt_chroot vendor_file:dir mounton;
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# This is required for dynamic partitions.
-allow otapreopt_chroot dm_device:chr_file rw_file_perms;
-
-# This is required to unmount flattened APEX packages under
-# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
-allow otapreopt_chroot postinstall_file:filesystem unmount;
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;
-
-# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
-domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
-domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
-
-# Allow otapreopt_chroot to control linkerconfig
-allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
-allow otapreopt_chroot linkerconfig_file:file create_file_perms;
-
-# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
-allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
-# Allow otapreopt_chroot to access loop devices.
-allow otapreopt_chroot loop_device:blk_file rw_file_perms;
-allowxperm otapreopt_chroot loop_device:blk_file ioctl {
- LOOP_CONFIGURE
- LOOP_GET_STATUS64
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_CLR_FD
- BLKFLSBUF
-};
-
-# Allow otapreopt_chroot to configure read-ahead of loop devices.
-allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
-allow otapreopt_chroot sysfs_loop:file rw_file_perms;
-
-# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
-allow otapreopt_chroot tmpfs:filesystem mount;
-# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir relabelfrom;
-allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
-
-# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
-allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
-allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
-# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
-allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
-
-# Allow otapreopt_chroot to access /dev/block (needed to detach loop
-# devices used by ext4 images from APEX packages).
-allow otapreopt_chroot block_device:dir r_dir_perms;
-
-# Allow to access the linker through the symlink.
-allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
-
-# Allow otapreopt_chroot to read ro.cold_boot_done prop.
-# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
-# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
-get_prop(otapreopt_chroot, cold_boot_done_prop)
-
-# allow otapreopt_chroot to run the linkerconfig from the new image.
-allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/microdroid/sepolicy/system/private/otapreopt_slot.te b/microdroid/sepolicy/system/private/otapreopt_slot.te
deleted file mode 100644
index 27a3b0e..0000000
--- a/microdroid/sepolicy/system/private/otapreopt_slot.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-type otapreopt_slot, domain, mlstrustedsubject, coredomain;
-type otapreopt_slot_exec, system_file_type, exec_type, file_type;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
-
-# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
-# the directory afterwards. For logging of aggregate size, we need getattr.
-allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
-# (du follows symlinks)
-allow otapreopt_slot ota_data_file:lnk_file read;
-
-# Delete old content of the dalvik-cache.
-allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
-allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
-allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow otapreopt_slot shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
-# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
-allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/microdroid/sepolicy/system/private/perfetto.te b/microdroid/sepolicy/system/private/perfetto.te
deleted file mode 100644
index f9693da..0000000
--- a/microdroid/sepolicy/system/private/perfetto.te
+++ /dev/null
@@ -1,102 +0,0 @@
-# Perfetto command-line client. Can be used only from the domains that are
-# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
-# This command line client accesses the privileged socket of the traced
-# daemon.
-
-type perfetto_exec, system_file_type, exec_type, file_type;
-type perfetto_tmpfs, file_type;
-
-tmpfs_domain(perfetto);
-
-# Allow to access traced's privileged consumer socket.
-unix_socket_connect(perfetto, traced_consumer, traced)
-
-# Connect to the Perfetto traced daemon as a producer. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(perfetto)
-
-# Allow to write and unlink traces into /data/misc/perfetto-traces.
-allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
-allow perfetto perfetto_traces_data_file:file create_file_perms;
-
-# Allow to access binder to pass the traces to Dropbox.
-binder_use(perfetto)
-binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
-
-# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
-# shell and adb can write files into that directory.
-allow perfetto perfetto_configs_data_file:dir r_dir_perms;
-allow perfetto perfetto_configs_data_file:file r_file_perms;
-
-# Allow perfetto to read the trace config from statsd, mm_events and shell
-# (both root and non-root) on stdin and also to write the resulting trace to
-# stdout.
-allow perfetto { statsd mm_events shell su }:fd use;
-allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
-
-# Allow to communicate use, read and write over the adb connection.
-allow perfetto adbd:fd use;
-allow perfetto adbd:unix_stream_socket { read write };
-
-# Allow adbd to reap perfetto.
-allow perfetto adbd:process { sigchld };
-
-# Allow perfetto to write to statsd.
-unix_socket_send(perfetto, statsdw, statsd)
-
-# Allow to access /dev/pts when launched in an adb shell.
-allow perfetto devpts:chr_file rw_file_perms;
-
-# Allow perfetto to ask incidentd to start a report.
-allow perfetto incident_service:service_manager find;
-binder_call(perfetto, incidentd)
-
-# perfetto log formatter calls isatty() on its stderr. Denial when running
-# under adbd is harmless. Avoid generating denial logs.
-dontaudit perfetto adbd:unix_stream_socket getattr;
-dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
-# As above, when adbd is running in "su" domain (only the ioctl is denied in
-# practice).
-dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
-# Similarly, CTS tests end up hitting a denial on shell pipes.
-dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
-
-###
-### Neverallow rules
-###
-### perfetto should NEVER do any of this
-
-# Disallow mapping executable memory (execstack and exec are already disallowed
-# globally in domain.te).
-neverallow perfetto self:process execmem;
-
-# Block device access.
-neverallow perfetto dev_type:blk_file { read write };
-
-# ptrace any other process
-neverallow perfetto domain:process ptrace;
-
-# Disallows access to other /data files.
-neverallow perfetto {
- data_file_type
- -system_data_file
- -system_data_root_file
- # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
- # neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- -zoneinfo_data_file
- -perfetto_traces_data_file
- -perfetto_configs_data_file
- with_native_coverage(`-method_trace_data_file')
-}:dir *;
-neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
-neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
-neverallow perfetto {
- data_file_type
- -zoneinfo_data_file
- -perfetto_traces_data_file
- -perfetto_configs_data_file
- with_native_coverage(`-method_trace_data_file')
-}:file ~write;
diff --git a/microdroid/sepolicy/system/private/performanced.te b/microdroid/sepolicy/system/private/performanced.te
deleted file mode 100644
index 792826e..0000000
--- a/microdroid/sepolicy/system/private/performanced.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute performanced coredomain;
-
-init_daemon_domain(performanced)
diff --git a/microdroid/sepolicy/system/private/permissioncontroller_app.te b/microdroid/sepolicy/system/private/permissioncontroller_app.te
deleted file mode 100644
index 5f81875..0000000
--- a/microdroid/sepolicy/system/private/permissioncontroller_app.te
+++ /dev/null
@@ -1,22 +0,0 @@
-###
-### A domain for further sandboxing the GooglePermissionController app.
-###
-type permissioncontroller_app, domain, coredomain;
-
-app_domain(permissioncontroller_app)
-
-allow permissioncontroller_app app_api_service:service_manager find;
-allow permissioncontroller_app system_api_service:service_manager find;
-
-# Allow interaction with gpuservice
-binder_call(permissioncontroller_app, gpuservice)
-
-allow permissioncontroller_app radio_service:service_manager find;
-
-# Allow the app to request and collect incident reports.
-# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
-allow permissioncontroller_app incident_service:service_manager find;
-binder_call(permissioncontroller_app, incidentd)
-allow permissioncontroller_app incidentd:fifo_file { read write };
-
-allow permissioncontroller_app gpu_device:dir search;
diff --git a/microdroid/sepolicy/system/private/platform_app.te b/microdroid/sepolicy/system/private/platform_app.te
deleted file mode 100644
index a112081..0000000
--- a/microdroid/sepolicy/system/private/platform_app.te
+++ /dev/null
@@ -1,107 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-typeattribute platform_app coredomain;
-
-app_domain(platform_app)
-
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-# Read from /data/local/tmp or /data/data/com.android.shell.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-
-# Access to /data/media.
-allow platform_app media_rw_data_file:dir create_dir_perms;
-allow platform_app media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app sdcard_type:dir create_dir_perms;
-allow platform_app sdcard_type:file create_file_perms;
-
-# com.android.systemui
-allow platform_app rootfs:dir getattr;
-
-# com.android.captiveportallogin reads /proc/vmstat
-allow platform_app {
- proc_vmstat
-}:file r_file_perms;
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-r_dir_file(platform_app, proc_net_type)
-userdebug_or_eng(`
- auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-allow platform_app audioserver_service:service_manager find;
-allow platform_app cameraserver_service:service_manager find;
-allow platform_app drmserver_service:service_manager find;
-allow platform_app mediaserver_service:service_manager find;
-allow platform_app mediametrics_service:service_manager find;
-allow platform_app mediaextractor_service:service_manager find;
-allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app persistent_data_block_service:service_manager find;
-allow platform_app radio_service:service_manager find;
-allow platform_app thermal_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
-allow platform_app app_api_service:service_manager find;
-allow platform_app system_api_service:service_manager find;
-allow platform_app vr_manager_service:service_manager find;
-allow platform_app stats_service:service_manager find;
-
-# Allow platform apps to log via statsd.
-binder_call(platform_app, statsd)
-
-# Access to /data/preloads
-allow platform_app preloads_data_file:file r_file_perms;
-allow platform_app preloads_data_file:dir r_dir_perms;
-allow platform_app preloads_media_file:file r_file_perms;
-allow platform_app preloads_media_file:dir r_dir_perms;
-
-read_runtime_log_tags(platform_app)
-
-# allow platform apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow platform_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow platform apps to connect to the property service
-set_prop(platform_app, test_boot_reason_prop)
-
-# allow platform apps to read keyguard.no_require_sim
-get_prop(platform_app, keyguard_config_prop)
-
-# allow platform apps to read qemu.hw.mainkeys
-get_prop(platform_app, qemu_hw_prop)
-
-# allow platform apps to create symbolic link
-allow platform_app app_data_file:lnk_file create_file_perms;
-
-# suppress denials caused by debugfs_tracing
-dontaudit platform_app debugfs_tracing:file rw_file_perms;
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as platform_app
-neverallow platform_app fuse_device:chr_file *;
diff --git a/microdroid/sepolicy/system/private/postinstall.te b/microdroid/sepolicy/system/private/postinstall.te
deleted file mode 100644
index 7060c59..0000000
--- a/microdroid/sepolicy/system/private/postinstall.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute postinstall coredomain;
-type postinstall_exec, system_file_type, exec_type, file_type;
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
-
-allow postinstall rootfs:dir r_dir_perms;
diff --git a/microdroid/sepolicy/system/private/postinstall_dexopt.te b/microdroid/sepolicy/system/private/postinstall_dexopt.te
deleted file mode 100644
index 14e7854..0000000
--- a/microdroid/sepolicy/system/private/postinstall_dexopt.te
+++ /dev/null
@@ -1,81 +0,0 @@
-# Domain for the otapreopt executable, running under postinstall_dexopt
-#
-# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
-# this is derived and adapted from installd.te.
-
-type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
-type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
-type postinstall_dexopt_tmpfs, file_type;
-
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-# - Case where dex2oat is in a non-flattened APEX, which has retained
-# the correct type (`dex2oat_exec`).
-domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
-# - Case where dex2oat is in a flattened APEX, which has been tagged
-# with the `postinstall_file` type by update_engine.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
-
-allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
-
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
-
-allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr read search };
-allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
-allow postinstall_dexopt proc_filesystems:file { getattr open read };
-allow postinstall_dexopt rootfs:file r_file_perms;
-
-allow postinstall_dexopt tmpfs:file read;
-
-# Allow access to /postinstall/apex.
-allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, apk_data_file)
-# Read vendor app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_app_file)
-# Read vendor overlay files (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_overlay_file)
-# Access to app oat directory.
-r_dir_file(postinstall_dexopt, dalvikcache_data_file)
-
-# Read profile data.
-allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
-allow postinstall_dexopt user_profile_data_file:file r_file_perms;
-# Suppress deletion denial (we do not want to update the profile).
-dontaudit postinstall_dexopt user_profile_data_file:file { write };
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow postinstall_dexopt ota_data_file:dir create_dir_perms;
-allow postinstall_dexopt ota_data_file:file create_file_perms;
-allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
-allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
-allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-
-# Check validity of SELinux context before use.
-selinux_check_context(postinstall_dexopt)
-selinux_check_access(postinstall_dexopt)
-
-
-# Postinstall wants to know about our child.
-allow postinstall_dexopt postinstall:process sigchld;
-
-# Allow otapreopt to use file descriptors from otapreopt_chroot.
-# TODO: Probably we can actually close file descriptors...
-allow postinstall_dexopt otapreopt_chroot:fd use;
-
-# Allow postinstall_dexopt to access the runtime feature flag properties.
-get_prop(postinstall_dexopt, device_config_runtime_native_prop)
-get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/ppp.te b/microdroid/sepolicy/system/private/ppp.te
deleted file mode 100644
index 968b221..0000000
--- a/microdroid/sepolicy/system/private/ppp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute ppp coredomain;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/microdroid/sepolicy/system/private/preloads_copy.te b/microdroid/sepolicy/system/private/preloads_copy.te
deleted file mode 100644
index ba54b70..0000000
--- a/microdroid/sepolicy/system/private/preloads_copy.te
+++ /dev/null
@@ -1,18 +0,0 @@
-type preloads_copy, domain, coredomain;
-type preloads_copy_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(preloads_copy)
-
-allow preloads_copy shell_exec:file rx_file_perms;
-allow preloads_copy toolbox_exec:file rx_file_perms;
-allow preloads_copy preloads_data_file:dir create_dir_perms;
-allow preloads_copy preloads_data_file:file create_file_perms;
-allow preloads_copy preloads_media_file:dir create_dir_perms;
-allow preloads_copy preloads_media_file:file create_file_perms;
-
-# Allow to copy from /postinstall
-allow preloads_copy system_file:dir r_dir_perms;
-
-# Silence the denial when /postinstall cannot be mounted, e.g., system_other
-# is wiped, but preloads_copy.sh still runs.
-dontaudit preloads_copy postinstall_mnt_dir:dir search;
diff --git a/microdroid/sepolicy/system/private/preopt2cachename.te b/microdroid/sepolicy/system/private/preopt2cachename.te
deleted file mode 100644
index dcfba14..0000000
--- a/microdroid/sepolicy/system/private/preopt2cachename.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# preopt2cachename executable
-#
-# This executable translates names from the preopted versions the build system
-# creates to the names the runtime expects in the data directory.
-
-type preopt2cachename, domain, coredomain;
-type preopt2cachename_exec, system_file_type, exec_type, file_type;
-
-# Allow write to stdout.
-allow preopt2cachename cppreopts:fd use;
-allow preopt2cachename cppreopts:fifo_file { getattr read write };
-
-# Allow write to logcat.
-allow preopt2cachename proc_net_type:file r_file_perms;
-userdebug_or_eng(`
- auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
-')
diff --git a/microdroid/sepolicy/system/private/priv_app.te b/microdroid/sepolicy/system/private/priv_app.te
deleted file mode 100644
index 63a9cbf..0000000
--- a/microdroid/sepolicy/system/private/priv_app.te
+++ /dev/null
@@ -1,254 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-typeattribute priv_app coredomain;
-app_domain(priv_app)
-
-# Access the network.
-net_domain(priv_app)
-# Access bluetooth.
-bluetooth_domain(priv_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
-create_pty(priv_app)
-
-# Allow loading executable code from writable priv-app home
-# directories. This is a W^X violation, however, it needs
-# to be supported for now for the following reasons.
-# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
-# 1) com.android.opengl.shaders_cache
-# 2) com.android.skia.shaders_cache
-# 3) com.android.renderscript.cache
-# * /data/user_de/0/com.google.android.gms/app_chimera
-# TODO: Tighten (b/112357170)
-allow priv_app privapp_data_file:file execute;
-
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow priv_app system_linker_exec:file execute_no_trans;
-
-allow priv_app privapp_data_file:lnk_file create_file_perms;
-
-# Priv apps can find services that expose both @SystemAPI and normal APIs.
-allow priv_app app_api_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-
-allow priv_app audioserver_service:service_manager find;
-allow priv_app cameraserver_service:service_manager find;
-allow priv_app drmserver_service:service_manager find;
-allow priv_app mediadrmserver_service:service_manager find;
-allow priv_app mediaextractor_service:service_manager find;
-allow priv_app mediametrics_service:service_manager find;
-allow priv_app mediaserver_service:service_manager find;
-allow priv_app music_recognition_service:service_manager find;
-allow priv_app network_watchlist_service:service_manager find;
-allow priv_app nfc_service:service_manager find;
-allow priv_app oem_lock_service:service_manager find;
-allow priv_app persistent_data_block_service:service_manager find;
-allow priv_app radio_service:service_manager find;
-allow priv_app recovery_service:service_manager find;
-allow priv_app stats_service:service_manager find;
-
-# Write to /cache.
-allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow priv_app cache_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-allow priv_app media_rw_data_file:dir create_dir_perms;
-allow priv_app media_rw_data_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow priv_app shell_data_file:file r_file_perms;
-allow priv_app shell_data_file:dir r_dir_perms;
-
-# Allow traceur to pass file descriptors through a content provider to betterbug
-allow priv_app trace_data_file:file { getattr read };
-
-# Allow betterbug to read profile reports generated by profcollect.
-userdebug_or_eng(`
- allow priv_app profcollectd_data_file:file r_file_perms;
-')
-
-# Allow the bug reporting frontend to read the presence and timestamp of the
-# trace attached to the bugreport (but not its contents, which will go in the
-# usual bugreport .zip file). This is used by the bug reporting UI to tell if
-# the bugreport will contain a system trace or not while the bugreport is still
-# in progress.
-allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
-allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
-# Required to traverse the parent dir (/data/misc/perfetto-traces).
-allow priv_app perfetto_traces_data_file:dir { search };
-
-# Allow verifier to access staged apks.
-allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-
-# For AppFuse.
-allow priv_app vold:fd use;
-allow priv_app fuse_device:chr_file { read write };
-
-# /proc access
-allow priv_app {
- proc_vmstat
-}:file r_file_perms;
-
-allow priv_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(priv_app, sysfs_net)
-# Read access to /sys/block/zram*/mm_stat
-r_dir_file(priv_app, sysfs_zram)
-
-r_dir_file(priv_app, rootfs)
-
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
-# Allow com.android.vending to communicate with statsd.
-binder_call(priv_app, statsd)
-
-# Allow Phone to read/write cached ringtones (opened by system).
-allow priv_app ringtone_file:file { getattr read write };
-
-# Access to /data/preloads
-allow priv_app preloads_data_file:file r_file_perms;
-allow priv_app preloads_data_file:dir r_dir_perms;
-allow priv_app preloads_media_file:file r_file_perms;
-allow priv_app preloads_media_file:dir r_dir_perms;
-
-read_runtime_log_tags(priv_app)
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(priv_app)
-
-# Allow priv_apps to request and collect incident reports.
-# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
-allow priv_app incident_service:service_manager find;
-binder_call(priv_app, incidentd)
-allow priv_app incidentd:fifo_file { read write };
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(priv_app)
-can_profile_perf(priv_app)
-
-# Allow priv_apps to check whether Dynamic System Update is enabled
-get_prop(priv_app, dynamic_system_prop)
-
-# suppress denials for non-API accesses.
-dontaudit priv_app exec_type:file getattr;
-dontaudit priv_app device:dir read;
-dontaudit priv_app fs_bpf:dir search;
-dontaudit priv_app net_dns_prop:file read;
-dontaudit priv_app proc:file read;
-dontaudit priv_app proc_interrupts:file read;
-dontaudit priv_app proc_modules:file read;
-dontaudit priv_app proc_net:file read;
-dontaudit priv_app proc_stat:file read;
-dontaudit priv_app proc_version:file read;
-dontaudit priv_app sysfs:dir read;
-dontaudit priv_app sysfs:file read;
-dontaudit priv_app sysfs_android_usb:file read;
-dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
-
-# allow privileged apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow priv_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, fill missing blocks and get the app status and loading progress
-allowxperm priv_app apk_data_file:file ioctl {
- INCFS_IOCTL_READ_SIGNATURE
- INCFS_IOCTL_FILL_BLOCKS
- INCFS_IOCTL_GET_BLOCK_COUNT
- INCFS_IOCTL_GET_FILLED_BLOCKS
-};
-
-# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
-allow priv_app incremental_control_file:file { read getattr ioctl };
-
-# allow apps like Phonesky to request permission to fill blocks of an apk file
-# on the Incremental File System.
-allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
-
-# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
-get_prop(priv_app, incremental_prop)
-
-# Required for Phonesky to be able to read APEX files under /data/apex/active/.
-allow priv_app apex_data_file:dir search;
-allow priv_app staging_data_file:file r_file_perms;
-# Required for Phonesky to be able to read staged files under /data/app-staging.
-allow priv_app staging_data_file:dir r_dir_perms;
-
-# allow priv app to access the system app data files for ContentProvider case.
-allow priv_app system_app_data_file:file { read getattr };
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow priv_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow priv_app domain:netlink_socket *;
-
-# Read or write kernel printk buffer
-neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
-
-# Do not allow privileged apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow priv_app service_manager_type:service_manager add;
-
-# Do not allow privileged apps to connect to the property service
-# or set properties. b/10243159
-neverallow priv_app property_socket:sock_file write;
-neverallow priv_app init:unix_stream_socket connectto;
-neverallow priv_app property_type:property_service set;
-
-# Do not allow priv_app to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and priv_app is allowed fork permission to itself.
-neverallow priv_app mlstrustedsubject:process fork;
-
-# Do not allow priv_app to hard link to any files.
-# In particular, if priv_app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure priv_app never has this
-# capability.
-neverallow priv_app file_type:file link;
-
-# priv apps should not be able to open trace data files, they should depend
-# upon traceur to pass a file descriptor which they can then read
-neverallow priv_app trace_data_file:dir *;
-neverallow priv_app trace_data_file:file { no_w_file_perms open };
-
-# Do not allow priv_app access to cgroups.
-neverallow priv_app cgroup:file *;
-neverallow priv_app cgroup_v2:file *;
-
-# Do not allow loading executable code from non-privileged
-# application home directories. Code loading across a security boundary
-# is dangerous and allows a full compromise of a privileged process
-# by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
-
-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
diff --git a/microdroid/sepolicy/system/private/profcollectd.te b/microdroid/sepolicy/system/private/profcollectd.te
deleted file mode 100644
index efde321..0000000
--- a/microdroid/sepolicy/system/private/profcollectd.te
+++ /dev/null
@@ -1,61 +0,0 @@
-# profcollectd - hardware profile collection daemon
-type profcollectd, domain, coredomain, mlstrustedsubject;
-type profcollectd_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- init_daemon_domain(profcollectd)
-
- # profcollectd opens a file for writing in /data/misc/profcollectd.
- allow profcollectd profcollectd_data_file:file create_file_perms;
- allow profcollectd profcollectd_data_file:dir create_dir_perms;
-
- # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
- allow profcollectd self:perf_event { cpu kernel open read write };
-
- # Allow profcollectd to scan through /proc/pid for all processes.
- r_dir_file(profcollectd, domain)
-
- # Allow profcollectd to read executable binaries.
- allow profcollectd system_file_type:file r_file_perms;
- allow profcollectd vendor_file_type:file r_file_perms;
-
- # Allow profcollectd to search for and read kernel modules.
- allow profcollectd vendor_file:dir r_dir_perms;
- allow profcollectd vendor_kernel_modules:file r_file_perms;
-
- # Allow profcollectd to read system bootstrap libs.
- allow profcollectd system_bootstrap_lib_file:dir search;
- allow profcollectd system_bootstrap_lib_file:file r_file_perms;
-
- # Allow profcollectd to access tracefs.
- allow profcollectd debugfs_tracing:dir r_dir_perms;
- allow profcollectd debugfs_tracing:file rw_file_perms;
- allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
- allow profcollectd debugfs_tracing_debug:file rw_file_perms;
-
- # Allow profcollectd to write to perf_event_paranoid under /proc.
- allow profcollectd proc_perf:file write;
-
- # Allow profcollectd to access cs_etm sysfs.
- r_dir_file(profcollectd, sysfs_devices_cs_etm)
-
- # Allow profcollectd to ptrace.
- allow profcollectd self:global_capability_class_set sys_ptrace;
-
- # Allow profcollectd to read its system properties.
- get_prop(profcollectd, device_config_profcollect_native_boot_prop)
- set_prop(profcollectd, profcollectd_node_id_prop)
-
- # Allow profcollectd to publish a binder service and make binder calls.
- binder_use(profcollectd)
- add_service(profcollectd, profcollectd_service)
-
- # Allow to temporarily lift the kptr_restrict setting and get kernel start address
- # by reading /proc/kallsyms, get module start address by reading /proc/modules.
- set_prop(profcollectd, lower_kptr_restrict_prop)
- allow profcollectd proc_kallsyms:file r_file_perms;
- allow profcollectd proc_modules:file r_file_perms;
-
- # Allow profcollectd to read kernel build id.
- allow profcollectd sysfs_kernel_notes:file r_file_perms;
-')
diff --git a/microdroid/sepolicy/system/private/profman.te b/microdroid/sepolicy/system/private/profman.te
deleted file mode 100644
index f61d05e..0000000
--- a/microdroid/sepolicy/system/private/profman.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute profman coredomain;
diff --git a/microdroid/sepolicy/system/private/property.te b/microdroid/sepolicy/system/private/property.te
index 01d4fd9..d3d413e 100644
--- a/microdroid/sepolicy/system/private/property.te
+++ b/microdroid/sepolicy/system/private/property.te
@@ -1,604 +1,16 @@
-# Properties used only in /system
-system_internal_prop(adbd_prop)
-system_internal_prop(ctl_snapuserd_prop)
-system_internal_prop(device_config_profcollect_native_boot_prop)
-system_internal_prop(device_config_statsd_native_prop)
-system_internal_prop(device_config_statsd_native_boot_prop)
-system_internal_prop(device_config_storage_native_boot_prop)
-system_internal_prop(device_config_sys_traced_prop)
-system_internal_prop(device_config_window_manager_native_boot_prop)
-system_internal_prop(device_config_configuration_prop)
-system_internal_prop(device_config_connectivity_prop)
-system_internal_prop(device_config_swcodec_native_prop)
-system_internal_prop(fastbootd_protocol_prop)
-system_internal_prop(gsid_prop)
-system_internal_prop(init_perf_lsm_hooks_prop)
-system_internal_prop(init_service_status_private_prop)
-system_internal_prop(init_svc_debug_prop)
-system_internal_prop(keystore_listen_prop)
-system_internal_prop(last_boot_reason_prop)
-system_internal_prop(localization_prop)
-system_internal_prop(lower_kptr_restrict_prop)
-system_internal_prop(net_464xlat_fromvendor_prop)
-system_internal_prop(net_connectivity_prop)
-system_internal_prop(netd_stable_secret_prop)
-system_internal_prop(odsign_prop)
-system_internal_prop(perf_drop_caches_prop)
-system_internal_prop(pm_prop)
-system_internal_prop(profcollectd_node_id_prop)
-system_internal_prop(rollback_test_prop)
-system_internal_prop(setupwizard_prop)
-system_internal_prop(system_adbd_prop)
-system_internal_prop(traced_perf_enabled_prop)
-system_internal_prop(userspace_reboot_log_prop)
-system_internal_prop(userspace_reboot_test_prop)
-system_internal_prop(verity_status_prop)
-system_internal_prop(zygote_wrap_prop)
-system_internal_prop(ctl_mediatranscoding_prop)
-
###
### Neverallow rules
###
-treble_sysprop_neverallow(`
-
-enforce_sysprop_owner(`
- neverallow domain {
- property_type
- -system_property_type
- -product_property_type
- -vendor_property_type
- }:file no_rw_file_perms;
-')
-
-neverallow { domain -coredomain } {
- system_property_type
- system_internal_property_type
- -system_restricted_property_type
- -system_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
- system_property_type
- -system_public_property_type
-}:property_service set;
-
-# init is in coredomain, but should be able to read/write all props.
-# dumpstate is also in coredomain, but should be able to read all props.
-neverallow { coredomain -init -dumpstate } {
- vendor_property_type
- vendor_internal_property_type
- -vendor_restricted_property_type
- -vendor_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { coredomain -init } {
- vendor_property_type
- -vendor_public_property_type
-}:property_service set;
-
-')
-
-# There is no need to perform ioctl or advisory locking operations on
-# property files. If this neverallow is being triggered, it is
-# likely that the policy is using r_file_perms directly instead of
-# the get_prop() macro.
-neverallow domain property_type:file { ioctl lock };
-
-neverallow * {
- core_property_type
- -audio_prop
- -config_prop
- -cppreopt_prop
- -dalvik_prop
- -debuggerd_prop
- -debug_prop
- -dhcp_prop
- -dumpstate_prop
- -fingerprint_prop
- -logd_prop
- -net_radio_prop
- -nfc_prop
- -ota_prop
- -pan_result_prop
- -persist_debug_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -shell_prop
- -system_prop
- -usb_prop
- -vold_prop
-}:file no_rw_file_perms;
-
-# sigstop property is only used for debugging; should only be set by su which is permissive
-# for userdebug/eng
neverallow {
domain
-init
- -vendor_init
-} ctl_sigstop_prop:property_service set;
-
-# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
-# in the audit log
-dontaudit domain {
- ctl_bootanim_prop
- ctl_bugreport_prop
- ctl_console_prop
- ctl_default_prop
- ctl_dumpstate_prop
- ctl_fuse_prop
- ctl_mdnsd_prop
- ctl_rildaemon_prop
-}:property_service set;
+ -microdroid_manager
+} vmsecret_keymint_prop:property_service set;
neverallow {
domain
-init
-} init_svc_debug_prop:property_service set;
-
-neverallow {
- domain
- -init
- -dumpstate
- userdebug_or_eng(`-su')
-} init_svc_debug_prop:file no_rw_file_perms;
-
-compatible_property_only(`
-# Prevent properties from being set
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- extended_core_property_type
- exported_config_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_system_prop
- exported3_system_prop
- usb_control_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- -vendor_init
- } {
- radio_control_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- -vendor_init
- } {
- exported_bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_camera_server
- -cameraserver
- -vendor_init
- } {
- exported_camera_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:property_service set;
-
- neverallow {
- domain
- -init
- -dumpstate
- -hal_wifi_server
- -wificond
- -vendor_init
- } {
- wifi_hal_prop
- }:property_service set;
-
-# Prevent properties from being read
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- dalvik_config_prop
- extended_core_property_type
- exported3_system_prop
- systemsound_config_prop
- -debug_prop
- -logd_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -vendor_init
- } {
- suspend_prop
- }:property_service set;
-')
-
-compatible_property_only(`
- # Neverallow coredomain to set vendor properties
- neverallow {
- coredomain
- -init
- -system_writes_vendor_properties_violators
- } {
- property_type
- -system_property_type
- -extended_core_property_type
- }:property_service set;
-')
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- ffs_config_prop
- ffs_control_prop
-}:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -system_server
-} {
- userspace_reboot_log_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and system_server to set system_adbd_prop
- domain
- -init
- -system_server
-} {
- system_adbd_prop
-}:property_service set;
-
-# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
-neverallow {
- domain
- -init
- -vendor_init
- -adbd
- -system_server
-} {
- adbd_config_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and adbd to set adbd_prop
- domain
- -init
- -adbd
-} {
- adbd_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and shell to set userspace_reboot_test_prop
- domain
- -init
- -shell
-} {
- userspace_reboot_test_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} {
- surfaceflinger_color_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} {
- libc_debug_prop
-}:property_service set;
-
-# Allow the shell to set MTE props, so that non-root users with adb shell
-# access can control the settings on their device.
-neverallow {
- domain
- -init
- -shell
-} {
- arm64_memtag_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} zram_control_prop:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} dalvik_runtime_prop:property_service set;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- usb_config_prop
- usb_control_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
-} {
- provisioned_prop
- retaildemo_prop
-}:property_service set;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- provisioned_prop
- retaildemo_prop
-}:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} {
- init_service_status_private_prop
- init_service_status_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -radio
- -appdomain
- -hal_telephony_server
- not_compatible_property(`-vendor_init')
-} telephony_status_prop:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
-} {
- graphics_config_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -surfaceflinger
-} {
- surfaceflinger_display_prop
-}:property_service set;
-
-neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
-} packagemanager_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} keyguard_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} {
- localization_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -system_app
-} oem_unlock_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} storagemanager_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -appdomain
-} sendbug_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -appdomain
-} camera_calibration_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -dumpstate
- -hal_dumpstate_server
- not_compatible_property(`-vendor_init')
-} hal_dumpstate_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- userdebug_or_eng(`-profcollectd')
- userdebug_or_eng(`-traced_probes')
- userdebug_or_eng(`-traced_perf')
-} {
- lower_kptr_restrict_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} zygote_wrap_prop:property_service set;
-
-neverallow {
- domain
- -init
-} verity_status_prop:property_service set;
-
-neverallow {
- domain
- -init
-} setupwizard_prop:property_service set;
-
-# ro.product.property_source_order is useless after initialization of ro.product.* props.
-# So making it accessible only from init and vendor_init.
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
-} build_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -shell
-} sqlite_log_prop:property_service set;
-
-neverallow {
- domain
- -coredomain
- -appdomain
-} sqlite_log_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} default_prop:property_service set;
-
-# Only one of system_property_type and vendor_property_type can be assigned.
-# Property types having both attributes won't be accessible from anywhere.
-neverallow domain system_and_vendor_property_type:{file property_service} *;
-
-neverallow {
- # Only allow init and shell to set rollback_test_prop
- domain
- -init
- -shell
-} rollback_test_prop:property_service set;
-
-neverallow {
- # Only allow init and profcollectd to access profcollectd_node_id_prop
- domain
- -init
- -dumpstate
- -profcollectd
-} profcollectd_node_id_prop:file r_file_perms;
-
+ -microdroid_manager
+ -hal_keymint_server
+} vmsecret_keymint_prop:file no_rw_file_perms;
diff --git a/microdroid/sepolicy/system/private/property_contexts b/microdroid/sepolicy/system/private/property_contexts
index deeb840..c8be9d9 100644
--- a/microdroid/sepolicy/system/private/property_contexts
+++ b/microdroid/sepolicy/system/private/property_contexts
@@ -50,6 +50,8 @@
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
+ro.vmsecret.keymint u:object_r:vmsecret_keymint_prop:s0 exact string
+
hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
diff --git a/microdroid/sepolicy/system/private/racoon.te b/microdroid/sepolicy/system/private/racoon.te
deleted file mode 100644
index 42ea7c9..0000000
--- a/microdroid/sepolicy/system/private/racoon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)
diff --git a/microdroid/sepolicy/system/private/radio.te b/microdroid/sepolicy/system/private/radio.te
deleted file mode 100644
index 2758289..0000000
--- a/microdroid/sepolicy/system/private/radio.te
+++ /dev/null
@@ -1,35 +0,0 @@
-typeattribute radio coredomain, mlstrustedsubject;
-
-app_domain(radio)
-
-read_runtime_log_tags(radio)
-
-# Property service
-set_prop(radio, radio_control_prop)
-set_prop(radio, radio_prop)
-set_prop(radio, net_radio_prop)
-set_prop(radio, telephony_status_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
-# Telephony code contains time / time zone detection logic so it reads the associated properties.
-get_prop(radio, time_prop)
-
-# allow telephony to access platform compat to log permission denials
-allow radio platform_compat_service:service_manager find;
-
-allow radio uce_service:service_manager find;
-
-# Manage /data/misc/emergencynumberdb
-allow radio emergency_data_file:dir r_dir_perms;
-allow radio emergency_data_file:file r_file_perms;
-
-# allow telephony to access related cache properties
-set_prop(radio, binder_cache_telephony_server_prop);
-neverallow { domain -radio -init }
- binder_cache_telephony_server_prop:property_service set;
-
-# allow sending pulled atoms to statsd
-binder_call(radio, statsd)
-
diff --git a/microdroid/sepolicy/system/private/recovery.te b/microdroid/sepolicy/system/private/recovery.te
deleted file mode 100644
index 00d7132..0000000
--- a/microdroid/sepolicy/system/private/recovery.te
+++ /dev/null
@@ -1,46 +0,0 @@
-typeattribute recovery coredomain;
-
-# The allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
- # Reboot the device
- set_prop(recovery, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(recovery, serialno_prop)
-
- # Set sys.usb.ffs.ready when starting minadbd for sideload.
- get_prop(recovery, ffs_config_prop)
- set_prop(recovery, ffs_control_prop)
-
- # Set sys.usb.config when switching into fastboot.
- set_prop(recovery, usb_control_prop)
- set_prop(recovery, usb_prop)
-
- # Read ro.boot.bootreason
- get_prop(recovery, bootloader_boot_reason_prop)
-
- # Read storage properties (for correctly formatting filesystems)
- get_prop(recovery, storage_config_prop)
-
- set_prop(recovery, gsid_prop)
-
- # These are needed to allow recovery to manage network
- allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
- allow recovery self:global_capability_class_set net_admin;
- allow recovery self:tcp_socket { create ioctl };
- allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
-
- # Start snapuserd for merging VABC updates
- set_prop(recovery, ctl_snapuserd_prop)
-
- # Needed to communicate with snapuserd to complete merges.
- allow recovery snapuserd_socket:sock_file write;
- allow recovery snapuserd:unix_stream_socket connectto;
- allow recovery dm_user_device:dir r_dir_perms;
-
- # Set fastbootd protocol property
- set_prop(recovery, fastbootd_protocol_prop)
-
- get_prop(recovery, recovery_config_prop)
-')
diff --git a/microdroid/sepolicy/system/private/recovery_persist.te b/microdroid/sepolicy/system/private/recovery_persist.te
deleted file mode 100644
index 7cb2e67..0000000
--- a/microdroid/sepolicy/system/private/recovery_persist.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute recovery_persist coredomain;
-
-init_daemon_domain(recovery_persist)
-
-# recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist {
- file_type
- -recovery_data_file
- userdebug_or_eng(`-coredump_file')
- with_native_coverage(`-method_trace_data_file')
-}:file write;
diff --git a/microdroid/sepolicy/system/private/recovery_refresh.te b/microdroid/sepolicy/system/private/recovery_refresh.te
deleted file mode 100644
index 3c095cc..0000000
--- a/microdroid/sepolicy/system/private/recovery_refresh.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute recovery_refresh coredomain;
-
-init_daemon_domain(recovery_refresh)
-
-# recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh {
- file_type
- userdebug_or_eng(`-coredump_file')
- with_native_coverage(`-method_trace_data_file')
-}:file write;
diff --git a/microdroid/sepolicy/system/private/remote_prov_app.te b/microdroid/sepolicy/system/private/remote_prov_app.te
deleted file mode 100644
index 010c9bc..0000000
--- a/microdroid/sepolicy/system/private/remote_prov_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type remote_prov_app, domain;
-typeattribute remote_prov_app coredomain;
-
-app_domain(remote_prov_app)
-net_domain(remote_prov_app)
-
-# The app needs access to properly build a DeviceInfo package for the verifying server
-get_prop(remote_prov_app, vendor_security_patch_level_prop)
-
-allow remote_prov_app {
- app_api_service
- remoteprovisioning_service
-}:service_manager find;
diff --git a/microdroid/sepolicy/system/private/rs.te b/microdroid/sepolicy/system/private/rs.te
deleted file mode 100644
index bf10841..0000000
--- a/microdroid/sepolicy/system/private/rs.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
-allow rs app_exec_data_file:file create_file_perms;
-type_transition rs app_data_file:file app_exec_data_file;
-
-# Follow /data/user/0 symlink
-allow rs system_data_file:lnk_file read;
-
-# Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
-
-# Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
-
-# Use vendor resources
-allow rs vendor_file:dir r_dir_perms;
-r_dir_file(rs, vendor_overlay_file)
-r_dir_file(rs, vendor_app_file)
-
-# Read contents of app apks
-r_dir_file(rs, apk_data_file)
-
-allow rs gpu_device:chr_file rw_file_perms;
-allow rs ion_device:chr_file r_file_perms;
-allow rs same_process_hal_file:file { r_file_perms execute };
-
-# File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
-
-# rs can access app data, so ensure it can only be entered via an app domain and cannot have
-# CAP_DAC_OVERRIDE.
-neverallow rs rs:capability_class_set *;
-neverallow { domain -appdomain } rs:process { dyntransition transition };
-neverallow rs { domain -crash_dump }:process { dyntransition transition };
-neverallow rs app_data_file:file_class_set ~r_file_perms;
-# rs should never use network sockets
-neverallow rs *:network_socket_class_set *;
diff --git a/microdroid/sepolicy/system/private/rss_hwm_reset.te b/microdroid/sepolicy/system/private/rss_hwm_reset.te
deleted file mode 100644
index 30818c2..0000000
--- a/microdroid/sepolicy/system/private/rss_hwm_reset.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
-
-# Start rss_hwm_reset from init.
-init_daemon_domain(rss_hwm_reset)
-
-# Search /proc/pid directories.
-allow rss_hwm_reset domain:dir search;
-
-# Write to /proc/pid/clear_refs of other processes.
-# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
-allow rss_hwm_reset self:global_capability_class_set { dac_override };
-
-# Write to /prc/pid/clear_refs.
-allow rss_hwm_reset domain:file w_file_perms;
diff --git a/microdroid/sepolicy/system/private/runas.te b/microdroid/sepolicy/system/private/runas.te
deleted file mode 100644
index ef31aac..0000000
--- a/microdroid/sepolicy/system/private/runas.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute runas coredomain;
-
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
diff --git a/microdroid/sepolicy/system/private/runas_app.te b/microdroid/sepolicy/system/private/runas_app.te
deleted file mode 100644
index c1b354a..0000000
--- a/microdroid/sepolicy/system/private/runas_app.te
+++ /dev/null
@@ -1,32 +0,0 @@
-typeattribute runas_app coredomain;
-
-app_domain(runas_app)
-untrusted_app_domain(runas_app)
-net_domain(runas_app)
-bluetooth_domain(runas_app)
-
-# The ability to call exec() on files in the apps home directories
-# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
-# which are copied to the apps home directories.
-allow runas_app app_data_file:file execute_no_trans;
-
-# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
-r_dir_file(runas_app, untrusted_app_all)
-
-# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process { ptrace signal sigstop };
-allow runas_app untrusted_app_all:unix_stream_socket connectto;
-
-# Allow executing system image simpleperf without a domain transition.
-allow runas_app simpleperf_exec:file rx_file_perms;
-
-# Suppress denial logspam when simpleperf is trying to find a matching process
-# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
-# the same domain as their respective process, most of which this domain is not
-# allowed to see.
-dontaudit runas_app domain:dir search;
-
-# Allow runas_app to call perf_event_open for profiling debuggable app
-# processes, but not the whole system.
-allow runas_app self:perf_event { open read write kernel };
-neverallow runas_app self:perf_event ~{ open read write kernel };
diff --git a/microdroid/sepolicy/system/private/sdcardd.te b/microdroid/sepolicy/system/private/sdcardd.te
deleted file mode 100644
index 126d643..0000000
--- a/microdroid/sepolicy/system/private/sdcardd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute sdcardd coredomain;
-
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/microdroid/sepolicy/system/private/secure_element.te b/microdroid/sepolicy/system/private/secure_element.te
deleted file mode 100644
index 57f512b..0000000
--- a/microdroid/sepolicy/system/private/secure_element.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# secure element subsystem
-typeattribute secure_element coredomain;
-app_domain(secure_element)
-
-binder_service(secure_element)
-add_service(secure_element, secure_element_service)
-
-allow secure_element app_api_service:service_manager find;
-hal_client_domain(secure_element, hal_secure_element)
-
-# already open bugreport file descriptors may be shared with
-# the secure element process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow secure_element shell_data_file:file read;
diff --git a/microdroid/sepolicy/system/private/service.te b/microdroid/sepolicy/system/private/service.te
deleted file mode 100644
index 7f692f3..0000000
--- a/microdroid/sepolicy/system/private/service.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type attention_service, system_server_service, service_manager_type;
-type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
-type gsi_service, service_manager_type;
-type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
-type mediatuner_service, app_api_service, service_manager_type;
-type profcollectd_service, service_manager_type;
-type resolver_service, system_server_service, service_manager_type;
-type stats_service, service_manager_type;
-type statscompanion_service, system_server_service, service_manager_type;
-type statsmanager_service, system_api_service, system_server_service, service_manager_type;
-type tracingproxy_service, system_server_service, service_manager_type;
-type uce_service, service_manager_type;
diff --git a/microdroid/sepolicy/system/private/service_contexts b/microdroid/sepolicy/system/private/service_contexts
index 150c89a..5857a0f 100644
--- a/microdroid/sepolicy/system/private/service_contexts
+++ b/microdroid/sepolicy/system/private/service_contexts
@@ -12,6 +12,7 @@
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
apexservice u:object_r:apex_service:s0
* u:object_r:default_android_service:s0
diff --git a/microdroid/sepolicy/system/private/servicemanager.te b/microdroid/sepolicy/system/private/servicemanager.te
index 6294452..8ff964f 100644
--- a/microdroid/sepolicy/system/private/servicemanager.te
+++ b/microdroid/sepolicy/system/private/servicemanager.te
@@ -2,6 +2,22 @@
init_daemon_domain(servicemanager)
-read_runtime_log_tags(servicemanager)
+selinux_check_access(servicemanager)
-set_prop(servicemanager, ctl_interface_start_prop)
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -vendor_init
+ -hwservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
diff --git a/microdroid/sepolicy/system/private/sgdisk.te b/microdroid/sepolicy/system/private/sgdisk.te
deleted file mode 100644
index a17342e..0000000
--- a/microdroid/sepolicy/system/private/sgdisk.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute sgdisk coredomain;
diff --git a/microdroid/sepolicy/system/private/shared_relro.te b/microdroid/sepolicy/system/private/shared_relro.te
deleted file mode 100644
index 31fdb8c..0000000
--- a/microdroid/sepolicy/system/private/shared_relro.te
+++ /dev/null
@@ -1,15 +0,0 @@
-typeattribute shared_relro coredomain;
-
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
-
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
-
-# StrictMode may attempt to find this service, failure is harmless.
-dontaudit shared_relro network_management_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/shell.te b/microdroid/sepolicy/system/private/shell.te
index 03490b0..fc51ad8 100644
--- a/microdroid/sepolicy/system/private/shell.te
+++ b/microdroid/sepolicy/system/private/shell.te
@@ -3,202 +3,29 @@
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
-# systrace support - allow atrace to run
-allow shell debugfs_tracing_debug:dir r_dir_perms;
-allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file rw_file_perms;
-allow shell debugfs_trace_marker:file getattr;
-allow shell atrace_exec:file rx_file_perms;
-
-userdebug_or_eng(`
- allow shell debugfs_tracing_debug:file rw_file_perms;
-')
-
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# allow shell to call dumpsys storaged
-binder_call(shell, storaged)
-
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
-# Control Perfetto traced and obtain traces from it.
-# Needed for Studio and debugging.
-unix_socket_connect(shell, traced_consumer, traced)
-
-# Allow shell binaries to write trace data to Perfetto. Used for testing and
-# cmdline utils.
-perfetto_producer(shell)
-
-domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
-
-# Allow shell binaries to exec the perfetto cmdline util and have that
-# transition into its own domain, so that it behaves consistently to
-# when exec()-d by statsd.
-domain_auto_trans(shell, perfetto_exec, perfetto)
-# Allow to send SIGINT to perfetto when daemonized.
-allow shell perfetto:process signal;
-
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
-# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
-userdebug_or_eng(`
- allow shell accessibility_trace_data_file:dir rw_dir_perms;
- allow shell accessibility_trace_data_file:file { r_file_perms unlink };
-')
-
-# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
-allow shell perfetto_traces_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_data_file:file { r_file_perms unlink };
-# ... and /data/misc/perfetto-traces/bugreport/ .
-allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
-
-# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
-allow shell perfetto_configs_data_file:dir rw_dir_perms;
-allow shell perfetto_configs_data_file:file create_file_perms;
-
-# Allow shell to run adb shell cmd gpu commands.
-binder_call(shell, gpuservice);
-
-# Allow shell to use atrace HAL
-hal_client_domain(shell, hal_atrace)
-
-# For hostside tests such as CTS listening ports test.
-allow shell proc_net_tcp_udp:file r_file_perms;
-
-# The dl.exec_linker* tests need to execute /system/bin/linker
-# b/124789393
-allow shell system_linker_exec:file rx_file_perms;
-
-# Renderscript host side tests depend on being able to execute
-# /system/bin/bcc (b/126388046)
-allow shell rs_exec:file rx_file_perms;
-
-# Allow (host-driven) ART run-tests to execute dex2oat, in order to
-# check ART's compiler.
-allow shell dex2oat_exec:file rx_file_perms;
-
-# Allow shell to start and comminicate with lpdumpd.
-set_prop(shell, lpdumpd_prop);
-binder_call(shell, lpdumpd)
-
-# Allow shell to set and read value of properties used for CTS tests of
-# userspace reboot
-set_prop(shell, userspace_reboot_test_prop)
-
-# Allow shell to set this property used for rollback tests
-set_prop(shell, rollback_test_prop)
-
-# Allow shell to get encryption policy of /data/local/tmp/, for CTS
-allowxperm shell shell_data_file:dir ioctl {
- FS_IOC_GET_ENCRYPTION_POLICY
- FS_IOC_GET_ENCRYPTION_POLICY_EX
-};
-
-# Allow shell to execute simpleperf without a domain transition.
-allow shell simpleperf_exec:file rx_file_perms;
-
-# Allow shell to execute profcollectctl without a domain transition.
-allow shell profcollectd_exec:file rx_file_perms;
-
-# Allow shell to call perf_event_open for profiling other shell processes, but
-# not the whole system.
-allow shell self:perf_event { open read write kernel };
-neverallow shell self:perf_event ~{ open read write kernel };
-
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, exported_dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, perf_drop_caches_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# Allow shell to start/stop traced via the persist.traced.enable
-# property (which also takes care of /data/misc initialization).
-set_prop(shell, traced_enabled_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
-# property.
-set_prop(shell, heapprofd_enabled_prop)
-# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
-# property.
-set_prop(shell, traced_perf_enabled_prop)
-# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
-set_prop(shell, ctl_gsid_prop)
-set_prop(shell, ctl_snapuserd_prop)
-# Allow shell to enable Dynamic System Update
-set_prop(shell, dynamic_system_prop)
-# Allow shell to mock an OTA using persist.pm.mock-upgrade
-set_prop(shell, mock_ota_prop)
-
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Allow shell to read the vendor security patch level for CTS
-get_prop(shell, vendor_security_patch_level_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(shell, bootloader_boot_reason_prop)
-get_prop(shell, last_boot_reason_prop)
-get_prop(shell, system_boot_reason_prop)
-
-# Allow reading the outcome of perf_event_open LSM support test for CTS.
-get_prop(shell, init_perf_lsm_hooks_prop)
-
-# Allow shell to read boot image timestamps and fingerprints.
-get_prop(shell, build_bootimage_prop)
-
-userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-
-# Allow to issue control commands to profcollectd binder service.
-userdebug_or_eng(`
- allow shell profcollectd:binder call;
-')
-
-# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
-allow shell keystore2_key_contexts_file:file r_file_perms;
-
-# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
-allow shell shell_key:keystore2_key { delete rebind use get_info update };
-
-# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
-set_prop(shell, sqlite_log_prop)
-
-# Allow shell to write MTE properties even on user builds.
-set_prop(shell, arm64_memtag_prop)
-
-# Allow shell to read the dm-verity props on user builds.
-get_prop(shell, verity_status_prop)
-
-# Allow shell to read Virtual A/B related properties
-get_prop(shell, virtual_ab_prop)
-
# Allow shell to launch microdroid_launcher in its own domain
# TODO(b/186396070) remove this when microdroid_manager can do this
domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
-# Never allow others to set or get the perf.drop_caches property.
-neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
-neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow shell adbd:unix_stream_socket connectto;
+allow shell adbd:fd use;
+allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-# Allow ReadDefaultFstab() for CTS.
-read_fstab(shell)
+# filesystem test for insecure chr_file's is done
+# via a host side test
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# filesystem test for insucre blk_file's is done
+# via hostside test
+allow shell dev_type:blk_file getattr;
diff --git a/microdroid/sepolicy/system/private/simpleperf.te b/microdroid/sepolicy/system/private/simpleperf.te
deleted file mode 100644
index 0639c11..0000000
--- a/microdroid/sepolicy/system/private/simpleperf.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# Domain used when running /system/bin/simpleperf to profile a specific app.
-# Entered either by the app itself exec-ing the binary, or through
-# simpleperf_app_runner (with shell as its origin). Certain other domains
-# (runas_app, shell) can also exec this binary without a domain transition.
-typeattribute simpleperf coredomain;
-type simpleperf_exec, system_file_type, exec_type, file_type;
-
-domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
-
-# When running in this domain, simpleperf is scoped to profiling an individual
-# app. The necessary MAC permissions for profiling are more maintainable and
-# consistent if simpleperf is marked as an app domain as well (as, for example,
-# it will then see the same set of system libraries as the app).
-app_domain(simpleperf)
-untrusted_app_domain(simpleperf)
-
-# Allow ptrace attach to the target app, for reading JIT debug info (using
-# process_vm_readv) during unwinding and symbolization.
-allow simpleperf untrusted_app_all:process ptrace;
-
-# Allow using perf_event_open syscall for profiling the target app.
-allow simpleperf self:perf_event { open read write kernel };
-
-# Allow /proc/<pid> access for the target app (for example, when trying to
-# discover it by cmdline).
-r_dir_file(simpleperf, untrusted_app_all)
-
-# Suppress denial logspam when simpleperf is trying to find a matching process
-# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
-# the same domain as their respective processes, most of which this domain is
-# not allowed to see.
-dontaudit simpleperf domain:dir search;
-
-# Neverallows:
-
-# Profiling must be confined to the scope of an individual app.
-neverallow simpleperf self:perf_event ~{ open read write kernel };
diff --git a/microdroid/sepolicy/system/private/simpleperf_app_runner.te b/microdroid/sepolicy/system/private/simpleperf_app_runner.te
deleted file mode 100644
index 8501826..0000000
--- a/microdroid/sepolicy/system/private/simpleperf_app_runner.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute simpleperf_app_runner coredomain;
-
-domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
diff --git a/microdroid/sepolicy/system/private/slideshow.te b/microdroid/sepolicy/system/private/slideshow.te
deleted file mode 100644
index 7dfa994..0000000
--- a/microdroid/sepolicy/system/private/slideshow.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute slideshow coredomain;
diff --git a/microdroid/sepolicy/system/private/snapshotctl.te b/microdroid/sepolicy/system/private/snapshotctl.te
deleted file mode 100644
index fb2bbca..0000000
--- a/microdroid/sepolicy/system/private/snapshotctl.te
+++ /dev/null
@@ -1,45 +0,0 @@
-type snapshotctl, domain, coredomain;
-type snapshotctl_exec, system_file_type, exec_type, file_type;
-
-# Allow init to run snapshotctl and do auto domain transfer.
-init_daemon_domain(snapshotctl);
-
-# Allow to start gsid service.
-set_prop(snapshotctl, ctl_gsid_prop)
-
-# Allow to talk to gsid.
-binder_use(snapshotctl)
-allow snapshotctl gsi_service:service_manager find;
-binder_call(snapshotctl, gsid)
-
-# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
-allow snapshotctl metadata_file:dir search;
-allow snapshotctl ota_metadata_file:dir rw_dir_perms;
-allow snapshotctl ota_metadata_file:file create_file_perms;
-
-# Allow to get A/B slot suffix from device tree or kernel cmdline.
-r_dir_file(snapshotctl, sysfs_dt_firmware_android);
-allow snapshotctl proc_cmdline:file r_file_perms;
-
-# Needed to (re-)map logical partitions.
-allow snapshotctl block_device:dir r_dir_perms;
-allow snapshotctl super_block_device:blk_file r_file_perms;
-
-# Interact with device-mapper to collapse snapshots.
-allow snapshotctl dm_device:chr_file rw_file_perms;
-
-# Needed to mutate device-mapper nodes.
-allow snapshotctl self:global_capability_class_set sys_admin;
-
-# Snapshotctl talk to boot control HAL to set merge status.
-hwbinder_use(snapshotctl)
-hal_client_domain(snapshotctl, hal_bootctl)
-
-# Allow snapshotctl to write to statsd socket.
-unix_socket_send(snapshotctl, statsdw, statsd)
-
-# Logging
-userdebug_or_eng(`
- allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
- allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
-')
diff --git a/microdroid/sepolicy/system/private/snapuserd.te b/microdroid/sepolicy/system/private/snapuserd.te
deleted file mode 100644
index d96b31e..0000000
--- a/microdroid/sepolicy/system/private/snapuserd.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
-type snapuserd, domain;
-type snapuserd_exec, exec_type, file_type, system_file_type;
-
-typeattribute snapuserd coredomain;
-
-init_daemon_domain(snapuserd)
-
-allow snapuserd kmsg_device:chr_file rw_file_perms;
-
-# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
-allow snapuserd block_device:dir r_dir_perms;
-allow snapuserd dm_device:chr_file rw_file_perms;
-allow snapuserd dm_device:blk_file rw_file_perms;
-
-# Reading and writing to dm-user control nodes.
-allow snapuserd dm_user_device:dir r_dir_perms;
-allow snapuserd dm_user_device:chr_file rw_file_perms;
-
-# Reading and writing to /dev/socket/snapuserd.
-allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
-
-# This arises due to first-stage init opening /dev/null without F_CLOEXEC
-# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
-# again, the descriptor leaks into the new process.
-allow snapuserd kernel:fd use;
diff --git a/microdroid/sepolicy/system/private/stats.te b/microdroid/sepolicy/system/private/stats.te
deleted file mode 100644
index db29072..0000000
--- a/microdroid/sepolicy/system/private/stats.te
+++ /dev/null
@@ -1,57 +0,0 @@
-type stats, domain;
-typeattribute stats coredomain;
-type stats_exec, system_file_type, exec_type, file_type;
-
-# switch to stats domain for stats command
-domain_auto_trans(shell, stats_exec, stats)
-
-# allow stats access to stdout from its parent shell.
-allow stats shell:fd use;
-
-# allow stats to communicate use, read and write over the adb
-# connection.
-allow stats adbd:fd use;
-allow stats adbd:unix_stream_socket { read write };
-
-# allow adbd to reap stats
-allow stats adbd:process { sigchld };
-
-# Allow the stats command to talk to the statsd over the binder, and get
-# back the stats report data from a ParcelFileDescriptor.
-binder_use(stats)
-allow stats stats_service:service_manager find;
-binder_call(stats, statsd)
-allow stats statsd:fifo_file write;
-
-# Only statsd can publish the binder service.
-add_service(statsd, stats_service)
-
-# Allow pipes from (and only from) stats.
-allow statsd stats:fd use;
-allow statsd stats:fifo_file write;
-
-# Allow statsd to call back to stats with status updates.
-binder_call(statsd, stats)
-
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -dumpstate
- -gmscore_app
- -gpuservice
- -incidentd
- -keystore
- -mediametrics
- -platform_app
- -priv_app
- -shell
- -stats
- -statsd
- -surfaceflinger
- -system_app
- -system_server
- -traceur_app
-} stats_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/statsd.te b/microdroid/sepolicy/system/private/statsd.te
index 444d82e..437f505 100644
--- a/microdroid/sepolicy/system/private/statsd.te
+++ b/microdroid/sepolicy/system/private/statsd.te
@@ -1,27 +1,3 @@
typeattribute statsd coredomain;
init_daemon_domain(statsd)
-
-# Allow to exec the perfetto cmdline client and pass it the trace config on
-# stdint through a pipe. It allows statsd to capture traces and hand them
-# to Android dropbox.
-allow statsd perfetto_exec:file rx_file_perms;
-domain_auto_trans(statsd, perfetto_exec, perfetto)
-
-# Grant statsd with permissions to register the services.
-allow statsd {
- statscompanion_service
-}:service_manager find;
-
-# Allow incidentd to obtain the statsd incident section.
-allow statsd incidentd:fifo_file write;
-
-# Allow StatsCompanionService to pipe data to statsd.
-allow statsd system_server:fifo_file { read getattr };
-
-# Allow statsd to retrieve SF statistics over binder
-binder_call(statsd, surfaceflinger);
-
-# Allow statsd to read its system properties
-get_prop(statsd, device_config_statsd_native_prop)
-get_prop(statsd, device_config_statsd_native_boot_prop)
diff --git a/microdroid/sepolicy/system/private/storaged.te b/microdroid/sepolicy/system/private/storaged.te
deleted file mode 100644
index bb39e5b..0000000
--- a/microdroid/sepolicy/system/private/storaged.te
+++ /dev/null
@@ -1,69 +0,0 @@
-# storaged daemon
-type storaged, domain, coredomain, mlstrustedsubject;
-type storaged_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(storaged)
-
-# Read access to pseudo filesystems
-r_dir_file(storaged, domain)
-
-# Read /proc/uid_io/stats
-allow storaged proc_uid_io_stats:file r_file_perms;
-
-# Read /data/system/packages.list
-allow storaged system_data_file:file r_file_perms;
-allow storaged packages_list_file:file r_file_perms;
-
-# Store storaged proto file
-allow storaged storaged_data_file:dir rw_dir_perms;
-allow storaged storaged_data_file:file create_file_perms;
-
-no_debugfs_restriction(`
- userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
- ')
-')
-
-# Needed to provide debug dump output via dumpsys pipes.
-allow storaged shell:fd use;
-allow storaged shell:fifo_file write;
-
-# Needed for GMScore to call dumpsys storaged
-allow storaged priv_app:fd use;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-# Remove after no logs are seen for this rule.
-userdebug_or_eng(`
- auditallow storaged priv_app:fd use;
-')
-allow storaged gmscore_app:fd use;
-allow storaged { privapp_data_file app_data_file }:file write;
-allow storaged permission_service:service_manager find;
-
-# Binder permissions
-add_service(storaged, storaged_service)
-
-binder_use(storaged)
-binder_call(storaged, system_server)
-
-hal_client_domain(storaged, hal_health)
-
-# Implements a dumpsys interface.
-allow storaged dumpstate:fd use;
-
-# use a subset of the package manager service
-allow storaged package_native_service:service_manager find;
-
-# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
-# running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
-
-# For collecting bugreports.
-allow storaged dumpstate:fifo_file write;
-
-###
-### neverallow
-###
-neverallow storaged domain:process ptrace;
-neverallow storaged self:capability_class_set *;
diff --git a/microdroid/sepolicy/system/private/su.te b/microdroid/sepolicy/system/private/su.te
index 587f449..55b7308 100644
--- a/microdroid/sepolicy/system/private/su.te
+++ b/microdroid/sepolicy/system/private/su.te
@@ -2,28 +2,10 @@
typeattribute su coredomain;
domain_auto_trans(shell, su_exec, su)
- # Allow dumpstate to call su on userdebug / eng builds to collect
- # additional information.
- domain_auto_trans(dumpstate, su_exec, su)
-
- # Make sure that dumpstate runs the same from the "su" domain as
- # from the "init" domain.
- domain_auto_trans(su, dumpstate_exec, dumpstate)
-
- # Put the incident command into its domain so it is the same on user, userdebug and eng.
- domain_auto_trans(su, incident_exec, incident)
-
- # Put the odrefresh command into its domain.
- domain_auto_trans(su, odrefresh_exec, odrefresh)
-
- # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
- domain_auto_trans(su, perfetto_exec, perfetto)
# su is also permissive to permit setenforce.
permissive su;
- app_domain(su)
-
# Do not audit accesses to keystore2 namespace for the su domain.
dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
diff --git a/microdroid/sepolicy/system/private/surfaceflinger.te b/microdroid/sepolicy/system/private/surfaceflinger.te
deleted file mode 100644
index 7a92bd4..0000000
--- a/microdroid/sepolicy/system/private/surfaceflinger.te
+++ /dev/null
@@ -1,148 +0,0 @@
-# surfaceflinger - display compositor service
-
-typeattribute surfaceflinger coredomain;
-
-type surfaceflinger_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(surfaceflinger)
-tmpfs_domain(surfaceflinger)
-
-typeattribute surfaceflinger mlstrustedsubject;
-typeattribute surfaceflinger display_service_server;
-
-read_runtime_log_tags(surfaceflinger)
-
-# Perform HwBinder IPC.
-hal_client_domain(surfaceflinger, hal_graphics_allocator)
-hal_client_domain(surfaceflinger, hal_graphics_composer)
-typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
-hal_client_domain(surfaceflinger, hal_codec2)
-hal_client_domain(surfaceflinger, hal_omx)
-hal_client_domain(surfaceflinger, hal_configstore)
-hal_client_domain(surfaceflinger, hal_power)
-hal_client_domain(surfaceflinger, hal_bufferhub)
-allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
-binder_call(surfaceflinger, bootanim)
-binder_call(surfaceflinger, system_server);
-binder_service(surfaceflinger)
-
-# Binder IPC to bu, presently runs in adbd domain.
-binder_call(surfaceflinger, adbd)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir r_dir_perms;
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Set properties.
-set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, bootanim_system_prop)
-set_prop(surfaceflinger, exported_system_prop)
-set_prop(surfaceflinger, exported3_system_prop)
-set_prop(surfaceflinger, ctl_bootanim_prop)
-set_prop(surfaceflinger, surfaceflinger_display_prop)
-
-# Get properties.
-get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
-
-# Allow writing surface traces to /data/misc/wmtrace.
-userdebug_or_eng(`
- allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
- allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
-')
-
-# Needed to register as a Perfetto producer.
-perfetto_producer(surfaceflinger)
-
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow surfaceflinger adbd:unix_stream_socket { read write getattr };
-
-# Allow a dumpstate triggered screenshot
-binder_call(surfaceflinger, dumpstate)
-binder_call(surfaceflinger, shell)
-r_dir_file(surfaceflinger, dumpstate)
-
-# media.player service
-
-# do not use add_service() as hal_graphics_composer_default may be the
-# provider as well
-#add_service(surfaceflinger, surfaceflinger_service)
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
-
-add_service(surfaceflinger, vrflinger_vsync_service)
-
-allow surfaceflinger mediaserver_service:service_manager find;
-allow surfaceflinger permission_service:service_manager find;
-allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger vr_manager_service:service_manager find;
-allow surfaceflinger window_service:service_manager find;
-allow surfaceflinger inputflinger_service:service_manager find;
-
-
-# allow self to set SCHED_FIFO
-allow surfaceflinger self:global_capability_class_set sys_nice;
-allow surfaceflinger proc_meminfo:file r_file_perms;
-r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, cgroup_v2)
-r_dir_file(surfaceflinger, system_file)
-allow surfaceflinger tmpfs:dir r_dir_perms;
-allow surfaceflinger system_server:fd use;
-allow surfaceflinger system_server:unix_stream_socket { read write };
-allow surfaceflinger ion_device:chr_file r_file_perms;
-allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
-
-# pdx IPC
-pdx_server(surfaceflinger, display_client)
-pdx_server(surfaceflinger, display_manager)
-pdx_server(surfaceflinger, display_screenshot)
-pdx_server(surfaceflinger, display_vsync)
-
-pdx_client(surfaceflinger, bufferhub_client)
-pdx_client(surfaceflinger, performance_client)
-
-# Allow supplying timestats statistics to statsd
-allow surfaceflinger stats_service:service_manager find;
-allow surfaceflinger statsmanager_service:service_manager find;
-# TODO(146461633): remove this once native pullers talk to StatsManagerService
-binder_call(surfaceflinger, statsd);
-
-# Allow pushing jank event atoms to statsd
-userdebug_or_eng(`
- unix_socket_send(surfaceflinger, statsdw, statsd)
-')
-
-# Surfaceflinger should not be reading default vendor-defined properties.
-dontaudit surfaceflinger vendor_default_prop:file read;
-
-###
-### Neverallow rules
-###
-### surfaceflinger should NEVER do any of this
-
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
-
-# b/68864350
-dontaudit surfaceflinger unlabeled:dir search;
diff --git a/microdroid/sepolicy/system/private/system_app.te b/microdroid/sepolicy/system/private/system_app.te
deleted file mode 100644
index 48d5f9d..0000000
--- a/microdroid/sepolicy/system/private/system_app.te
+++ /dev/null
@@ -1,184 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-typeattribute system_app coredomain, mlstrustedsubject;
-
-app_domain(system_app)
-net_domain(system_app)
-binder_service(system_app)
-
-# android.ui and system.ui
-allow system_app rootfs:dir getattr;
-
-# Read and write /data/data subdirectory.
-allow system_app system_app_data_file:dir create_dir_perms;
-allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-# Read and write to /data/misc/user.
-allow system_app misc_user_data_file:dir create_dir_perms;
-allow system_app misc_user_data_file:file create_file_perms;
-
-# Access to apex files stored on /data (b/136063500)
-# Needed so that Settings can access NOTICE files inside apex
-# files located in the assets/ directory.
-allow system_app apex_data_file:dir search;
-allow system_app staging_data_file:file r_file_perms;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Read icon file.
-allow system_app icon_file:file r_file_perms;
-
-# Write to properties
-set_prop(system_app, bluetooth_a2dp_offload_prop)
-set_prop(system_app, bluetooth_audio_hal_prop)
-set_prop(system_app, bluetooth_prop)
-set_prop(system_app, debug_prop)
-set_prop(system_app, system_prop)
-set_prop(system_app, exported_bluetooth_prop)
-set_prop(system_app, exported_system_prop)
-set_prop(system_app, exported3_system_prop)
-set_prop(system_app, logd_prop)
-set_prop(system_app, net_radio_prop)
-set_prop(system_app, usb_control_prop)
-set_prop(system_app, usb_prop)
-set_prop(system_app, log_tag_prop)
-userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
-auditallow system_app net_radio_prop:property_service set;
-auditallow system_app usb_control_prop:property_service set;
-auditallow system_app usb_prop:property_service set;
-# Allow Settings to enable Dynamic System Update
-set_prop(system_app, dynamic_system_prop)
-
-# ctl interface
-set_prop(system_app, ctl_default_prop)
-set_prop(system_app, ctl_bugreport_prop)
-
-# Allow developer settings to query gsid status
-get_prop(system_app, gsid_prop)
-
-# Create /data/anr/traces.txt.
-allow system_app anr_data_file:dir ra_dir_perms;
-allow system_app anr_data_file:file create_file_perms;
-
-# Settings need to access app name and icon from asec
-allow system_app asec_apk_file:file r_file_perms;
-
-# Allow system apps (like Settings) to interact with statsd
-binder_call(system_app, statsd)
-
-# Allow system apps to interact with incidentd
-binder_call(system_app, incidentd)
-
-# Allow system app to interact with Dumpstate HAL
-hal_client_domain(system_app, hal_dumpstate)
-
-allow system_app servicemanager:service_manager list;
-# TODO: scope this down? Too broad?
-allow system_app {
- service_manager_type
- -apex_service
- -dnsresolver_service
- -dumpstate_service
- -installd_service
- -iorapd_service
- -lpdump_service
- -netd_service
- -system_suspend_control_internal_service
- -system_suspend_control_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- -default_android_service
-}:service_manager find;
-# suppress denials for services system_app should not be accessing.
-dontaudit system_app {
- dnsresolver_service
- dumpstate_service
- installd_service
- iorapd_service
- netd_service
- virtual_touchpad_service
- vold_service
- vr_hwc_service
-}:service_manager find;
-
-# suppress denials caused by debugfs_tracing
-dontaudit system_app debugfs_tracing:file rw_file_perms;
-
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
-allow system_app keystore:keystore2_key {
- delete
- get_info
- grant
- rebind
- update
- use
-};
-
-# Allow Settings to manage WI-FI keys.
-allow system_app wifi_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# settings app reads /proc/version
-allow system_app {
- proc_version
-}:file r_file_perms;
-
-# Settings app writes to /dev/stune/foreground/tasks.
-allow system_app cgroup:file w_file_perms;
-allow system_app cgroup_v2:file w_file_perms;
-
-control_logd(system_app)
-read_runtime_log_tags(system_app)
-get_prop(system_app, device_logging_prop)
-
-# allow system apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow system_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# Settings app reads ro.oem_unlock_supported
-get_prop(system_app, oem_unlock_prop)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as system_app
-neverallow system_app fuse_device:chr_file *;
-
-# Apps which run as UID=system should not rely on any attacker controlled
-# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
-# allow writes to files passed by file descriptor to support dumpstate and
-# bug reports, but not reads.
-neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
-neverallow system_app shell_data_file:file { open read ioctl lock };
diff --git a/microdroid/sepolicy/system/private/system_server.te b/microdroid/sepolicy/system/private/system_server.te
deleted file mode 100644
index 0e57739..0000000
--- a/microdroid/sepolicy/system/private/system_server.te
+++ /dev/null
@@ -1,1403 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-
-typeattribute system_server coredomain;
-typeattribute system_server mlstrustedsubject;
-typeattribute system_server scheduler_service_server;
-typeattribute system_server sensor_service_server;
-typeattribute system_server stats_service_server;
-
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
-userfaultfd_use(system_server)
-
-# Create a socket for connections from crash_dump.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
-
-# Create a socket for connections from zygotes.
-type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
-
-allow system_server zygote_tmpfs:file read;
-allow system_server appdomain_tmpfs:file { getattr map read write };
-
-# For Incremental Service to check if incfs is available
-allow system_server proc_filesystems:file r_file_perms;
-
-# To create files, get permission to fill blocks, and configure Incremental File System
-allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl {
- INCFS_IOCTL_CREATE_FILE
- INCFS_IOCTL_CREATE_MAPPED_FILE
- INCFS_IOCTL_PERMIT_FILL
- INCFS_IOCTL_GET_READ_TIMEOUTS
- INCFS_IOCTL_SET_READ_TIMEOUTS
- INCFS_IOCTL_GET_LAST_READ_ERROR
-};
-
-# To get signature of an APK installed on Incremental File System, and fill in data
-# blocks and get the filesystem state
-allowxperm system_server apk_data_file:file ioctl {
- INCFS_IOCTL_READ_SIGNATURE
- INCFS_IOCTL_FILL_BLOCKS
- INCFS_IOCTL_GET_FILLED_BLOCKS
- INCFS_IOCTL_GET_BLOCK_COUNT
- F2FS_IOC_GET_FEATURES
- F2FS_IOC_GET_COMPRESS_BLOCKS
- F2FS_IOC_COMPRESS_FILE
- F2FS_IOC_DECOMPRESS_FILE
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
- F2FS_IOC_RESERVE_COMPRESS_BLOCKS
- FS_IOC_SETFLAGS
- FS_IOC_GETFLAGS
-};
-
-allowxperm system_server apk_tmp_file:file ioctl {
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
- FS_IOC_GETFLAGS
-};
-
-# For Incremental Service to check incfs metrics
-allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
-
-# For f2fs-compression support
-allow system_server sysfs_fs_f2fs:dir r_dir_perms;
-allow system_server sysfs_fs_f2fs:file r_file_perms;
-
-# For art.
-allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
-allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
-
-# When running system server under --invoke-with, we'll try to load the boot image under the
-# system server domain, following links to the system partition.
-with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
-
-# /data/resource-cache
-allow system_server resourcecache_data_file:file r_file_perms;
-allow system_server resourcecache_data_file:dir r_dir_perms;
-
-# ptrace to processes in the same domain for debugging crashes.
-allow system_server self:process ptrace;
-
-# Child of the zygote.
-allow system_server zygote:fd use;
-allow system_server zygote:process sigchld;
-
-# May kill zygote on crashes.
-allow system_server {
- app_zygote
- crash_dump
- webview_zygote
- zygote
-}:process { sigkill signull };
-
-# Read /system/bin/app_process.
-allow system_server zygote_exec:file r_file_perms;
-
-# Needed to close the zygote socket, which involves getopt / getattr
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# system server gets network and bluetooth permissions.
-net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
-bluetooth_domain(system_server)
-
-# Allow setup of tcp keepalive offload. This gives system_server the permission to
-# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values allowlisted in
-# public/domain.te.
-allow system_server appdomain:tcp_socket ioctl;
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system_server self:global_capability_class_set {
- ipc_lock
- kill
- net_admin
- net_bind_service
- net_broadcast
- net_raw
- sys_boot
- sys_nice
- sys_ptrace
- sys_time
- sys_tty_config
-};
-
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
-# Allow alarmtimers to be set
-allow system_server self:global_capability2_class_set wake_alarm;
-
-# Create and share netlink_netfilter_sockets for tetheroffload.
-allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-
-# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms_no_ioctl;
-allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# libvintf reads the kernel config to verify vendor interface compatibility.
-allow system_server config_gz:file { read open };
-
-# Use generic "sockets" where the address family is not known
-# to the kernel. The ioctl permission is specifically omitted here, but may
-# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
-
-# Set and get routes directly via netlink.
-allow system_server self:netlink_route_socket nlmsg_write;
-
-# Kill apps.
-allow system_server appdomain:process { getpgid sigkill signal };
-# signull allowed for kill(pid, 0) existence test.
-allow system_server appdomain:process { signull };
-
-# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
-allow system_server audioserver:process { getsched setsched };
-allow system_server hal_audio:process { getsched setsched };
-allow system_server hal_bluetooth:process { getsched setsched };
-allow system_server hal_codec2_server:process { getsched setsched };
-allow system_server hal_omx_server:process { getsched setsched };
-allow system_server mediaswcodec:process { getsched setsched };
-allow system_server cameraserver:process { getsched setsched };
-allow system_server hal_camera:process { getsched setsched };
-allow system_server mediaserver:process { getsched setsched };
-allow system_server bootanim:process { getsched setsched };
-
-# Set scheduling info for psi monitor thread.
-# TODO: delete this line b/131761776
-allow system_server kernel:process { getsched setsched };
-
-# Allow system_server to write to /proc/<pid>/*
-allow system_server domain:file w_file_perms;
-
-# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
-# within system_server to keep track of memory and CPU usage for
-# all processes on the device. In addition, /proc/pid files access is needed
-# for dumping stack traces of native processes.
-r_dir_file(system_server, domain)
-
-# Write /proc/uid_cputime/remove_uid_range.
-allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
-
-# Write /proc/uid_procstat/set.
-allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
-
-# Write to /proc/sysrq-trigger.
-allow system_server proc_sysrq:file rw_file_perms;
-
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
-# Read /sys/kernel/debug/wakeup_sources.
-no_debugfs_restriction(`
- allow system_server debugfs_wakeup_sources:file r_file_perms;
-')
-
-# Read /sys/kernel/ion/*.
-allow system_server sysfs_ion:file r_file_perms;
-
-# Read /sys/kernel/dma_heap/*.
-allow system_server sysfs_dma_heap:file r_file_perms;
-
-# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
-allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
-allow system_server sysfs_dmabuf_stats:file r_file_perms;
-
-# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
-# for dumpsys meminfo
-allow system_server dmabuf_heap_device:dir r_dir_perms;
-
-# The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms_no_ioctl;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms_no_ioctl;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
-unix_socket_connect(system_server, uncrypt, uncrypt)
-
-# Allow system_server to write to statsd.
-unix_socket_send(system_server, statsdw, statsd)
-
-# Communicate over a socket created by surfaceflinger.
-allow system_server surfaceflinger:unix_stream_socket { read write setopt };
-
-allow system_server gpuservice:unix_stream_socket { read write setopt };
-
-# Communicate over a socket created by webview_zygote.
-allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
-
-# Communicate over a socket created by app_zygote.
-allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
-
-# Perform Binder IPC.
-binder_use(system_server)
-binder_call(system_server, appdomain)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, dumpstate)
-binder_call(system_server, fingerprintd)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, gpuservice)
-binder_call(system_server, idmap)
-binder_call(system_server, installd)
-binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
-binder_call(system_server, netd)
-userdebug_or_eng(`binder_call(system_server, profcollectd)')
-binder_call(system_server, statsd)
-binder_call(system_server, storaged)
-binder_call(system_server, update_engine)
-binder_call(system_server, vold)
-binder_call(system_server, wificond)
-binder_call(system_server, wpantund)
-binder_service(system_server)
-
-# Use HALs
-hal_client_domain(system_server, hal_allocator)
-hal_client_domain(system_server, hal_audio)
-hal_client_domain(system_server, hal_authsecret)
-hal_client_domain(system_server, hal_broadcastradio)
-hal_client_domain(system_server, hal_codec2)
-hal_client_domain(system_server, hal_configstore)
-hal_client_domain(system_server, hal_contexthub)
-hal_client_domain(system_server, hal_face)
-hal_client_domain(system_server, hal_fingerprint)
-hal_client_domain(system_server, hal_gnss)
-hal_client_domain(system_server, hal_graphics_allocator)
-hal_client_domain(system_server, hal_health)
-hal_client_domain(system_server, hal_input_classifier)
-hal_client_domain(system_server, hal_ir)
-hal_client_domain(system_server, hal_light)
-hal_client_domain(system_server, hal_memtrack)
-hal_client_domain(system_server, hal_neuralnetworks)
-hal_client_domain(system_server, hal_oemlock)
-hal_client_domain(system_server, hal_omx)
-hal_client_domain(system_server, hal_power)
-hal_client_domain(system_server, hal_power_stats)
-hal_client_domain(system_server, hal_rebootescrow)
-hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_tetheroffload)
-hal_client_domain(system_server, hal_thermal)
-hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_input)
-hal_client_domain(system_server, hal_usb)
-hal_client_domain(system_server, hal_usb_gadget)
-hal_client_domain(system_server, hal_vibrator)
-hal_client_domain(system_server, hal_vr)
-hal_client_domain(system_server, hal_weaver)
-hal_client_domain(system_server, hal_wifi)
-hal_client_domain(system_server, hal_wifi_hostapd)
-hal_client_domain(system_server, hal_wifi_supplicant)
-# The bootctl is a pass through HAL mode under recovery mode. So we skip the
-# permission for recovery in order not to give system server the access to
-# the low level block devices.
-not_recovery(`hal_client_domain(system_server, hal_bootctl)')
-
-# Talk with graphics composer fences
-allow system_server hal_graphics_composer:fd use;
-
-# Use RenderScript always-passthrough HAL
-allow system_server hal_renderscript_hwservice:hwservice_manager find;
-allow system_server same_process_hal_file:file { execute read open getattr map };
-
-# Talk to tombstoned to get ANR traces.
-unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
-
-# List HAL interfaces to get ANR traces.
-allow system_server hwservicemanager:hwservice_manager list;
-allow system_server servicemanager:service_manager list;
-
-# Send signals to trigger ANR traces.
-allow system_server {
- # This is derived from the list that system server defines as interesting native processes
- # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- audioserver
- cameraserver
- drmserver
- gpuservice
- inputflinger
- keystore
- mediadrmserver
- mediaextractor
- mediametrics
- mediaserver
- mediaswcodec
- mediatranscoding
- mediatuner
- netd
- sdcardd
- statsd
- surfaceflinger
- vold
-
- # This list comes from HAL_INTERFACES_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_codec2_server
- hal_face_server
- hal_fingerprint_server
- hal_gnss_server
- hal_graphics_allocator_server
- hal_graphics_composer_server
- hal_health_server
- hal_light_server
- hal_neuralnetworks_server
- hal_omx_server
- hal_power_stats_server
- hal_sensors_server
- hal_vr_server
- system_suspend_server
-}:process { signal };
-
-# Use sockets received over binder from various services.
-allow system_server audioserver:tcp_socket rw_socket_perms;
-allow system_server audioserver:udp_socket rw_socket_perms;
-allow system_server mediaserver:tcp_socket rw_socket_perms;
-allow system_server mediaserver:udp_socket rw_socket_perms;
-
-# Use sockets received over binder from various services.
-allow system_server mediadrmserver:tcp_socket rw_socket_perms;
-allow system_server mediadrmserver:udp_socket rw_socket_perms;
-
-userdebug_or_eng(`perfetto_producer({ system_server })')
-
-# Get file context
-allow system_server file_contexts_file:file r_file_perms;
-# access for mac_permissions
-allow system_server mac_perms_file: file r_file_perms;
-# Check SELinux permissions.
-selinux_check_access(system_server)
-
-allow system_server sysfs_type:dir search;
-
-r_dir_file(system_server, sysfs_android_usb)
-allow system_server sysfs_android_usb:file w_file_perms;
-
-allow system_server sysfs_extcon:dir r_dir_perms;
-
-r_dir_file(system_server, sysfs_ipv4)
-allow system_server sysfs_ipv4:file w_file_perms;
-
-r_dir_file(system_server, sysfs_rtc)
-r_dir_file(system_server, sysfs_switch)
-
-allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_power:dir search;
-allow system_server sysfs_power:file rw_file_perms;
-allow system_server sysfs_thermal:dir search;
-allow system_server sysfs_thermal:file r_file_perms;
-allow system_server sysfs_uhid:dir r_dir_perms;
-allow system_server sysfs_uhid:file rw_file_perms;
-
-# TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file { write append };
-
-# TODO: added to match above sysfs rule. Remove me?
-allow system_server sysfs_usb:file w_file_perms;
-
-# Access devices.
-allow system_server device:dir r_dir_perms;
-allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server input_device:dir r_dir_perms;
-allow system_server input_device:chr_file rw_file_perms;
-allow system_server tty_device:chr_file rw_file_perms;
-allow system_server usbaccessory_device:chr_file rw_file_perms;
-allow system_server video_device:dir r_dir_perms;
-allow system_server video_device:chr_file rw_file_perms;
-allow system_server adbd_socket:sock_file rw_file_perms;
-allow system_server rtc_device:chr_file rw_file_perms;
-allow system_server audio_device:dir r_dir_perms;
-
-# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
-allow system_server audio_device:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-
-# Manage data/ota_package
-allow system_server ota_package_file:dir rw_dir_perms;
-allow system_server ota_package_file:file create_file_perms;
-
-# Manage system data files.
-allow system_server system_data_file:dir create_dir_perms;
-allow system_server system_data_file:notdevfile_class_set create_file_perms;
-allow system_server packages_list_file:file create_file_perms;
-allow system_server keychain_data_file:dir create_dir_perms;
-allow system_server keychain_data_file:file create_file_perms;
-allow system_server keychain_data_file:lnk_file create_file_perms;
-
-# Manage /data/app.
-allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
-allow system_server apk_tmp_file:dir create_dir_perms;
-allow system_server apk_tmp_file:file create_file_perms;
-
-# Access input configuration files in the /vendor directory
-r_dir_file(system_server, vendor_keylayout_file)
-r_dir_file(system_server, vendor_keychars_file)
-r_dir_file(system_server, vendor_idc_file)
-
-# Access /vendor/{app,framework,overlay}
-r_dir_file(system_server, vendor_app_file)
-r_dir_file(system_server, vendor_framework_file)
-r_dir_file(system_server, vendor_overlay_file)
-
-# Manage /data/app-private.
-allow system_server apk_private_data_file:dir create_dir_perms;
-allow system_server apk_private_data_file:file create_file_perms;
-allow system_server apk_private_tmp_file:dir create_dir_perms;
-allow system_server apk_private_tmp_file:file create_file_perms;
-
-# Manage files within asec containers.
-allow system_server asec_apk_file:dir create_dir_perms;
-allow system_server asec_apk_file:file create_file_perms;
-allow system_server asec_public_file:file create_file_perms;
-
-# Manage /data/anr.
-#
-# TODO: Some of these permissions can be withdrawn once we've switched to the
-# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
-# the system_server should never need to create a new anr_data_file:file or write
-# to one, but it will still need to read and append to existing files.
-allow system_server anr_data_file:dir create_dir_perms;
-allow system_server anr_data_file:file create_file_perms;
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow system_server to connect and write to the tombstoned java trace socket in
-# order to dump its traces. Also allow the system server to write its traces to
-# dumpstate during bugreport capture and incidentd during incident collection.
-unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
-allow system_server tombstoned:fd use;
-allow system_server dumpstate:fifo_file append;
-allow system_server incidentd:fifo_file append;
-# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
-userdebug_or_eng(`
- allow system_server su:fifo_file append;
-')
-
-# Allow system_server to read pipes from incidentd (used to deliver incident reports
-# to dropbox)
-allow system_server incidentd:fifo_file read;
-
-# Read /data/misc/incidents - only read. The fd will be sent over binder,
-# with no DAC access to it, for dropbox to read.
-allow system_server incident_data_file:file read;
-
-# Manage /data/misc/prereboot.
-allow system_server prereboot_data_file:dir rw_dir_perms;
-allow system_server prereboot_data_file:file create_file_perms;
-
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
-# binder.
-allow system_server perfetto_traces_data_file:file read;
-allow system_server perfetto:fd use;
-
-# Manage /data/backup.
-allow system_server backup_data_file:dir create_dir_perms;
-allow system_server backup_data_file:file create_file_perms;
-
-# Write to /data/system/dropbox
-allow system_server dropbox_data_file:dir create_dir_perms;
-allow system_server dropbox_data_file:file create_file_perms;
-
-# Write to /data/system/heapdump
-allow system_server heapdump_data_file:dir rw_dir_perms;
-allow system_server heapdump_data_file:file create_file_perms;
-
-# Manage /data/misc/adb.
-allow system_server adb_keys_file:dir create_dir_perms;
-allow system_server adb_keys_file:file create_file_perms;
-
-# Manage /data/misc/appcompat.
-allow system_server appcompat_data_file:dir rw_dir_perms;
-allow system_server appcompat_data_file:file create_file_perms;
-
-# Manage /data/misc/emergencynumberdb
-allow system_server emergency_data_file:dir create_dir_perms;
-allow system_server emergency_data_file:file create_file_perms;
-
-# Manage /data/misc/network_watchlist
-allow system_server network_watchlist_data_file:dir create_dir_perms;
-allow system_server network_watchlist_data_file:file create_file_perms;
-
-# Manage /data/misc/sms.
-# TODO: Split into a separate type?
-allow system_server radio_data_file:dir create_dir_perms;
-allow system_server radio_data_file:file create_file_perms;
-
-# Manage /data/misc/systemkeys.
-allow system_server systemkeys_data_file:dir create_dir_perms;
-allow system_server systemkeys_data_file:file create_file_perms;
-
-# Manage /data/misc/textclassifier.
-allow system_server textclassifier_data_file:dir create_dir_perms;
-allow system_server textclassifier_data_file:file create_file_perms;
-
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Allow write access to be able to truncate tombstones.
-allow system_server tombstone_data_file:file write;
-
-# Manage /data/misc/vpn.
-allow system_server vpn_data_file:dir create_dir_perms;
-allow system_server vpn_data_file:file create_file_perms;
-
-# Manage /data/misc/wifi.
-allow system_server wifi_data_file:dir create_dir_perms;
-allow system_server wifi_data_file:file create_file_perms;
-
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
-# Manage /data/app-staging.
-allow system_server staging_data_file:dir create_dir_perms;
-allow system_server staging_data_file:file create_file_perms;
-
-# Manage /data/rollback.
-allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
-
-# Walk /data/data subdirectories.
-allow system_server app_data_file_type:dir { getattr read search };
-
-# Also permit for unlabeled /data/data subdirectories and
-# for unlabeled asec containers on upgrades from 4.2.
-allow system_server unlabeled:dir r_dir_perms;
-# Read pkg.apk file before it has been relabeled by vold.
-allow system_server unlabeled:file r_file_perms;
-
-# Populate com.android.providers.settings/databases/settings.db.
-allow system_server system_app_data_file:dir create_dir_perms;
-allow system_server system_app_data_file:file create_file_perms;
-
-# Receive and use open app data files passed over binder IPC.
-allow system_server app_data_file_type:file { getattr read write append map };
-
-# Access to /data/media for measuring disk usage.
-allow system_server media_rw_data_file:dir { search getattr open read };
-
-# Receive and use open /data/media files passed over binder IPC.
-# Also used for measuring disk usage.
-allow system_server media_rw_data_file:file { getattr read write append };
-
-# System server needs to setfscreate to packages_list_file when writing
-# /data/system/packages.list
-allow system_server system_server:process setfscreate;
-
-# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-# Allow PackageManager to:
-# 1. rename file from /data/app-staging folder to /data/app
-# 2. relabel files (linked to /data/rollback) under /data/app-staging
-# during staged apk/apex install.
-allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system_server system_data_file:file relabelfrom;
-allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms rename unlink };
-
-# Backup of wallpaper imagery uses temporary hard links to avoid data churn
-allow system_server { system_data_file wallpaper_file }:file link;
-
-# ShortcutManager icons
-allow system_server system_data_file:dir relabelfrom;
-allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
-allow system_server shortcut_manager_icons:file create_file_perms;
-
-# Manage ringtones.
-allow system_server ringtone_file:dir { create_dir_perms relabelto };
-allow system_server ringtone_file:file create_file_perms;
-
-# Relabel icon file.
-allow system_server icon_file:file relabelto;
-allow system_server icon_file:file { rw_file_perms unlink };
-
-# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
-allow system_server system_data_file:dir relabelfrom;
-
-# server_configurable_flags_data_file is used for storing server configurable flags which
-# have been reset during current booting. system_server needs to read the data to perform related
-# disaster recovery actions.
-allow system_server server_configurable_flags_data_file:dir r_dir_perms;
-allow system_server server_configurable_flags_data_file:file r_file_perms;
-
-# Property Service write
-set_prop(system_server, system_prop)
-set_prop(system_server, bootanim_system_prop)
-set_prop(system_server, exported_system_prop)
-set_prop(system_server, exported3_system_prop)
-set_prop(system_server, safemode_prop)
-set_prop(system_server, theme_prop)
-set_prop(system_server, dhcp_prop)
-set_prop(system_server, net_connectivity_prop)
-set_prop(system_server, net_radio_prop)
-set_prop(system_server, net_dns_prop)
-set_prop(system_server, usb_control_prop)
-set_prop(system_server, usb_prop)
-set_prop(system_server, debug_prop)
-set_prop(system_server, powerctl_prop)
-set_prop(system_server, fingerprint_prop)
-set_prop(system_server, device_logging_prop)
-set_prop(system_server, dumpstate_options_prop)
-set_prop(system_server, overlay_prop)
-set_prop(system_server, exported_overlay_prop)
-set_prop(system_server, pm_prop)
-set_prop(system_server, exported_pm_prop)
-set_prop(system_server, socket_hook_prop)
-set_prop(system_server, audio_prop)
-set_prop(system_server, boot_status_prop)
-set_prop(system_server, surfaceflinger_color_prop)
-set_prop(system_server, provisioned_prop)
-set_prop(system_server, retaildemo_prop)
-userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
-
-# ctl interface
-set_prop(system_server, ctl_default_prop)
-set_prop(system_server, ctl_bugreport_prop)
-set_prop(system_server, ctl_gsid_prop)
-
-# cppreopt property
-set_prop(system_server, cppreopt_prop)
-
-# server configurable flags properties
-set_prop(system_server, device_config_input_native_boot_prop)
-set_prop(system_server, device_config_netd_native_prop)
-set_prop(system_server, device_config_activity_manager_native_boot_prop)
-set_prop(system_server, device_config_runtime_native_boot_prop)
-set_prop(system_server, device_config_runtime_native_prop)
-set_prop(system_server, device_config_media_native_prop)
-set_prop(system_server, device_config_profcollect_native_boot_prop)
-set_prop(system_server, device_config_statsd_native_prop)
-set_prop(system_server, device_config_statsd_native_boot_prop)
-set_prop(system_server, device_config_storage_native_boot_prop)
-set_prop(system_server, device_config_swcodec_native_prop)
-set_prop(system_server, device_config_sys_traced_prop)
-set_prop(system_server, device_config_window_manager_native_boot_prop)
-set_prop(system_server, device_config_configuration_prop)
-set_prop(system_server, device_config_connectivity_prop)
-
-
-# Allow query ART device config properties
-get_prop(system_server, device_config_runtime_native_boot_prop)
-get_prop(system_server, device_config_runtime_native_prop)
-
-# BootReceiver to read ro.boot.bootreason
-get_prop(system_server, bootloader_boot_reason_prop)
-# PowerManager to read sys.boot.reason
-get_prop(system_server, system_boot_reason_prop)
-
-# Collect metrics on boot time created by init
-get_prop(system_server, boottime_prop)
-
-# Read device's serial number from system properties
-get_prop(system_server, serialno_prop)
-
-# Read/write the property which keeps track of whether this is the first start of system_server
-set_prop(system_server, firstboot_prop)
-
-# Audio service in system server can read audio config properties,
-# such as camera shutter enforcement
-get_prop(system_server, audio_config_prop)
-
-# system server reads this property to keep track of whether server configurable flags have been
-# reset during current boot.
-get_prop(system_server, device_config_reset_performed_prop)
-
-# Read/write the property that enables Test Harness Mode
-set_prop(system_server, test_harness_prop)
-
-# Read gsid.image_running.
-get_prop(system_server, gsid_prop)
-
-# Read the property that mocks an OTA
-get_prop(system_server, mock_ota_prop)
-
-# Read the property as feature flag for protecting apks with fs-verity.
-get_prop(system_server, apk_verity_prop)
-
-# Read wifi.interface
-get_prop(system_server, wifi_prop)
-
-# Read the vendor property that indicates if Incremental features is enabled
-get_prop(system_server, incremental_prop)
-
-# Read ro.zram. properties
-get_prop(system_server, zram_config_prop)
-
-# Read/write persist.sys.zram_enabled
-set_prop(system_server, zram_control_prop)
-
-# Read/write persist.sys.dalvik.vm.lib.2
-set_prop(system_server, dalvik_runtime_prop)
-
-# Read ro.control_privapp_permissions and ro.cp_system_other_odex
-get_prop(system_server, packagemanager_config_prop)
-
-# Read the net.464xlat.cellular.enabled property (written by init).
-get_prop(system_server, net_464xlat_fromvendor_prop)
-
-# Create a socket for connections from debuggerd.
-allow system_server system_ndebug_socket:sock_file create_file_perms;
-
-# Create a socket for connections from zygotes.
-allow system_server system_unsolzygote_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system_server cache_file:lnk_file r_file_perms;
-allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
-allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
-allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-
-allow system_server system_file:dir r_dir_perms;
-allow system_server system_file:lnk_file r_file_perms;
-
-# ART locks profile files.
-allow system_server system_file:file lock;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system_server gps_control:file rw_file_perms;
-
-# Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-
-# BackupManagerService needs to manipulate backup data files
-allow system_server cache_backup_file:dir rw_dir_perms;
-allow system_server cache_backup_file:file create_file_perms;
-# LocalTransport works inside /cache/backup
-allow system_server cache_private_backup_file:dir create_dir_perms;
-allow system_server cache_private_backup_file:file create_file_perms;
-
-# Allow system to talk to usb device
-allow system_server usb_device:chr_file rw_file_perms;
-allow system_server usb_device:dir r_dir_perms;
-
-# Read and delete files under /dev/fscklogs.
-r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
-
-# logd access, system_server inherit logd write socket
-# (urge is to deprecate this long term)
-allow system_server zygote:unix_dgram_socket write;
-
-# Read from log daemon.
-read_logd(system_server)
-read_runtime_log_tags(system_server)
-
-# Be consistent with DAC permissions. Allow system_server to write to
-# /sys/module/lowmemorykiller/parameters/adj
-# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow system_server pstorefs:dir r_dir_perms;
-allow system_server pstorefs:file r_file_perms;
-
-# /sys access
-allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file rw_file_perms;
-
-add_service(system_server, system_server_service);
-allow system_server audioserver_service:service_manager find;
-allow system_server authorization_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server cameraserver_service:service_manager find;
-allow system_server dataloader_manager_service:service_manager find;
-allow system_server dnsresolver_service:service_manager find;
-allow system_server drmserver_service:service_manager find;
-allow system_server dumpstate_service:service_manager find;
-allow system_server fingerprintd_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
-allow system_server gpu_service:service_manager find;
-allow system_server gsi_service:service_manager find;
-allow system_server idmap_service:service_manager find;
-allow system_server incident_service:service_manager find;
-allow system_server incremental_service:service_manager find;
-allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
-allow system_server keystore_maintenance_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server mediaserver_service:service_manager find;
-allow system_server mediametrics_service:service_manager find;
-allow system_server mediaextractor_service:service_manager find;
-allow system_server mediadrmserver_service:service_manager find;
-allow system_server mediatuner_service:service_manager find;
-allow system_server netd_service:service_manager find;
-allow system_server nfc_service:service_manager find;
-allow system_server radio_service:service_manager find;
-allow system_server stats_service:service_manager find;
-allow system_server storaged_service:service_manager find;
-allow system_server surfaceflinger_service:service_manager find;
-allow system_server update_engine_service:service_manager find;
-allow system_server vold_service:service_manager find;
-allow system_server wifinl80211_service:service_manager find;
-userdebug_or_eng(`
- allow system_server profcollectd_service:service_manager find;
-')
-
-add_service(system_server, batteryproperties_service)
-
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
-allow system_server keystore:keystore2 {
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- get_state
- lock
- reset
- unlock
-};
-
-allow system_server keystore:keystore2_key {
- delete
- use_dev_id
- grant
- get_info
- rebind
- update
- use
-};
-
-# Allow Wifi module to manage Wi-Fi keys.
-allow system_server wifi_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# Allow lock_settings service to manage RoR keys.
-allow system_server resume_on_reboot_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
-allow system_server locksettings_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-
-# Allow system server to search and write to the persistent factory reset
-# protection partition. This block device does not get wiped in a factory reset.
-allow system_server block_device:dir search;
-allow system_server frp_block_device:blk_file rw_file_perms;
-allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-
-# Create new process groups and clean up old cgroups
-allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir create_dir_perms;
-allow system_server cgroup_v2:file { r_file_perms setattr };
-
-# /oem access
-r_dir_file(system_server, oemfs)
-
-# Allow resolving per-user storage symlinks
-allow system_server { mnt_user_file storage_file }:dir { getattr search };
-allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
-
-# Allow statfs() on storage devices, which happens fast enough that
-# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
-
-# Traverse into expanded storage
-allow system_server mnt_expand_file:dir r_dir_perms;
-
-# Allow system process to relabel the fingerprint directory after mkdir
-# and delete the directory and files when no longer needed
-allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
-allow system_server fingerprintd_data_file:file { getattr unlink };
-
-userdebug_or_eng(`
- # Allow system server to create and write method traces in /data/misc/trace.
- allow system_server method_trace_data_file:dir w_dir_perms;
- allow system_server method_trace_data_file:file { create w_file_perms };
-
- # Allow system server to read dmesg
- allow system_server kernel:system syslog_read;
-
- # Allow writing and removing window traces in /data/misc/wmtrace.
- allow system_server wm_trace_data_file:dir rw_dir_perms;
- allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
-
- # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
- allow system_server accessibility_trace_data_file:dir rw_dir_perms;
- allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
-')
-
-# For AppFuse.
-allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:file { read write getattr };
-
-# For configuring sdcardfs
-allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open create unlink write };
-
-# Connect to adbd and use a socket transferred from it.
-# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# Read service.adb.tls.port, persist.adb.wifi. properties
-get_prop(system_server, adbd_prop)
-
-# Set persist.adb.tls_server.enable property
-set_prop(system_server, system_adbd_prop)
-
-# Allow invoking tools like "timeout"
-allow system_server toolbox_exec:file rx_file_perms;
-
-# Allow system process to setup and measure fs-verity
-allowxperm system_server apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
-# Postinstall
-#
-# For OTA dexopt, allow calls coming from postinstall.
-binder_call(system_server, postinstall)
-
-allow system_server postinstall:fifo_file write;
-allow system_server update_engine:fd use;
-allow system_server update_engine:fifo_file write;
-
-# Access to /data/preloads
-allow system_server preloads_data_file:file { r_file_perms unlink };
-allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow system_server preloads_media_file:file { r_file_perms unlink };
-allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-r_dir_file(system_server, cgroup)
-r_dir_file(system_server, cgroup_v2)
-allow system_server ion_device:chr_file r_file_perms;
-
-# Access to /dev/dma_heap/system
-allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
-# Access to /dev/dma_heap/system-secure
-allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_net_type)
-r_dir_file(system_server, proc_qtaguid_stat)
-allow system_server {
- proc_cmdline
- proc_loadavg
- proc_locks
- proc_meminfo
- proc_pagetypeinfo
- proc_pipe_conf
- proc_stat
- proc_uid_cputime_showstat
- proc_uid_io_stats
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_version
- proc_vmallocinfo
-}:file r_file_perms;
-
-allow system_server proc_uid_time_in_state:dir r_dir_perms;
-allow system_server proc_uid_cpupower:file r_file_perms;
-
-r_dir_file(system_server, rootfs)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow system_server debugfs_tracing_instances:dir search;
-allow system_server debugfs_wifi_tracing:dir search;
-allow system_server debugfs_wifi_tracing:file rw_file_perms;
-
-# Allow BootReceiver to watch trace error_report events.
-allow system_server debugfs_bootreceiver_tracing:dir search;
-allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
-
-# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
-allow system_server debugfs_tracing:file r_file_perms;
-
-# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
-# asanwrapper.
-with_asan(`
- allow system_server shell_exec:file rx_file_perms;
- allow system_server asanwrapper_exec:file rx_file_perms;
- allow system_server zygote_exec:file rx_file_perms;
-')
-
-# allow system_server to read the eBPF maps that stores the traffic stats information and update
-# the map after snapshot is recorded, and to read, update and run the maps and programs used for
-# time in state accounting
-allow system_server fs_bpf:dir search;
-allow system_server fs_bpf:file { read write };
-allow system_server bpfloader:bpf { map_read map_write prog_run };
-
-# ART Profiles.
-# Allow system_server to open profile snapshots for read.
-# System server never reads the actual content. It passes the descriptor to
-# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
-allow system_server user_profile_data_file:file { getattr open read };
-
-# System server may dump profile data for debuggable apps in the /data/misc/profman.
-# As such it needs to be able create files but it should never read from them.
-allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
-allow system_server profman_dump_data_file:dir w_dir_perms;
-
-# On userdebug build we may profile system server. Allow it to write and create its own profile.
-userdebug_or_eng(`
- allow system_server user_profile_data_file:file create_file_perms;
-')
-# Allow system server to load JVMTI agents under control of a property.
-get_prop(system_server,system_jvmti_agent_prop)
-
-# UsbDeviceManager uses /dev/usb-ffs
-allow system_server functionfs:dir search;
-allow system_server functionfs:file rw_file_perms;
-
-# system_server contains time / time zone detection logic so reads the associated properties.
-get_prop(system_server, time_prop)
-
-# system_server reads this property to know it should expect the lmkd sends notification to it
-# on low memory kills.
-get_prop(system_server, system_lmk_prop)
-
-get_prop(system_server, wifi_config_prop)
-
-# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
-allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
-
-# Watchdog prints debugging log to /dev/kmsg_debug.
-userdebug_or_eng(`
- allow system_server kmsg_debug_device:chr_file { open append getattr };
-')
-# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
-get_prop(system_server, framework_watchdog_config_prop)
-
-
-# Font files are written by system server
-allow system_server font_data_file:file create_file_perms;
-allow system_server font_data_file:dir create_dir_perms;
-# Allow system process to setup fs-verity for font files
-allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
-
-###
-### Neverallow rules
-###
-### system_server should NEVER do any of this
-
-# Do not allow opening files from external storage as unsafe ejection
-# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
-
-# system server should never be operating on zygote spawned app data
-# files directly. Rather, they should always be passed via a
-# file descriptor.
-# Exclude those types that system_server needs to open directly.
-neverallow system_server {
- app_data_file_type
- -system_app_data_file
- -radio_data_file
-}:file { open create unlink link };
-
-# Forking and execing is inherently dangerous and racy. See, for
-# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
-# Prevent the addition of new file execs to stop the problem from
-# getting worse. b/28035297
-neverallow system_server {
- file_type
- -toolbox_exec
- -logcat_exec
- with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
-}:file execute_no_trans;
-
-# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
-neverallow system_server *:process dyntransition;
-
-# Only allow crash_dump to connect to system_ndebug_socket.
-neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
-
-# Only allow zygotes to connect to system_unsolzygote_socket.
-neverallow {
- domain
- -init
- -system_server
- -zygote
- -app_zygote
- -webview_zygote
-} system_unsolzygote_socket:sock_file { open write };
-
-# Only allow init, system_server, flags_health_check to set properties for server configurable flags
-neverallow {
- domain
- -init
- -system_server
- -flags_health_check
-} {
- device_config_activity_manager_native_boot_prop
- device_config_connectivity_prop
- device_config_input_native_boot_prop
- device_config_netd_native_prop
- device_config_runtime_native_boot_prop
- device_config_runtime_native_prop
- device_config_media_native_prop
- device_config_storage_native_boot_prop
- device_config_sys_traced_prop
- device_config_swcodec_native_prop
- device_config_window_manager_native_boot_prop
-}:property_service set;
-
-# system_server should never be executing dex2oat. This is either
-# a bug (for example, bug 16317188), or represents an attempt by
-# system server to dynamically load a dex file, something we do not
-# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
-
-# system_server should never execute or load executable shared libraries
-# in /data. Executable files in /data are a persistence vector.
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-neverallow system_server data_file_type:file no_x_file_perms;
-
-# The only block device system_server should be accessing is
-# the frp_block_device. This helps avoid a system_server to root
-# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
-
-# system_server should never use JIT functionality
-# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
-# in the section titled "A Short ROP Chain" for why.
-# However, in emulator builds without OpenGL passthrough, we use software
-# rendering via SwiftShader, which requires JIT support. These builds are
-# never shipped to users.
-ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
- `allow system_server self:process execmem;',
- `neverallow system_server self:process execmem;')
-neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow system_server system_server_tmpfs:file execute;
-
-# Resources handed off by system_server_startup
-allow system_server system_server_startup:fd use;
-allow system_server system_server_startup_tmpfs:file { read write map };
-allow system_server system_server_startup:unix_dgram_socket write;
-
-# Allow system server to communicate to apexd
-allow system_server apex_service:service_manager find;
-allow system_server apexd:binder call;
-
-# Allow system server to scan /apex for flattened APEXes
-allow system_server apex_mnt_dir:dir r_dir_perms;
-
-# Allow system server to read /apex/apex-info-list.xml
-allow system_server apex_info_file:file r_file_perms;
-
-# Allow system server to communicate to system-suspend's control interface
-allow system_server system_suspend_control_internal_service:service_manager find;
-allow system_server system_suspend_control_service:service_manager find;
-binder_call(system_server, system_suspend)
-binder_call(system_suspend, system_server)
-
-# Allow system server to communicate to system-suspend's wakelock interface
-wakelock_use(system_server)
-
-# Allow the system server to read files under /data/apex. The system_server
-# needs these privileges to compare file signatures while processing installs.
-#
-# Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir { getattr search };
-allow system_server apex_data_file:file r_file_perms;
-
-# Allow the system server to read files under /vendor/apex. This is where
-# vendor APEX packages might be installed and system_server needs to parse
-# these packages to inspect the signatures and other metadata.
-allow system_server vendor_apex_file:dir { getattr search };
-allow system_server vendor_apex_file:file r_file_perms;
-
-# Allow the system server to manage relevant apex module data files.
-allow system_server apex_module_data_file:dir { getattr search };
-allow system_server apex_appsearch_data_file:dir create_dir_perms;
-allow system_server apex_appsearch_data_file:file create_file_perms;
-allow system_server apex_permission_data_file:dir create_dir_perms;
-allow system_server apex_permission_data_file:file create_file_perms;
-allow system_server apex_scheduling_data_file:dir create_dir_perms;
-allow system_server apex_scheduling_data_file:file create_file_perms;
-allow system_server apex_wifi_data_file:dir create_dir_perms;
-allow system_server apex_wifi_data_file:file create_file_perms;
-
-# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
-# communicate which slots are available for use.
-allow system_server metadata_file:dir search;
-allow system_server password_slot_metadata_file:dir rw_dir_perms;
-allow system_server password_slot_metadata_file:file create_file_perms;
-
-allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
-allow system_server userspace_reboot_metadata_file:file create_file_perms;
-
-# Allow system server rw access to files in /metadata/staged-install folder
-allow system_server staged_install_file:dir rw_dir_perms;
-allow system_server staged_install_file:file create_file_perms;
-
-allow system_server watchdog_metadata_file:dir rw_dir_perms;
-allow system_server watchdog_metadata_file:file create_file_perms;
-
-allow system_server gsi_persistent_data_file:dir rw_dir_perms;
-allow system_server gsi_persistent_data_file:file create_file_perms;
-
-# Allow system server read and remove files under /data/misc/odrefresh
-allow system_server odrefresh_data_file:dir rw_dir_perms;
-allow system_server odrefresh_data_file:file { r_file_perms unlink };
-
-# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
-allow system_server surfaceflinger_exec:file r_file_perms;
-
-# Allow init to set sysprop used to compute stats about userspace reboot.
-set_prop(system_server, userspace_reboot_log_prop)
-
-# JVMTI agent settings are only readable from the system server.
-neverallow {
- domain
- -system_server
- -dumpstate
- -init
- -vendor_init
-} {
- system_jvmti_agent_prop
-}:file no_rw_file_perms;
-
-# Read/Write /proc/pressure/memory
-allow system_server proc_pressure_mem:file rw_file_perms;
-
-# dexoptanalyzer is currently used only for secondary dex files which
-# system_server should never access.
-neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-
-# No ptracing others
-neverallow system_server { domain -system_server }:process ptrace;
-
-# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
-# file read access. However, that is now unnecessary (b/34951864)
-neverallow system_server system_server:global_capability_class_set sys_resource;
-
-# Only system_server/init should access /metadata/password_slots.
-neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
-neverallow {
- domain
- -init
- -system_server
-} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
-
-# Only system_server/init should access /metadata/userspacereboot.
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
-
-# Allow systemserver to read/write the invalidation property
-set_prop(system_server, binder_cache_system_server_prop)
-neverallow { domain -system_server -init }
- binder_cache_system_server_prop:property_service set;
-
-# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
-# system_server cannot use this access to read perf event data like process stacks.
-allow system_server self:perf_event { open write cpu kernel };
-neverallow system_server self:perf_event ~{ open write cpu kernel };
-
-# Do not allow any domain other than init or system server to set the property
-neverallow { domain -init -system_server } socket_hook_prop:property_service set;
-
-neverallow { domain -init -system_server } boot_status_prop:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -system_server
-} wifi_config_prop:file no_rw_file_perms;
-
-# Only allow system server to write uhid sysfs files
-neverallow {
- domain
- -init
- -system_server
- -ueventd
- -vendor_init
-} sysfs_uhid:file no_w_file_perms;
-
-# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
-# can be accessed by system_server only (b/143717177)
-# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
-# interface
-neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
-
-# Only system server can write the font files.
-neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
-neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
diff --git a/microdroid/sepolicy/system/private/system_server_startup.te b/microdroid/sepolicy/system/private/system_server_startup.te
deleted file mode 100644
index 3301304..0000000
--- a/microdroid/sepolicy/system/private/system_server_startup.te
+++ /dev/null
@@ -1,20 +0,0 @@
-type system_server_startup, domain, coredomain;
-type system_server_startup_tmpfs, file_type;
-
-tmpfs_domain(system_server_startup)
-
-# Create JIT memory
-allow system_server_startup self:process execmem;
-allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
-
-# Allow system_server_startup to run setcon() and enter the
-# system_server domain
-allow system_server_startup self:process setcurrent;
-allow system_server_startup system_server:process dyntransition;
-
-# Child of the zygote.
-allow system_server_startup zygote:process sigchld;
-
-# Allow query ART device config properties
-get_prop(system_server_startup, device_config_runtime_native_boot_prop)
-get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/microdroid/sepolicy/system/private/system_suspend.te b/microdroid/sepolicy/system/private/system_suspend.te
deleted file mode 100644
index caf8955..0000000
--- a/microdroid/sepolicy/system/private/system_suspend.te
+++ /dev/null
@@ -1,38 +0,0 @@
-type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
-
-type system_suspend_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(system_suspend)
-
-# To serve ISuspendControlService.
-binder_use(system_suspend)
-add_service(system_suspend, system_suspend_control_service)
-
-# Access to /sys/power/{ wakeup_count, state } suspend interface.
-allow system_suspend sysfs_power:file rw_file_perms;
-
-# Access to wakeup, suspend stats, and wakeup reasons.
-r_dir_file(system_suspend, sysfs_suspend_stats)
-r_dir_file(system_suspend, sysfs_wakeup)
-r_dir_file(system_suspend, sysfs_wakeup_reasons)
-# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
-allow system_suspend sysfs_type:dir search;
-
-# Access to suspend_hal system properties
-get_prop(system_suspend, suspend_prop)
-
-# To call BTAA registered callbacks
-allow system_suspend bluetooth:binder call;
-
-# For adding `dumpsys syspend_control` output to bugreport
-allow system_suspend dumpstate:fd use;
-allow system_suspend dumpstate:fifo_file write;
-
-neverallow {
- domain
- -atrace # tracing
- -bluetooth # support Bluetooth activity attribution (BTAA)
- -dumpstate # bug reports
- -system_suspend # implements system_suspend_control_service
- -system_server # configures system_suspend via ISuspendControlService
- -traceur_app # tracing
-} system_suspend_control_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/technical_debt.cil b/microdroid/sepolicy/system/private/technical_debt.cil
deleted file mode 100644
index 9b3e3c6..0000000
--- a/microdroid/sepolicy/system/private/technical_debt.cil
+++ /dev/null
@@ -1,71 +0,0 @@
-; THIS IS A WORKAROUND for the current limitations of the module policy language
-; This should be used sparingly until we figure out a saner way to achieve the
-; stuff below, for example, by improving typeattribute statement of module
-; language.
-;
-; NOTE: This file has no effect on recovery policy.
-
-; Apps, except isolated apps, are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_allocator_client;
-; typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
-(typeattributeset halclientdomain (hal_allocator_client))
-
-; Apps, except isolated apps, are clients of OMX-related services
-; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Codec2-related services
-; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Drm-related services
-; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Configstore HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Graphics Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
-(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Cas HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
-
-; Domains hosting Camera HAL implementations are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute hal_camera hal_allocator_client;
-(typeattributeset hal_allocator_client (hal_camera))
-
-; Apps, except isolated apps, are clients of Neuralnetworks HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
-(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
-
-; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
-; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute untrusted_app_visible_hwservice untrusted_app_visible_hwservice_violators;
-; typeattribute untrusted_app_visible_halserver untrusted_app_visible_halserver_violators;
-(typeattribute untrusted_app_visible_hwservice)
-(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
-(typeattribute untrusted_app_visible_halserver)
-(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
-
-; Apps, except isolated apps, are clients of BufferHub HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
-
-; Properties having both system_property_type and vendor_property_type are illegal
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
-(typeattribute system_and_vendor_property_type)
-(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
diff --git a/microdroid/sepolicy/system/private/tombstoned.te b/microdroid/sepolicy/system/private/tombstoned.te
index b6dfd1e..2567a23 100644
--- a/microdroid/sepolicy/system/private/tombstoned.te
+++ b/microdroid/sepolicy/system/private/tombstoned.te
@@ -2,12 +2,11 @@
init_daemon_domain(tombstoned)
-get_prop(tombstoned, tombstone_config_prop)
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -tombstoned
-} tombstone_config_prop:file no_rw_file_perms;
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
diff --git a/microdroid/sepolicy/system/private/traced.te b/microdroid/sepolicy/system/private/traced.te
deleted file mode 100644
index 6e3ad46..0000000
--- a/microdroid/sepolicy/system/private/traced.te
+++ /dev/null
@@ -1,118 +0,0 @@
-# Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
-type traced_exec, system_file_type, exec_type, file_type;
-
-# Allow init to exec the daemon.
-init_daemon_domain(traced)
-tmpfs_domain(traced)
-
-# Allow apps in other MLS contexts (for multi-user) to access
-# share memory buffers created by traced.
-typeattribute traced_tmpfs mlstrustedobject;
-
-# Allow traced to start with a lower scheduling class and change
-# class accordingly to what defined in the config provided by
-# the privileged process that controls it.
-allow traced self:global_capability_class_set { sys_nice };
-
-# Allow to pass a file descriptor for the output trace from "perfetto" (the
-# cmdline client) and other shell binaries to traced and let traced write
-# directly into that (rather than returning the trace contents over the socket).
-allow traced perfetto:fd use;
-allow traced shell:fd use;
-allow traced shell:fifo_file { read write };
-
-# Allow the service to create new files within /data/misc/perfetto-traces.
-allow traced perfetto_traces_data_file:file create_file_perms;
-allow traced perfetto_traces_data_file:dir rw_dir_perms;
-# ... and /data/misc/perfetto-traces/bugreport*
-allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
-allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-
-# Allow traceur to pass open file descriptors to traced, so traced can directly
-# write into the output file without doing roundtrips over IPC.
-allow traced traceur_app:fd use;
-allow traced trace_data_file:file { read write };
-
-# Allow perfetto to access the proxy service for notifying Traceur.
-allow traced tracingproxy_service:service_manager find;
-binder_use(traced);
-binder_call(traced, system_server);
-
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
-# Allow traced to use shared memory supplied by producers. Typically, traced
-# (i.e. the tracing service) creates the shared memory used for data transfer
-# from the producer. This rule allows an alternative scheme, where the producer
-# creates the shared memory, that is then adopted by traced (after validating
-# that it is appropriately sealed).
-# This list has to replicate the tmpfs domains of all applicable domains that
-# have perfetto_producer() macro applied to them.
-# perfetto_tmpfs excluded as it should never need to use the producer-supplied
-# shared memory scheme.
-allow traced {
- appdomain_tmpfs
- heapprofd_tmpfs
- surfaceflinger_tmpfs
- traced_probes_tmpfs
- userdebug_or_eng(`system_server_tmpfs')
-}:file { getattr map read write };
-
-# Allow traced to notify Traceur when a trace ends by setting the
-# sys.trace.trace_end_signal property.
-set_prop(traced, system_trace_prop)
-# Allow to lazily start producers.
-set_prop(traced, traced_lazy_prop)
-
-# Allow traced to talk to statsd for logging metrics.
-unix_socket_send(traced, statsdw, statsd)
-
-###
-### Neverallow rules
-###
-### traced should NEVER do any of this
-
-# Disallow mapping executable memory (execstack and exec are already disallowed
-# globally in domain.te).
-neverallow traced self:process execmem;
-
-# Block device access.
-neverallow traced dev_type:blk_file { read write };
-
-# ptrace any other process
-neverallow traced domain:process ptrace;
-
-# Disallows access to /data files, still allowing to write to file descriptors
-# passed through the socket.
-neverallow traced {
- data_file_type
- -perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
- -system_data_file
- -system_data_root_file
- # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
- # subsequent neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
-}:dir *;
-neverallow traced { system_data_file }:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced {
- data_file_type
- -zoneinfo_data_file
- -perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
- -trace_data_file
- with_native_coverage(`-method_trace_data_file')
-}:file ~write;
-
-# Only init is allowed to enter the traced domain via exec()
-neverallow { domain -init } traced:process transition;
-neverallow * traced:process dyntransition;
diff --git a/microdroid/sepolicy/system/private/traced_perf.te b/microdroid/sepolicy/system/private/traced_perf.te
deleted file mode 100644
index 96a7263..0000000
--- a/microdroid/sepolicy/system/private/traced_perf.te
+++ /dev/null
@@ -1,72 +0,0 @@
-# Performance profiler, backed by perf_event_open(2).
-# See go/perfetto-perf-android.
-typeattribute traced_perf coredomain;
-typeattribute traced_perf mlstrustedsubject;
-
-type traced_perf_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(traced_perf)
-perfetto_producer(traced_perf)
-
-# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
-# profiling, but retain samples only for profileable processes.
-# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
-# check (which would require a process:attach SELinux allow-rule).
-allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
-
-# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
-# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
-# sampled stacks, which requires opening the backing libraries/executables (as
-# symbols are usually not mapped into the process space). Not all such files
-# are world-readable, e.g. odex files that included user profiles during
-# profile-guided optimization.
-allow traced_perf self:capability { kill dac_read_search };
-
-# Allow reading /system/data/packages.list.
-allow traced_perf packages_list_file:file r_file_perms;
-
-# Allow reading files for stack unwinding and symbolization.
-r_dir_file(traced_perf, nativetest_data_file)
-r_dir_file(traced_perf, system_file_type)
-r_dir_file(traced_perf, apex_art_data_file)
-r_dir_file(traced_perf, apk_data_file)
-r_dir_file(traced_perf, dalvikcache_data_file)
-r_dir_file(traced_perf, vendor_file_type)
-
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
-userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
-allow traced_perf proc_kallsyms:file r_file_perms;
-
-# Allow reading tracefs files to get the format and numeric ids of tracepoints.
-allow traced_perf debugfs_tracing:dir r_dir_perms;
-allow traced_perf debugfs_tracing:file r_file_perms;
-userdebug_or_eng(`
- allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
- allow traced_perf debugfs_tracing_debug:file r_file_perms;
-')
-
-# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
-# domains that it cannot read.
-dontaudit traced_perf domain:dir { search getattr open };
-
-# Do not audit failures to signal a process, as there are cases when this is
-# expected (native processes on debug builds use the policy for enforcing which
-# processes are profileable).
-dontaudit traced_perf domain:process signal;
-
-# Never allow access to app data files
-neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
-
-# Never allow profiling highly privileged processes.
-never_profile_perf(`{
- bpfloader
- init
- kernel
- keystore
- llkd
- logd
- ueventd
- vendor_init
- vold
-}')
diff --git a/microdroid/sepolicy/system/private/traced_probes.te b/microdroid/sepolicy/system/private/traced_probes.te
deleted file mode 100644
index 730a45c..0000000
--- a/microdroid/sepolicy/system/private/traced_probes.te
+++ /dev/null
@@ -1,152 +0,0 @@
-# Perfetto tracing probes, has tracefs access.
-type traced_probes_exec, system_file_type, exec_type, file_type;
-type traced_probes_tmpfs, file_type;
-
-# Allow init to exec the daemon.
-init_daemon_domain(traced_probes)
-tmpfs_domain(traced_probes)
-
-# Write trace data to the Perfetto traced damon. This requires connecting to its
-# producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(traced_probes)
-
-# Allow traced_probes to access tracefs.
-allow traced_probes debugfs_tracing:dir r_dir_perms;
-allow traced_probes debugfs_tracing:file rw_file_perms;
-allow traced_probes debugfs_trace_marker:file getattr;
-allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
-
-# Allow traced_probes to access mm_events trace instance
-allow traced_probes debugfs_tracing_instances:dir search;
-allow traced_probes debugfs_mm_events_tracing:dir search;
-allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
-
-# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the denylist/allowlist.
-userdebug_or_eng(`
-allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
-allow traced_probes debugfs_tracing_debug:file rw_file_perms;
-')
-
-# Allow traced_probes to start with a higher scheduling class and then downgrade
-# itself.
-allow traced_probes self:global_capability_class_set { sys_nice };
-
-# Allow procfs access
-r_dir_file(traced_probes, domain)
-
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
-userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
-allow traced_probes proc_kallsyms:file r_file_perms;
-
-# Allow to read packages.list file.
-allow traced_probes packages_list_file:file r_file_perms;
-
-# Allow to log to kernel dmesg when starting / stopping ftrace.
-allow traced_probes kmsg_device:chr_file write;
-
-# Allow traced_probes to list the system partition.
-allow traced_probes system_file:dir { open read };
-
-# Allow traced_probes to list some of the data partition.
-allow traced_probes self:global_capability_class_set dac_read_search;
-
-allow traced_probes apk_data_file:dir { getattr open read search };
-allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
-allow traced_probes dalvikcache_data_file:dir { getattr open read search };
-userdebug_or_eng(`
-# search and getattr are granted via domain and coredomain, respectively.
-allow traced_probes system_data_file:dir { open read };
-')
-allow traced_probes system_app_data_file:dir { getattr open read search };
-allow traced_probes backup_data_file:dir { getattr open read search };
-allow traced_probes bootstat_data_file:dir { getattr open read search };
-allow traced_probes update_engine_data_file:dir { getattr open read search };
-allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
-
-# Allow traced_probes to run atrace. atrace pokes at system services to enable
-# their userspace TRACE macros.
-domain_auto_trans(traced_probes, atrace_exec, atrace);
-
-# Allow traced_probes to kill atrace on timeout.
-allow traced_probes atrace:process sigkill;
-
-# Allow traced_probes to access /proc files for system stats.
-# Note: trace data is NOT exposed to anything other than shell and privileged
-# system apps that have access to the traced consumer socket.
-allow traced_probes {
- proc_meminfo
- proc_vmstat
- proc_stat
-}:file r_file_perms;
-
-# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
-allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
-allow traced_probes sysfs_devfreq_cur:file r_file_perms;
-
-# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
-hal_client_domain(traced_probes, hal_health)
-hal_client_domain(traced_probes, hal_power_stats)
-
-# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
-hal_client_domain(traced_probes, hal_atrace)
-
-# On debug builds allow to ingest system logs into the trace.
-userdebug_or_eng(`read_logd(traced_probes)')
-
-# Allow traced_probes to talk to statsd for logging metrics.
-unix_socket_send(traced_probes, statsdw, statsd)
-
-###
-### Neverallow rules
-###
-### traced_probes should NEVER do any of this
-
-# Disallow mapping executable memory (execstack and exec are already disallowed
-# globally in domain.te).
-neverallow traced_probes self:process execmem;
-
-# Block device access.
-neverallow traced_probes dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow traced_probes domain:process ptrace;
-
-# Disallows access to /data files.
-neverallow traced_probes {
- data_file_type
- -apex_module_data_file
- -apex_art_data_file
- -apk_data_file
- -dalvikcache_data_file
- -system_data_file
- -system_data_root_file
- -system_app_data_file
- -backup_data_file
- -bootstat_data_file
- -update_engine_data_file
- -update_engine_log_data_file
- -user_profile_root_file
- -user_profile_data_file
- # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
- # subsequent neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
-}:dir *;
-neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
-neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced_probes {
- data_file_type
- -zoneinfo_data_file
- -packages_list_file
- with_native_coverage(`-method_trace_data_file')
-}:file *;
-
-# Only init is allowed to enter the traced_probes domain via exec()
-neverallow { domain -init } traced_probes:process transition;
-neverallow * traced_probes:process dyntransition;
-
diff --git a/microdroid/sepolicy/system/private/traceur_app.te b/microdroid/sepolicy/system/private/traceur_app.te
deleted file mode 100644
index 2937e26..0000000
--- a/microdroid/sepolicy/system/private/traceur_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-typeattribute traceur_app coredomain;
-
-app_domain(traceur_app);
-allow traceur_app debugfs_tracing:file rw_file_perms;
-allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
-
-userdebug_or_eng(`
- allow traceur_app debugfs_tracing_debug:file rw_file_perms;
-')
-
-allow traceur_app trace_data_file:file create_file_perms;
-allow traceur_app trace_data_file:dir rw_dir_perms;
-allow traceur_app atrace_exec:file rx_file_perms;
-
-# To exec the perfetto cmdline client and pass it the trace config on
-# stdint through a pipe.
-allow traceur_app perfetto_exec:file rx_file_perms;
-
-# Allow to access traced's privileged consumer socket.
-unix_socket_connect(traceur_app, traced_consumer, traced)
-
-dontaudit traceur_app debugfs_tracing_debug:file audit_access;
-
-set_prop(traceur_app, debug_prop)
diff --git a/microdroid/sepolicy/system/private/tzdatacheck.te b/microdroid/sepolicy/system/private/tzdatacheck.te
deleted file mode 100644
index 502735c..0000000
--- a/microdroid/sepolicy/system/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/microdroid/sepolicy/system/private/ueventd.te b/microdroid/sepolicy/system/private/ueventd.te
index 8bcdbf9..eb06672 100644
--- a/microdroid/sepolicy/system/private/ueventd.te
+++ b/microdroid/sepolicy/system/private/ueventd.te
@@ -2,6 +2,51 @@
tmpfs_domain(ueventd)
-# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
-# to init that cold boot has completed.
-set_prop(ueventd, cold_boot_done_prop)
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file_type)
+
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
+
+# ueventd loads modules in response to modalias events.
+allow ueventd self:global_capability_class_set sys_module;
+allow ueventd vendor_file:system module_load;
+allow ueventd kernel:key search;
+
+# ueventd is using bootstrap bionic
+allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
+allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+
diff --git a/microdroid/sepolicy/system/private/uncrypt.te b/microdroid/sepolicy/system/private/uncrypt.te
deleted file mode 100644
index 1a94cd1..0000000
--- a/microdroid/sepolicy/system/private/uncrypt.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute uncrypt coredomain;
-
-init_daemon_domain(uncrypt)
-
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
diff --git a/microdroid/sepolicy/system/private/untrusted_app.te b/microdroid/sepolicy/system/private/untrusted_app.te
deleted file mode 100644
index 6e7a99c..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app.te
+++ /dev/null
@@ -1,16 +0,0 @@
-###
-### Untrusted apps.
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 30.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app coredomain;
-
-app_domain(untrusted_app)
-untrusted_app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
diff --git a/microdroid/sepolicy/system/private/untrusted_app_25.te b/microdroid/sepolicy/system/private/untrusted_app_25.te
deleted file mode 100644
index 82c07ff..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app_25.te
+++ /dev/null
@@ -1,50 +0,0 @@
-###
-### Untrusted_app_25
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion <= 25.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app_25 coredomain;
-
-app_domain(untrusted_app_25)
-untrusted_app_domain(untrusted_app_25)
-net_domain(untrusted_app_25)
-bluetooth_domain(untrusted_app_25)
-
-# b/35917228 - /proc/misc access
-# This will go away in a future Android release
-allow untrusted_app_25 proc_misc:file r_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-# This will go away in a future Android release
-allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
-
-# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
-# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
-allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
-
-# The ability to call exec() on files in the apps home directories
-# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
-# and 28 in untrusted_app_27.te.
-allow untrusted_app_25 app_data_file:file execute_no_trans;
-auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
-
-# The ability to invoke dex2oat. Historically required by ART, now only
-# allowed for targetApi<=28 for compat reasons.
-allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
-userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
-
-# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
-# ASharedMemory instead.
-allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
-auditallow untrusted_app_25 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
-allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
diff --git a/microdroid/sepolicy/system/private/untrusted_app_27.te b/microdroid/sepolicy/system/private/untrusted_app_27.te
deleted file mode 100644
index 7a326a5..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app_27.te
+++ /dev/null
@@ -1,38 +0,0 @@
-###
-### Untrusted_27.
-###
-### This file defines the rules for untrusted apps running with
-### 25 < targetSdkVersion <= 28.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app_27 coredomain;
-
-app_domain(untrusted_app_27)
-untrusted_app_domain(untrusted_app_27)
-net_domain(untrusted_app_27)
-bluetooth_domain(untrusted_app_27)
-
-# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
-# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
-allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
-
-# The ability to call exec() on files in the apps home directories
-# for targetApi 26, 27, and 28.
-allow untrusted_app_27 app_data_file:file execute_no_trans;
-auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
-
-# The ability to invoke dex2oat. Historically required by ART, now only
-# allowed for targetApi<=28 for compat reasons.
-allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
-userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
-
-# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
-# ASharedMemory instead.
-allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
-auditallow untrusted_app_27 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
-allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
diff --git a/microdroid/sepolicy/system/private/untrusted_app_29.te b/microdroid/sepolicy/system/private/untrusted_app_29.te
deleted file mode 100644
index d03f399..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app_29.te
+++ /dev/null
@@ -1,16 +0,0 @@
-###
-### Untrusted_29.
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion = 29.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app_29 coredomain;
-
-app_domain(untrusted_app_29)
-untrusted_app_domain(untrusted_app_29)
-net_domain(untrusted_app_29)
-bluetooth_domain(untrusted_app_29)
diff --git a/microdroid/sepolicy/system/private/untrusted_app_all.te b/microdroid/sepolicy/system/private/untrusted_app_all.te
deleted file mode 100644
index 6064c14..0000000
--- a/microdroid/sepolicy/system/private/untrusted_app_all.te
+++ /dev/null
@@ -1,177 +0,0 @@
-###
-### Untrusted_app_all.
-###
-### This file defines the rules shared by all untrusted app domains except
-### ephemeral_app for instant apps and isolated_app (which has a reduced
-### permission set).
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app_all attribute is assigned to all default
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### attribute is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-### Note that rules that should apply to all untrusted apps must be in app.te or also
-### added to ephemeral_app.te.
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
-allow untrusted_app_all app_data_file:file { r_file_perms execute };
-auditallow untrusted_app_all app_data_file:file execute;
-
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow untrusted_app_all system_linker_exec:file execute_no_trans;
-
-# Follow priv-app symlinks. This is used for dynamite functionality.
-allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
-
-# Allow handling of less common filesystem objects
-allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
-
-# Allow loading and deleting executable shared libraries
-# within an application home directory. Such shared libraries would be
-# created by things like renderscript or via other mechanisms.
-allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
-
-# ASEC
-allow untrusted_app_all asec_apk_file:file r_file_perms;
-allow untrusted_app_all asec_apk_file:dir r_dir_perms;
-# Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute };
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app_all shell_data_file:file r_file_perms;
-allow untrusted_app_all shell_data_file:dir r_dir_perms;
-
-# Allow traceur to pass file descriptors through a content provider to untrusted apps
-# for the purpose of sharing files through e.g. gmail
-allow untrusted_app_all trace_data_file:file { getattr read };
-
-# untrusted apps should not be able to open trace data files, they should depend
-# upon traceur to pass a file descriptor
-neverallow untrusted_app_all trace_data_file:dir *;
-neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
-
-# neverallow untrusted apps accessing debugfs_tracing
-neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
-
-# Allow to read staged apks.
-allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app_all system_app_data_file:file { read write getattr };
-
-#
-# Rules migrated from old app domains coalesced into untrusted_app.
-# This includes what used to be media_app, shared_app, and release_app.
-#
-
-# Access to /data/media.
-allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
-allow untrusted_app_all media_rw_data_file:file create_file_perms;
-
-# allow cts to query all services
-allow untrusted_app_all servicemanager:service_manager list;
-
-allow untrusted_app_all audioserver_service:service_manager find;
-allow untrusted_app_all cameraserver_service:service_manager find;
-allow untrusted_app_all drmserver_service:service_manager find;
-allow untrusted_app_all mediaserver_service:service_manager find;
-allow untrusted_app_all mediaextractor_service:service_manager find;
-allow untrusted_app_all mediametrics_service:service_manager find;
-allow untrusted_app_all mediadrmserver_service:service_manager find;
-allow untrusted_app_all nfc_service:service_manager find;
-allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all app_api_service:service_manager find;
-allow untrusted_app_all vr_manager_service:service_manager find;
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_app_all self:process ptrace;
-
-# Android Studio Instant Run has the application connect to a
-# runas_app socket listening in the abstract namespace.
-# https://developer.android.com/studio/run/
-# b/123297648
-allow untrusted_app_all runas_app:unix_stream_socket connectto;
-
-# Untrusted apps need to be able to send a SIGCHLD to runas_app
-# when running under a debugger (b/123612207)
-allow untrusted_app_all runas_app:process sigchld;
-
-# Cts: HwRngTest
-allow untrusted_app_all sysfs_hwrandom:dir search;
-allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
-
-# Allow apps to view preloaded media content
-allow untrusted_app_all preloads_media_file:dir r_dir_perms;
-allow untrusted_app_all preloads_media_file:file r_file_perms;
-allow untrusted_app_all preloads_data_file:dir search;
-
-# Allow untrusted apps read / execute access to /vendor/app for there can
-# be pre-installed vendor apps that package a library within themselves.
-# TODO (b/37784178) Consider creating a special type for /vendor/app installed
-# apps.
-allow untrusted_app_all vendor_app_file:dir { open getattr read search };
-allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
-allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(untrusted_app_all)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(untrusted_app_all)
-can_profile_perf(untrusted_app_all)
-
-# allow untrusted apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow untrusted_app_all system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# Allow the renderscript compiler to be run.
-domain_auto_trans(untrusted_app_all, rs_exec, rs)
-
-# suppress denials caused by debugfs_tracing
-dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
-
-# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
-dontaudit untrusted_app_all net_dns_prop:file read;
-
-# These have been disallowed since Android O.
-# For P, we assume that apps are safely handling the denial.
-dontaudit untrusted_app_all proc_stat:file read;
-dontaudit untrusted_app_all proc_vmstat:file read;
-dontaudit untrusted_app_all proc_uptime:file read;
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_all)
-
-# Allow access to kcov via its ioctl interface for coverage
-# guided kernel fuzzing.
-userdebug_or_eng(`
- allow untrusted_app_all debugfs_kcov:file rw_file_perms;
- allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
-')
-
-# Allow signalling simpleperf domain, which is the domain that the simpleperf
-# profiler runs as when executed by the app. The signals are used to control
-# the profiler (which would be profiling the app that is sending the signal).
-allow untrusted_app_all simpleperf:process signal;
diff --git a/microdroid/sepolicy/system/private/update_engine.te b/microdroid/sepolicy/system/private/update_engine.te
deleted file mode 100644
index d828e1f..0000000
--- a/microdroid/sepolicy/system/private/update_engine.te
+++ /dev/null
@@ -1,31 +0,0 @@
-typeattribute update_engine coredomain;
-
-init_daemon_domain(update_engine);
-
-# Allow to talk to gsid.
-allow update_engine gsi_service:service_manager find;
-binder_call(update_engine, gsid)
-
-# Allow to start gsid service.
-set_prop(update_engine, ctl_gsid_prop)
-
-# Allow to start snapuserd for dm-user communication.
-set_prop(update_engine, ctl_snapuserd_prop)
-
-# Allow to set the OTA related properties, e.g. ota.warm_reset.
-set_prop(update_engine, ota_prop)
-
-# Allow to get the DSU status
-get_prop(update_engine, gsid_prop)
-
-# Allow update_engine to call the callback function provided by GKI update hook.
-binder_call(update_engine, gki_apex_prepostinstall)
-
-# Allow to communicate with the snapuserd service, for dm-user snapshots.
-allow update_engine snapuserd:unix_stream_socket connectto;
-allow update_engine snapuserd_socket:sock_file write;
-
-# Allow to communicate with apexd for calculating and reserving space for
-# capex decompression
-allow update_engine apex_service:service_manager find;
-binder_call(update_engine, apexd)
diff --git a/microdroid/sepolicy/system/private/update_engine_common.te b/microdroid/sepolicy/system/private/update_engine_common.te
deleted file mode 100644
index 8571ff6..0000000
--- a/microdroid/sepolicy/system/private/update_engine_common.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and must be tagged
-# with postinstall_exec in the new filesystem.
-# TODO Have build system attempt to verify this
-domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
-
-# Vendor directories can have the transition as well during OTA. This is caused
-# by update_engine execing scripts in vendor to perform any update tasks needed
-# there.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
-
-allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
diff --git a/microdroid/sepolicy/system/private/update_verifier.te b/microdroid/sepolicy/system/private/update_verifier.te
deleted file mode 100644
index 5e1b27b..0000000
--- a/microdroid/sepolicy/system/private/update_verifier.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute update_verifier coredomain;
-
-init_daemon_domain(update_verifier)
-
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Allow to set the OTA related properties e.g. ota.warm_reset.
-set_prop(update_verifier, ota_prop)
diff --git a/microdroid/sepolicy/system/private/usbd.te b/microdroid/sepolicy/system/private/usbd.te
deleted file mode 100644
index 42f2324..0000000
--- a/microdroid/sepolicy/system/private/usbd.te
+++ /dev/null
@@ -1,15 +0,0 @@
-typeattribute usbd coredomain;
-
-init_daemon_domain(usbd)
-
-# Access usb gadget hal
-hal_client_domain(usbd, hal_usb_gadget)
-
-# Access persist.sys.usb.config
-get_prop(usbd, system_prop)
-
-# start adbd during boot if adb is enabled
-set_prop(usbd, ctl_default_prop)
-
-# Start/stop adbd via ctl.start adbd
-set_prop(usbd, ctl_adbd_prop)
diff --git a/microdroid/sepolicy/system/private/vdc.te b/microdroid/sepolicy/system/private/vdc.te
deleted file mode 100644
index bc7409e..0000000
--- a/microdroid/sepolicy/system/private/vdc.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute vdc coredomain;
-
-init_daemon_domain(vdc)
diff --git a/microdroid/sepolicy/system/private/vendor_init.te b/microdroid/sepolicy/system/private/vendor_init.te
deleted file mode 100644
index 2e616f3..0000000
--- a/microdroid/sepolicy/system/private/vendor_init.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit vendor_init sysfs:dir write;
-
-# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
-allow vendor_init system_data_root_file:dir rw_dir_perms;
-
-# Let vendor_init set service.adb.tcp.port.
-set_prop(vendor_init, adbd_config_prop)
-
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -keychord_device
- -kvm_device
- -port_device
- -lowpan_device
- -hw_random_device
-}:chr_file setattr;
diff --git a/microdroid/sepolicy/system/private/viewcompiler.te b/microdroid/sepolicy/system/private/viewcompiler.te
deleted file mode 100644
index d1f0964..0000000
--- a/microdroid/sepolicy/system/private/viewcompiler.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# viewcompiler
-type viewcompiler, domain, coredomain, mlstrustedsubject;
-type viewcompiler_exec, system_file_type, exec_type, file_type;
-type viewcompiler_tmpfs, file_type;
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by viewcompiler vs other
-# processes.
-tmpfs_domain(viewcompiler)
-
-allow viewcompiler installd:fd use;
-
-# Include write permission for app data files so viewcompiler can generate
-# compiled layout dex files
-allow viewcompiler app_data_file:file { getattr write };
-
-# Allow the view compiler to read resources from the apps APK.
-allow viewcompiler apk_data_file:file { read map };
-
-# priv-apps are moving to a world where they can only execute
-# signed code. Make sure viewcompiler never can write to privapp
-# directories to avoid introducing unsigned executable code
-neverallow viewcompiler privapp_data_file:file no_w_file_perms;
diff --git a/microdroid/sepolicy/system/private/virtual_touchpad.te b/microdroid/sepolicy/system/private/virtual_touchpad.te
deleted file mode 100644
index e735172..0000000
--- a/microdroid/sepolicy/system/private/virtual_touchpad.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute virtual_touchpad coredomain;
-
-init_daemon_domain(virtual_touchpad)
diff --git a/microdroid/sepolicy/system/private/virtualizationservice.te b/microdroid/sepolicy/system/private/virtualizationservice.te
deleted file mode 100644
index 097f0a0..0000000
--- a/microdroid/sepolicy/system/private/virtualizationservice.te
+++ /dev/null
@@ -1,22 +0,0 @@
-type virtualizationservice, domain, coredomain;
-type virtualizationservice_exec, system_file_type, exec_type, file_type;
-
-# When init runs a file labelled with virtualizationservice_exec, run it in the
-# virtualizationservice domain.
-init_daemon_domain(virtualizationservice)
-
-# Let the virtualizationservice domain use Binder.
-binder_use(virtualizationservice)
-
-# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
-add_service(virtualizationservice, virtualization_service)
-
-# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
-
-# Let virtualizationservice kill crosvm.
-allow virtualizationservice crosvm:process sigkill;
-
-# Let virtualizationservice access its data directory.
-allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
-allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
diff --git a/microdroid/sepolicy/system/private/vold.te b/microdroid/sepolicy/system/private/vold.te
deleted file mode 100644
index a802bdb..0000000
--- a/microdroid/sepolicy/system/private/vold.te
+++ /dev/null
@@ -1,67 +0,0 @@
-typeattribute vold coredomain;
-
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, blkid_exec, blkid);
-domain_trans(vold, blkid_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
-
-# Property Service
-get_prop(vold, vold_config_prop)
-get_prop(vold, storage_config_prop);
-get_prop(vold, incremental_prop);
-
-set_prop(vold, vold_post_fs_data_prop)
-set_prop(vold, vold_prop)
-set_prop(vold, vold_status_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-set_prop(vold, ota_prop)
-set_prop(vold, boottime_prop)
-set_prop(vold, boottime_public_prop)
-
-# Vold will use Keystore instead of using Keymint directly. But it still needs
-# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
-allow vold vold_key:keystore2_key {
- convert_storage_key_to_ephemeral
- delete
- get_info
- manage_blob
- rebind
- req_forced_op
- update
- use
-};
-
-# vold needs to call keystore methods
-allow vold keystore:binder call;
-
-# vold needs to find keystore2 services
-allow vold keystore_service:service_manager find;
-allow vold keystore_maintenance_service:service_manager find;
-
-# vold needs to be able to call earlyBootEnded()
-allow vold keystore:keystore2 early_boot_ended;
-
-neverallow {
- domain
- -system_server
- -vdc
- -vold
- -update_verifier
- -apexd
- -gsid
-} vold_service:service_manager find;
diff --git a/microdroid/sepolicy/system/private/vold_prepare_subdirs.te b/microdroid/sepolicy/system/private/vold_prepare_subdirs.te
deleted file mode 100644
index 956e94e..0000000
--- a/microdroid/sepolicy/system/private/vold_prepare_subdirs.te
+++ /dev/null
@@ -1,60 +0,0 @@
-domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
-
-typeattribute vold_prepare_subdirs mlstrustedsubject;
-
-allow vold_prepare_subdirs system_file:file execute_no_trans;
-allow vold_prepare_subdirs shell_exec:file rx_file_perms;
-allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
-allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
-allow vold_prepare_subdirs vold:fd use;
-allow vold_prepare_subdirs vold:fifo_file { read write };
-allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
-allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs {
- system_data_file
- vendor_data_file
-}:dir { open read write add_name remove_name rmdir relabelfrom };
-allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
- apex_module_data_file
- apex_permission_data_file
- apex_rollback_data_file
- apex_scheduling_data_file
- apex_wifi_data_file
- backup_data_file
- face_vendor_data_file
- fingerprint_vendor_data_file
- iris_vendor_data_file
- rollback_data_file
- storaged_data_file
- system_data_file
- vold_data_file
-}:dir { create_dir_perms relabelto };
-allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
- apex_art_staging_data_file
- apex_module_data_file
- apex_permission_data_file
- apex_rollback_data_file
- apex_scheduling_data_file
- apex_wifi_data_file
- backup_data_file
- face_vendor_data_file
- fingerprint_vendor_data_file
- iris_vendor_data_file
- rollback_data_file
- storaged_data_file
- system_data_file
- vold_data_file
-}:file { getattr unlink };
-allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
-allow vold_prepare_subdirs mnt_expand_file:dir search;
-allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
-allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
-# /data/misc is unlabeled during early boot.
-allow vold_prepare_subdirs unlabeled:dir search;
-
-dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/microdroid/sepolicy/system/private/vr_hwc.te b/microdroid/sepolicy/system/private/vr_hwc.te
deleted file mode 100644
index 053c03d..0000000
--- a/microdroid/sepolicy/system/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/microdroid/sepolicy/system/private/vzwomatrigger_app.te b/microdroid/sepolicy/system/private/vzwomatrigger_app.te
deleted file mode 100644
index 8deb22b..0000000
--- a/microdroid/sepolicy/system/private/vzwomatrigger_app.te
+++ /dev/null
@@ -1,6 +0,0 @@
-###
-### A domain for further sandboxing the VzwOmaTrigger app.
-###
-type vzwomatrigger_app, domain;
-
-app_domain(vzwomatrigger_app)
diff --git a/microdroid/sepolicy/system/private/watchdogd.te b/microdroid/sepolicy/system/private/watchdogd.te
deleted file mode 100644
index 91ece70..0000000
--- a/microdroid/sepolicy/system/private/watchdogd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute watchdogd coredomain;
-
-init_daemon_domain(watchdogd)
diff --git a/microdroid/sepolicy/system/private/webview_zygote.te b/microdroid/sepolicy/system/private/webview_zygote.te
deleted file mode 100644
index 10bcf1c..0000000
--- a/microdroid/sepolicy/system/private/webview_zygote.te
+++ /dev/null
@@ -1,152 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-typeattribute webview_zygote coredomain;
-
-# The webview_zygote needs to be able to transition domains.
-typeattribute webview_zygote mlstrustedsubject;
-
-# Allow access to temporary files, which is normally permitted through
-# a domain macro.
-tmpfs_domain(webview_zygote);
-
-userfaultfd_use(webview_zygote)
-
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
-# Access to the WebView relro file.
-allow webview_zygote shared_relro_file:dir search;
-allow webview_zygote shared_relro_file:file r_file_perms;
-
-# Set the UID/GID of the process.
-allow webview_zygote self:global_capability_class_set { setgid setuid };
-# Drop capabilities from bounding set.
-allow webview_zygote self:global_capability_class_set setpcap;
-# Switch SELinux context to app domains.
-allow webview_zygote self:process setcurrent;
-allow webview_zygote isolated_app:process dyntransition;
-
-# For art.
-allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
-allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
-allow webview_zygote apex_module_data_file:dir search;
-
-# Allow webview_zygote to create JIT memory.
-allow webview_zygote self:process execmem;
-
-# Allow webview_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow webview_zygote debugfs_trace_marker:file getattr;
-
-# Allow webview_zygote to manage the pgroup of its children.
-allow webview_zygote system_server:process getpgid;
-
-# Interaction between the webview_zygote and its children.
-allow webview_zygote isolated_app:process setpgid;
-
-# TODO (b/63631799) fix this access
-# Suppress denials to storage. Webview zygote should not be accessing.
-dontaudit webview_zygote mnt_expand_file:dir getattr;
-
-# TODO (b/72957399) remove this when webview_zygote is reparented to
-# app_process zygote
-dontaudit webview_zygote dex2oat_exec:file execute;
-
-# Get seapp_contexts
-allow webview_zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(webview_zygote)
-# Check SELinux permissions.
-selinux_check_access(webview_zygote)
-
-# Directory listing in /system.
-allow webview_zygote system_file:dir r_dir_perms;
-
-# Read and inspect temporary files (like system properties) managed by zygote.
-allow webview_zygote zygote_tmpfs:file { read getattr };
-# Child of zygote.
-allow webview_zygote zygote:fd use;
-allow webview_zygote zygote:process sigchld;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(webview_zygote, vendor_overlay_file)
-
-allow webview_zygote same_process_hal_file:file { execute read open getattr map };
-
-allow webview_zygote system_data_file:lnk_file r_file_perms;
-
-# Send unsolicited message to system_server
-unix_socket_send(webview_zygote, system_unsolzygote, system_server)
-
-# Allow the webview_zygote to access the runtime feature flag properties.
-get_prop(webview_zygote, device_config_runtime_native_prop)
-get_prop(webview_zygote, device_config_runtime_native_boot_prop)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow webview_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow webview_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow webview_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for the zygote to fork a new
-# webview_zygote child.
-neverallow { domain -zygote } webview_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow webview_zygote property_socket:sock_file write;
-neverallow webview_zygote property_type:property_service set;
-
-# Should not have any access to app data files.
-neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
-
-neverallow webview_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow webview_zygote access to /cache.
-neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
-neverallow webview_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow webview_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
- sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
- x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
- pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
- rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
- xdp_socket
-} *;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow webview_zygote {
- bluetooth_a2dp_offload_prop
- bluetooth_audio_hal_prop
- bluetooth_prop
- exported_bluetooth_prop
-}:file create_file_perms;
diff --git a/microdroid/sepolicy/system/private/wificond.te b/microdroid/sepolicy/system/private/wificond.te
deleted file mode 100644
index 8bf37ca..0000000
--- a/microdroid/sepolicy/system/private/wificond.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute wificond coredomain;
-
-set_prop(wificond, wifi_hal_prop)
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
-get_prop(wificond, hwservicemanager_prop)
-
-init_daemon_domain(wificond)
diff --git a/microdroid/sepolicy/system/private/wpantund.te b/microdroid/sepolicy/system/private/wpantund.te
deleted file mode 100644
index e91662c..0000000
--- a/microdroid/sepolicy/system/private/wpantund.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute wpantund coredomain;
-
-init_daemon_domain(wpantund)
diff --git a/microdroid/sepolicy/system/private/zygote.te b/microdroid/sepolicy/system/private/zygote.te
deleted file mode 100644
index 9038c4f..0000000
--- a/microdroid/sepolicy/system/private/zygote.te
+++ /dev/null
@@ -1,265 +0,0 @@
-# zygote
-typeattribute zygote coredomain;
-typeattribute zygote mlstrustedsubject;
-
-init_daemon_domain(zygote)
-tmpfs_domain(zygote)
-
-read_runtime_log_tags(zygote)
-
-# Override DAC on files and switch uid/gid.
-allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
-
-# Drop capabilities from bounding set.
-allow zygote self:global_capability_class_set setpcap;
-
-# Switch SELinux context to app domains.
-allow zygote self:process setcurrent;
-allow zygote system_server_startup:process dyntransition;
-allow zygote appdomain:process dyntransition;
-allow zygote webview_zygote:process dyntransition;
-allow zygote app_zygote:process dyntransition;
-
-# Allow zygote to read app /proc/pid dirs (b/10455872).
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { r_file_perms };
-
-userfaultfd_use(zygote)
-
-# Move children into the peer process group.
-allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-allow zygote webview_zygote:process { getpgid setpgid };
-allow zygote app_zygote:process { getpgid setpgid };
-
-# Read system data.
-allow zygote system_data_file:dir r_dir_perms;
-allow zygote system_data_file:file r_file_perms;
-
-# Write to /data/dalvik-cache.
-allow zygote dalvikcache_data_file:dir create_dir_perms;
-allow zygote dalvikcache_data_file:file create_file_perms;
-
-# Create symlinks in /data/dalvik-cache.
-allow zygote dalvikcache_data_file:lnk_file create_file_perms;
-
-# Write to /data/resource-cache.
-allow zygote resourcecache_data_file:dir rw_dir_perms;
-allow zygote resourcecache_data_file:file create_file_perms;
-
-# For updateability, the zygote may fetch the current boot
-# classpath from the dalvik cache. Integrity of the files
-# is ensured by fsverity protection (checked in art_apex_boot_integrity).
-allow zygote dalvikcache_data_file:file execute;
-
-# Allow zygote to find files in APEX data directories.
-allow zygote apex_module_data_file:dir search;
-
-# Allow zygote to find and map files created by on device signing.
-allow zygote apex_art_data_file:dir { getattr search };
-allow zygote apex_art_data_file:file { r_file_perms execute };
-
-# Bind mount on /data/data and mounted volumes
-allow zygote { system_data_file mnt_expand_file }:dir mounton;
-
-# Relabel /data/user /data/user_de and /data/data
-allow zygote tmpfs:{ dir lnk_file } relabelfrom;
-allow zygote system_data_file:{ dir lnk_file } relabelto;
-
-# Zygote opens /mnt/expand to mount CE DE storage on each vol
-allow zygote mnt_expand_file:dir { open read search relabelto };
-
-# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote user_profile_root_file:dir { mounton search };
-
-# Create and bind dirs on /data/data
-allow zygote tmpfs:dir { create_dir_perms mounton };
-
-# Goes into media directory and bind mount obb directory
-allow zygote media_rw_data_file:dir { getattr search };
-
-# Bind mount on top of existing mounted obb and data directory
-allow zygote media_rw_data_file:dir { mounton };
-
-# Read if sdcardfs is supported
-allow zygote proc_filesystems:file r_file_perms;
-
-# Create symlink for /data/user/0
-allow zygote tmpfs:lnk_file create;
-
-allow zygote mirror_data_file:dir r_dir_perms;
-
-# Get inode of directories for app data isolation
-allow zygote {
- app_data_file_type
- system_data_file
- mnt_expand_file
-}:dir getattr;
-
-# Allow zygote to create JIT memory.
-allow zygote self:process execmem;
-allow zygote zygote_tmpfs:file execute;
-allow zygote ashmem_libcutils_device:chr_file execute;
-
-# Execute idmap and dex2oat within zygote's own domain.
-# TODO: Should either of these be transitioned to the same domain
-# used by installd or stay in-domain for zygote?
-allow zygote idmap_exec:file rx_file_perms;
-allow zygote dex2oat_exec:file rx_file_perms;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(zygote, vendor_overlay_file)
-
-# Control cgroups.
-allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote cgroup_v2:dir create_dir_perms;
-allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
-allow zygote self:global_capability_class_set sys_admin;
-
-# Allow zygote to stat the files that it opens. The zygote must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow zygote pmsg_device:chr_file getattr;
-allow zygote debugfs_trace_marker:file getattr;
-
-# Get seapp_contexts
-allow zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(zygote)
-# Check SELinux permissions.
-selinux_check_access(zygote)
-
-# Native bridge functionality requires that zygote replaces
-# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
-allow zygote proc_cpuinfo:file mounton;
-
-# Allow remounting rootfs as MS_SLAVE.
-allow zygote rootfs:dir mounton;
-allow zygote tmpfs:filesystem { mount unmount };
-allow zygote fuse:filesystem { unmount };
-allow zygote sdcardfs:filesystem { unmount };
-
-# Allow creating user-specific storage source if started before vold.
-allow zygote mnt_user_file:dir { create_dir_perms mounton };
-allow zygote mnt_user_file:lnk_file create_file_perms;
-allow zygote mnt_user_file:file create_file_perms;
-
-# Allow mounting user-specific storage source if started before vold.
-allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
-
-# Allowed to mount user-specific storage into place
-allow zygote storage_file:dir { search mounton };
-
-# Allow mounting and creating files, dirs on sdcardfs.
-allow zygote { sdcard_type }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type }:file { create_file_perms };
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file rx_file_perms;
-
-# Allow zygote to write to statsd.
-unix_socket_send(zygote, statsdw, statsd)
-
-# Root fs.
-r_dir_file(zygote, rootfs)
-
-# System file accesses.
-r_dir_file(zygote, system_file)
-
-# /oem accesses.
-allow zygote oemfs:dir search;
-
-userdebug_or_eng(`
- # Allow zygote to create and write method traces in /data/misc/trace.
- allow zygote method_trace_data_file:dir w_dir_perms;
- allow zygote method_trace_data_file:file { create w_file_perms };
-')
-
-allow zygote ion_device:chr_file r_file_perms;
-allow zygote tmpfs:dir r_dir_perms;
-
-allow zygote same_process_hal_file:file { execute read open getattr map };
-
-# Allow the zygote to access storage properties to check if sdcardfs is enabled.
-get_prop(zygote, storage_config_prop);
-
-# Let the zygote access overlays so it can initialize the AssetManager.
-get_prop(zygote, overlay_prop)
-get_prop(zygote, exported_overlay_prop)
-
-# Allow the zygote to access the runtime feature flag properties.
-get_prop(zygote, device_config_runtime_native_prop)
-get_prop(zygote, device_config_runtime_native_boot_prop)
-
-# Allow the zygote to access window manager native boot feature flags
-# to initialize WindowManager static properties.
-get_prop(zygote, device_config_window_manager_native_boot_prop)
-
-# ingore spurious denials
-# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
-# done to determine if the file should inherit setgid. In this case, setgid on the file is
-# undesirable, so suppress the denial.
-dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
-
-# Ignore spurious denials calling access() on fuse.
-# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
-# doesn't exist.
-# TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir { read open setattr };
-
-# Allow zygote to use ashmem fds from system_server.
-allow zygote system_server:fd use;
-
-# Send unsolicited message to system_server
-unix_socket_send(zygote, system_unsolzygote, system_server)
-
-# Allow zygote to access media_variant_prop for static initialization
-get_prop(zygote, media_variant_prop)
-
-# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
-get_prop(zygote, packagemanager_config_prop)
-
-# Allow zygote to read qemu.sf.lcd_density
-get_prop(zygote, qemu_sf_lcd_density_prop)
-
-# Allow zygote to read /apex/apex-info-list.xml
-allow zygote apex_info_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# Ensure that all types assigned to app processes are included
-# in the appdomain attribute, so that all allow and neverallow rules
-# written on appdomain are applied to all app processes.
-# This is achieved by ensuring that it is impossible for zygote to
-# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server_startup, webview_zygote and
-# app_zygote.
-neverallow zygote ~{
- appdomain
- system_server_startup
- webview_zygote
- app_zygote
-}:process dyntransition;
-
-# Zygote should never execute anything from /data except for
-# /data/dalvik-cache files or files generated during on-device
-# signing under /data/misc/apexdata/com.android.art/.
-neverallow zygote {
- data_file_type
- -apex_art_data_file # map PROT_EXEC
- -dalvikcache_data_file # map PROT_EXEC
-}:file no_x_file_perms;
-
-# Do not allow access to Bluetooth-related system properties and files
-neverallow zygote {
- bluetooth_a2dp_offload_prop
- bluetooth_audio_hal_prop
- bluetooth_prop
- exported_bluetooth_prop
-}:file create_file_perms;
-
-# Zygote should not be able to access app private data.
-neverallow zygote app_data_file_type:dir ~getattr;
diff --git a/microdroid/sepolicy/system/public/adbd.te b/microdroid/sepolicy/system/public/adbd.te
index 5056b35..a41d4a3 100644
--- a/microdroid/sepolicy/system/public/adbd.te
+++ b/microdroid/sepolicy/system/public/adbd.te
@@ -1,13 +1,2 @@
-# adbd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
type adbd, domain;
type adbd_exec, exec_type, file_type, system_file_type;
-
-# Only init is allowed to enter the adbd domain via exec()
-neverallow { domain -init } adbd:process transition;
-neverallow * adbd:process dyntransition;
-
-# Access /data/local/tests.
-allow adbd shell_test_data_file:dir create_dir_perms;
-allow adbd shell_test_data_file:file create_file_perms;
-allow adbd shell_test_data_file:lnk_file create_file_perms;
diff --git a/microdroid/sepolicy/system/public/aidl_lazy_test_server.te b/microdroid/sepolicy/system/public/aidl_lazy_test_server.te
deleted file mode 100644
index 626d008..0000000
--- a/microdroid/sepolicy/system/public/aidl_lazy_test_server.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type aidl_lazy_test_server, domain;
-type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
-
-userdebug_or_eng(`
- binder_use(aidl_lazy_test_server)
- binder_call(aidl_lazy_test_server, binderservicedomain)
-
- add_service(aidl_lazy_test_server, aidl_lazy_test_service)
-')
diff --git a/microdroid/sepolicy/system/public/apexd.te b/microdroid/sepolicy/system/public/apexd.te
index 53bc569..f80c1da 100644
--- a/microdroid/sepolicy/system/public/apexd.te
+++ b/microdroid/sepolicy/system/public/apexd.te
@@ -1,11 +1,5 @@
-# apexd -- manager for APEX packages
-type apexd, domain;
-type apexd_exec, exec_type, file_type, system_file_type;
+type apexd, domain, coredomain;
+type apexd_exec, file_type, exec_type, system_file_type;
binder_use(apexd)
add_service(apexd, apex_service)
-
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
-
-neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/microdroid/sepolicy/system/public/app.te b/microdroid/sepolicy/system/public/app.te
deleted file mode 100644
index ae8d7fd..0000000
--- a/microdroid/sepolicy/system/public/app.te
+++ /dev/null
@@ -1,597 +0,0 @@
-###
-### Domain for all zygote spawned apps
-###
-### This file is the base policy for all zygote spawned apps.
-### Other policy files, such as isolated_app.te, untrusted_app.te, etc
-### extend from this policy. Only policies which should apply to ALL
-### zygote spawned apps should be added here.
-###
-type appdomain_tmpfs, file_type;
-
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# For AppFuse.
-allow appdomain vold:fd use;
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
-
-# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
-allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Allow apps read / execute access to vendor public libraries.
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write map };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write map };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read map };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read map };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-allow appdomain incidentd:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Allow apps to send dump information to incidentd
-allow appdomain incidentd:fd use;
-allow appdomain incidentd:fifo_file { write getattr };
-
-# Allow apps to send information to statsd socket.
-unix_socket_send(appdomain, statsdw, statsd)
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -system_app
- -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
- auditallow {
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -su
- -system_app
- -untrusted_app_all
- } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr map };
-allow appdomain cache_backup_file:file { read write getattr map };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read map };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-allow appdomain same_process_hal_file:file { execute read open getattr map };
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write map };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-# Read access to FDs from the DropboxManagerService.
-allow appdomain dropbox_data_file:file { getattr read };
-
-# Read tmpfs types from these processes.
-allow appdomain audioserver_tmpfs:file { getattr map read write };
-allow appdomain system_server_tmpfs:file { getattr map read write };
-allow appdomain zygote_tmpfs:file { map read };
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Access to any of the following character devices.
-neverallow appdomain {
- audio_device
- camera_device
- dm_device
- radio_device
- rpmsg_device
- video_device
-}:chr_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc } nfc_device:chr_file
- { read write };
-neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
- { read write };
-neverallow appdomain tee_device:chr_file { read write };
-
-# Privileged netlink socket interfaces.
-neverallow { appdomain -network_stack }
- domain:{
- netlink_tcpdiag_socket
- netlink_nflog_socket
- netlink_xfrm_socket
- netlink_audit_socket
- netlink_dnrt_socket
- } *;
-
-# These messages are broadcast messages from the kernel to userspace.
-# Do not allow the writing of netlink messages, which has been a source
-# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow appdomain socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow appdomain adbd_socket:sock_file write;
-neverallow { appdomain -radio } rild_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# The Android security model guarantees the confidentiality and integrity
-# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components
-# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces. llkd is excluded, as it needs ptrace access to
-# inspect stack traces for live lock conditions.
-
-neverallow {
- domain
- -appdomain
- -crash_dump
- userdebug_or_eng(`-llkd')
-} appdomain:process ptrace;
-
-# Read or write access to /proc/pid entries for any non-app domain.
-# A different form of hidepid=2 like protections
-neverallow appdomain { domain -appdomain }:file no_w_file_perms;
-neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-# -perfetto is to allow shell (which is an appdomain) to kill perfetto
-# (see private/shell.te).
-neverallow appdomain { domain -appdomain -perfetto }:process
- { sigkill sigstop signal };
-
-# Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow appdomain exec_type:file
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts. Define a different type for portions
-# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow appdomain drm_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell }
- shell_data_file:dir_file_class_set
- { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth }
- bluetooth_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
-neverallow appdomain
- keystore_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- systemkeys_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- dhcp_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
- { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
-
-# Access to factory files.
-neverallow appdomain efs_file:dir_file_class_set write;
-neverallow { appdomain -shell } efs_file:dir_file_class_set read;
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc }
- sysfs:dir_file_class_set write;
-neverallow appdomain
- proc:dir_file_class_set write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
-
-# SELinux is not an API for apps to use
-neverallow { appdomain -shell } *:security { compute_av check_context };
-neverallow { appdomain -shell } *:netlink_selinux_socket *;
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
-
-# prevent creation/manipulation of globally readable symlinks
-neverallow appdomain {
- apk_data_file
- cache_file
- cache_recovery_file
- dev_type
- rootfs
- system_file
- tmpfs
-}:lnk_file no_w_file_perms;
-
-# Applications should use the activity model for receiving events
-neverallow {
- appdomain
- -shell # bugreport
-} input_device:chr_file ~getattr;
-
-# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
-# neverallow rules for access to Bluetooth-related data files are above.
-neverallow {
- appdomain
- -bluetooth
- -system_app
-} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
-
-# Apps cannot access proc_uid_time_in_state
-neverallow appdomain proc_uid_time_in_state:file *;
-
-# Apps cannot access proc_uid_concurrent_active_time
-neverallow appdomain proc_uid_concurrent_active_time:file *;
-
-# Apps cannot access proc_uid_concurrent_policy_time
-neverallow appdomain proc_uid_concurrent_policy_time:file *;
-
-# Apps cannot access proc_uid_cpupower
-neverallow appdomain proc_uid_cpupower:file *;
-
-# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
-# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
-# perform UID lookups.
-neverallow { appdomain -shell } proc_net_tcp_udp:file *;
-
-# Apps cannot access bootstrap files. The bootstrap files are only for
-# extremely early processes (like init, etc.) which are started before
-# the runtime APEX is activated and Bionic libs are provided from there.
-# If app process accesses (or even load/execute) the bootstrap files,
-# it might cause problems such as ODR violation, etc.
-neverallow appdomain system_bootstrap_lib_file:file
- { open read write append execute execute_no_trans map };
-neverallow appdomain system_bootstrap_lib_file:dir
- { open read getattr search };
-
-# Allow to ro.camerax.extensions.enabled
-get_prop(appdomain, camerax_extensions_prop)
diff --git a/microdroid/sepolicy/system/public/app_zygote.te b/microdroid/sepolicy/system/public/app_zygote.te
deleted file mode 100644
index 4c1ec96..0000000
--- a/microdroid/sepolicy/system/public/app_zygote.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# app_zygote is an auxiliary zygote process that is used to spawn
-# isolated service processes for individual applications. It is
-# spawned from the regular zygote process as a "child zygote".
-
-type app_zygote, domain;
-type app_zygote_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/asan_extract.te b/microdroid/sepolicy/system/public/asan_extract.te
deleted file mode 100644
index d8a1b73..0000000
--- a/microdroid/sepolicy/system/public/asan_extract.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# asan_extract
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-with_asan(`
- type asan_extract, domain, coredomain;
- type asan_extract_exec, exec_type, file_type, system_file_type;
-
- # Allow asan_extract to execute itself using #!/system/bin/sh
- allow asan_extract shell_exec:file rx_file_perms;
-
- # We execute log, rm, gzip and tar.
- allow asan_extract toolbox_exec:file rx_file_perms;
- allow asan_extract system_file:file execute_no_trans;
-
- # asan_extract deletes old /data/lib.
- allow asan_extract system_file:dir { open read remove_name rmdir write };
- allow asan_extract system_file:file unlink;
-
- # asan_extract untars ASAN libraries into /data.
- allow asan_extract system_data_file:dir create_dir_perms ;
- allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
-
- # Relabel the libraries with restorecon.
- allow asan_extract file_contexts_file:file r_file_perms;
- allow asan_extract system_data_file:{ dir file } relabelfrom;
- allow asan_extract system_file:dir { relabelto setattr };
- allow asan_extract system_file:file relabelto;
-
- # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
- allow asan_extract system_data_file:file execute;
-')
diff --git a/microdroid/sepolicy/system/public/atrace.te b/microdroid/sepolicy/system/public/atrace.te
deleted file mode 100644
index 7327f84..0000000
--- a/microdroid/sepolicy/system/public/atrace.te
+++ /dev/null
@@ -1 +0,0 @@
-type atrace, domain, coredomain;
diff --git a/microdroid/sepolicy/system/public/attributes b/microdroid/sepolicy/system/public/attributes
index daef4bb..c82c0c8 100644
--- a/microdroid/sepolicy/system/public/attributes
+++ b/microdroid/sepolicy/system/public/attributes
@@ -323,7 +323,6 @@
hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(drm);
-hal_attribute(dumpstate);
hal_attribute(evs);
hal_attribute(face);
hal_attribute(fingerprint);
@@ -392,3 +391,5 @@
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;
+
+attribute fusefs_type;
diff --git a/microdroid/sepolicy/system/public/audioserver.te b/microdroid/sepolicy/system/public/audioserver.te
deleted file mode 100644
index a8a33cc..0000000
--- a/microdroid/sepolicy/system/public/audioserver.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# audioserver - audio services daemon
-type audioserver, domain;
-type audioserver_tmpfs, file_type;
-
-# Allow audioserver to signal audio HAL processes and dump their stacks.
-allow audioserver hal_audio_server:process signal;
diff --git a/microdroid/sepolicy/system/public/blkid.te b/microdroid/sepolicy/system/public/blkid.te
deleted file mode 100644
index dabe014..0000000
--- a/microdroid/sepolicy/system/public/blkid.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid called from vold
-type blkid, domain;
diff --git a/microdroid/sepolicy/system/public/blkid_untrusted.te b/microdroid/sepolicy/system/public/blkid_untrusted.te
deleted file mode 100644
index 4be4c0c..0000000
--- a/microdroid/sepolicy/system/public/blkid_untrusted.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid for untrusted block devices
-type blkid_untrusted, domain;
diff --git a/microdroid/sepolicy/system/public/bluetooth.te b/microdroid/sepolicy/system/public/bluetooth.te
deleted file mode 100644
index 9b3442a..0000000
--- a/microdroid/sepolicy/system/public/bluetooth.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# bluetooth subsystem
-type bluetooth, domain;
diff --git a/microdroid/sepolicy/system/public/bootanim.te b/microdroid/sepolicy/system/public/bootanim.te
deleted file mode 100644
index 88fe173..0000000
--- a/microdroid/sepolicy/system/public/bootanim.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# bootanimation oneshot service
-type bootanim, domain;
-type bootanim_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(bootanim, hal_configstore)
-hal_client_domain(bootanim, hal_graphics_allocator)
-hal_client_domain(bootanim, hal_graphics_composer)
-
-binder_use(bootanim)
-binder_call(bootanim, surfaceflinger)
-binder_call(bootanim, audioserver)
-
-hwbinder_use(bootanim)
-
-allow bootanim gpu_device:chr_file rw_file_perms;
-
-# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
-
-allow bootanim audio_device:dir r_dir_perms;
-allow bootanim audio_device:chr_file rw_file_perms;
-
-allow bootanim audioserver_service:service_manager find;
-allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim surfaceflinger:unix_stream_socket { read write };
-
-# Allow access to ion memory allocation device
-allow bootanim ion_device:chr_file rw_file_perms;
-
-# Allow access to DMA-BUF system heap
-allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
-
-allow bootanim hal_graphics_allocator:fd use;
-
-# Fences
-allow bootanim hal_graphics_composer:fd use;
-
-# Read access to pseudo filesystems.
-allow bootanim proc_meminfo:file r_file_perms;
-
-# System file accesses.
-allow bootanim system_file:dir r_dir_perms;
diff --git a/microdroid/sepolicy/system/public/bootstat.te b/microdroid/sepolicy/system/public/bootstat.te
deleted file mode 100644
index 5079c28..0000000
--- a/microdroid/sepolicy/system/public/bootstat.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# bootstat command
-type bootstat, domain;
-type bootstat_exec, system_file_type, exec_type, file_type;
-
-read_runtime_log_tags(bootstat)
-
-# Allow persistent storage in /data/misc/bootstat.
-allow bootstat bootstat_data_file:dir rw_dir_perms;
-allow bootstat bootstat_data_file:file create_file_perms;
-
-allow bootstat metadata_file:dir search;
-allow bootstat metadata_bootstat_file:dir rw_dir_perms;
-allow bootstat metadata_bootstat_file:file create_file_perms;
-
-# ToDo: TBI move access for the following to a system health HAL
-
-# Allow access to /sys/fs/pstore/ and syslog
-allow bootstat pstorefs:dir search;
-allow bootstat pstorefs:file r_file_perms;
-allow bootstat kernel:system syslog_read;
-
-# Allow access to reading the logs to read aspects of system health
-read_logd(bootstat)
-
-# Allow bootstat write to statsd.
-unix_socket_send(bootstat, statsdw, statsd)
-
-neverallow {
- domain
- -bootstat
- -init
-} system_boot_reason_prop:property_service set;
diff --git a/microdroid/sepolicy/system/public/bufferhubd.te b/microdroid/sepolicy/system/public/bufferhubd.te
deleted file mode 100644
index 37edb5d..0000000
--- a/microdroid/sepolicy/system/public/bufferhubd.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# bufferhubd
-type bufferhubd, domain, mlstrustedsubject;
-type bufferhubd_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(bufferhubd, hal_graphics_allocator)
-
-# TODO(b/112338294): remove these after migrate to Binder
-pdx_server(bufferhubd, bufferhub_client)
-pdx_client(bufferhubd, performance_client)
-
-# Access the GPU.
-allow bufferhubd gpu_device:chr_file rw_file_perms;
-
-# Access /dev/ion
-allow bufferhubd ion_device:chr_file r_file_perms;
-
-# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
-# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
-# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use pdx_client macro.
-allow bufferhubd hal_omx_server:fd use;
-
-# Codec2 is similar to OMX
-allow bufferhubd hal_codec2_server:fd use;
-
diff --git a/microdroid/sepolicy/system/public/camera_service_server.te b/microdroid/sepolicy/system/public/camera_service_server.te
deleted file mode 100644
index 352e1b7..0000000
--- a/microdroid/sepolicy/system/public/camera_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(camera_service_server, fwk_camera_hwservice)
diff --git a/microdroid/sepolicy/system/public/cameraserver.te b/microdroid/sepolicy/system/public/cameraserver.te
deleted file mode 100644
index d7451df..0000000
--- a/microdroid/sepolicy/system/public/cameraserver.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# cameraserver - camera daemon
-type cameraserver, domain;
-type cameraserver_exec, system_file_type, exec_type, file_type;
-type cameraserver_tmpfs, file_type;
-
-binder_use(cameraserver)
-binder_call(cameraserver, binderservicedomain)
-binder_call(cameraserver, appdomain)
-binder_service(cameraserver)
-
-hal_client_domain(cameraserver, hal_camera)
-
-hal_client_domain(cameraserver, hal_graphics_allocator)
-
-allow cameraserver ion_device:chr_file rw_file_perms;
-allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
-
-# Talk with graphics composer fences
-allow cameraserver hal_graphics_composer:fd use;
-
-add_service(cameraserver, cameraserver_service)
-add_hwservice(cameraserver, fwk_camera_hwservice)
-
-allow cameraserver activity_service:service_manager find;
-allow cameraserver appops_service:service_manager find;
-allow cameraserver audioserver_service:service_manager find;
-allow cameraserver batterystats_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver package_native_service:service_manager find;
-allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
-allow cameraserver sensor_privacy_service:service_manager find;
-allow cameraserver surfaceflinger_service:service_manager find;
-
-allow cameraserver hidl_token_hwservice:hwservice_manager find;
-
-###
-### neverallow rules
-###
-
-# cameraserver should never execute any executable without a
-# domain transition
-neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ udp_socket rawip_socket } *;
-neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# Allow shell commands from ADB for CTS testing/dumping
-allow cameraserver adbd:fd use;
-allow cameraserver adbd:unix_stream_socket { read write };
-allow cameraserver shell:fd use;
-allow cameraserver shell:unix_stream_socket { read write };
-allow cameraserver shell:fifo_file { read write };
-
-# Allow to talk with media codec
-allow cameraserver mediametrics_service:service_manager find;
-hal_client_domain(cameraserver, hal_codec2)
-hal_client_domain(cameraserver, hal_omx)
-hal_client_domain(cameraserver, hal_allocator)
-
-# Allow shell commands from ADB for CTS testing/dumping
-userdebug_or_eng(`
- allow cameraserver su:fd use;
- allow cameraserver su:fifo_file { read write };
- allow cameraserver su:unix_stream_socket { read write };
-')
diff --git a/microdroid/sepolicy/system/public/charger.te b/microdroid/sepolicy/system/public/charger.te
deleted file mode 100644
index 37359e3..0000000
--- a/microdroid/sepolicy/system/public/charger.te
+++ /dev/null
@@ -1,40 +0,0 @@
-type charger, domain;
-type charger_exec, system_file_type, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
-
-# Allow to read /sys/class/power_supply directory
-allow charger sysfs_type:dir r_dir_perms;
-
-allow charger self:global_capability_class_set { sys_tty_config };
-allow charger self:global_capability_class_set sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Read/write to /sys/power/state
-allow charger sysfs_power:file rw_file_perms;
-
-r_dir_file(charger, sysfs_batteryinfo)
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
-hal_client_domain(charger, hal_health)
diff --git a/microdroid/sepolicy/system/public/crash_dump.te b/microdroid/sepolicy/system/public/crash_dump.te
index a6f0a94..d59b034 100644
--- a/microdroid/sepolicy/system/public/crash_dump.te
+++ b/microdroid/sepolicy/system/public/crash_dump.te
@@ -1,78 +1,2 @@
type crash_dump, domain;
type crash_dump_exec, system_file_type, exec_type, file_type;
-
-# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
-# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
-
-userdebug_or_eng(`
- allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-
- # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
- allow crash_dump kmsg_debug_device:chr_file { open append };
-')
-
-# Use inherited file descriptors
-allow crash_dump domain:fd use;
-
-# Read/write IPC pipes inherited from crashing processes.
-allow crash_dump domain:fifo_file { read write };
-
-# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { append };
-
-# Read information from /proc/$PID.
-allow crash_dump domain:process getattr;
-
-r_dir_file(crash_dump, domain)
-allow crash_dump exec_type:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow crash_dump dalvikcache_data_file:dir { search getattr };
-allow crash_dump dalvikcache_data_file:file r_file_perms;
-
-# Read APEX data directories.
-allow crash_dump apex_module_data_file:dir { getattr search };
-
-# Read APK files.
-r_dir_file(crash_dump, apk_data_file);
-
-# Read all /vendor
-r_dir_file(crash_dump, { vendor_file same_process_hal_file })
-
-# Talk to tombstoned
-unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
-
-# Talk to ActivityManager.
-unix_socket_connect(crash_dump, system_ndebug, system_server)
-
-# Append to ANR files.
-allow crash_dump anr_data_file:file { append getattr };
-
-# Append to tombstone files.
-allow crash_dump tombstone_data_file:file { append getattr };
-
-# crash_dump writes out logcat logs at the bottom of tombstones,
-# which is super useful in some cases.
-unix_socket_connect(crash_dump, logdr, logd)
-
-# Crash dump is not intended to access the following files. Since these
-# are WAI, suppress the denials to clean up the logs.
-dontaudit crash_dump {
- core_data_file_type
- vendor_file_type
-}:dir search;
-dontaudit crash_dump system_data_file:{ lnk_file file } read;
-dontaudit crash_dump property_type:file read;
-
-# Suppress denials for files in /proc that are passed
-# across exec().
-dontaudit crash_dump proc_type:file rw_file_perms;
-
-###
-### neverallow assertions
-###
-
-# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
-# Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/microdroid/sepolicy/system/public/credstore.te b/microdroid/sepolicy/system/public/credstore.te
deleted file mode 100644
index 97d942d..0000000
--- a/microdroid/sepolicy/system/public/credstore.te
+++ /dev/null
@@ -1,19 +0,0 @@
-type credstore, domain;
-type credstore_exec, system_file_type, exec_type, file_type;
-
-# credstore daemon
-binder_use(credstore)
-binder_service(credstore)
-binder_call(credstore, system_server)
-
-allow credstore credstore_data_file:dir create_dir_perms;
-allow credstore credstore_data_file:file create_file_perms;
-
-add_service(credstore, credstore_service)
-allow credstore sec_key_att_app_id_provider_service:service_manager find;
-allow credstore dropbox_service:service_manager find;
-allow credstore authorization_service:service_manager find;
-allow credstore keystore:keystore2 get_auth_token;
-
-r_dir_file(credstore, cgroup)
-r_dir_file(credstore, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/device.te b/microdroid/sepolicy/system/public/device.te
index 686f955..8d286a6 100644
--- a/microdroid/sepolicy/system/public/device.te
+++ b/microdroid/sepolicy/system/public/device.te
@@ -1,123 +1,39 @@
-# Device types
-type device, dev_type, fs_type;
type ashmem_device, dev_type, mlstrustedobject;
type ashmem_libcutils_device, dev_type, mlstrustedobject;
-type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
-type vndbinder_device, dev_type;
type block_device, dev_type;
-type camera_device, dev_type;
+type console_device, dev_type;
+type device, dev_type, fs_type;
type dm_device, dev_type;
type dm_user_device, dev_type;
-type keychord_device, dev_type;
+type dmabuf_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_secure_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type fuse_device, dev_type, mlstrustedobject;
+type hw_random_device, dev_type;
+type hwbinder_device, dev_type, mlstrustedobject;
+type kmsg_debug_device, dev_type;
+type kmsg_device, dev_type, mlstrustedobject;
+type kvm_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
-type pmsg_device, dev_type, mlstrustedobject;
-type radio_device, dev_type;
-type ram_device, dev_type;
-type rtc_device, dev_type;
-type vd_device, dev_type;
-type vold_device, dev_type;
-type console_device, dev_type;
-type fscklogs, dev_type;
-# GPU (used by most UI apps)
-type gpu_device, dev_type, mlstrustedobject;
-type graphics_device, dev_type;
-type hw_random_device, dev_type;
-type input_device, dev_type;
-type port_device, dev_type;
-type lowpan_device, dev_type;
-type mtp_device, dev_type, mlstrustedobject;
-type nfc_device, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type, mlstrustedobject;
-type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type, mlstrustedobject;
-type secure_element_device, dev_type;
-type sensors_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
-type tty_device, dev_type;
-type video_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type, mlstrustedobject;
-type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
-type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type qtaguid_device, dev_type;
-type watchdog_device, dev_type;
-type uhid_device, dev_type, mlstrustedobject;
-type uio_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type, mlstrustedobject;
-type usb_device, dev_type, mlstrustedobject;
-type usb_serial_device, dev_type;
-type gnss_device, dev_type;
+type ppp_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
-
-# All devices have a uart for the hci
-# attach service. The uart dev node
-# varies per device. This type
-# is used in per device policy
-type hci_attach_dev, dev_type;
-
-# All devices have a rpmsg device for
-# achieving remoteproc and rpmsg modules
-type rpmsg_device, dev_type;
-
-# Partition layout block device
-type root_block_device, dev_type;
-
-# factory reset protection block device
-type frp_block_device, dev_type;
-
-# System block device mounted on /system.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
-
-# Recovery block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
-
-# boot block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
-
-# Userdata block device mounted on /data.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
-
-# Cache block device mounted on /cache.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
-
-# Block device for any swap partition.
-type swap_block_device, dev_type;
-
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
-
-# The 'misc' partition used by recovery and A/B.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
-
-# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
-
-# sdcard devices; normally vold uses the vold_block_device label and creates a
-# separate device node. gsid, however, accesses the original devide node
-# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
-
-# Userdata device file for filesystem tunables
+type ptmx_device, dev_type, mlstrustedobject;
+type ram_device, dev_type;
+type random_device, dev_type, mlstrustedobject;
+type rtc_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type uhid_device, dev_type, mlstrustedobject;
+type uio_device, dev_type;
type userdata_sysdev, dev_type;
+type vd_device, dev_type;
+type vndbinder_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
diff --git a/microdroid/sepolicy/system/public/dhcp.te b/microdroid/sepolicy/system/public/dhcp.te
deleted file mode 100644
index 1d875ab..0000000
--- a/microdroid/sepolicy/system/public/dhcp.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type dhcp, domain;
-type dhcp_exec, system_file_type, exec_type, file_type;
-
-net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp cgroup_v2:dir { create write add_name };
-allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms_no_ioctl;
-allow dhcp self:netlink_route_socket nlmsg_write;
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
-
-# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
-allow dhcp toolbox_exec:file rx_file_perms;
-
-# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net_type:file write;
-
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/microdroid/sepolicy/system/public/display_service_server.te b/microdroid/sepolicy/system/public/display_service_server.te
deleted file mode 100644
index c5839fa..0000000
--- a/microdroid/sepolicy/system/public/display_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/microdroid/sepolicy/system/public/dnsmasq.te b/microdroid/sepolicy/system/public/dnsmasq.te
deleted file mode 100644
index 86f1eb1..0000000
--- a/microdroid/sepolicy/system/public/dnsmasq.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# DNS, DHCP services
-type dnsmasq, domain;
-type dnsmasq_exec, system_file_type, exec_type, file_type;
-
-net_domain(dnsmasq)
-allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
-
-# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
-
-allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
-
-allow dnsmasq dhcp_data_file:dir w_dir_perms;
-allow dnsmasq dhcp_data_file:file create_file_perms;
-
-# Inherit and use open files from netd.
-allow dnsmasq netd:fd use;
-allow dnsmasq netd:fifo_file { getattr read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
-allow dnsmasq netd:netlink_nflog_socket { read write };
-allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { getattr read write };
-allow dnsmasq netd:unix_dgram_socket { read write };
-allow dnsmasq netd:udp_socket { read write };
-
-# sometimes a network device vanishes and we try to load module netdev-{devicename}
-dontaudit dnsmasq kernel:system module_request;
diff --git a/microdroid/sepolicy/system/public/domain.te b/microdroid/sepolicy/system/public/domain.te
deleted file mode 100644
index 799a2f1..0000000
--- a/microdroid/sepolicy/system/public/domain.te
+++ /dev/null
@@ -1,1400 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
- fork
- sigchld
- sigkill
- sigstop
- signull
- signal
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- getattr
- setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net_type:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-userdebug_or_eng(`
- allow domain su:fd use;
- allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
- allow domain su:unix_dgram_socket sendto;
-
- allow { domain -init } su:binder { call transfer };
-
- # Running something like "pm dump com.android.bluetooth" requires
- # fifo writes
- allow domain su:fifo_file { write getattr };
-
- # allow "gdbserver --attach" to work for su.
- allow domain su:process sigchld;
-
- # Allow writing coredumps to /cores/*
- allow domain coredump_file:file create_file_perms;
- allow domain coredump_file:dir ra_dir_perms;
-')
-
-with_native_coverage(`
- # Allow writing coverage information to /data/misc/trace
- allow domain method_trace_data_file:dir create_dir_perms;
- allow domain method_trace_data_file:file create_file_perms;
-')
-
-# Root fs.
-allow domain tmpfs:dir { getattr search };
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain dmabuf_heap_device:dir r_dir_perms;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-
-# /dev/ashmem is being deprecated by means of constraining and eventually
-# removing all "open" permissions. We preserve the other permissions.
-allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
-# This device is used by libcutils, which is accessible to everyone.
-allow domain ashmem_libcutils_device:chr_file rw_file_perms;
-
-# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-
-allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain proc_random:dir r_dir_perms;
-allow domain proc_random:file r_file_perms;
-allow domain properties_device:dir { search getattr };
-allow domain properties_serial:file r_file_perms;
-allow domain property_info:file r_file_perms;
-
-# Public readable properties
-get_prop(domain, aaudio_config_prop)
-get_prop(domain, arm64_memtag_prop)
-get_prop(domain, bootloader_prop)
-get_prop(domain, build_odm_prop)
-get_prop(domain, build_prop)
-get_prop(domain, build_vendor_prop)
-get_prop(domain, debug_prop)
-get_prop(domain, exported_config_prop)
-get_prop(domain, exported_default_prop)
-get_prop(domain, exported_dumpstate_prop)
-get_prop(domain, exported_secure_prop)
-get_prop(domain, exported_system_prop)
-get_prop(domain, fingerprint_prop)
-get_prop(domain, hal_instrumentation_prop)
-get_prop(domain, hw_timeout_multiplier_prop)
-get_prop(domain, init_service_status_prop)
-get_prop(domain, libc_debug_prop)
-get_prop(domain, logd_prop)
-get_prop(domain, mediadrm_config_prop)
-get_prop(domain, property_service_version_prop)
-get_prop(domain, soc_prop)
-get_prop(domain, socket_hook_prop)
-get_prop(domain, surfaceflinger_prop)
-get_prop(domain, telephony_status_prop)
-get_prop(domain, vendor_socket_hook_prop)
-get_prop(domain, vndk_prop)
-get_prop(domain, vold_status_prop)
-get_prop(domain, vts_config_prop)
-
-# Binder cache properties are world-readable
-get_prop(domain, binder_cache_bluetooth_server_prop)
-get_prop(domain, binder_cache_system_server_prop)
-get_prop(domain, binder_cache_telephony_server_prop)
-
-# Let everyone read log properties, so that liblog can avoid sending unloggable
-# messages to logd.
-get_prop(domain, log_property_type)
-dontaudit domain property_type:file audit_access;
-allow domain property_contexts_file:file r_file_perms;
-
-allow domain init:key search;
-allow domain vold:key search;
-
-# logd access
-write_logd(domain)
-
-# Directory/link file access for path resolution.
-allow domain {
- system_file
- system_lib_file
- system_seccomp_policy_file
- system_security_cacerts_file
-}:dir r_dir_perms;
-allow domain system_file:lnk_file { getattr read };
-
-# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
-allow domain system_seccomp_policy_file:file r_file_perms;
-# cacerts are accessible from public Java API.
-allow domain system_security_cacerts_file:file r_file_perms;
-allow domain system_group_file:file r_file_perms;
-allow domain system_passwd_file:file r_file_perms;
-allow domain system_linker_exec:file { execute read open getattr map };
-allow domain system_linker_config_file:file r_file_perms;
-allow domain system_lib_file:file { execute read open getattr map };
-# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
-allow domain system_linker_exec:lnk_file { read open getattr };
-allow domain system_lib_file:lnk_file { read open getattr };
-
-allow domain system_event_log_tags_file:file r_file_perms;
-
-allow { appdomain coredomain } system_file:file { execute read open getattr map };
-
-# Make sure system/vendor split doesn not affect non-treble
-# devices
-not_full_treble(`
- allow domain system_file:file { execute read open getattr map };
- allow domain vendor_file_type:dir { search getattr };
- allow domain vendor_file_type:file { execute read open getattr map };
- allow domain vendor_file_type:lnk_file { getattr read };
-')
-
-# All domains are allowed to open and read directories
-# that contain HAL implementations (e.g. passthrough
-# HALs require clients to have these permissions)
-allow domain vendor_hal_file:dir r_dir_perms;
-
-# Everyone can read and execute all same process HALs
-allow domain same_process_hal_file:dir r_dir_perms;
-allow {
- domain
- -coredomain # access is explicitly granted to individual coredomains
-} same_process_hal_file:file { execute read open getattr map };
-
-# Any process can load vndk-sp libraries, which are system libraries
-# used by same process HALs
-allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr map };
-
-# All domains get access to /vendor/etc
-allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr map };
-
-full_treble_only(`
- # Allow all domains to be able to follow /system/vendor and/or
- # /vendor/odm symlinks.
- allow domain vendor_file_type:lnk_file { getattr open read };
-
- # This is required to be able to search & read /vendor/lib64
- # in order to lookup vendor libraries. The execute permission
- # for coredomains is granted *only* for same process HALs
- allow domain vendor_file:dir { getattr search };
-
- # Allow reading and executing out of /vendor to all vendor domains
- allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
- allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
- allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
-')
-
-# read and stat any sysfs symlinks
-allow domain sysfs:lnk_file { getattr read };
-
-# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
-# timezone related information.
-# This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
-allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-r_dir_file(domain, sysfs_usb);
-
-# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
-# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
-allow domain sysfs_transparent_hugepage:dir search;
-allow domain sysfs_transparent_hugepage:file r_file_perms;
-
-# files under /data.
-not_full_treble(`
- allow domain system_data_file:dir getattr;
-')
-allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
-allow domain system_data_root_file:dir { search getattr } ;
-allow domain system_data_file:dir search;
-# TODO restrict this to non-coredomain
-allow domain vendor_data_file:dir { getattr search };
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# /dev/cpu_variant:.*
-allow domain dev_cpu_variant:file r_file_perms;
-
-# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
-allow domain proc_perf:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_tracing_debug:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# Restrict all domains to an allowlist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
-allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
- ioctl unpriv_unix_sock_ioctls;
-
-# Restrict PTYs to only allowed ioctls.
-# Note that granting this allowlist to domain does
-# not grant the wider ioctl permission. That must be granted
-# separately.
-allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-
-# All domains must clearly enumerate what ioctls they use
-# on filesystem objects (plain files, directories, symbolic links,
-# named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
-
-# If a domain has ioctl access to tun_device, it must clearly enumerate the
-# ioctls used. Safe defaults are listed below.
-allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
-
-# Allow a process to make a determination whether a file descriptor
-# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this allowlist to domain does not grant the ioctl permission to
-# these files. That must be granted separately.
-allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
-allowxperm domain domain:fifo_file ioctl { TCGETS };
-
-# If a domain has access to perform an ioctl on a block device, allow these
-# very common, benign ioctls
-allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
-
-# Support sqlite F2FS specific optimizations
-# ioctl permission on the specific file type is still required
-# TODO: consider only compiling these rules if we know the
-# /data partition is F2FS
-allowxperm domain { file_type sdcard_type }:file ioctl {
- F2FS_IOC_ABORT_VOLATILE_WRITE
- F2FS_IOC_COMMIT_ATOMIC_WRITE
- F2FS_IOC_GET_FEATURES
- F2FS_IOC_GET_PIN_FILE
- F2FS_IOC_SET_PIN_FILE
- F2FS_IOC_START_ATOMIC_WRITE
-};
-
-# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
-# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:service_manager { add find };
-
-# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
-with_asan(`allow domain system_data_file:dir getattr;')
-# Under ASAN, /system/asan.options needs to be globally accessible.
-with_asan(`allow domain system_asan_options_file:file r_file_perms;')
-
-# read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir { getattr search };
-allow domain apex_mnt_dir:lnk_file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to an allowlist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
-
-# b/68014825 and https://android-review.googlesource.com/516535
-# rfc6093 says that processes should not use the TCP urgent mechanism
-neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
-
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-
-# Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-
-# Limit device node creation to these allowed domains.
-neverallow {
- domain
- -kernel
- -init
- -ueventd
- -vold
-} self:global_capability_class_set mknod;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:global_capability2_class_set mac_override;
-
-# Disallow attempts to set contexts not defined in current policy
-# This helps guarantee that unknown or dangerous contents will not ever
-# be set.
-neverallow * self:global_capability2_class_set mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only the kernel hwrng thread should be able to read from the HW RNG.
-neverallow {
- domain
- -shell # For CTS, restricted to just getattr in shell.te
- -ueventd # To create the /dev/hw_random file
-} hw_random_device:chr_file *;
-# b/78174219 b/64114943
-neverallow {
- domain
- -shell # stat of /dev, getattr only
- -ueventd
-} keychord_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-
-# The dynamic linker always calls access(2) on the path. Don't generate SElinux
-# denials since the linker does not actually access the path in case the path
-# does not exist or isn't accessible for the process.
-dontaudit domain postinstall_mnt_dir:dir audit_access;
-
-#Ensure that nothing in userspace can access /dev/port
-neverallow {
- domain
- -shell # Shell user should not have any abilities outside of getattr
- -ueventd
-} port_device:chr_file *;
-neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-neverallow * vendor_init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
-
-# Do not allow renaming of block files or character files
-# Ability to do so can lead to possible use in an exploit chain
-# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-neverallow domain device:chr_file { open read write };
-
-# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-
-# The test files and executables MUST not be accessible to any domain
-neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
-neverallow domain nativetest_data_file:dir no_w_dir_perms;
-neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-
-neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
-neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
-neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Nobody should be doing writes to /system & /vendor
-# These partitions are intended to be read-only and must never be
-# modified. Doing so would violate important Android security guarantees
-# and invalidate dm-verity signatures.
-neverallow {
- domain
- with_asan(`-asan_extract')
- recovery_only(`userdebug_or_eng(`-fastbootd')')
-} {
- system_file_type
- vendor_file_type
- exec_type
-}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow * contextmount_type:dir_file_class_set
- { create setattr relabelfrom relabelto append link rename };
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
-neverallow * default_android_vndservice:service_manager *;
-neverallow * default_android_hwservice:hwservice_manager *;
-
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
-# Require that domains explicitly label unknown properties, and do not allow
-# anyone but init to modify unknown properties.
-neverallow { domain -init -vendor_init } mmc_prop:property_service set;
-neverallow { domain -init -vendor_init } vndk_prop:property_service set;
-
-compatible_property_only(`
- neverallow { domain -init } mmc_prop:property_service set;
- neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
- neverallow { domain -init } exported_secure_prop:property_service set;
- neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
- neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
- neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
-')
-
-compatible_property_only(`
- neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
- neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
-')
-
-neverallow { domain -init } aac_drc_prop:property_service set;
-neverallow { domain -init } build_prop:property_service set;
-
-# Do not allow reading device's serial number from system properties except form
-# a few allowed domains.
-neverallow {
- domain
- -adbd
- -dumpstate
- -fastbootd
- -hal_camera_server
- -hal_cas_server
- -hal_drm_server
- userdebug_or_eng(`-incidentd')
- -init
- -mediadrmserver
- -mediaserver
- -recovery
- -shell
- -system_server
- -vendor_init
-} serialno_prop:file r_file_perms;
-
-neverallow {
- domain
- -init
- -recovery
- -system_server
- -shell # Shell is further restricted in shell.te
- -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file no_rw_file_perms;
-
-# The metadata block device is set aside for device encryption and
-# verified boot metadata. It may be reset at will and should not
-# be used by other domains.
-neverallow {
- domain
- -init
- -recovery
- -vold
- -e2fs
- -fsck
- -fastbootd
-} metadata_block_device:blk_file { append link rename write open read ioctl lock };
-
-# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
-neverallow {
- domain
- -fastbootd
- userdebug_or_eng(`-fsck')
- userdebug_or_eng(`-init')
- -recovery
- -update_engine
-} system_block_device:blk_file { write append };
-
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -fastbootd
- -hal_bootctl_server
- -init
- -uncrypt
- -update_engine
- -vendor_init
- -vendor_misc_writer
- -vold
- -recovery
- -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
-
-full_treble_only(`
- # vendor services cant add system services
- neverallow {
- domain
- -coredomain
- } {
- service_manager_type
- -vendor_service
- }:service_manager add;
-')
-
-full_treble_only(`
- # Vendor apps are permited to use only stable public services. If they were to use arbitrary
- # services which can change any time framework/core is updated, breakage is likely.
- #
- # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
- neverallow {
- appdomain
- -coredomain
- } {
- service_manager_type
-
- -app_api_service
- -vendor_service # must be @VintfStability to be used by an app
- -ephemeral_app_api_service
-
- -apc_service
- -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
- -cameraserver_service
- -drmserver_service
- -credstore_service
- -keystore_maintenance_service
- -keystore_service
- -legacykeystore_service
- -mediadrmserver_service
- -mediaextractor_service
- -mediametrics_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -virtual_touchpad_service
- -vr_hwc_service
- -vr_manager_service
- userdebug_or_eng(`-hal_face_service')
- }:service_manager find;
-')
-
-# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- -ueventd # uevent is granted create for this device, but we still neverallow I/O below
- } vndbinder_device:chr_file rw_file_perms;
-')
-full_treble_only(`
- neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
-')
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservice_manager_type:service_manager *;
-')
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservicemanager:binder *;
-')
-
-# On full TREBLE devices, socket communications between core components and vendor components are
-# not permitted.
- # Most general rules first, more specific rules below.
-
- # Core domains are not permitted to initiate communications to vendor domain sockets.
- # We are not restricting the use of already established sockets because it is fine for a process
- # to obtain an already established socket via some public/official/stable API and then exchange
- # data with its peer over that socket. The wire format in this scenario is dicatated by the API
- # and thus does not break the core-vendor separation.
-full_treble_only(`
- neverallow_establish_socket_comms({
- coredomain
- -init
- -adbd
- }, {
- domain
- -coredomain
- -socket_between_core_and_vendor_violators
- });
-')
-
- # Vendor domains are not permitted to initiate create/open sockets owned by core domains
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain # appdomain restrictions below
- -data_between_core_and_vendor_violators # b/70393317
- -socket_between_core_and_vendor_violators
- -vendor_init
- } {
- coredomain_socket
- core_data_file_type
- unlabeled # used only by core domains
- }:sock_file ~{ append getattr ioctl read write };
-')
-full_treble_only(`
- neverallow {
- appdomain
- -coredomain
- } {
- coredomain_socket
- unlabeled # used only by core domains
- core_data_file_type
- -app_data_file
- -privapp_data_file
- -pdx_endpoint_socket_type # used by VR layer
- -pdx_channel_socket_type # used by VR layer
- }:sock_file ~{ append getattr ioctl read write };
-')
-
- # Core domains are not permitted to create/open sockets owned by vendor domains
-full_treble_only(`
- neverallow {
- coredomain
- -init
- -ueventd
- -socket_between_core_and_vendor_violators
- } {
- file_type
- dev_type
- -coredomain_socket
- -core_data_file_type
- -app_data_file_type
- -unlabeled
- }:sock_file ~{ append getattr ioctl read write };
-')
-
-# On TREBLE devices, vendor and system components are only allowed to share
-# files by passing open FDs over hwbinder. Ban all directory access and all file
-# accesses other than what can be applied to an open FD such as
-# ioctl/stat/read/write/append. This is enforced by segregating /data.
-# Vendor domains may directly access file in /data/vendor by path, but may only
-# access files outside of /data/vendor via an open FD passed over hwbinder.
-# Likewise, core domains may only directly access files outside /data/vendor by
-# path and files in /data/vendor by open FD.
-full_treble_only(`
- # only coredomains may only access core_data_file_type, particularly not
- # /data/vendor
- neverallow {
- coredomain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -data_between_core_and_vendor_violators
- -init
- -vold_prepare_subdirs
- } {
- data_file_type
- -core_data_file_type
- -app_data_file_type
- }:file_class_set ~{ append getattr ioctl read write map };
-')
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -data_between_core_and_vendor_violators
- -init
- -vold_prepare_subdirs
- } {
- data_file_type
- -core_data_file_type
- -app_data_file_type
- # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
- # neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- }:dir *;
-
-')
-full_treble_only(`
- # vendor domains may only access files in /data/vendor, never core_data_file_types
- neverallow {
- domain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -coredomain
- -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
- -vendor_init
- } {
- core_data_file_type
- # libc includes functions like mktime and localtime which attempt to access
- # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
- # These functions are considered vndk-stable and thus must be allowed for
- # all processes.
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
- }:file_class_set ~{ append getattr ioctl read write map };
- neverallow {
- vendor_init
- -data_between_core_and_vendor_violators
- } {
- core_data_file_type
- -unencrypted_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
- }:file_class_set ~{ append getattr ioctl read write map };
- # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
- # The vendor init binary lives on the system partition so there is not a concern with stability.
- neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
-')
-full_treble_only(`
- # vendor domains may only access dirs in /data/vendor, never core_data_file_types
- neverallow {
- domain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -coredomain
- -data_between_core_and_vendor_violators
- -vendor_init
- } {
- core_data_file_type
- -system_data_file # default label for files on /data. Covered below...
- -system_data_root_file
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
- }:dir *;
- neverallow {
- vendor_init
- -data_between_core_and_vendor_violators
- } {
- core_data_file_type
- -unencrypted_data_file
- -system_data_file
- -system_data_root_file
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
- }:dir *;
- # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
- # The vendor init binary lives on the system partition so there is not a concern with stability.
- neverallow vendor_init unencrypted_data_file:dir ~search;
-')
-full_treble_only(`
- # vendor domains may only access dirs in /data/vendor, never core_data_file_types
- neverallow {
- domain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -coredomain
- -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
- } {
- system_data_file # default label for files on /data. Covered below
- }:dir ~{ getattr search };
-')
-
-full_treble_only(`
- # coredomains may not access dirs in /data/vendor.
- neverallow {
- coredomain
- -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
- -init
- -vold # vold creates per-user storage for both system and vendor
- -vold_prepare_subdirs
- } {
- vendor_data_file # default label for files on /data. Covered below
- }:dir ~{ getattr search };
-')
-
-full_treble_only(`
- # coredomains may not access dirs in /data/vendor.
- neverallow {
- coredomain
- -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
- -init
- } {
- vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
- }:file_class_set ~{ append getattr ioctl read write map };
-')
-
-full_treble_only(`
- # Non-vendor domains are not allowed to file execute shell
- # from vendor
- neverallow {
- coredomain
- -init
- -shell
- -ueventd
- } vendor_shell_exec:file { execute execute_no_trans };
-')
-
-full_treble_only(`
- # Do not allow vendor components to execute files from system
- # except for the ones allowed here.
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_executes_system_violators
- -vendor_init
- } {
- system_file_type
- -system_lib_file
- -system_linker_exec
- -crash_dump_exec
- -iorap_prefetcherd_exec
- -iorap_inode2filename_exec
- -netutils_wrapper_exec
- userdebug_or_eng(`-tcpdump_exec')
- }:file { entrypoint execute execute_no_trans };
-')
-
-full_treble_only(`
- # Do not allow coredomain to access entrypoint for files other
- # than system_file_type and postinstall_file
- neverallow coredomain {
- file_type
- -system_file_type
- -postinstall_file
- }:file entrypoint;
- # Do not allow domains other than coredomain to access entrypoint
- # for anything but vendor_file_type and init_exec for vendor_init.
- neverallow { domain -coredomain } {
- file_type
- -vendor_file_type
- -init_exec
- }:file entrypoint;
-')
-
-full_treble_only(`
- # Do not allow system components to execute files from vendor
- # except for the ones allowed here.
- neverallow {
- coredomain
- -init
- -shell
- -system_executes_vendor_violators
- -ueventd
- } {
- vendor_file_type
- -same_process_hal_file
- -vndk_sp_file
- -vendor_app_file
- -vendor_public_framework_file
- -vendor_public_lib_file
- }:file execute;
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- -system_executes_vendor_violators
- } {
- vendor_file_type
- -same_process_hal_file
- }:file execute_no_trans;
-')
-
-full_treble_only(`
- # Do not allow vendor components access to /system files except for the
- # ones allowed here.
- neverallow {
- domain
- -appdomain
- -coredomain
- -vendor_executes_system_violators
- # vendor_init needs access to init_exec for domain transition. vendor_init
- # neverallows are covered in public/vendor_init.te
- -vendor_init
- } {
- system_file_type
- -crash_dump_exec
- -file_contexts_file
- -iorap_inode2filename_exec
- -netutils_wrapper_exec
- -property_contexts_file
- -system_event_log_tags_file
- -system_group_file
- -system_lib_file
- with_asan(`-system_asan_options_file')
- -system_linker_exec
- -system_linker_config_file
- -system_passwd_file
- -system_seccomp_policy_file
- -system_security_cacerts_file
- -system_zoneinfo_file
- -task_profiles_api_file
- -task_profiles_file
- userdebug_or_eng(`-tcpdump_exec')
- }:file *;
-')
-
-# Only system_server should be able to send commands via the zygote socket
-neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } zygote_socket:sock_file write;
-
-neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } webview_zygote:sock_file write;
-neverallow { domain -system_server } app_zygote:sock_file write;
-
-neverallow {
- domain
- -tombstoned
- -crash_dump
- -dumpstate
- -incidentd
- -system_server
-
- # Processes that can't exec crash_dump
- -hal_codec2_server
- -hal_omx_server
- -mediaextractor
-} tombstoned_crash_socket:unix_stream_socket connectto;
-
-# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
-# the tombstoned intercept socket.
-neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
-neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
-
-# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
-neverallow { domain -init -system_server } heapdump_data_file:file read;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only dumpstate, shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
- file_type
- -apk_data_file
- -app_data_file
- -asec_public_file
-}:file execmod;
-
-# Do not allow making the stack or heap executable.
-# We would also like to minimize execmem but it seems to be
-# required by some device-specific service domains.
-neverallow * self:process { execstack execheap };
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
- domain
- -system_server
- -system_app
- -init
- -toolbox # TODO(b/141108496) We want to remove toolbox
- -installd # for relabelfrom and unlink, check for this in explicit neverallow
- -vold_prepare_subdirs # For unlink
- with_asan(`-asan_extract')
-} system_data_file:file no_w_file_perms;
-# do not grant anything greater than r_file_perms and relabelfrom unlink
-# to installd
-neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-
-# respect system_app sandboxes
-neverallow {
- domain
- -appdomain # finer-grained rules for appdomain are listed below
- -system_server #populate com.android.providers.settings/databases/settings.db.
- -installd # creation of app sandbox
- -iorap_inode2filename
- -traced_probes # resolve inodes for i/o tracing.
- # only needs open and read, the rest is neverallow in
- # traced_probes.te.
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
- isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
- ephemeral_app
- priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
- domain
- -adbd
- -init
- -runas
- -zygote
-} shell:process { transition dyntransition };
-
-# Only domains spawned from zygote, runas and simpleperf_app_runner may have
-# the appdomain attribute. simpleperf is excluded as a domain transitioned to
-# when running an app-scoped profiling session.
-neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
- appdomain -shell -simpleperf userdebug_or_eng(`-su')
-}:process { transition dyntransition };
-
-# Minimize read access to shell- or app-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
- domain
- -appdomain
- -installd
-} { app_data_file privapp_data_file }:lnk_file read;
-
-neverallow {
- domain
- -shell
- userdebug_or_eng(`-uncrypt')
- -installd
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-neverallow {
- domain
- -adbd
- -dumpstate
- -installd
- -init
- -shell
- -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -init
- -installd
- -iorap_inode2filename
- -simpleperf_app_runner
- -system_server # why?
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -installd
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
-# servicemanager and vndservicemanager are the only processes which handle the
-# service_manager list request
-neverallow * ~{
- servicemanager
- vndservicemanager
- }:service_manager list;
-
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-# TODO: fix dumpstate
-neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
-
-# Do not allow executable files in debugfs.
-neverallow domain debugfs_type:file { execute execute_no_trans };
-
-# Don't allow access to the FUSE control filesystem, except to vold and init's
-neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
-
-# Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
-neverallow {
- domain
- -installd
- -profman
-} profman_exec:file no_x_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
-
-# Only allow filesystem caps to be set at build time. Runtime changes
-# to filesystem capabilities are not permitted.
-neverallow * self:global_capability_class_set setfcap;
-
-# Enforce AT_SECURE for executing crash_dump.
-neverallow domain crash_dump:process noatsecure;
-
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
-
-# If an already existing file is opened with O_CREAT, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-
-# These filesystems don't allow files or directories to be created, so the permission
-# to do so should never be granted.
-neverallow domain {
- proc_type
- sysfs_type
-}:dir { add_name create link remove_name rename reparent rmdir write };
-
-# cgroupfs directories can be created, but not files within them.
-neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
-
-dontaudit domain proc_type:dir write;
-dontaudit domain sysfs_type:dir write;
-dontaudit domain cgroup:file create;
-dontaudit domain cgroup_v2:file create;
-
-# These are only needed in permissive mode - in enforcing mode the
-# directory write check fails and so these are never attempted.
-userdebug_or_eng(`
- dontaudit domain proc_type:dir add_name;
- dontaudit domain sysfs_type:dir add_name;
- dontaudit domain proc_type:file create;
- dontaudit domain sysfs_type:file create;
-')
-
-# Platform must not have access to /mnt/vendor.
-neverallow {
- coredomain
- -init
- -ueventd
- -vold
- -system_writes_mnt_vendor_violators
-} mnt_vendor_file:dir *;
-
-# Only apps are allowed access to vendor public libraries.
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
-')
-
-# Vendor domian must not have access to /mnt/product.
-neverallow {
- domain
- -coredomain
-} mnt_product_file:dir *;
-
-# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
-full_treble_only(`
- neverallow {
- coredomain
- -healthd
- -shell
- # Generate uevents for health info
- -ueventd
- # Recovery uses health HAL passthrough implementation.
- -recovery
- # Charger uses health HAL passthrough implementation.
- -charger
- # TODO(b/110891300): remove this exception
- -incidentd
- } sysfs_batteryinfo:file { open read };
-')
-
-neverallow {
- domain
- -hal_codec2_server
- -hal_omx_server
-} hal_codec2_hwservice:hwservice_manager add;
-
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
- domain
- -ephemeral_app # We don't distinguish ephemeral apps based on target API.
- -untrusted_app_25
- -untrusted_app_27
-} ashmem_device:chr_file open;
-
-neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/microdroid/sepolicy/system/public/drmserver.te b/microdroid/sepolicy/system/public/drmserver.te
deleted file mode 100644
index eede0fc..0000000
--- a/microdroid/sepolicy/system/public/drmserver.te
+++ /dev/null
@@ -1,65 +0,0 @@
-# drmserver - DRM service
-type drmserver, domain;
-type drmserver_exec, system_file_type, exec_type, file_type;
-
-typeattribute drmserver mlstrustedsubject;
-
-net_domain(drmserver)
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
-binder_call(drmserver, mediametrics)
-binder_service(drmserver)
-# Inherit or receive open files from system_server.
-allow drmserver system_server:fd use;
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
-allow drmserver sdcard_type:file { read write getattr map };
-r_dir_file(drmserver, efs_file)
-
-type drmserver_socket, file_type;
-
-# /data/app/tlcd_sock socket file.
-# Clearly, /data/app is the most logical place to create a socket. Not.
-allow drmserver apk_data_file:dir rw_dir_perms;
-auditallow drmserver apk_data_file:dir { add_name write };
-allow drmserver drmserver_socket:sock_file create_file_perms;
-auditallow drmserver drmserver_socket:sock_file create;
-# Delete old socket file if present.
-allow drmserver apk_data_file:sock_file unlink;
-
-# After taking a video, drmserver looks at the video file.
-r_dir_file(drmserver, media_rw_data_file)
-
-# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr map };
-allow drmserver asec_apk_file:file { read getattr map };
-allow drmserver ringtone_file:file { read getattr map };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr map };
-
-# /oem access
-allow drmserver oemfs:dir search;
-allow drmserver oemfs:file r_file_perms;
-
-# overlay package access
-allow drmserver vendor_overlay_file:file { read map };
-
-add_service(drmserver, drmserver_service)
-allow drmserver permission_service:service_manager find;
-allow drmserver mediametrics_service:service_manager find;
-
-selinux_check_access(drmserver)
-
-r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, cgroup_v2)
-r_dir_file(drmserver, system_file)
diff --git a/microdroid/sepolicy/system/public/dumpstate.te b/microdroid/sepolicy/system/public/dumpstate.te
deleted file mode 100644
index 85a5796..0000000
--- a/microdroid/sepolicy/system/public/dumpstate.te
+++ /dev/null
@@ -1,394 +0,0 @@
-# dumpstate
-type dumpstate, domain, mlstrustedsubject;
-type dumpstate_exec, system_file_type, exec_type, file_type;
-
-net_domain(dumpstate)
-binder_use(dumpstate)
-wakelock_use(dumpstate)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
-
-# Allow dumpstate to scan through /proc/pid for all processes
-r_dir_file(dumpstate, domain)
-
-allow dumpstate self:global_capability_class_set {
- # Send signals to processes
- kill
- # Run iptables
- net_raw
- net_admin
-};
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow dumpstate system_file:file execute_no_trans;
-not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
-allow dumpstate toolbox_exec:file rx_file_perms;
-
-# hidl searches for files in /system/lib(64)/hw/
-allow dumpstate system_file:dir r_dir_perms;
-
-# Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
-allow dumpstate anr_data_file:dir rw_dir_perms;
-allow dumpstate anr_data_file:file create_file_perms;
-
-# Allow reading /data/system/uiderrors.txt
-# TODO: scope this down.
-allow dumpstate system_data_file:file r_file_perms;
-
-# Allow dumpstate to append into apps' private files.
-allow dumpstate { privapp_data_file app_data_file }:file append;
-
-# Read dmesg
-allow dumpstate self:global_capability2_class_set syslog;
-allow dumpstate kernel:system syslog_read;
-
-# Read /sys/fs/pstore/console-ramoops
-allow dumpstate pstorefs:dir r_dir_perms;
-allow dumpstate pstorefs:file r_file_perms;
-
-# Get process attributes
-allow dumpstate domain:process getattr;
-
-# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server zygote }:process signal;
-
-# Signal native processes to dump their stack.
-allow dumpstate {
- # This list comes from native_processes_to_dump in dumputils/dump_utils.c
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediametrics
- mediaserver
- mediaswcodec
- sdcardd
- surfaceflinger
- vold
-
- # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
- hal_audio_server
- hal_audiocontrol_server
- hal_bluetooth_server
- hal_camera_server
- hal_codec2_server
- hal_drm_server
- hal_evs_server
- hal_face_server
- hal_fingerprint_server
- hal_graphics_allocator_server
- hal_graphics_composer_server
- hal_health_server
- hal_neuralnetworks_server
- hal_omx_server
- hal_power_server
- hal_power_stats_server
- hal_sensors_server
- hal_thermal_server
- hal_vehicle_server
- hal_vr_server
- system_suspend_server
-}:process signal;
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-
-# Access to /sys
-allow dumpstate sysfs_type:dir r_dir_perms;
-
-allow dumpstate {
- sysfs_devices_block
- sysfs_dm
- sysfs_loop
- sysfs_usb
- sysfs_zram
-}:file r_file_perms;
-
-# Other random bits of data we want to collect
-no_debugfs_restriction(`
- allow dumpstate debugfs:file r_file_perms;
- auditallow dumpstate debugfs:file r_file_perms;
-
- allow dumpstate debugfs_mmc:file r_file_perms;
-')
-
-# df for
-allow dumpstate {
- block_device
- cache_file
- metadata_file
- rootfs
- selinuxfs
- storage_file
- tmpfs
-}:dir { search getattr };
-allow dumpstate fuse_device:chr_file getattr;
-allow dumpstate { dm_device cache_block_device }:blk_file getattr;
-allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
-
-# Read /dev/cpuctl and /dev/cpuset
-r_dir_file(dumpstate, cgroup)
-r_dir_file(dumpstate, cgroup_v2)
-
-# Allow dumpstate to make binder calls to any binder service
-binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
-
-dump_hal(hal_dumpstate)
-dump_hal(hal_wifi)
-dump_hal(hal_graphics_allocator)
-dump_hal(hal_light)
-dump_hal(hal_neuralnetworks)
-dump_hal(hal_thermal)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_identity)
-dump_hal(hal_face)
-dump_hal(hal_fingerprint)
-dump_hal(hal_gnss)
-
-# Vibrate the device after we are done collecting the bugreport
-hal_client_domain(dumpstate, hal_vibrator)
-
-# Reading /proc/PID/maps of other processes
-allow dumpstate self:global_capability_class_set sys_ptrace;
-
-# Allow the bugreport service to create a file in
-# /data/data/com.android.shell/files/bugreports/bugreport
-allow dumpstate shell_data_file:dir create_dir_perms;
-allow dumpstate shell_data_file:file create_file_perms;
-
-# Run a shell.
-allow dumpstate shell_exec:file rx_file_perms;
-
-# For running am and similar framework commands.
-# Run /system/bin/app_process.
-allow dumpstate zygote_exec:file rx_file_perms;
-
-# For Bluetooth
-allow dumpstate bluetooth_data_file:dir search;
-allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
-allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-
-# For Nfc
-allow dumpstate nfc_logs_data_file:dir r_dir_perms;
-allow dumpstate nfc_logs_data_file:file r_file_perms;
-
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
-# logd access
-read_logd(dumpstate)
-control_logd(dumpstate)
-read_runtime_log_tags(dumpstate)
-
-# Read files in /proc
-allow dumpstate {
- proc_buddyinfo
- proc_cmdline
- proc_meminfo
- proc_modules
- proc_net_type
- proc_pipe_conf
- proc_pagetypeinfo
- proc_qtaguid_ctrl
- proc_qtaguid_stat
- proc_slabinfo
- proc_version
- proc_vmallocinfo
- proc_vmstat
-}:file r_file_perms;
-
-# Read network state info files.
-allow dumpstate net_data_file:dir search;
-allow dumpstate net_data_file:file r_file_perms;
-
-# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Access /data/tombstones.
-allow dumpstate tombstone_data_file:dir r_dir_perms;
-allow dumpstate tombstone_data_file:file r_file_perms;
-
-# Access /cache/recovery
-allow dumpstate cache_recovery_file:dir r_dir_perms;
-allow dumpstate cache_recovery_file:file r_file_perms;
-
-# Access /data/misc/recovery
-allow dumpstate recovery_data_file:dir r_dir_perms;
-allow dumpstate recovery_data_file:file r_file_perms;
-
-#Access /data/misc/update_engine_log
-allow dumpstate update_engine_log_data_file:dir r_dir_perms;
-allow dumpstate update_engine_log_data_file:file r_file_perms;
-
-# Access /data/misc/profiles/{cur,ref}/
-userdebug_or_eng(`
- allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
- allow dumpstate user_profile_data_file:file r_file_perms;
-')
-
-# Access /data/misc/logd
-allow dumpstate misc_logd_file:dir r_dir_perms;
-allow dumpstate misc_logd_file:file r_file_perms;
-
-# Access /data/misc/prereboot
-allow dumpstate prereboot_data_file:dir r_dir_perms;
-allow dumpstate prereboot_data_file:file r_file_perms;
-
-allow dumpstate app_fuse_file:dir r_dir_perms;
-allow dumpstate overlayfs_file:dir r_dir_perms;
-
-allow dumpstate {
- service_manager_type
- -apex_service
- -dumpstate_service
- -gatekeeper_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- -default_android_service
-}:service_manager find;
-# suppress denials for services dumpstate should not be accessing.
-dontaudit dumpstate {
- apex_service
- dumpstate_service
- gatekeeper_service
- virtual_touchpad_service
- vold_service
- vr_hwc_service
-}:service_manager find;
-
-# Most of these are neverallowed.
-dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
-
-allow dumpstate servicemanager:service_manager list;
-allow dumpstate hwservicemanager:hwservice_manager list;
-
-allow dumpstate devpts:chr_file rw_file_perms;
-
-# Read any system properties
-get_prop(dumpstate, property_type)
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow dumpstate media_rw_data_file:dir getattr;
-allow dumpstate proc_interrupts:file r_file_perms;
-allow dumpstate proc_zoneinfo:file r_file_perms;
-
-# Create a service for talking back to system_server
-add_service(dumpstate, dumpstate_service)
-
-# use /dev/ion for screen capture
-allow dumpstate ion_device:chr_file r_file_perms;
-
-# Allow dumpstate to run top
-allow dumpstate proc_stat:file r_file_perms;
-
-allow dumpstate proc_pressure_cpu:file r_file_perms;
-allow dumpstate proc_pressure_mem:file r_file_perms;
-allow dumpstate proc_pressure_io:file r_file_perms;
-
-# Allow dumpstate to run ps
-allow dumpstate proc_pid_max:file r_file_perms;
-
-# Allow dumpstate to talk to installd over binder
-binder_call(dumpstate, installd);
-
-# Allow dumpstate to talk to iorapd over binder.
-binder_call(dumpstate, iorapd)
-
-# Allow dumpstate to run ip xfrm policy
-allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Allow dumpstate to run iotop
-allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4) have a new class for sockets
-allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# Allow dumpstate to run ss
-allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
-
-# Allow dumpstate to read linkerconfig directory
-allow dumpstate linkerconfig_file:dir { read open };
-
-# For when dumpstate runs df
-dontaudit dumpstate {
- mnt_vendor_file
- mirror_data_file
- mnt_user_file
-}:dir search;
-dontaudit dumpstate {
- apex_mnt_dir
- linkerconfig_file
- mirror_data_file
- mnt_user_file
-}:dir getattr;
-
-# Allow dumpstate to talk to bufferhubd over binder
-binder_call(dumpstate, bufferhubd);
-
-# Allow dumpstate to talk to mediaswcodec over binder
-binder_call(dumpstate, mediaswcodec);
-
-# Allow dumpstate to talk to these stable AIDL services over binder
-binder_call(dumpstate, hal_rebootescrow_server)
-allow hal_rebootescrow_server dumpstate:fifo_file write;
-allow hal_rebootescrow_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_authsecret_server)
-allow hal_authsecret_server dumpstate:fifo_file write;
-allow hal_authsecret_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_keymint_server)
-allow hal_keymint_server dumpstate:fifo_file write;
-allow hal_keymint_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_memtrack_server)
-allow hal_memtrack_server dumpstate:fifo_file write;
-allow hal_memtrack_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_oemlock_server)
-allow hal_oemlock_server dumpstate:fifo_file write;
-allow hal_oemlock_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_weaver_server)
-allow hal_weaver_server dumpstate:fifo_file write;
-allow hal_weaver_server dumpstate:fd use;
-
-#Access /data/misc/snapshotctl_log
-allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
-allow dumpstate snapshotctl_log_data_file:file r_file_perms;
-
-#Allow access to /dev/binderfs/binder_logs
-allow dumpstate binderfs_logs:dir r_dir_perms;
-allow dumpstate binderfs_logs:file r_file_perms;
-allow dumpstate binderfs_logs_proc:file r_file_perms;
-
-allow dumpstate apex_info_file:file getattr;
-
-###
-### neverallow rules
-###
-
-# dumpstate has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow dumpstate *:process ptrace;
-
-# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
-neverallow {
- domain
- -system_server
- -shell
- -traceur_app
- -dumpstate
-} dumpstate_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/e2fs.te b/microdroid/sepolicy/system/public/e2fs.te
deleted file mode 100644
index fe8b2ba..0000000
--- a/microdroid/sepolicy/system/public/e2fs.te
+++ /dev/null
@@ -1,32 +0,0 @@
-type e2fs, domain, coredomain;
-type e2fs_exec, system_file_type, exec_type, file_type;
-
-allow e2fs devpts:chr_file { read write getattr ioctl };
-
-allow e2fs dev_type:blk_file getattr;
-allow e2fs block_device:dir search;
-allow e2fs userdata_block_device:blk_file rw_file_perms;
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-allow e2fs dm_device:blk_file rw_file_perms;
-allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-
-# Allow e2fs to format /dev/block/vd*
-allow e2fs vd_device:blk_file rw_file_perms;
-allowxperm e2fs vd_device:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-
-allow e2fs {
- proc_filesystems
- proc_mounts
- proc_swaps
-}:file r_file_perms;
-
-# access /sys/fs/ext4/features
-allow e2fs sysfs_fs_ext4_features:dir search;
-allow e2fs sysfs_fs_ext4_features:file r_file_perms;
-
-# access SELinux context files
-allow e2fs file_contexts_file:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/ephemeral_app.te b/microdroid/sepolicy/system/public/ephemeral_app.te
deleted file mode 100644
index dc39a22..0000000
--- a/microdroid/sepolicy/system/public/ephemeral_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-type ephemeral_app, domain;
diff --git a/microdroid/sepolicy/system/public/fastbootd.te b/microdroid/sepolicy/system/public/fastbootd.te
deleted file mode 100644
index e167a5e..0000000
--- a/microdroid/sepolicy/system/public/fastbootd.te
+++ /dev/null
@@ -1,118 +0,0 @@
-# fastbootd (used in recovery init.rc for /sbin/fastbootd)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type fastbootd, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise fastbootd is only allowed the domain rules.
-recovery_only(`
- # fastbootd can only use HALs in passthrough mode
- passthrough_hal_client_domain(fastbootd, hal_bootctl)
-
- # Access /dev/usb-ffs/fastbootd/ep0
- allow fastbootd functionfs:dir search;
- allow fastbootd functionfs:file rw_file_perms;
-
- allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
- # Log to serial
- allow fastbootd kmsg_device:chr_file { open getattr write };
-
- # battery info
- allow fastbootd sysfs_batteryinfo:file r_file_perms;
-
- allow fastbootd device:dir r_dir_perms;
-
- # For dev/block/by-name dir
- allow fastbootd block_device:dir r_dir_perms;
-
- # Needed for DM_DEV_CREATE ioctl call
- allow fastbootd self:capability sys_admin;
-
- unix_socket_connect(fastbootd, recovery, recovery)
-
- # Required for flashing
- allow fastbootd dm_device:chr_file rw_file_perms;
- allow fastbootd dm_device:blk_file rw_file_perms;
-
- allow fastbootd cache_block_device:blk_file rw_file_perms;
- allow fastbootd super_block_device_type:blk_file rw_file_perms;
- allow fastbootd {
- boot_block_device
- metadata_block_device
- system_block_device
- userdata_block_device
- }:blk_file { w_file_perms getattr ioctl };
-
- # For disabling/wiping GSI, and for modifying/deleting files created via
- # libfiemap.
- allow fastbootd metadata_block_device:blk_file r_file_perms;
- allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir { search getattr mounton };
- allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
- allow fastbootd gsi_metadata_file_type:file create_file_perms;
-
- allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
- allowxperm fastbootd {
- metadata_block_device
- userdata_block_device
- dm_device
- cache_block_device
- }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-
- allow fastbootd misc_block_device:blk_file rw_file_perms;
-
- allow fastbootd proc_cmdline:file r_file_perms;
- allow fastbootd rootfs:dir r_dir_perms;
-
- # Needed to read fstab node from device tree.
- allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
- allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
-
- # Needed because libdm reads sysfs to validate when a dm path is ready.
- r_dir_file(fastbootd, sysfs_dm)
-
- # Needed for realpath() call to resolve symlinks.
- allow fastbootd block_device:dir getattr;
- userdebug_or_eng(`
- # Refined manipulation of /mnt/scratch, without these perms resorts
- # to deleting scratch partition when partition(s) are flashed.
- allow fastbootd self:process setfscreate;
- allow fastbootd cache_file:dir search;
- allow fastbootd proc_filesystems:file { getattr open read };
- allow fastbootd self:capability sys_rawio;
- dontaudit fastbootd kernel:system module_request;
- allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
- allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
- allow fastbootd {
- system_file_type
- unlabeled
- vendor_file_type
- }:dir { remove_name rmdir search write };
- allow fastbootd {
- overlayfs_file
- system_file_type
- unlabeled
- vendor_file_type
- }:{ file lnk_file } unlink;
- allow fastbootd tmpfs:dir rw_dir_perms;
- # Fetch vendor_boot partition
- allow fastbootd boot_block_device:blk_file r_file_perms;
- ')
-
- # Allow using libfiemap/gsid directly (no binder in recovery).
- allow fastbootd gsi_metadata_file_type:dir search;
- allow fastbootd ota_metadata_file:dir rw_dir_perms;
- allow fastbootd ota_metadata_file:file create_file_perms;
-')
-
-###
-### neverallow rules
-###
-
-# Write permission is required to wipe userdata
-# until recovery supports vold.
-neverallow fastbootd {
- data_file_type
-}:file { no_x_file_perms };
diff --git a/microdroid/sepolicy/system/public/file.te b/microdroid/sepolicy/system/public/file.te
index 20348b5..67d5068 100644
--- a/microdroid/sepolicy/system/public/file.te
+++ b/microdroid/sepolicy/system/public/file.te
@@ -1,24 +1,92 @@
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type, proc_type;
+type system_linker_exec, file_type, system_file_type;
+
+# file types
+type adbd_socket, file_type, coredomain_socket;
+type apc_service, service_manager_type;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type apex_info_file, file_type;
+type apex_mnt_dir, file_type;
+type cgroup_desc_api_file, file_type, system_file_type;
+type cgroup_desc_file, file_type, system_file_type;
+type cgroup_rc_file, file_type;
+type file_contexts_file, file_type, system_file_type;
+type hwservice_contexts_file, file_type, system_file_type;
+type keystore2_key_contexts_file, file_type, system_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type linkerconfig_file, file_type;
+type logd_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdw_socket, file_type, mlstrustedobject, coredomain_socket;
+type mac_perms_file, file_type, system_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+type property_contexts_file, file_type, system_file_type;
+type property_socket, file_type, mlstrustedobject, coredomain_socket;
+type runtime_event_log_tags_file, file_type;
+type seapp_contexts_file, file_type, system_file_type;
+type sepolicy_file, file_type, system_file_type;
+type service_contexts_file, file_type, system_file_type;
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_bootstrap_lib_file, file_type, system_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
+type system_event_log_tags_file, file_type, system_file_type;
+type system_file, file_type, system_file_type;
+type system_group_file, file_type, system_file_type;
+type system_lib_file, file_type, system_file_type;
+type system_linker_config_file, file_type, system_file_type;
+type system_passwd_file, file_type, system_file_type;
+type system_seccomp_policy_file, file_type, system_file_type;
+type system_security_cacerts_file, file_type, system_file_type;
+type task_profiles_api_file, file_type, system_file_type;
+type task_profiles_file, file_type, system_file_type;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tombstoned_crash_socket, file_type, mlstrustedobject, coredomain_socket;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type unlabeled, file_type;
+type vendor_configs_file, file_type, vendor_file_type;
+type vendor_data_file, file_type, data_file_type;
+type vendor_file, file_type, vendor_file_type;
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
+# file system types
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type, proc_type;
-type proc_drop_caches, fs_type, proc_type;
-type proc_overcommit_memory, fs_type, proc_type;
-type proc_min_free_order_shift, fs_type, proc_type;
-type proc_kpageflags, fs_type, proc_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, proc_type;
-type sysfs_usermodehelper, fs_type, sysfs_type;
-type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
-type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
-type proc_bluetooth_writable, fs_type, proc_type;
+type binfmt_miscfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type cgroup_v2, fs_type;
+type config_gz, fs_type, proc_type;
+type configfs, fs_type;
+type debugfs, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_kcov, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type devpts, fs_type, mlstrustedobject;
+type devtmpfs;
+type exfat, fs_type, sdcard_type, mlstrustedobject;
+type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type fuse, fs_type, fusefs_type, mlstrustedobject;
+type fusectlfs, fs_type;
+type inotify, fs_type, mlstrustedobject;
+type labeledfs, fs_type;
+type mqueue, fs_type;
+type pipefs, fs_type;
+type proc, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
type proc_bootconfig, fs_type, proc_type;
@@ -27,6 +95,7 @@
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_fs_verity, fs_type, proc_type;
@@ -37,16 +106,19 @@
type proc_kallsyms, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
+type proc_kpageflags, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
type proc_net, fs_type, proc_type, proc_net_type;
type proc_net_tcp_udp, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type, proc_type;
@@ -56,545 +128,77 @@
type proc_pressure_cpu, fs_type, proc_type;
type proc_pressure_io, fs_type, proc_type;
type proc_pressure_mem, fs_type, proc_type;
+type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
+type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
+type proc_security, fs_type, proc_type;
type proc_slabinfo, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
type proc_timer, fs_type, proc_type;
type proc_tty_drivers, fs_type, proc_type;
-type proc_uid_cputime_showstat, fs_type, proc_type;
-type proc_uid_cputime_removeuid, fs_type, proc_type;
-type proc_uid_io_stats, fs_type, proc_type;
-type proc_uid_procstat_set, fs_type, proc_type;
-type proc_uid_time_in_state, fs_type, proc_type;
type proc_uid_concurrent_active_time, fs_type, proc_type;
type proc_uid_concurrent_policy_time, fs_type, proc_type;
type proc_uid_cpupower, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
type proc_uptime, fs_type, proc_type;
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
+type pstorefs, fs_type;
+type rootfs, fs_type;
+type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
+type securityfs, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
-type fusectlfs, fs_type;
-type cgroup, fs_type, mlstrustedobject;
-type cgroup_v2, fs_type;
+type shm, fs_type;
+type sockfs, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
-type sysfs_uio, sysfs_type, fs_type;
-type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_devfreq_cur, fs_type, sysfs_type;
-type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, fs_type, sysfs_type;
+type sysfs_fs_f2fs, fs_type, sysfs_type;
+type sysfs_fs_incfs_features, fs_type, sysfs_type;
+type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
-type sysfs_usb, fs_type, sysfs_type;
+type sysfs_uhid, fs_type, sysfs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
-type sysfs_fs_ext4_features, sysfs_type, fs_type;
-type sysfs_fs_f2fs, sysfs_type, fs_type;
-type sysfs_fs_incfs_features, sysfs_type, fs_type;
-type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type configfs, fs_type;
-# /sys/devices/cs_etm
-type sysfs_devices_cs_etm, fs_type, sysfs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
-type sysfs_vibrator, fs_type, sysfs_type;
-type sysfs_uhid, fs_type, sysfs_type;
-type sysfs_thermal, sysfs_type, fs_type;
-
type sysfs_zram, fs_type, sysfs_type;
type sysfs_zram_uevent, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
-type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
-type vfat, sdcard_type, fs_type, mlstrustedobject;
-type exfat, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type, debugfs_type;
-type debugfs_kprobes, fs_type, debugfs_type;
-type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
-type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
-type securityfs, fs_type;
-
-type pstorefs, fs_type;
-type functionfs, fs_type, mlstrustedobject;
-type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
-type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
-
-# File types
-type unlabeled, file_type;
-
-# Default type for anything under /system.
-type system_file, system_file_type, file_type;
-# Default type for /system/asan.options
-type system_asan_options_file, system_file_type, file_type;
-# Type for /system/etc/event-log-tags (liblog implementation detail)
-type system_event_log_tags_file, system_file_type, file_type;
-# Default type for anything under /system/lib[64].
-type system_lib_file, system_file_type, file_type;
-# system libraries that are available only to bootstrap processes
-type system_bootstrap_lib_file, system_file_type, file_type;
-# Default type for the group file /system/etc/group.
-type system_group_file, system_file_type, file_type;
-# Default type for linker executable /system/bin/linker[64].
-type system_linker_exec, system_file_type, file_type;
-# Default type for linker config /system/etc/ld.config.*.
-type system_linker_config_file, system_file_type, file_type;
-# Default type for the passwd file /system/etc/passwd.
-type system_passwd_file, system_file_type, file_type;
-# Default type for linker config /system/etc/seccomp_policy/*.
-type system_seccomp_policy_file, system_file_type, file_type;
-# Default type for cacerts in /system/etc/security/cacerts/*.
-type system_security_cacerts_file, system_file_type, file_type;
-# Default type for /system/bin/tcpdump.
-type tcpdump_exec, system_file_type, exec_type, file_type;
-# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
-type system_zoneinfo_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/cgroups.json
-type cgroup_desc_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
-type cgroup_desc_api_file, system_file_type, file_type;
-# Vendor cgroups description file under /vendor/etc/cgroups.json
-type vendor_cgroup_desc_file, vendor_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles.json
-type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
-# Vendor task profiles file under /vendor/etc/task_profiles.json
-type vendor_task_profiles_file, vendor_file_type, file_type;
-# Type for /system/apex/com.android.art
-type art_apex_dir, system_file_type, file_type;
-# /linkerconfig(/.*)?
-type linkerconfig_file, file_type;
-# Control files under /data/incremental
-type incremental_control_file, file_type, data_file_type, core_data_file_type;
-
-# Default type for directories search for
-# HAL implementations
-type vendor_hal_file, vendor_file_type, file_type;
-# Default type for under /vendor or /system/vendor
-type vendor_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/app
-type vendor_app_file, vendor_file_type, file_type;
-# Default type for everything under /vendor/etc/
-type vendor_configs_file, vendor_file_type, file_type;
-# Default type for all *same process* HALs and their lib/bin dependencies.
-# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
-type same_process_hal_file, vendor_file_type, file_type;
-# Default type for vndk-sp libs. /vendor/lib/vndk-sp
-type vndk_sp_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/framework
-type vendor_framework_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/overlay
-type vendor_overlay_file, vendor_file_type, file_type;
-# Type for all vendor public libraries. These libs should only be exposed to
-# apps. ABI stability of these libs is vendor's responsibility.
-type vendor_public_lib_file, vendor_file_type, file_type;
-# Type for all vendor public libraries for system. These libs should only be exposed to
-# system. ABI stability of these libs is vendor's responsibility.
-type vendor_public_framework_file, vendor_file_type, file_type;
-
-# Input configuration
-type vendor_keylayout_file, vendor_file_type, file_type;
-type vendor_keychars_file, vendor_file_type, file_type;
-type vendor_idc_file, vendor_file_type, file_type;
-
-# /metadata partition itself
-type metadata_file, file_type;
-# Vold files within /metadata
-type vold_metadata_file, file_type;
-# GSI files within /metadata
-type gsi_metadata_file, gsi_metadata_file_type, file_type;
-# DSU (GSI) files within /metadata that are globally readable.
-type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
-# system_server shares Weaver slot information in /metadata
-type password_slot_metadata_file, file_type;
-# APEX files within /metadata
-type apex_metadata_file, file_type;
-# libsnapshot files within /metadata
-type ota_metadata_file, file_type;
-# property files within /metadata/bootstat
-type metadata_bootstat_file, file_type;
-# userspace reboot files within /metadata/userspacereboot
-type userspace_reboot_metadata_file, file_type;
-# Staged install files within /metadata/staged-install
-type staged_install_file, file_type;
-# Metadata information within /metadata/watchdog
-type watchdog_metadata_file, file_type;
-
-# Type for /dev/cpu_variant:.*.
-type dev_cpu_variant, file_type;
-# Speedup access for trusted applications to the runtime event tags
-type runtime_event_log_tags_file, file_type;
-# Type for /system/bin/logcat.
-type logcat_exec, system_file_type, exec_type, file_type;
-# Speedup access to cgroup map file
-type cgroup_rc_file, file_type;
-# /cores for coredumps on userdebug / eng builds
-type coredump_file, file_type;
-# Type of /data itself
-type system_data_root_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type, core_data_file_type;
-# Type for /data/system/packages.list.
-# TODO(b/129332765): Narrow down permissions to this.
-# Find out users of system_data_file that should be granted only this.
-type packages_list_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data/vendor{_ce,_de}.
-type vendor_data_file, file_type, data_file_type;
-# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
-# installd-create files in /data/misc/installd such as layout_version
-type install_data_file, file_type, data_file_type, core_data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type, core_data_file_type;
-# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type, core_data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/vendor/tombstones/wifi - vendor wifi dumps
-type tombstone_wifi_data_file, file_type, data_file_type;
-# /data/apex - APEX data files
-type apex_data_file, file_type, data_file_type, core_data_file_type;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, core_data_file_type;
-type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type, core_data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota
-type ota_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota_package
-type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profiles
-type user_profile_root_file, file_type, data_file_type, core_data_file_type;
-type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/prereboot
-type prereboot_data_file, file_type, data_file_type, core_data_file_type;
-# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-# /data/property
-type property_data_file, file_type, data_file_type, core_data_file_type;
-# /data/bootchart
-type bootchart_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/dropbox
-type dropbox_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/nativetest
-type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local/tests
-type shell_test_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/preloads
-type preloads_data_file, file_type, data_file_type, core_data_file_type;
-# /data/preloads/media
-type preloads_media_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/dhcp and /data/misc/dhcp-6.8.2
-type dhcp_data_file, file_type, data_file_type, core_data_file_type;
-# /data/server_configurable_flags
-type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
-# /data/app-staging
-type staging_data_file, file_type, data_file_type, core_data_file_type;
-# /vendor/apex
-type vendor_apex_file, vendor_file_type, file_type;
-
-# Mount locations managed by vold
-type mnt_media_rw_file, file_type;
-type mnt_user_file, file_type;
-type mnt_pass_through_file, file_type;
-type mnt_expand_file, file_type;
-type mnt_sdcard_file, file_type;
-type storage_file, file_type;
-
-# Label for storage dirs which are just mount stubs
-type mnt_media_rw_stub_file, file_type;
-type storage_stub_file, file_type;
-
-# Mount location for read-write vendor partitions.
-type mnt_vendor_file, file_type;
-
-# Mount location for read-write product partitions.
-type mnt_product_file, file_type;
-
-# Mount point used for APEX images
-type apex_mnt_dir, file_type;
-
-# /apex/apex-info-list.xml created by apexd
-type apex_info_file, file_type;
-
-# /postinstall: Mount point used by update_engine to run postinstall.
-type postinstall_mnt_dir, file_type;
-# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
-# /postinstall/apex: Mount point used for APEX images within /postinstall.
-type postinstall_apex_mnt_dir, file_type;
-
-# /data_mirror: Contains mirror directory for storing all apps data.
-type mirror_data_file, file_type, core_data_file_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
-type apex_module_data_file, file_type, data_file_type, core_data_file_type;
-type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
-type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
-type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
-type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
-type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
-type appcompat_data_file, file_type, data_file_type, core_data_file_type;
-type audio_data_file, file_type, data_file_type, core_data_file_type;
-type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
-type bootstat_data_file, file_type, data_file_type, core_data_file_type;
-type boottrace_data_file, file_type, data_file_type, core_data_file_type;
-type camera_data_file, file_type, data_file_type, core_data_file_type;
-type credstore_data_file, file_type, data_file_type, core_data_file_type;
-type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
-type incident_data_file, file_type, data_file_type, core_data_file_type;
-type keychain_data_file, file_type, data_file_type, core_data_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
-type media_data_file, file_type, data_file_type, core_data_file_type;
-type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type, core_data_file_type;
-type net_data_file, file_type, data_file_type, core_data_file_type;
-type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
-type stats_data_file, file_type, data_file_type, core_data_file_type;
-type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
-type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
-type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type vpn_data_file, file_type, data_file_type, core_data_file_type;
-type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
-type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
-type tee_data_file, file_type, data_file_type;
-type update_engine_data_file, file_type, data_file_type, core_data_file_type;
-type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type gsi_data_file, file_type, data_file_type, core_data_file_type;
-type radio_core_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-# /data/data subdirectories - priv-app sandboxes
-type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-# Compatibility with type name used in Android 4.3 and 4.4.
-# Default type for anything under /cache
-type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for /cache/overlay /mnt/scratch/overlay
-type overlayfs_file, file_type, data_file_type, core_data_file_type;
-# Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
-# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for user icon file.
-type icon_file, file_type, data_file_type, core_data_file_type;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type, core_data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type, core_data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
-# Type for _new_ fingerprint template file
-type fingerprint_vendor_data_file, file_type, data_file_type;
-# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for face template file
-type face_vendor_data_file, file_type, data_file_type;
-# Type for iris template file
-type iris_vendor_data_file, file_type, data_file_type;
-
-# Socket types
-type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
-type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
-type dumpstate_socket, file_type, coredomain_socket;
-type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
-type lmkd_socket, file_type, coredomain_socket;
-type logd_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type mdns_socket, file_type, coredomain_socket;
-type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
-type mtpd_socket, file_type, coredomain_socket;
-type property_socket, file_type, coredomain_socket, mlstrustedobject;
-type racoon_socket, file_type, coredomain_socket;
-type recovery_socket, file_type, coredomain_socket;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type snapuserd_socket, file_type, coredomain_socket;
-type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
-type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
-type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_java_trace_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type, coredomain_socket;
-type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
-type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
-type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
-type uncrypt_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type, core_data_file_type;
-type zygote_socket, file_type, coredomain_socket;
-type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# PDX endpoint types
-type pdx_display_dir, pdx_endpoint_dir_type, file_type;
-type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
-type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
-
-pdx_service_socket_types(display_client, pdx_display_dir)
-pdx_service_socket_types(display_manager, pdx_display_dir)
-pdx_service_socket_types(display_screenshot, pdx_display_dir)
-pdx_service_socket_types(display_vsync, pdx_display_dir)
-pdx_service_socket_types(performance_client, pdx_performance_dir)
-pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
-
-# file_contexts files
-type file_contexts_file, system_file_type, file_type;
-
-# mac_permissions file
-type mac_perms_file, system_file_type, file_type;
-
-# property_contexts file
-type property_contexts_file, system_file_type, file_type;
-
-# seapp_contexts file
-type seapp_contexts_file, system_file_type, file_type;
-
-# sepolicy files binary and others
-type sepolicy_file, system_file_type, file_type;
-
-# service_contexts file
-type service_contexts_file, system_file_type, file_type;
-
-# keystore2_key_contexts_file
-type keystore2_key_contexts_file, system_file_type, file_type;
-
-# vendor service_contexts file
-type vendor_service_contexts_file, vendor_file_type, file_type;
-
-# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, vendor_file_type, file_type;
-
-# hwservice_contexts file
-type hwservice_contexts_file, system_file_type, file_type;
-
-# vndservice_contexts file
-type vndservice_contexts_file, file_type;
-
-# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
-
-# kernel modules
-type vendor_kernel_modules, vendor_file_type, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-allow proc_net proc:filesystem associate;
-
-# asanwrapper (run a sanitized app_process, to be used with wrap properties)
-with_asan(`type asanwrapper_exec, exec_type, file_type;')
-
-# Deprecated in SDK version 28
-type audiohal_data_file, file_type, data_file_type, core_data_file_type;
-
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-# type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-# type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
+type usermodehelper, fs_type, proc_type;
+type vfat, fs_type, sdcard_type, mlstrustedobject;
diff --git a/microdroid/sepolicy/system/public/fingerprintd.te b/microdroid/sepolicy/system/public/fingerprintd.te
deleted file mode 100644
index 8cf2411..0000000
--- a/microdroid/sepolicy/system/public/fingerprintd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type fingerprintd, domain;
-type fingerprintd_exec, system_file_type, exec_type, file_type;
-
-binder_use(fingerprintd)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow fingerprintd system_file:dir r_dir_perms;
-
-# need to find KeyStore and add self
-add_service(fingerprintd, fingerprintd_service)
-
-# allow HAL module to read dir contents
-allow fingerprintd fingerprintd_data_file:file { create_file_perms };
-
-# allow HAL module to read/write/unlink contents of this dir
-allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
-
-# Need to add auth tokens to KeyStore
-use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
-allow fingerprintd keystore:keystore2 { add_auth };
-
-# For permissions checking
-binder_call(fingerprintd, system_server);
-allow fingerprintd permission_service:service_manager find;
-
-allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/flags_health_check.te b/microdroid/sepolicy/system/public/flags_health_check.te
deleted file mode 100644
index 25a7768..0000000
--- a/microdroid/sepolicy/system/public/flags_health_check.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# The flags_health_check command run by init.
-type flags_health_check, domain, coredomain;
-type flags_health_check_exec, system_file_type, exec_type, file_type;
-
-allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
-allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
-
-# server_configurable_flags_data_file is used for storing whether server configurable flags which
-# have been reset during current booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
diff --git a/microdroid/sepolicy/system/public/fsck.te b/microdroid/sepolicy/system/public/fsck.te
deleted file mode 100644
index 7a9fbee..0000000
--- a/microdroid/sepolicy/system/public/fsck.te
+++ /dev/null
@@ -1,68 +0,0 @@
-# Any fsck program run by init
-type fsck, domain;
-type fsck_exec, system_file_type, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow fsck tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
-
-# Run fsck on certain block devices
-allow fsck block_device:dir search;
-allow fsck userdata_block_device:blk_file rw_file_perms;
-allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck dm_device:blk_file rw_file_perms;
-userdebug_or_eng(`
-allow fsck system_block_device:blk_file rw_file_perms;
-')
-
-# For the block devices where we have ioctl access,
-# allow at a minimum the following common fsck ioctls.
-allowxperm fsck dev_type:blk_file ioctl {
- BLKDISCARDZEROES
- BLKROGET
-};
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck dev_type:blk_file getattr;
-
-allow fsck {
- proc_mounts
- proc_swaps
-}:file r_file_perms;
-allow fsck rootfs:dir r_dir_perms;
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow fsck {
- boot_block_device
- frp_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdebug_or_eng(`-system_block_device')
- vold_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
-neverallow * fsck:process dyntransition;
-neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/public/fsck_untrusted.te b/microdroid/sepolicy/system/public/fsck_untrusted.te
deleted file mode 100644
index 8510c94..0000000
--- a/microdroid/sepolicy/system/public/fsck_untrusted.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck_untrusted vold:fd use;
-allow fsck_untrusted vold:fifo_file { read write getattr };
-
-# Run fsck on vold block devices
-allow fsck_untrusted block_device:dir search;
-allow fsck_untrusted vold_device:blk_file rw_file_perms;
-
-allow fsck_untrusted proc_mounts:file r_file_perms;
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck_untrusted dev_type:blk_file getattr;
-
-###
-### neverallow rules
-###
-
-# Untrusted fsck should never be run on block devices holding sensitive data
-neverallow fsck_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow * fsck_untrusted:process dyntransition;
-neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/public/fwk_bufferhub.te b/microdroid/sepolicy/system/public/fwk_bufferhub.te
deleted file mode 100644
index 03486bd..0000000
--- a/microdroid/sepolicy/system/public/fwk_bufferhub.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_bufferhub_client, hal_bufferhub_server)
-binder_call(hal_bufferhub_server, hal_bufferhub_client)
-
-hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
diff --git a/microdroid/sepolicy/system/public/gatekeeperd.te b/microdroid/sepolicy/system/public/gatekeeperd.te
deleted file mode 100644
index d48c5f8..0000000
--- a/microdroid/sepolicy/system/public/gatekeeperd.te
+++ /dev/null
@@ -1,42 +0,0 @@
-type gatekeeperd, domain;
-type gatekeeperd_exec, system_file_type, exec_type, file_type;
-
-# gatekeeperd
-binder_service(gatekeeperd)
-binder_use(gatekeeperd)
-
-### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
-### These rules should eventually be granted only when needed.
-allow gatekeeperd ion_device:chr_file r_file_perms;
-# Load HAL implementation
-allow gatekeeperd system_file:dir r_dir_perms;
-###
-
-### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
-### These rules should eventually be granted only when needed.
-hal_client_domain(gatekeeperd, hal_gatekeeper)
-###
-
-# need to find KeyStore and add self
-add_service(gatekeeperd, gatekeeper_service)
-
-# Need to add auth tokens to KeyStore
-use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
-allow gatekeeperd keystore:keystore2 { add_auth };
-allow gatekeeperd authorization_service:service_manager find;
-
-
-# For permissions checking
-allow gatekeeperd system_server:binder call;
-allow gatekeeperd permission_service:service_manager find;
-
-# for SID file access
-allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
-allow gatekeeperd gatekeeper_data_file:file create_file_perms;
-
-# For hardware properties retrieval
-allow gatekeeperd hardware_properties_service:service_manager find;
-
-r_dir_file(gatekeeperd, cgroup)
-r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/gmscore_app.te b/microdroid/sepolicy/system/public/gmscore_app.te
deleted file mode 100644
index b574bf3..0000000
--- a/microdroid/sepolicy/system/public/gmscore_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### A domain for further sandboxing the PrebuiltGMSCore app.
-###
-
-type gmscore_app, domain;
diff --git a/microdroid/sepolicy/system/public/gpuservice.te b/microdroid/sepolicy/system/public/gpuservice.te
deleted file mode 100644
index c862d0b..0000000
--- a/microdroid/sepolicy/system/public/gpuservice.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# gpuservice - server for gpu stats and other gpu related services
-type gpuservice, domain;
diff --git a/microdroid/sepolicy/system/public/hal_allocator.te b/microdroid/sepolicy/system/public/hal_allocator.te
deleted file mode 100644
index 6417b62..0000000
--- a/microdroid/sepolicy/system/public/hal_allocator.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_allocator_client, hal_allocator_server)
-
-hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
-allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
-allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
diff --git a/microdroid/sepolicy/system/public/hal_atrace.te b/microdroid/sepolicy/system/public/hal_atrace.te
deleted file mode 100644
index 51d9237..0000000
--- a/microdroid/sepolicy/system/public/hal_atrace.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_atrace_client, hal_atrace_server)
-
-hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_audio.te b/microdroid/sepolicy/system/public/hal_audio.te
deleted file mode 100644
index d1970b9..0000000
--- a/microdroid/sepolicy/system/public/hal_audio.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_audio_client, hal_audio_server)
-binder_call(hal_audio_server, hal_audio_client)
-
-hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
-hal_attribute_service(hal_audio, hal_audio_service)
-
-allow hal_audio ion_device:chr_file r_file_perms;
-
-r_dir_file(hal_audio, proc)
-r_dir_file(hal_audio, proc_asound)
-allow hal_audio_server audio_device:dir r_dir_perms;
-allow hal_audio_server audio_device:chr_file rw_file_perms;
-
-# Needed to provide debug dump output via dumpsys' pipes.
-allow hal_audio shell:fd use;
-allow hal_audio shell:fifo_file write;
-allow hal_audio dumpstate:fd use;
-allow hal_audio dumpstate:fifo_file write;
-
-# Needed to allow sound trigger hal to access shared memory from apps.
-allow hal_audio_server appdomain:fd use;
-
-# allow hal audio to use vnbinder
-vndbinder_use(hal_audio)
-
-###
-### neverallow rules
-###
-
-# Should never execute any executable without a domain transition
-neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
-
-# Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
-
-get_prop(hal_audio, audio_config_prop)
-get_prop(hal_audio, bluetooth_a2dp_offload_prop)
-get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/microdroid/sepolicy/system/public/hal_audiocontrol.te b/microdroid/sepolicy/system/public/hal_audiocontrol.te
deleted file mode 100644
index 6f45b0e..0000000
--- a/microdroid/sepolicy/system/public/hal_audiocontrol.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
-binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
-
-hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
-hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
-
-binder_call(hal_audiocontrol_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_authsecret.te b/microdroid/sepolicy/system/public/hal_authsecret.te
deleted file mode 100644
index bbcdb9a..0000000
--- a/microdroid/sepolicy/system/public/hal_authsecret.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_authsecret_client, hal_authsecret_server)
-
-hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
-hal_attribute_service(hal_authsecret, hal_authsecret_service)
-
-binder_call(hal_authsecret_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_bluetooth.te b/microdroid/sepolicy/system/public/hal_bluetooth.te
deleted file mode 100644
index 97177ba..0000000
--- a/microdroid/sepolicy/system/public/hal_bluetooth.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_bluetooth_client, hal_bluetooth_server)
-binder_call(hal_bluetooth_server, hal_bluetooth_client)
-
-hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
-
-wakelock_use(hal_bluetooth);
-
-# The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:global_capability_class_set net_admin;
-
-# bluetooth factory file accesses.
-r_dir_file(hal_bluetooth, bluetooth_efs_file)
-
-allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(hal_bluetooth, sysfs_type)
-allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:global_capability2_class_set wake_alarm;
-
-# Allow write access to bluetooth-specific properties
-set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
-set_prop(hal_bluetooth, bluetooth_audio_hal_prop)
-set_prop(hal_bluetooth, bluetooth_prop)
-set_prop(hal_bluetooth, exported_bluetooth_prop)
-
-# /proc access (bluesleep etc.).
-allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_bootctl.te b/microdroid/sepolicy/system/public/hal_bootctl.te
deleted file mode 100644
index a1f3d7f..0000000
--- a/microdroid/sepolicy/system/public/hal_bootctl.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_bootctl_client, hal_bootctl_server)
-binder_call(hal_bootctl_server, hal_bootctl_client)
-
-hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_broadcastradio.te b/microdroid/sepolicy/system/public/hal_broadcastradio.te
deleted file mode 100644
index 84a2597..0000000
--- a/microdroid/sepolicy/system/public/hal_broadcastradio.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
-binder_call(hal_broadcastradio_server, hal_broadcastradio_client)
-
-hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_camera.te b/microdroid/sepolicy/system/public/hal_camera.te
deleted file mode 100644
index 45fad56..0000000
--- a/microdroid/sepolicy/system/public/hal_camera.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from clients to server and callbacks
-binder_call(hal_camera_client, hal_camera_server)
-binder_call(hal_camera_server, hal_camera_client)
-
-hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
-
-allow hal_camera device:dir r_dir_perms;
-allow hal_camera video_device:dir r_dir_perms;
-allow hal_camera video_device:chr_file rw_file_perms;
-allow hal_camera camera_device:chr_file rw_file_perms;
-allow hal_camera ion_device:chr_file rw_file_perms;
-allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
-
-# Both the client and the server need to use the graphics allocator
-allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
-
-# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
-allow hal_camera { appdomain -isolated_app }:fd use;
-allow hal_camera surfaceflinger:fd use;
-allow hal_camera hal_allocator_server:fd use;
-
-# Needed to provide debug dump output via dumpsys' pipes.
-allow hal_camera shell:fd use;
-allow hal_camera shell:fifo_file write;
-
-###
-### neverallow rules
-###
-
-# hal_camera should never execute any executable without a
-# domain transition
-neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
-
-# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Only camera HAL may directly access the camera hardware
-neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/microdroid/sepolicy/system/public/hal_can.te b/microdroid/sepolicy/system/public/hal_can.te
deleted file mode 100644
index 959d1d9..0000000
--- a/microdroid/sepolicy/system/public/hal_can.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# CAN controller
-binder_call(hal_can_controller_client, hal_can_controller_server)
-binder_call(hal_can_controller_server, hal_can_controller_client)
-hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
-
-# CAN bus
-binder_call(hal_can_bus_client, hal_can_bus_server)
-binder_call(hal_can_bus_server, hal_can_bus_client)
-hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_cas.te b/microdroid/sepolicy/system/public/hal_cas.te
deleted file mode 100644
index e699a6b..0000000
--- a/microdroid/sepolicy/system/public/hal_cas.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_cas_client, hal_cas_server)
-binder_call(hal_cas_server, hal_cas_client)
-
-hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
-allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_cas_server, serialno_prop)
-
-# Read files already opened under /data
-allow hal_cas system_data_file:file { getattr read };
-
-# Read access to pseudo filesystems
-r_dir_file(hal_cas, cgroup)
-allow hal_cas cgroup:dir { search write };
-allow hal_cas cgroup:file w_file_perms;
-
-r_dir_file(hal_cas, cgroup_v2)
-allow hal_cas cgroup_v2:dir { search write };
-allow hal_cas cgroup_v2:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_cas ion_device:chr_file rw_file_perms;
-allow hal_cas hal_graphics_allocator:fd use;
-
-allow hal_cas tee_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# hal_cas should never execute any executable without a
-# domain transition
-neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/hal_codec2.te b/microdroid/sepolicy/system/public/hal_codec2.te
deleted file mode 100644
index a379bb3..0000000
--- a/microdroid/sepolicy/system/public/hal_codec2.te
+++ /dev/null
@@ -1,27 +0,0 @@
-get_prop(hal_codec2_client, media_variant_prop)
-get_prop(hal_codec2_server, media_variant_prop)
-get_prop(hal_codec2_client, codec2_config_prop)
-get_prop(hal_codec2_server, codec2_config_prop)
-
-binder_call(hal_codec2_client, hal_codec2_server)
-binder_call(hal_codec2_server, hal_codec2_client)
-
-hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
-
-# The following permissions are added to hal_codec2_server because vendor and
-# vndk libraries provided for Codec2 implementation need them.
-
-# Allow server access to composer sync fences
-allow hal_codec2_server hal_graphics_composer:fd use;
-
-# Allow both server and client access to ion
-allow hal_codec2_server ion_device:chr_file r_file_perms;
-
-# Allow server access to camera HAL's fences
-allow hal_codec2_server hal_camera:fd use;
-
-# Receive gralloc buffer FDs from bufferhubd.
-allow hal_codec2_server bufferhubd:fd use;
-
-allow hal_codec2_client ion_device:chr_file r_file_perms;
-
diff --git a/microdroid/sepolicy/system/public/hal_configstore.te b/microdroid/sepolicy/system/public/hal_configstore.te
deleted file mode 100644
index 069da47..0000000
--- a/microdroid/sepolicy/system/public/hal_configstore.te
+++ /dev/null
@@ -1,69 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_configstore_client, hal_configstore_server)
-
-hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
-
-# hal_configstore runs with a strict seccomp filter. Use crash_dump's
-# fallback path to collect crash data.
-crash_dump_fallback(hal_configstore_server)
-
-###
-### neverallow rules
-###
-
-# Should never execute an executable without a domain transition
-neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
-
-# Should never need network access. Disallow sockets except for
-# for unix stream/dgram sockets used for logging/debugging.
-neverallow hal_configstore_server domain:{
- rawip_socket tcp_socket udp_socket
- netlink_route_socket netlink_selinux_socket
- socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
- netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
- netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
-} *;
-neverallow hal_configstore_server {
- domain
- -hal_configstore_server
- -logd
- userdebug_or_eng(`-su')
- -tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
-}:{ unix_dgram_socket unix_stream_socket } *;
-
-# Should never need access to anything on /data
-neverallow hal_configstore_server {
- data_file_type
- -anr_data_file # for crash dump collection
- -tombstone_data_file # for crash dump collection
- -zoneinfo_data_file # granted to domain
- with_native_coverage(`-method_trace_data_file')
-}:{ file fifo_file sock_file } *;
-
-# Should never need sdcard access
-neverallow hal_configstore_server {
- sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
-}:dir ~getattr;
-neverallow hal_configstore_server {
- sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
-}:file *;
-
-# Do not permit access to service_manager and vndservice_manager
-neverallow hal_configstore_server *:service_manager *;
-
-# No privileged capabilities
-neverallow hal_configstore_server self:capability_class_set *;
-
-# No ptracing other processes
-neverallow hal_configstore_server *:process ptrace;
-
-# no relabeling
-neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
diff --git a/microdroid/sepolicy/system/public/hal_confirmationui.te b/microdroid/sepolicy/system/public/hal_confirmationui.te
deleted file mode 100644
index 5d2e4b7..0000000
--- a/microdroid/sepolicy/system/public/hal_confirmationui.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_confirmationui_client, hal_confirmationui_server)
-
-hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_contexthub.te b/microdroid/sepolicy/system/public/hal_contexthub.te
deleted file mode 100644
index 34acb38..0000000
--- a/microdroid/sepolicy/system/public/hal_contexthub.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_contexthub_client, hal_contexthub_server)
-binder_call(hal_contexthub_server, hal_contexthub_client)
-
-hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_drm.te b/microdroid/sepolicy/system/public/hal_drm.te
deleted file mode 100644
index bb1bd91..0000000
--- a/microdroid/sepolicy/system/public/hal_drm.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_drm_client, hal_drm_server)
-binder_call(hal_drm_server, hal_drm_client)
-
-hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
-
-allow hal_drm hidl_memory_hwservice:hwservice_manager find;
-
-# Required by Widevine DRM (b/22990512)
-allow hal_drm self:process execmem;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_drm, serialno_prop)
-
-# Read files already opened under /data
-allow hal_drm system_data_file:file { getattr read };
-
-# Read access to pseudo filesystems
-r_dir_file(hal_drm, cgroup)
-allow hal_drm cgroup:dir { search write };
-allow hal_drm cgroup:file w_file_perms;
-
-r_dir_file(hal_drm, cgroup_v2)
-allow hal_drm cgroup_v2:dir { search write };
-allow hal_drm cgroup_v2:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_drm ion_device:chr_file rw_file_perms;
-allow hal_drm hal_graphics_allocator:fd use;
-
-# Allow access to hidl_memory allocation service
-allow hal_drm hal_allocator_server:fd use;
-
-# Allow access to fds allocated by mediaserver
-allow hal_drm mediaserver:fd use;
-
-allow hal_drm sysfs:file r_file_perms;
-
-allow hal_drm tee_device:chr_file rw_file_perms;
-
-allow hal_drm_server { appdomain -isolated_app }:fd use;
-
-# only allow unprivileged socket ioctl commands
-allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-###
-### neverallow rules
-###
-
-# hal_drm should never execute any executable without a
-# domain transition
-neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/hal_dumpstate.te b/microdroid/sepolicy/system/public/hal_dumpstate.te
deleted file mode 100644
index 9f854e3..0000000
--- a/microdroid/sepolicy/system/public/hal_dumpstate.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_dumpstate_client, hal_dumpstate_server)
-binder_call(hal_dumpstate_server, hal_dumpstate_client)
-
-set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
-
-hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
-
-# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
-allow hal_dumpstate shell_data_file:file write;
-# allow reading /proc/interrupts for all hal impls
-allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_evs.te b/microdroid/sepolicy/system/public/hal_evs.te
deleted file mode 100644
index 789333a..0000000
--- a/microdroid/sepolicy/system/public/hal_evs.te
+++ /dev/null
@@ -1,5 +0,0 @@
-hwbinder_use(hal_evs_client)
-hwbinder_use(hal_evs_server)
-binder_call(hal_evs_client, hal_evs_server)
-binder_call(hal_evs_server, hal_evs_client)
-hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_face.te b/microdroid/sepolicy/system/public/hal_face.te
deleted file mode 100644
index 0134576..0000000
--- a/microdroid/sepolicy/system/public/hal_face.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# Allow HwBinder IPC from client to server, and vice versa for callbacks.
-binder_call(hal_face_client, hal_face_server)
-binder_call(hal_face_server, hal_face_client)
-
-hal_attribute_hwservice(hal_face, hal_face_hwservice)
-hal_attribute_service(hal_face, hal_face_service)
-
-binder_call(hal_face_server, servicemanager)
-
-# Allow access to the ion memory allocation device.
-allow hal_face ion_device:chr_file r_file_perms;
-
-# Allow read/write access to the face template directory.
-allow hal_face face_vendor_data_file:file create_file_perms;
-allow hal_face face_vendor_data_file:dir rw_dir_perms;
diff --git a/microdroid/sepolicy/system/public/hal_fingerprint.te b/microdroid/sepolicy/system/public/hal_fingerprint.te
deleted file mode 100644
index 444cfda..0000000
--- a/microdroid/sepolicy/system/public/hal_fingerprint.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_fingerprint_client, hal_fingerprint_server)
-binder_call(hal_fingerprint_server, hal_fingerprint_client)
-
-hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
-hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
-
-binder_call(hal_fingerprint_server, servicemanager)
-
-# For memory allocation
-allow hal_fingerprint ion_device:chr_file r_file_perms;
-
-allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
-allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
-
-r_dir_file(hal_fingerprint, cgroup)
-r_dir_file(hal_fingerprint, cgroup_v2)
-r_dir_file(hal_fingerprint, sysfs)
-
-
diff --git a/microdroid/sepolicy/system/public/hal_gatekeeper.te b/microdroid/sepolicy/system/public/hal_gatekeeper.te
deleted file mode 100644
index b918f88..0000000
--- a/microdroid/sepolicy/system/public/hal_gatekeeper.te
+++ /dev/null
@@ -1,7 +0,0 @@
-binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
-
-hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice)
-
-# TEE access.
-allow hal_gatekeeper tee_device:chr_file rw_file_perms;
-allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_gnss.te b/microdroid/sepolicy/system/public/hal_gnss.te
deleted file mode 100644
index 832bc8d..0000000
--- a/microdroid/sepolicy/system/public/hal_gnss.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_gnss_client, hal_gnss_server)
-binder_call(hal_gnss_server, hal_gnss_client)
-
-hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
-hal_attribute_service(hal_gnss, hal_gnss_service)
-binder_call(hal_gnss_server, servicemanager)
-binder_call(hal_gnss_client, servicemanager)
-
diff --git a/microdroid/sepolicy/system/public/hal_graphics_allocator.te b/microdroid/sepolicy/system/public/hal_graphics_allocator.te
deleted file mode 100644
index 3ec6b96..0000000
--- a/microdroid/sepolicy/system/public/hal_graphics_allocator.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
-
-hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
-
-# GPU device access
-allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
-allow hal_graphics_allocator ion_device:chr_file r_file_perms;
-allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_graphics_composer.te b/microdroid/sepolicy/system/public/hal_graphics_composer.te
deleted file mode 100644
index 1c69c99..0000000
--- a/microdroid/sepolicy/system/public/hal_graphics_composer.te
+++ /dev/null
@@ -1,32 +0,0 @@
-type hal_graphics_composer_server_tmpfs, file_type;
-attribute hal_graphics_composer_client_tmpfs;
-expandattribute hal_graphics_composer_client_tmpfs true;
-
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
-binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
-allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
-allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
-
-hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
-
-# Coordinate with hal_graphics_mapper
-allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
-allow hal_graphics_composer ion_device:chr_file r_file_perms;
-allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_graphics_composer hal_graphics_allocator:fd use;
-
-# Access /dev/graphics/fb0.
-allow hal_graphics_composer graphics_device:dir search;
-allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
-
-# Fences
-allow hal_graphics_composer system_server:fd use;
-allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer appdomain:fd use;
-
-# allow self to set SCHED_FIFO
-allow hal_graphics_composer self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_health.te b/microdroid/sepolicy/system/public/hal_health.te
deleted file mode 100644
index dc7d083..0000000
--- a/microdroid/sepolicy/system/public/hal_health.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_client, hal_health_server)
-binder_call(hal_health_server, hal_health_client)
-
-hal_attribute_hwservice(hal_health, hal_health_hwservice)
-
-# Common rules for a health service.
-
-# Allow to listen to uevents for updates
-allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Allow to read /sys/class/power_supply directory
-allow hal_health_server sysfs:dir r_dir_perms;
-
-# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
-# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
-# HAL service.
-r_dir_file(hal_health_server, sysfs_batteryinfo)
-
-# Allow to wake up to send periodic events
-wakelock_use(hal_health_server)
-
-# Write to /dev/kmsg
-allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
-
-# Allow to use timerfd to wake itself up periodically to send health info.
-allow hal_health_server self:capability2 wake_alarm;
diff --git a/microdroid/sepolicy/system/public/hal_health_storage.te b/microdroid/sepolicy/system/public/hal_health_storage.te
deleted file mode 100644
index 4938a16..0000000
--- a/microdroid/sepolicy/system/public/hal_health_storage.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_storage_client, hal_health_storage_server)
-binder_call(hal_health_storage_server, hal_health_storage_client)
-
-binder_use(hal_health_storage_server)
-
-hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
-hal_attribute_service(hal_health_storage, hal_health_storage_service)
-
-# Allow ReadDefaultFstab().
-read_fstab(hal_health_storage_server)
diff --git a/microdroid/sepolicy/system/public/hal_identity.te b/microdroid/sepolicy/system/public/hal_identity.te
deleted file mode 100644
index 8d558ad..0000000
--- a/microdroid/sepolicy/system/public/hal_identity.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_identity_client, hal_identity_server)
-
-hal_attribute_service(hal_identity, hal_identity_service)
-
-binder_call(hal_identity_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_input_classifier.te b/microdroid/sepolicy/system/public/hal_input_classifier.te
deleted file mode 100644
index 70a4b7d..0000000
--- a/microdroid/sepolicy/system/public/hal_input_classifier.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_input_classifier_client, hal_input_classifier_server)
-
-hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_ir.te b/microdroid/sepolicy/system/public/hal_ir.te
deleted file mode 100644
index 29555f7..0000000
--- a/microdroid/sepolicy/system/public/hal_ir.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_ir_client, hal_ir_server)
-binder_call(hal_ir_server, hal_ir_client)
-
-hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_keymaster.te b/microdroid/sepolicy/system/public/hal_keymaster.te
deleted file mode 100644
index 3e164ad..0000000
--- a/microdroid/sepolicy/system/public/hal_keymaster.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_keymaster_client, hal_keymaster_server)
-
-hal_attribute_hwservice(hal_keymaster, hal_keymaster_hwservice)
-
-allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_keymint.te b/microdroid/sepolicy/system/public/hal_keymint.te
index e56ab99..7570188 100644
--- a/microdroid/sepolicy/system/public/hal_keymint.te
+++ b/microdroid/sepolicy/system/public/hal_keymint.te
@@ -1,5 +1,4 @@
binder_call(hal_keymint_client, hal_keymint_server)
hal_attribute_service(hal_keymint, hal_keymint_service)
-hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_light.te b/microdroid/sepolicy/system/public/hal_light.te
deleted file mode 100644
index 40829b6..0000000
--- a/microdroid/sepolicy/system/public/hal_light.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_light_client, hal_light_server)
-binder_call(hal_light_server, hal_light_client)
-
-hal_attribute_hwservice(hal_light, hal_light_hwservice)
-hal_attribute_service(hal_light, hal_light_service)
-
-binder_call(hal_light_server, servicemanager)
-binder_use(hal_light_client)
-
-allow hal_light_server dumpstate:fifo_file write;
-
-allow hal_light sysfs_leds:lnk_file read;
-allow hal_light sysfs_leds:file rw_file_perms;
-allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/microdroid/sepolicy/system/public/hal_lowpan.te b/microdroid/sepolicy/system/public/hal_lowpan.te
deleted file mode 100644
index 6fb95e9..0000000
--- a/microdroid/sepolicy/system/public/hal_lowpan.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_lowpan_client, hal_lowpan_server)
-binder_call(hal_lowpan_server, hal_lowpan_client)
-
-
-# Allow hal_lowpan_client to be able to find the hal_lowpan_server
-hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice)
-
-# hal_lowpan domain can write/read to/from lowpan_prop
-set_prop(hal_lowpan_server, lowpan_prop)
-
-# Allow hal_lowpan_server to open lowpan_devices
-allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# Only LoWPAN HAL may directly access LoWPAN hardware
-neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
diff --git a/microdroid/sepolicy/system/public/hal_memtrack.te b/microdroid/sepolicy/system/public/hal_memtrack.te
deleted file mode 100644
index 30a4480..0000000
--- a/microdroid/sepolicy/system/public/hal_memtrack.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_memtrack_client, hal_memtrack_server)
-
-hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
-
-hal_attribute_service(hal_memtrack, hal_memtrack_service)
-binder_call(hal_memtrack_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_neuralnetworks.te b/microdroid/sepolicy/system/public/hal_neuralnetworks.te
deleted file mode 100644
index 7497dec..0000000
--- a/microdroid/sepolicy/system/public/hal_neuralnetworks.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
-binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
-
-hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
-allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
-allow hal_neuralnetworks hal_allocator:fd use;
-allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_neuralnetworks hal_graphics_allocator:fd use;
-
-# Allow NN HAL service to use a client-provided fd residing in /data/data/.
-allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
-allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
-
-# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
-allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
-
-# Allow NN HAL service to read a client-provided ION memory fd.
-allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
-
-# Allow NN HAL service to use a client-provided fd residing in /storage
-allow hal_neuralnetworks_server storage_file:file { getattr map read };
-
-# Allow NN HAL service to read a client-provided fd residing in /data/app/.
-allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
-
-# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
-# property to determine whether to deny NNAPI extensions use for apps
-# on product partition (apps in GSI are not allowed to use NNAPI extensions).
-get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
-# This property is only expected to be found in /product/build.prop,
-# allow to be set only by init.
-neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
-
-# Define sepolicy for NN AIDL HAL service
-hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
-binder_call(hal_neuralnetworks_server, servicemanager)
-
-binder_use(hal_neuralnetworks_server)
-
-allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/microdroid/sepolicy/system/public/hal_neverallows.te b/microdroid/sepolicy/system/public/hal_neverallows.te
deleted file mode 100644
index 4117878..0000000
--- a/microdroid/sepolicy/system/public/hal_neverallows.te
+++ /dev/null
@@ -1,61 +0,0 @@
-# only HALs responsible for network hardware should have privileged
-# network capabilities
-neverallow {
- halserverdomain
- -hal_bluetooth_server
- -hal_can_controller_server
- -hal_wifi_server
- -hal_wifi_hostapd_server
- -hal_wifi_supplicant_server
- -hal_telephony_server
-} self:global_capability_class_set { net_admin net_raw };
-
-# Unless a HAL's job is to communicate over the network, or control network
-# hardware, it should not be using network sockets.
-# NOTE: HALs for automotive devices have an exemption from this rule because in
-# a car it is common to have external modules and HALs need to communicate to
-# those modules using network. Using this exemption for non-automotive builds
-# will result in CTS failure.
-neverallow {
- halserverdomain
- -hal_automotive_socket_exemption
- -hal_can_controller_server
- -hal_tetheroffload_server
- -hal_wifi_server
- -hal_wifi_hostapd_server
- -hal_wifi_supplicant_server
- -hal_telephony_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
-
-###
-# HALs are defined as an attribute and so a given domain could hypothetically
-# have multiple HALs in it (or even all of them) with the subsequent policy of
-# the domain comprised of the union of all the HALs.
-#
-# This is a problem because
-# 1) Security sensitive components should only be accessed by specific HALs.
-# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
-# the platform.
-# 3) The platform cannot reason about defense in depth if there are
-# monolithic domains etc.
-#
-# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
-# its OK for them to share a process its not OK with them to share processes
-# with other hals.
-#
-# The following neverallow rules, in conjuntion with CTS tests, assert that
-# these security principles are adhered to.
-#
-# Do not allow a hal to exec another process without a domain transition.
-# TODO remove exemptions.
-neverallow {
- halserverdomain
- -hal_dumpstate_server
- -hal_telephony_server
-} { file_type fs_type }:file execute_no_trans;
-# Do not allow a process other than init to transition into a HAL domain.
-neverallow { domain -init } halserverdomain:process transition;
-# Only allow transitioning to a domain by running its executable. Do not
-# allow transitioning into a HAL domain by use of seclabel in an
-# init.*.rc script.
-neverallow * halserverdomain:process dyntransition;
diff --git a/microdroid/sepolicy/system/public/hal_nfc.te b/microdroid/sepolicy/system/public/hal_nfc.te
deleted file mode 100644
index 7cef4a1..0000000
--- a/microdroid/sepolicy/system/public/hal_nfc.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_nfc_client, hal_nfc_server)
-binder_call(hal_nfc_server, hal_nfc_client)
-
-hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
-
-# Set NFC properties (used by bcm2079x HAL).
-set_prop(hal_nfc, nfc_prop)
-
-# NFC device access.
-allow hal_nfc nfc_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_oemlock.te b/microdroid/sepolicy/system/public/hal_oemlock.te
deleted file mode 100644
index 9f38fa5..0000000
--- a/microdroid/sepolicy/system/public/hal_oemlock.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_oemlock_client, hal_oemlock_server)
-
-hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
-hal_attribute_service(hal_oemlock, hal_oemlock_service)
-
-binder_call(hal_oemlock_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_omx.te b/microdroid/sepolicy/system/public/hal_omx.te
deleted file mode 100644
index 8e74383..0000000
--- a/microdroid/sepolicy/system/public/hal_omx.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# applies all permissions to hal_omx NOT hal_omx_server
-# since OMX must always be in its own process.
-
-binder_call(hal_omx_server, binderservicedomain)
-binder_call(hal_omx_server, { appdomain -isolated_app })
-
-# Allow hal_omx_server access to composer sync fences
-allow hal_omx_server hal_graphics_composer:fd use;
-
-allow hal_omx_server ion_device:chr_file rw_file_perms;
-allow hal_omx_server hal_camera:fd use;
-
-crash_dump_fallback(hal_omx_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow hal_omx_server bufferhubd:fd use;
-
-hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-
-allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
-
-get_prop(hal_omx_client, media_variant_prop)
-get_prop(hal_omx_server, media_variant_prop)
-
-binder_call(hal_omx_client, hal_omx_server)
-binder_call(hal_omx_server, hal_omx_client)
-
-###
-### neverallow rules
-###
-
-# hal_omx_server should never execute any executable without a
-# domain transition
-neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/hal_power.te b/microdroid/sepolicy/system/public/hal_power.te
deleted file mode 100644
index aae32a0..0000000
--- a/microdroid/sepolicy/system/public/hal_power.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_power_client, hal_power_server)
-binder_call(hal_power_server, hal_power_client)
-
-hal_attribute_hwservice(hal_power, hal_power_hwservice)
-hal_attribute_service(hal_power, hal_power_service)
-
-binder_call(hal_power_server, servicemanager)
-binder_call(hal_power_client, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_power_stats.te b/microdroid/sepolicy/system/public/hal_power_stats.te
deleted file mode 100644
index 4076eff..0000000
--- a/microdroid/sepolicy/system/public/hal_power_stats.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_power_stats_client, hal_power_stats_server)
-binder_call(hal_power_stats_server, hal_power_stats_client)
-
-hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
-hal_attribute_service(hal_power_stats, hal_power_stats_service)
-
-binder_call(hal_power_stats_server, servicemanager)
-binder_call(hal_power_stats_client, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_rebootescrow.te b/microdroid/sepolicy/system/public/hal_rebootescrow.te
deleted file mode 100644
index d16333b..0000000
--- a/microdroid/sepolicy/system/public/hal_rebootescrow.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
-
-hal_attribute_service(hal_rebootescrow, hal_rebootescrow_service)
-
-binder_use(hal_rebootescrow_server)
diff --git a/microdroid/sepolicy/system/public/hal_secure_element.te b/microdroid/sepolicy/system/public/hal_secure_element.te
deleted file mode 100644
index 3724d35..0000000
--- a/microdroid/sepolicy/system/public/hal_secure_element.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_secure_element_client, hal_secure_element_server)
-binder_call(hal_secure_element_server, hal_secure_element_client)
-
-hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_sensors.te b/microdroid/sepolicy/system/public/hal_sensors.te
deleted file mode 100644
index 06e76f1..0000000
--- a/microdroid/sepolicy/system/public/hal_sensors.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_sensors_client, hal_sensors_server)
-
-hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
-
-# Allow sensor hals to access ashmem memory allocated by apps
-allow hal_sensors { appdomain -isolated_app }:fd use;
-
-# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
-# fd is passed in from framework sensorservice HAL.
-allow hal_sensors hal_allocator:fd use;
-
-# allow to run with real-time scheduling policy
-allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_telephony.te b/microdroid/sepolicy/system/public/hal_telephony.te
deleted file mode 100644
index f0cf075..0000000
--- a/microdroid/sepolicy/system/public/hal_telephony.te
+++ /dev/null
@@ -1,44 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_telephony_client, hal_telephony_server)
-binder_call(hal_telephony_server, hal_telephony_client)
-
-hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
-
-allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
-
-allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allow hal_telephony_server kernel:system module_request;
-allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
-allow hal_telephony_server cgroup:dir create_dir_perms;
-allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
-allow hal_telephony_server cgroup_v2:dir create_dir_perms;
-allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
-allow hal_telephony_server radio_device:chr_file rw_file_perms;
-allow hal_telephony_server radio_device:blk_file r_file_perms;
-allow hal_telephony_server efs_file:dir create_dir_perms;
-allow hal_telephony_server efs_file:file create_file_perms;
-allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
-allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
-allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
-
-# property service
-get_prop(hal_telephony_server, telephony_config_prop)
-set_prop(hal_telephony_server, radio_control_prop)
-set_prop(hal_telephony_server, radio_prop)
-set_prop(hal_telephony_server, telephony_status_prop)
-
-allow hal_telephony_server tty_device:chr_file rw_file_perms;
-
-# Allow hal_telephony_server to create and use netlink sockets.
-allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Access to wake locks
-wakelock_use(hal_telephony_server)
-
-r_dir_file(hal_telephony_server, proc_net_type)
-r_dir_file(hal_telephony_server, sysfs_type)
-
-# granting the ioctl permission for hal_telephony_server should be device specific
-allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
diff --git a/microdroid/sepolicy/system/public/hal_tetheroffload.te b/microdroid/sepolicy/system/public/hal_tetheroffload.te
deleted file mode 100644
index cf51723..0000000
--- a/microdroid/sepolicy/system/public/hal_tetheroffload.te
+++ /dev/null
@@ -1,8 +0,0 @@
-## HwBinder IPC from client to server, and callbacks
-binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
-binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
-
-hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
-
-# allow the client to pass the server already open netlink sockets
-allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/microdroid/sepolicy/system/public/hal_thermal.te b/microdroid/sepolicy/system/public/hal_thermal.te
deleted file mode 100644
index 2115da1..0000000
--- a/microdroid/sepolicy/system/public/hal_thermal.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_thermal_client, hal_thermal_server)
-binder_call(hal_thermal_server, hal_thermal_client)
-
-hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_tv_cec.te b/microdroid/sepolicy/system/public/hal_tv_cec.te
deleted file mode 100644
index 6584904..0000000
--- a/microdroid/sepolicy/system/public/hal_tv_cec.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_cec_client, hal_tv_cec_server)
-binder_call(hal_tv_cec_server, hal_tv_cec_client)
-
-hal_attribute_hwservice(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_tv_input.te b/microdroid/sepolicy/system/public/hal_tv_input.te
deleted file mode 100644
index 5a5bdda..0000000
--- a/microdroid/sepolicy/system/public/hal_tv_input.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_input_client, hal_tv_input_server)
-binder_call(hal_tv_input_server, hal_tv_input_client)
-
-hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_tv_tuner.te b/microdroid/sepolicy/system/public/hal_tv_tuner.te
deleted file mode 100644
index 0da4ec7..0000000
--- a/microdroid/sepolicy/system/public/hal_tv_tuner.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_tv_tuner_client, hal_tv_tuner_server)
-binder_call(hal_tv_tuner_server, hal_tv_tuner_client)
-
-hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_usb.te b/microdroid/sepolicy/system/public/hal_usb.te
deleted file mode 100644
index 38bc49a..0000000
--- a/microdroid/sepolicy/system/public/hal_usb.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_usb_client, hal_usb_server)
-binder_call(hal_usb_server, hal_usb_client)
-
-hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
-
-allow hal_usb self:netlink_kobject_uevent_socket create;
-allow hal_usb self:netlink_kobject_uevent_socket setopt;
-allow hal_usb self:netlink_kobject_uevent_socket getopt;
-allow hal_usb self:netlink_kobject_uevent_socket bind;
-allow hal_usb self:netlink_kobject_uevent_socket read;
-allow hal_usb sysfs:dir open;
-allow hal_usb sysfs:dir read;
-allow hal_usb sysfs:file read;
-allow hal_usb sysfs:file open;
-allow hal_usb sysfs:file write;
-allow hal_usb sysfs:file getattr;
-
diff --git a/microdroid/sepolicy/system/public/hal_usb_gadget.te b/microdroid/sepolicy/system/public/hal_usb_gadget.te
deleted file mode 100644
index a474652..0000000
--- a/microdroid/sepolicy/system/public/hal_usb_gadget.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
-binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
-
-hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
-
-# Configuring usb gadget functions
-allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
-allow hal_usb_gadget_server configfs:dir rw_dir_perms;
-allow hal_usb_gadget_server configfs:file create_file_perms;
-allow hal_usb_gadget_server functionfs:dir { read search };
-allow hal_usb_gadget_server functionfs:file read;
-
diff --git a/microdroid/sepolicy/system/public/hal_vehicle.te b/microdroid/sepolicy/system/public/hal_vehicle.te
deleted file mode 100644
index 6855d14..0000000
--- a/microdroid/sepolicy/system/public/hal_vehicle.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_vehicle_client, hal_vehicle_server)
-binder_call(hal_vehicle_server, hal_vehicle_client)
-
-
-hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_vibrator.te b/microdroid/sepolicy/system/public/hal_vibrator.te
deleted file mode 100644
index c902495..0000000
--- a/microdroid/sepolicy/system/public/hal_vibrator.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# HwBinder IPC client/server
-binder_call(hal_vibrator_client, hal_vibrator_server)
-binder_call(hal_vibrator_server, hal_vibrator_client);
-
-hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
-hal_attribute_service(hal_vibrator, hal_vibrator_service)
-
-binder_call(hal_vibrator_server, servicemanager)
-
-allow hal_vibrator_server dumpstate:fifo_file write;
-
-# vibrator sysfs rw access
-allow hal_vibrator sysfs_vibrator:file rw_file_perms;
-allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/microdroid/sepolicy/system/public/hal_vr.te b/microdroid/sepolicy/system/public/hal_vr.te
deleted file mode 100644
index e52c77f..0000000
--- a/microdroid/sepolicy/system/public/hal_vr.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_vr_client, hal_vr_server)
-binder_call(hal_vr_server, hal_vr_client)
-
-hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_weaver.te b/microdroid/sepolicy/system/public/hal_weaver.te
deleted file mode 100644
index 2b34989..0000000
--- a/microdroid/sepolicy/system/public/hal_weaver.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_weaver_client, hal_weaver_server)
-
-hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
-hal_attribute_service(hal_weaver, hal_weaver_service)
-
-binder_call(hal_weaver_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_wifi.te b/microdroid/sepolicy/system/public/hal_wifi.te
deleted file mode 100644
index 2e4fa78..0000000
--- a/microdroid/sepolicy/system/public/hal_wifi.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_wifi_client, hal_wifi_server)
-binder_call(hal_wifi_server, hal_wifi_client)
-
-hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
-
-r_dir_file(hal_wifi, proc_net_type)
-r_dir_file(hal_wifi, sysfs_type)
-
-set_prop(hal_wifi_server, wifi_hal_prop)
-set_prop(hal_wifi, wifi_prop)
-userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
-
-# allow hal wifi set interfaces up and down and get the factory MAC
-allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
-
-allow hal_wifi self:global_capability_class_set { net_admin net_raw };
-# allow hal_wifi to speak to nl80211 in the kernel
-allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
-# hal_wifi writes firmware paths to this file.
-allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
-# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
-allow hal_wifi proc_modules:file { getattr open read };
-# Allow hal_wifi to send dump info to dumpstate
-allow hal_wifi dumpstate:fifo_file write;
-
-# allow hal_wifi to write into /data/vendor/tombstones/wifi
-allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
-allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_wifi_hostapd.te b/microdroid/sepolicy/system/public/hal_wifi_hostapd.te
deleted file mode 100644
index 12d72b6..0000000
--- a/microdroid/sepolicy/system/public/hal_wifi_hostapd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
-binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
-
-hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
-
-allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
-
-allow hal_wifi_hostapd_server sysfs_net:dir search;
-
-# Allow hal_wifi_hostapd to access /proc/net/psched
-allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
-
-# Various socket permissions.
-allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
-allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
-allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
-
-###
-### neverallow rules
-###
-
-# hal_wifi_hostapd should not trust any data from sdcards
-neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_hostapd_server sdcard_type:file *;
diff --git a/microdroid/sepolicy/system/public/hal_wifi_supplicant.te b/microdroid/sepolicy/system/public/hal_wifi_supplicant.te
deleted file mode 100644
index 7361af1..0000000
--- a/microdroid/sepolicy/system/public/hal_wifi_supplicant.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
-binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
-
-hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
-allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net_type)
-
-allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
-allow hal_wifi_supplicant cgroup:dir create_dir_perms;
-allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
-allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
-allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:packet_socket create_socket_perms;
-allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant_server)
-
-# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
-allow hal_wifi_supplicant wifi_key:keystore2_key {
- get_info
- use
-};
-
-###
-### neverallow rules
-###
-
-# wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/microdroid/sepolicy/system/public/healthd.te b/microdroid/sepolicy/system/public/healthd.te
deleted file mode 100644
index 05acb84..0000000
--- a/microdroid/sepolicy/system/public/healthd.te
+++ /dev/null
@@ -1,50 +0,0 @@
-# healthd - battery/charger monitoring service daemon
-type healthd, domain;
-type healthd_exec, system_file_type, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-allow healthd sysfs_type:dir search;
-# Allow to read /sys/class/power_supply directory.
-allow healthd sysfs:dir r_dir_perms;
-r_dir_file(healthd, rootfs)
-r_dir_file(healthd, cgroup)
-r_dir_file(healthd, cgroup_v2)
-
-allow healthd self:global_capability_class_set { sys_tty_config };
-allow healthd self:global_capability_class_set sys_boot;
-dontaudit healthd self:global_capability_class_set sys_resource;
-
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(healthd)
-
-hal_client_domain(healthd, hal_health)
-
-# Read/write to /sys/power/state
-allow healthd sysfs_power:file rw_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
-r_dir_file(healthd, sysfs_batteryinfo)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd proc_sysrq:file rw_file_perms;
diff --git a/microdroid/sepolicy/system/public/heapprofd.te b/microdroid/sepolicy/system/public/heapprofd.te
deleted file mode 100644
index 7ceb23f..0000000
--- a/microdroid/sepolicy/system/public/heapprofd.te
+++ /dev/null
@@ -1 +0,0 @@
-type heapprofd, domain, coredomain;
diff --git a/microdroid/sepolicy/system/public/hwservice.te b/microdroid/sepolicy/system/public/hwservice.te
deleted file mode 100644
index 11b77f0..0000000
--- a/microdroid/sepolicy/system/public/hwservice.te
+++ /dev/null
@@ -1,101 +0,0 @@
-# hwservice types. By default most of the HALs are protected_hwservice, which means
-# access from untrusted apps is prohibited.
-type default_android_hwservice, hwservice_manager_type, protected_hwservice;
-type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
-type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-
-# Following is the hwservices that are explicitly not marked with protected_hwservice.
-# These are directly accessible from untrusted apps.
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safer than ordinary hwservices which
-# are from vendor partition
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
-# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
-# - hal_drm_hwservice: versions > API 29 are designed specifically with
-# untrusted app access in mind.
-type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_cas_hwservice, hwservice_manager_type;
-type hal_codec2_hwservice, hwservice_manager_type;
-type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_neuralnetworks_hwservice, hwservice_manager_type;
-type hal_omx_hwservice, hwservice_manager_type;
-type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-
-###
-### Neverallow rules
-###
-
-# hwservicemanager handles registering or looking up named services.
-# It does not make sense to register or lookup something which is not a
-# hwservice. Trigger a compile error if this occurs.
-neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
diff --git a/microdroid/sepolicy/system/public/hwservicemanager.te b/microdroid/sepolicy/system/public/hwservicemanager.te
index 7ec1872..5421b11 100644
--- a/microdroid/sepolicy/system/public/hwservicemanager.te
+++ b/microdroid/sepolicy/system/public/hwservicemanager.te
@@ -1,20 +1,2 @@
-# hwservicemanager - the Binder context manager for HAL services
type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, system_file_type, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
+type hwservicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/idmap.te b/microdroid/sepolicy/system/public/idmap.te
deleted file mode 100644
index f41f573..0000000
--- a/microdroid/sepolicy/system/public/idmap.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# idmap, when executed by installd
-type idmap, domain;
-type idmap_exec, system_file_type, exec_type, file_type;
-
-# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file create_file_perms;
-allow idmap resourcecache_data_file:dir rw_dir_perms;
-
-# Ignore reading /proc/<pid>/maps after a fork.
-dontaudit idmap installd:file read;
-
-# Open and read from target and overlay apk files passed by argument.
-allow idmap apk_data_file:file r_file_perms;
-allow idmap apk_data_file:dir search;
-
-# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
-
-# Allow apps access to /vendor/app
-r_dir_file(idmap, vendor_app_file)
-
-# Allow apps access to /vendor/overlay
-r_dir_file(idmap, vendor_overlay_file)
-
-# Allow the idmap2d binary to register as a service and communicate via AIDL
-binder_use(idmap)
-binder_service(idmap)
-add_service(idmap, idmap_service)
diff --git a/microdroid/sepolicy/system/public/incident.te b/microdroid/sepolicy/system/public/incident.te
deleted file mode 100644
index ce57bf6..0000000
--- a/microdroid/sepolicy/system/public/incident.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# The incident command is used to call into the incidentd service to
-# take an incident report (binary, shared bugreport), download incident
-# reports that have already been taken, and monitor for new ones.
-# It doesn't do anything else.
-
-# incident
-type incident, domain;
-
diff --git a/microdroid/sepolicy/system/public/incident_helper.te b/microdroid/sepolicy/system/public/incident_helper.te
deleted file mode 100644
index bca1018..0000000
--- a/microdroid/sepolicy/system/public/incident_helper.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# The incident_helper is called by incidentd and
-# can only read/write data from/to incidentd
-
-# incident_helper
-type incident_helper, domain;
diff --git a/microdroid/sepolicy/system/public/incidentd.te b/microdroid/sepolicy/system/public/incidentd.te
deleted file mode 100644
index b03249c..0000000
--- a/microdroid/sepolicy/system/public/incidentd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# incidentd
-type incidentd, domain;
-
diff --git a/microdroid/sepolicy/system/public/init.te b/microdroid/sepolicy/system/public/init.te
index ea5a979..bccdb70 100644
--- a/microdroid/sepolicy/system/public/init.te
+++ b/microdroid/sepolicy/system/public/init.te
@@ -3,657 +3,6 @@
type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type;
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-
-#
-# init direct restorecon calls.
-#
-# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { getattr write relabelto };
-# /dev/kmsg_debug
-userdebug_or_eng(`
- allow init kmsg_debug_device:chr_file { open write relabelto };
-')
-
-# allow init to mount and unmount debugfs in debug builds
-userdebug_or_eng(`
- allow init debugfs:dir mounton;
-')
-
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
-allow init properties_device:file create_file_perms;
-allow init property_info:file relabelto;
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
-# /dev/socket
-allow init { device socket_device dm_user_device }:dir relabelto;
-# allow init to establish connection and communicate with lmkd
-unix_socket_connect(init, lmkd, lmkd)
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
-# /dev/device-mapper, /dev/block(/.*)?
-allow init tmpfs:{ chr_file blk_file } relabelfrom;
-allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file lnk_file } relabelto;
-allow init dm_device:{ chr_file blk_file } relabelto;
-allow init dm_user_device:chr_file relabelto;
-allow init kernel:fd use;
-# restorecon for early mount device symlinks
-allow init tmpfs:lnk_file { getattr read relabelfrom };
-allow init {
- metadata_block_device
- misc_block_device
- recovery_block_device
- system_block_device
- userdata_block_device
-}:{ blk_file lnk_file } relabelto;
-
-allow init super_block_device:lnk_file relabelto;
-
-# Create /mnt/sdcard -> /storage/self/primary symlink.
-allow init mnt_sdcard_file:lnk_file create;
-
-# setrlimit
-allow init self:global_capability_class_set sys_resource;
-
-# Remove /dev/.booting and load /debug_ramdisk/* files
-allow init tmpfs:file { getattr unlink };
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Create /dev/fscklogs files.
-allow init fscklogs:file create_file_perms;
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:global_capability_class_set sys_admin;
-
-# Call setns(2).
-allow init self:global_capability_class_set sys_chroot;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init {
- rootfs
- cache_file
- cgroup
- linkerconfig_file
- storage_file
- mnt_user_file
- system_data_file
- system_data_root_file
- system_file
- vendor_file
- postinstall_mnt_dir
- mirror_data_file
-}:dir mounton;
-
-# Mount bpf fs on sys/fs/bpf
-allow init fs_bpf:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Mount tmpfs on /apex
-allow init apex_mnt_dir:dir mounton;
-
-# Bind-mount on /system/apex/com.android.art
-allow init art_apex_dir:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-allow init cgroup:file rw_file_perms;
-allow init cgroup_rc_file:file rw_file_perms;
-allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
-allow init vendor_cgroup_desc_file:file r_file_perms;
-allow init cgroup_v2:dir { mounton create_dir_perms};
-allow init cgroup_v2:file rw_file_perms;
-
-# /config
-allow init configfs:dir mounton;
-allow init configfs:dir create_dir_perms;
-allow init configfs:{ file lnk_file } create_file_perms;
-
-# /metadata
-allow init metadata_file:dir mounton;
-
-# Use tmpfs as /data, used for booting when /data is encrypted
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set { dac_override dac_read_search };
-
-# Set system clock.
-allow init self:global_capability_class_set sys_time;
-
-allow init self:global_capability_class_set { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-allowxperm init dev_type:blk_file ioctl BLKROSET;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init {
- fs_type
- enforce_debugfs_restriction(`-debugfs_type')
-}:filesystem ~relabelto;
-
-# Allow init to mount/unmount debugfs in non-user builds.
-enforce_debugfs_restriction(`
- userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
-')
-
-# Allow init to mount tracefs in /sys/kernel/tracing
-allow init debugfs_tracing_debug:filesystem mount;
-
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:global_capability_class_set { chown fowner fsetid };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
-}:dir { create search getattr open read setattr ioctl };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -iorapd_data_file
- -credstore_data_file
- -keystore_data_file
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -shell_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
- -vold_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow init {
- file_type
- -apex_info_file
- -app_data_file
- -exec_type
- -gsi_data_file
- -iorapd_data_file
- -credstore_data_file
- -keystore_data_file
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -runtime_event_log_tags_file
- -shell_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
- -vold_data_file
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow init tracefs_type:file { create_file_perms relabelfrom };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -gsi_data_file
- -iorapd_data_file
- -credstore_data_file
- -keystore_data_file
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -shell_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
- -vold_data_file
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow init {
- file_type
- -apex_mnt_dir
- -app_data_file
- -exec_type
- -gsi_data_file
- -iorapd_data_file
- -credstore_data_file
- -keystore_data_file
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -shell_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
- -vold_data_file
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow init cache_file:lnk_file r_file_perms;
-
-allow init {
- file_type
- -system_file_type
- -vendor_file_type
- -exec_type
- -app_data_file
- -privapp_data_file
-}:dir_file_class_set relabelto;
-
-allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
-
-# Setup and control wifi event tracing (see wifi-events.rc)
-allow init debugfs_tracing_instances:dir create_dir_perms;
-allow init debugfs_tracing_instances:file w_file_perms;
-allow init debugfs_wifi_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow init {
- fs_type
- -contextmount_type
- -keychord_device
- -proc_type
- -sdcard_type
- -sysfs_type
- -rootfs
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
-
-allow init {
- binder_device
- console_device
- devpts
- dm_device
- hwbinder_device
- input_device
- kmsg_device
- null_device
- owntty_device
- pmsg_device
- ptmx_device
- random_device
- tty_device
- zero_device
-}:chr_file { read open };
-
-# Unlabeled file access for upgrades from 4.2.
-allow init unlabeled:dir { create_dir_perms relabelfrom };
-allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:global_capability2_class_set syslog;
-
-# init access to /proc.
-r_dir_file(init, proc_net_type)
-allow init proc_filesystems:file r_file_perms;
-
-userdebug_or_eng(`
- # Overlayfs workdir write access check during mount to permit remount,rw
- allow init overlayfs_file:dir { relabelfrom mounton write };
- allow init overlayfs_file:file { append };
- allow init system_block_device:blk_file { write };
-')
-
-allow init {
- proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
- proc_bootconfig
- proc_cmdline
- proc_diskstats
- proc_kmsg # Open /proc/kmsg for logd service.
- proc_meminfo
- proc_stat # Read /proc/stat for bootchart.
- proc_uptime
- proc_version
-}:file r_file_perms;
-
-allow init {
- proc_abi
- proc_dirty
- proc_hostname
- proc_hung_task
- proc_extra_free_kbytes
- proc_net_type
- proc_max_map_count
- proc_min_free_order_shift
- proc_overcommit_memory # /proc/sys/vm/overcommit_memory
- proc_panic
- proc_page_cluster
- proc_perf
- proc_sched
- proc_sysrq
-}:file w_file_perms;
-
-allow init {
- proc_security
-}:file rw_file_perms;
-
-# init chmod/chown access to /proc files.
-allow init {
- proc_cmdline
- proc_bootconfig
- proc_kmsg
- proc_net
- proc_pagetypeinfo
- proc_qtaguid_stat
- proc_slabinfo
- proc_sysrq
- proc_qtaguid_ctrl
- proc_vmallocinfo
-}:file setattr;
-
-# init access to /sys files.
-allow init {
- sysfs_android_usb
- sysfs_dm_verity
- sysfs_leds
- sysfs_power
- sysfs_fs_f2fs
- sysfs_dm
-}:file w_file_perms;
-
-allow init {
- sysfs_dt_firmware_android
- sysfs_fs_ext4_features
-}:file r_file_perms;
-
-allow init {
- sysfs_zram
-}:file rw_file_perms;
-
-# allow init to create loop devices with /dev/loop-control
-allow init loop_control_device:chr_file rw_file_perms;
-allow init loop_device:blk_file rw_file_perms;
-allowxperm init loop_device:blk_file ioctl {
- LOOP_SET_FD
- LOOP_CLR_FD
- LOOP_CTL_GET_FREE
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_GET_STATUS
-};
-
-# Allow init to write to vibrator/trigger
-allow init sysfs_vibrator:file w_file_perms;
-
-# init chmod/chown access to /sys files.
-allow init {
- sysfs_android_usb
- sysfs_devices_system_cpu
- sysfs_ipv4
- sysfs_leds
- sysfs_lowmemorykiller
- sysfs_power
- sysfs_vibrator
- sysfs_wake_lock
- sysfs_zram
-}:file setattr;
-
-# Set usermodehelpers.
-allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
-
-allow init self:global_capability_class_set net_admin;
-
-# Reboot.
-allow init self:global_capability_class_set sys_boot;
-
-# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
-# Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
-allow init misc_logd_file:file { open create getattr setattr write };
-
-# Support "adb shell stop"
-allow init self:global_capability_class_set kill;
-allow init domain:process { getpgid sigkill signal };
-
-# Init creates credstore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init credstore_data_file:dir { open create read getattr setattr search };
-allow init credstore_data_file:file { getattr };
-
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
-# Init creates vold's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init vold_data_file:dir { open create read getattr setattr search };
-allow init vold_data_file:file { getattr };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID, GID, and adjust capability bounding set for services.
-allow init self:global_capability_class_set { setuid setgid setpcap };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Get file context
-allow init file_contexts_file:file r_file_perms;
-
-# sepolicy access
-allow init sepolicy_file:file r_file_perms;
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind setopt };
-allow init domain:unix_dgram_socket { create bind setopt };
-
-# Create /data/property and files within it.
-allow init property_data_file:dir create_dir_perms;
-allow init property_data_file:file create_file_perms;
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Send an SELinux userspace denial to the kernel audit subsystem,
-# so it can be picked up and processed by logd. These denials are
-# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:global_capability_class_set audit_write;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:global_capability_class_set net_raw;
-
-# Set scheduling info for psi monitor thread.
-# TODO: delete or revise this line b/131761776
-allow init kernel:process { getsched setsched };
-
-# swapon() needs write access to swap device
-# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
-allow init swap_block_device:blk_file rw_file_perms;
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO: Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# keychord retrieval from /dev/input/ devices
-allow init input_device:dir r_dir_perms;
-allow init input_device:chr_file rw_file_perms;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# Access dm-user for OTA boot
-allow init dm_user_device:chr_file rw_file_perms;
-
-# Access metadata block device for storing dm-verity state
-allow init metadata_block_device:blk_file rw_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops to detect restarts caused
-# by dm-verity detecting corrupted blocks
-allow init pstorefs:dir search;
-allow init pstorefs:file r_file_perms;
-allow init kernel:system syslog_read;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-# Allow init to create /data/unencrypted
-allow init unencrypted_data_file:dir create_dir_perms;
-
-# Set encryption policy on dirs in /data
-allowxperm init { data_file_type unlabeled }:dir ioctl {
- FS_IOC_GET_ENCRYPTION_POLICY
- FS_IOC_SET_ENCRYPTION_POLICY
-};
-
-# Raw writes to misc block device
-allow init misc_block_device:blk_file w_file_perms;
-
-r_dir_file(init, system_file)
-r_dir_file(init, vendor_file_type)
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-# For init to be able to run shell scripts from vendor
-allow init vendor_shell_exec:file execute;
-
-# Metadata setup
-allow init vold_metadata_file:dir create_dir_perms;
-allow init vold_metadata_file:file getattr;
-allow init metadata_bootstat_file:dir create_dir_perms;
-allow init metadata_bootstat_file:file w_file_perms;
-allow init userspace_reboot_metadata_file:file w_file_perms;
-
-# Allow init to touch PSI monitors
-allow init proc_pressure_mem:file { rw_file_perms setattr };
-
-# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
-
-# stat the root dir of fuse filesystems (for the mount handler)
-allow init fuse:dir { search getattr };
-
-# allow filesystem tuning
-allow init userdata_sysdev:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-# The init domain is only entered via an exec based transition from the
-# kernel domain, never via setcon().
-neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
-neverallow init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow init shell_data_file:lnk_file read;
-neverallow init { app_data_file privapp_data_file }:lnk_file read;
-
-# init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
-
-# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
-# when init is executing other binaries. The use of LD_PRELOAD for init spawned
-# services is generally considered a no-no, as it injects libraries which the
-# binary was not expecting. This is especially problematic for APEXes. The use
-# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
-# code into a process which wasn't expecting that code, with potentially
-# unexpected side effects. (b/140789528)
-neverallow init *:process noatsecure;
-
-# init can never add binder services
-neverallow init service_manager_type:service_manager { add find };
-# init can never list binder services
-neverallow init servicemanager:service_manager list;
-
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow init shell_data_file:dir { write add_name remove_name };
-
-# Init should not access sysfs node that are not explicitly labeled.
-neverallow init sysfs:file { open read write };
-
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# init owns the root of /data
-# TODO(b/140259336) We want to remove vendor_init
-# TODO(b/141108496) We want to remove toolbox
-neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
+allow init kmsg_debug_device:chr_file { open write relabelto };
diff --git a/microdroid/sepolicy/system/public/inputflinger.te b/microdroid/sepolicy/system/public/inputflinger.te
deleted file mode 100644
index b62c06d..0000000
--- a/microdroid/sepolicy/system/public/inputflinger.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# inputflinger
-type inputflinger, domain;
-type inputflinger_exec, system_file_type, exec_type, file_type;
-
-binder_use(inputflinger)
-binder_service(inputflinger)
-
-binder_call(inputflinger, system_server)
-
-wakelock_use(inputflinger)
-
-allow inputflinger input_device:dir r_dir_perms;
-allow inputflinger input_device:chr_file rw_file_perms;
-
-r_dir_file(inputflinger, cgroup)
-r_dir_file(inputflinger, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/installd.te b/microdroid/sepolicy/system/public/installd.te
deleted file mode 100644
index eb13cfa..0000000
--- a/microdroid/sepolicy/system/public/installd.te
+++ /dev/null
@@ -1,175 +0,0 @@
-# installer daemon
-type installd, domain;
-type installd_exec, system_file_type, exec_type, file_type;
-typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
-
-# Allow labeling of files under /data/app/com.example/oat/
-allow installd dalvikcache_data_file:dir relabelto;
-allow installd dalvikcache_data_file:file { relabelto link };
-
-# Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
-# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
-# TODO(b/120629632): this path is deprecated, remove when possible.
-allowxperm installd apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
-allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
-allow installd oemfs:dir r_dir_perms;
-allow installd oemfs:file r_file_perms;
-allow installd cgroup:dir create_dir_perms;
-allow installd cgroup_v2:dir create_dir_perms;
-allow installd mnt_expand_file:dir { search getattr };
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-
-r_dir_file(installd, rootfs)
-# Scan through APKs in /system/app and /system/priv-app
-r_dir_file(installd, system_file)
-# Scan through APKs in /vendor/app
-r_dir_file(installd, vendor_app_file)
-# Scan through JARs in /vendor/framework
-r_dir_file(installd, vendor_framework_file)
-# Scan through Runtime Resource Overlay APKs in /vendor/overlay
-r_dir_file(installd, vendor_overlay_file)
-# Get file context
-allow installd file_contexts_file:file r_file_perms;
-# Get seapp_context
-allow installd seapp_contexts_file:file r_file_perms;
-
-# Search /data/app-asec and stat files in it.
-allow installd asec_image_file:dir search;
-allow installd asec_image_file:file getattr;
-
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
-# and lib symlinks before the setfilecon call. May want to
-# move symlink creation after setfilecon in installd.
-allow installd system_data_file:dir create_dir_perms;
-# Also, allow read for lnk_file so that we can process /data/user/0 links when
-# optimizing application code.
-allow installd system_data_file:lnk_file { create getattr read setattr unlink };
-
-# Manage lower filesystem via pass_through mounts
-allow installd mnt_pass_through_file:dir r_dir_perms;
-
-# Upgrade /data/media for multi-user if necessary.
-allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file { getattr unlink };
-# restorecon new /data/media directory.
-allow installd system_data_file:dir relabelfrom;
-allow installd media_rw_data_file:dir relabelto;
-
-# Delete /data/media files through sdcardfs, instead of going behind its back
-allow installd tmpfs:dir r_dir_perms;
-allow installd storage_file:dir search;
-allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
-allow installd sdcard_type:file { getattr unlink };
-
-# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
-allow installd mirror_data_file:dir { create_dir_perms mounton };
-
-# Upgrade /data/misc/keychain for multi-user if necessary.
-allow installd misc_user_data_file:dir create_dir_perms;
-allow installd misc_user_data_file:file create_file_perms;
-allow installd keychain_data_file:dir create_dir_perms;
-allow installd keychain_data_file:file {r_file_perms unlink};
-
-# Create /data/misc/installd/layout_version.* file
-allow installd install_data_file:file create_file_perms;
-allow installd install_data_file:dir rw_dir_perms;
-
-# Create files under /data/dalvik-cache.
-allow installd dalvikcache_data_file:dir create_dir_perms;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd dalvikcache_data_file:lnk_file getattr;
-
-# Create files under /data/resource-cache.
-allow installd resourcecache_data_file:dir rw_dir_perms;
-allow installd resourcecache_data_file:file create_file_perms;
-
-# Upgrade from unlabeled userdata.
-# Just need enough to remove and/or relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
-# Read pkg.apk file for input during dexopt.
-allow installd unlabeled:file r_file_perms;
-
-# Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it and to unlink removed package files.
-# Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
-
-# Manage /data/data subdirectories, including initially labeling them
-# upon creation via setfilecon or running restorecon_recursive,
-# setting owner/mode, creating symlinks within them, and deleting them
-# upon package uninstall.
-allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
-allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
-allow installd user_profile_data_file:dir { create_dir_perms relabelto };
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:file unlink;
-
-# Allow zygote to unmount mirror directories
-allow installd labeledfs:filesystem unmount;
-
-# Files created/updated by profman dumps.
-allow installd profman_dump_data_file:dir { search add_name write };
-allow installd profman_dump_data_file:file { create setattr open write };
-
-# Create and use pty created by android_fork_execvp().
-allow installd devpts:chr_file rw_file_perms;
-
-# execute toybox for app relocation
-allow installd toolbox_exec:file rx_file_perms;
-
-# Allow installd to publish a binder service and make binder calls.
-binder_use(installd)
-add_service(installd, installd_service)
-allow installd dumpstate:fifo_file { getattr write };
-
-# Allow installd to call into the system server so it can check permissions.
-binder_call(installd, system_server)
-allow installd permission_service:service_manager find;
-
-# Allow installd to read and write quotas
-allow installd block_device:dir { search };
-allow installd labeledfs:filesystem { quotaget quotamod };
-
-# Allow installd to delete from /data/preloads when trimming data caches
-# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
-allow installd preloads_data_file:file { r_file_perms unlink };
-allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow installd preloads_media_file:file { r_file_perms unlink };
-allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-# Allow installd to read /proc/filesystems
-allow installd proc_filesystems:file r_file_perms;
-
-#add for move app to sd card
-get_prop(installd, storage_config_prop)
-
-###
-### Neverallow rules
-###
-
-# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
-neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
-neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
-neverallow installd {
- domain
- -system_server
- -servicemanager
- userdebug_or_eng(`-su')
-}:binder call;
diff --git a/microdroid/sepolicy/system/public/iorap_inode2filename.te b/microdroid/sepolicy/system/public/iorap_inode2filename.te
deleted file mode 100644
index 6f119ee..0000000
--- a/microdroid/sepolicy/system/public/iorap_inode2filename.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# iorap.inode2filename -> look up file paths from an inode
-type iorap_inode2filename, domain;
-type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
-type iorap_inode2filename_tmpfs, file_type;
-
-r_dir_file(iorap_inode2filename, rootfs)
-
-# Allow usage of pipes (child stdout -> parent pipe).
-allow iorap_inode2filename iorapd:fd use;
-allow iorap_inode2filename iorapd:fifo_file { read write getattr };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_inode2filename self:capability dac_read_search;
-
-typeattribute iorap_inode2filename mlstrustedsubject;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename apex_data_file:dir { getattr open read search };
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
-allow iorap_inode2filename apex_mnt_dir:file { getattr };
-allow iorap_inode2filename apk_data_file:dir { getattr open read search };
-allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
-allow iorap_inode2filename backup_data_file:dir { getattr open read search };
-allow iorap_inode2filename backup_data_file:file { getattr };
-allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
-allow iorap_inode2filename bootchart_data_file:file { getattr };
-allow iorap_inode2filename metadata_file:dir { getattr open read search search };
-allow iorap_inode2filename metadata_file:file { getattr };
-allow iorap_inode2filename packages_list_file:dir { getattr open read search };
-allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename property_data_file:dir { getattr open read search };
-allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
-allow iorap_inode2filename resourcecache_data_file:file { getattr };
-allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:file { getattr };
-allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
-allow iorap_inode2filename same_process_hal_file:file { getattr };
-allow iorap_inode2filename sepolicy_file:file { getattr };
-allow iorap_inode2filename staging_data_file:dir { getattr open read search };
-allow iorap_inode2filename staging_data_file:file { getattr };
-allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
-allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_data_file:file { getattr };
-allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
-allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:file { getattr };
-allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:file { getattr };
-allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
-allow iorap_inode2filename unlabeled:file { getattr };
-allow iorap_inode2filename vendor_file:dir { getattr open read search };
-allow iorap_inode2filename vendor_file:file { getattr };
-allow iorap_inode2filename vendor_overlay_file:file { getattr };
-allow iorap_inode2filename zygote_exec:file { getattr };
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
-neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/iorap_prefetcherd.te b/microdroid/sepolicy/system/public/iorap_prefetcherd.te
deleted file mode 100644
index 4b218fb..0000000
--- a/microdroid/sepolicy/system/public/iorap_prefetcherd.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# volume manager
-type iorap_prefetcherd, domain;
-type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
-type iorap_prefetcherd_tmpfs, file_type;
-
-r_dir_file(iorap_prefetcherd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
-
-# iorap_prefetcherd temporarily changes its priority when running benchmarks
-allow iorap_prefetcherd self:global_capability_class_set sys_nice;
-
-# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
-allow iorap_prefetcherd iorapd:fd use;
-allow iorap_prefetcherd iorapd:fifo_file { read write };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_prefetcherd self:capability dac_read_search;
-
-typeattribute iorap_prefetcherd mlstrustedsubject;
-
-# Grant logcat access
-allow iorap_prefetcherd logcat_exec:file { open read };
-
-# Grant access to open most of the files under /
-allow iorap_prefetcherd apk_data_file:dir { open read search };
-allow iorap_prefetcherd apk_data_file:file { open read };
-allow iorap_prefetcherd app_data_file:dir { open read search };
-allow iorap_prefetcherd app_data_file:file { open read };
-allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
-allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
-allow iorap_prefetcherd packages_list_file:dir { open read search };
-allow iorap_prefetcherd packages_list_file:file { open read };
-allow iorap_prefetcherd privapp_data_file:dir { open read search };
-allow iorap_prefetcherd privapp_data_file:file { open read };
-allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
-allow iorap_prefetcherd same_process_hal_file:file { open read };
-allow iorap_prefetcherd system_data_file:dir { open read search };
-allow iorap_prefetcherd system_data_file:file { open read };
-allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:file { open read };
-allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
-allow iorap_prefetcherd vendor_overlay_file:file { open read };
-# Note: Do not add any /vendor labels because they can be customized
-# by the vendor and we won't know about them beforehand.
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
-neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/iorapd.te b/microdroid/sepolicy/system/public/iorapd.te
deleted file mode 100644
index b772af8..0000000
--- a/microdroid/sepolicy/system/public/iorapd.te
+++ /dev/null
@@ -1,98 +0,0 @@
-# volume manager
-type iorapd, domain;
-type iorapd_exec, exec_type, file_type, system_file_type;
-type iorapd_tmpfs, file_type;
-
-r_dir_file(iorapd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorapd proc_drop_caches:file rw_file_perms;
-
-# Give iorapd a place where only iorapd can store files; everyone else is off limits
-allow iorapd iorapd_data_file:dir create_dir_perms;
-allow iorapd iorapd_data_file:file create_file_perms;
-
-# Allow iorapd to publish a binder service and make binder calls.
-binder_use(iorapd)
-add_service(iorapd, iorapd_service)
-
-# Allow iorapd to call into the system server so it can check permissions.
-binder_call(iorapd, system_server)
-allow iorapd permission_service:service_manager find;
-# IUserManager
-allow iorapd user_service:service_manager find;
-# IPackageManagerNative
-allow iorapd package_native_service:service_manager find;
-# Allow dumpstate (bugreport) to call into iorapd.
-allow iorapd dumpstate:fd use;
-allow iorapd dumpstate:fifo_file write;
-
-# talk to batteryservice
-binder_call(iorapd, healthd)
-
-# TODO: does each of the service_manager allow finds above need the binder_call?
-
-# iorapd temporarily changes its priority when running benchmarks
-allow iorapd self:global_capability_class_set sys_nice;
-
-# Allow to access Perfetto traced's privileged consumer socket to start/stop
-# tracing sessions and read trace data.
-unix_socket_connect(iorapd, traced_consumer, traced)
-
-# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
-allow iorapd system_file:file rx_file_perms;
-
-# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
-allow iorapd iorap_inode2filename:process signull;
-allow iorapd iorap_prefetcherd:process signull;
-
-# Allowing system_server to check for the existence and size of files under iorapd
-# dir without collecting any sensitive app data.
-# This is used to predict if iorapd is doing prefetching or not.
-allow system_server iorapd_data_file:dir { getattr open read search };
-allow system_server iorapd_data_file:file getattr;
-
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -iorapd
-} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
- domain
- -init
- -iorapd
- -system_server
-} iorapd_data_file:dir *;
-
-neverallow {
- domain
- -kernel
- -iorapd
-} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -kernel
- -vendor_init
- -iorapd
- -system_server
-} { iorapd_data_file }:notdevfile_class_set *;
-
-# Only system_server and shell (for dumpsys) can interact with iorapd over binder
-neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
-neverallow iorapd {
- domain
- -healthd
- -servicemanager
- -system_server
- userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/microdroid/sepolicy/system/public/isolated_app.te b/microdroid/sepolicy/system/public/isolated_app.te
deleted file mode 100644
index a907dac..0000000
--- a/microdroid/sepolicy/system/public/isolated_app.te
+++ /dev/null
@@ -1,9 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-type isolated_app, domain;
diff --git a/microdroid/sepolicy/system/public/kernel.te b/microdroid/sepolicy/system/public/kernel.te
index 9aa40cc..c117a1a 100644
--- a/microdroid/sepolicy/system/public/kernel.te
+++ b/microdroid/sepolicy/system/public/kernel.te
@@ -1,141 +1,2 @@
# Life begins with the kernel.
type kernel, domain, mlstrustedsubject;
-
-allow kernel self:global_capability_class_set sys_nice;
-
-# Root fs.
-r_dir_file(kernel, rootfs)
-
-# Used to read androidboot.selinux property
-allow kernel {
- proc_bootconfig
- proc_cmdline
-}:file r_file_perms;
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Get file contexts during first stage
-allow kernel file_contexts_file:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Mount usbfs.
-allow kernel usbfs:filesystem mount;
-allow kernel usbfs:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:global_capability_class_set sys_resource;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:global_capability_class_set sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/kmsg which was created prior to loading policy.
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel sdcard_type:file { read write };
-
-# f_mtp driver accesses files from kernel context.
-allow kernel mediaprovider:fd use;
-
-# Allow the kernel to read OBB files from app directories. (b/17428116)
-# Kernel thread "loop0" reads a vold supplied file descriptor.
-# Fixes CTS tests:
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
-allow kernel vold:fd use;
-allow kernel { app_data_file privapp_data_file }:file read;
-allow kernel asec_image_file:file read;
-
-# Allow mounting loop device in update_engine_unittests. (b/28319454)
-# and for LTP kernel tests (b/73220071)
-userdebug_or_eng(`
- allow kernel update_engine_data_file:file { read write };
- allow kernel nativetest_data_file:file { read write };
-')
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow kernel media_rw_data_file:dir create_dir_perms;
-allow kernel media_rw_data_file:file create_file_perms;
-
-# Access to /data/misc/vold/virtual_disk.
-allow kernel vold_data_file:file { read write };
-
-# Allow the kernel to read APEX file descriptors and (staged) data files;
-# Needed because APEX uses the loopback driver, which issues requests from
-# a kernel thread in earlier kernel version.
-allow kernel apexd:fd use;
-allow kernel {
- apex_data_file
- staging_data_file
- vendor_apex_file
-}:file read;
-
-# Allow the first-stage init (which is running in the kernel domain) to execute the
-# dynamic linker when it re-executes /init to switch into the second stage.
-# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
-# before the domain is switched to the target domain. So, we need to allow the kernel
-# domain (the source domain) to execute the dynamic linker (system_file type).
-# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
-# kernel older than 4.8.
-allow kernel system_file:file execute;
-# The label for the dynamic linker is rootfs in the recovery partition. This is because
-# the recovery partition which is rootfs does not support xattr and thus labeling can't be
-# done at build-time. All files are by default labeled as rootfs upon booting.
-recovery_only(`
- allow kernel rootfs:file execute;
-')
-
-# required by VTS lidbm unit test
-allow kernel appdomain_tmpfs:file { read write };
-
-###
-### neverallow rules
-###
-
-# The initial task starts in the kernel domain (assigned via
-# initial_sid_contexts), but nothing ever transitions to it.
-neverallow * kernel:process { transition dyntransition };
-
-# The kernel domain is never entered via an exec, nor should it
-# ever execute a program outside the rootfs without changing to another domain.
-# If you encounter an execute_no_trans denial on the kernel domain, then
-# possible causes include:
-# - The program is a kernel usermodehelper. In this case, define a domain
-# for the program and domain_auto_trans() to it.
-# - You are running an exploit which switched to the init task credentials
-# and is then trying to exec a shell or other program. You lose!
-neverallow kernel *:file { entrypoint execute_no_trans };
-
-# the kernel should not be accessing files owned by other users.
-# Instead of adding dac_{read_search,override}, fix the unix permissions
-# on files being accessed.
-neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
-
-# Nobody should be ptracing kernel threads
-neverallow * kernel:process ptrace;
diff --git a/microdroid/sepolicy/system/public/keystore.te b/microdroid/sepolicy/system/public/keystore.te
index 43ee28d..295d3d9 100644
--- a/microdroid/sepolicy/system/public/keystore.te
+++ b/microdroid/sepolicy/system/public/keystore.te
@@ -1,12 +1,10 @@
-type keystore, domain, keystore2_key_type;
-type keystore_exec, system_file_type, exec_type, file_type;
+type keystore, domain;
+type keystore_exec, file_type, exec_type, system_file_type;
# keystore daemon
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
-binder_call(keystore, system_server)
-binder_call(keystore, wificond)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
@@ -14,12 +12,11 @@
add_service(keystore, keystore_service)
add_service(keystore, remoteprovisioning_service)
-allow keystore sec_key_att_app_id_provider_service:service_manager find;
-allow keystore dropbox_service:service_manager find;
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
@@ -27,18 +24,3 @@
r_dir_file(keystore, cgroup)
r_dir_file(keystore, cgroup_v2)
-
-###
-### Neverallow rules
-###
-### Protect ourself from others
-###
-
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-
-# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
-neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
diff --git a/microdroid/sepolicy/system/public/keystore_keys.te b/microdroid/sepolicy/system/public/keystore_keys.te
deleted file mode 100644
index 3c35984..0000000
--- a/microdroid/sepolicy/system/public/keystore_keys.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# A keystore2 namespace for WI-FI.
-type wifi_key, keystore2_key_type;
diff --git a/microdroid/sepolicy/system/public/llkd.te b/microdroid/sepolicy/system/public/llkd.te
deleted file mode 100644
index 1faa429..0000000
--- a/microdroid/sepolicy/system/public/llkd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# llkd Live LocK Daemon
-type llkd, domain, mlstrustedsubject;
-type llkd_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/lmkd.te b/microdroid/sepolicy/system/public/lmkd.te
deleted file mode 100644
index de6052d..0000000
--- a/microdroid/sepolicy/system/public/lmkd.te
+++ /dev/null
@@ -1,72 +0,0 @@
-# lmkd low memory killer daemon
-type lmkd, domain, mlstrustedsubject;
-type lmkd_exec, system_file_type, exec_type, file_type;
-
-allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
-
-# lmkd locks itself in memory, to prevent it from being
-# swapped out and unable to kill other memory hogs.
-# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
-# b/16236289
-allow lmkd self:global_capability_class_set ipc_lock;
-
-## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
-## TODO: maybe scope this down?
-r_dir_file(lmkd, domain)
-allow lmkd domain:file write;
-
-## Writes to /sys/module/lowmemorykiller/parameters/minfree
-r_dir_file(lmkd, sysfs_lowmemorykiller)
-allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-
-# setsched and send kill signals to any registered process
-allow lmkd domain:process { setsched sigkill };
-# TODO: delete this line b/131761776
-allow lmkd kernel:process { setsched };
-
-# Clean up old cgroups
-allow lmkd cgroup:dir { remove_name rmdir };
-allow lmkd cgroup_v2:dir { remove_name rmdir };
-
-# Allow to read memcg stats
-allow lmkd cgroup:file r_file_perms;
-allow lmkd cgroup_v2:file r_file_perms;
-
-# Set self to SCHED_FIFO
-allow lmkd self:global_capability_class_set sys_nice;
-
-allow lmkd proc_zoneinfo:file r_file_perms;
-allow lmkd proc_vmstat:file r_file_perms;
-
-# live lock watchdog process allowed to look through /proc/
-allow lmkd domain:dir { search open read };
-allow lmkd domain:file { open read };
-
-# live lock watchdog process allowed to dump process trace and
-# reboot because orderly shutdown may not be possible.
-allow lmkd proc_sysrq:file rw_file_perms;
-
-# Read /proc/lowmemorykiller
-allow lmkd proc_lowmemorykiller:file r_file_perms;
-
-# Read /proc/meminfo
-allow lmkd proc_meminfo:file r_file_perms;
-
-# Read /proc/pressure/cpu and /proc/pressure/io
-allow lmkd proc_pressure_cpu:file r_file_perms;
-allow lmkd proc_pressure_io:file r_file_perms;
-
-# Read/Write /proc/pressure/memory
-allow lmkd proc_pressure_mem:file rw_file_perms;
-
-# Allow lmkd to connect during reinit.
-allow lmkd lmkd_socket:sock_file write;
-
-# Allow lmkd to write to statsd.
-unix_socket_send(lmkd, statsdw, statsd)
-
-### neverallow rules
-
-# never honor LD_PRELOAD
-neverallow * lmkd:process noatsecure;
-neverallow lmkd self:global_capability_class_set sys_ptrace;
diff --git a/microdroid/sepolicy/system/public/logcat.te b/microdroid/sepolicy/system/public/logcat.te
new file mode 100644
index 0000000..902fd8a
--- /dev/null
+++ b/microdroid/sepolicy/system/public/logcat.te
@@ -0,0 +1,2 @@
+type logcat;
+type logcat_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/logd.te b/microdroid/sepolicy/system/public/logd.te
index 8187179..67f601c 100644
--- a/microdroid/sepolicy/system/public/logd.te
+++ b/microdroid/sepolicy/system/public/logd.te
@@ -1,74 +1,2 @@
-# android user-space log manager
-type logd, domain, mlstrustedsubject;
-type logd_exec, system_file_type, exec_type, file_type;
-
-# Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
-r_dir_file(logd, proc_kmsg)
-r_dir_file(logd, proc_meminfo)
-
-allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
-allow logd self:global_capability2_class_set syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file { getattr w_file_perms };
-allow logd system_data_file:{ file lnk_file } r_file_perms;
-allow logd packages_list_file:file r_file_perms;
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-userdebug_or_eng(`
- # Access to /data/misc/logd/event-log-tags
- allow logd misc_logd_file:dir r_dir_perms;
- allow logd misc_logd_file:file rw_file_perms;
-')
-allow logd runtime_event_log_tags_file:file rw_file_perms;
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-allow runtime_event_log_tags_file tmpfs:filesystem associate;
-# Typically harmlessly blindly trying to access via liblog
-# event tag mapping while in the untrusted_app domain.
-# Access for that domain is controlled and gated via the
-# event log tag service (albeit at a performance penalty,
-# expected to be locally cached).
-dontaudit domain runtime_event_log_tags_file:file { map open read };
-
-# Logd sets defaults if certain properties are empty.
-set_prop(logd, logd_prop)
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
-
-# Only init is allowed to enter the logd domain via exec()
-neverallow { domain -init } logd:process transition;
-neverallow * logd:process dyntransition;
-
-# protect the event-log-tags file
-neverallow {
- domain
- -init
- -logd
-} runtime_event_log_tags_file:file no_w_file_perms;
+type logd, domain;
+type logd_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/logpersist.te b/microdroid/sepolicy/system/public/logpersist.te
deleted file mode 100644
index c8e6af4..0000000
--- a/microdroid/sepolicy/system/public/logpersist.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# android debug logging, logpersist domains
-type logpersist, domain;
-
-# logcatd is a shell script that execs logcat with various parameters.
-allow logpersist shell_exec:file rx_file_perms;
-allow logpersist logcat_exec:file rx_file_perms;
-
-###
-### Neverallow rules
-###
-### logpersist should NEVER do any of this
-
-# Block device access.
-neverallow logpersist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logpersist domain:process ptrace;
-
-# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
-
-# Only init should be allowed to enter the logpersist domain via exec()
-# Following is a list of debug domains we know that transition to logpersist
-# neverallow_with_undefined_domains {
-# domain
-# -init # goldfish, logcatd, raft
-# -mmi # bat, mtp8996, msmcobalt
-# -system_app # Smith.apk
-# } logpersist:process transition;
-neverallow * logpersist:process dyntransition;
diff --git a/microdroid/sepolicy/system/public/mdnsd.te b/microdroid/sepolicy/system/public/mdnsd.te
deleted file mode 100644
index ef7b065..0000000
--- a/microdroid/sepolicy/system/public/mdnsd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# mdns daemon
-type mdnsd, domain;
diff --git a/microdroid/sepolicy/system/public/mediadrmserver.te b/microdroid/sepolicy/system/public/mediadrmserver.te
deleted file mode 100644
index a52295e..0000000
--- a/microdroid/sepolicy/system/public/mediadrmserver.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# mediadrmserver - mediadrm daemon
-type mediadrmserver, domain;
-type mediadrmserver_exec, system_file_type, exec_type, file_type;
-
-typeattribute mediadrmserver mlstrustedsubject;
-
-net_domain(mediadrmserver)
-binder_use(mediadrmserver)
-binder_call(mediadrmserver, binderservicedomain)
-binder_call(mediadrmserver, appdomain)
-binder_service(mediadrmserver)
-hal_client_domain(mediadrmserver, hal_drm)
-
-add_service(mediadrmserver, mediadrmserver_service)
-allow mediadrmserver mediaserver_service:service_manager find;
-allow mediadrmserver mediametrics_service:service_manager find;
-allow mediadrmserver processinfo_service:service_manager find;
-allow mediadrmserver surfaceflinger_service:service_manager find;
-allow mediadrmserver system_file:dir r_dir_perms;
-
-# TODO(b/80317992): remove
-binder_call(mediadrmserver, hal_omx_server)
-
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/mediaextractor.te b/microdroid/sepolicy/system/public/mediaextractor.te
deleted file mode 100644
index a29e5dc..0000000
--- a/microdroid/sepolicy/system/public/mediaextractor.te
+++ /dev/null
@@ -1,73 +0,0 @@
-# mediaextractor - multimedia daemon
-type mediaextractor, domain;
-type mediaextractor_exec, system_file_type, exec_type, file_type;
-type mediaextractor_tmpfs, file_type;
-
-typeattribute mediaextractor mlstrustedsubject;
-
-binder_use(mediaextractor)
-binder_call(mediaextractor, binderservicedomain)
-binder_call(mediaextractor, appdomain)
-binder_service(mediaextractor)
-
-add_service(mediaextractor, mediaextractor_service)
-allow mediaextractor mediametrics_service:service_manager find;
-allow mediaextractor hidl_token_hwservice:hwservice_manager find;
-
-allow mediaextractor system_server:fd use;
-
-hal_client_domain(mediaextractor, hal_cas)
-hal_client_domain(mediaextractor, hal_allocator)
-
-r_dir_file(mediaextractor, cgroup)
-r_dir_file(mediaextractor, cgroup_v2)
-allow mediaextractor proc_meminfo:file r_file_perms;
-
-crash_dump_fallback(mediaextractor)
-
-# allow mediaextractor read permissions for file sources
-allow mediaextractor sdcard_type:file { getattr read };
-allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
-
-# Read resources from open apk files passed over Binder
-allow mediaextractor apk_data_file:file { read getattr };
-allow mediaextractor asec_apk_file:file { read getattr };
-allow mediaextractor ringtone_file:file { read getattr };
-
-# overlay package access
-allow mediaextractor vendor_overlay_file:file { read map };
-
-# scan extractor library directory to dynamically load extractors
-allow mediaextractor system_file:dir { read open };
-
-###
-### neverallow rules
-###
-
-# mediaextractor should never execute any executable without a
-# domain transition
-neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
-neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# mediaextractor should not be opening /data files directly. Any files
-# it touches (with a few exceptions) need to be passed to it via a file
-# descriptor opened outside the process.
-neverallow mediaextractor {
- data_file_type
- -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
- userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
- with_native_coverage(`-method_trace_data_file')
-}:file open;
diff --git a/microdroid/sepolicy/system/public/mediametrics.te b/microdroid/sepolicy/system/public/mediametrics.te
deleted file mode 100644
index 76f819e..0000000
--- a/microdroid/sepolicy/system/public/mediametrics.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# mediametrics - daemon for collecting media.metrics data
-type mediametrics, domain;
-type mediametrics_exec, system_file_type, exec_type, file_type;
-
-
-binder_use(mediametrics)
-binder_call(mediametrics, binderservicedomain)
-binder_service(mediametrics)
-
-add_service(mediametrics, mediametrics_service)
-
-allow mediametrics system_server:fd use;
-
-r_dir_file(mediametrics, cgroup)
-r_dir_file(mediametrics, cgroup_v2)
-allow mediametrics proc_meminfo:file r_file_perms;
-
-# allows interactions with dumpsys to GMScore
-allow mediametrics { app_data_file privapp_data_file }:file write;
-
-# allow access to package manager for uid->apk mapping
-allow mediametrics package_native_service:service_manager find;
-
-# Allow metrics service to send information to statsd socket.
-unix_socket_send(mediametrics, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# mediametrics should never execute any executable without a
-# domain transition
-neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ udp_socket rawip_socket } *;
-neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/microdroid/sepolicy/system/public/mediaprovider.te b/microdroid/sepolicy/system/public/mediaprovider.te
deleted file mode 100644
index 24170a5..0000000
--- a/microdroid/sepolicy/system/public/mediaprovider.te
+++ /dev/null
@@ -1,6 +0,0 @@
-###
-### A domain for android.process.media, which contains both
-### MediaProvider and DownloadProvider and associated services.
-###
-
-type mediaprovider, domain;
diff --git a/microdroid/sepolicy/system/public/mediaserver.te b/microdroid/sepolicy/system/public/mediaserver.te
deleted file mode 100644
index ad460e1..0000000
--- a/microdroid/sepolicy/system/public/mediaserver.te
+++ /dev/null
@@ -1,149 +0,0 @@
-# mediaserver - multimedia daemon
-type mediaserver, domain;
-type mediaserver_exec, system_file_type, exec_type, file_type;
-type mediaserver_tmpfs, file_type;
-
-typeattribute mediaserver mlstrustedsubject;
-
-net_domain(mediaserver)
-
-r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaserver, cgroup)
-r_dir_file(mediaserver, cgroup_v2)
-
-# stat /proc/self
-allow mediaserver proc:lnk_file getattr;
-
-# open /vendor/lib/mediadrm
-allow mediaserver system_file:dir r_dir_perms;
-
-userdebug_or_eng(`
- # ptrace to processes in the same domain for memory leak detection
- allow mediaserver self:process ptrace;
-')
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver media_data_file:dir create_dir_perms;
-allow mediaserver media_data_file:file create_file_perms;
-allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
-allow mediaserver sdcard_type:file write;
-allow mediaserver gpu_device:chr_file rw_file_perms;
-allow mediaserver video_device:dir r_dir_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow mediaserver apk_data_file:file { read getattr };
-allow mediaserver asec_apk_file:file { read getattr };
-allow mediaserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow mediaserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
-
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system_server:fifo_file r_file_perms;
-
-r_dir_file(mediaserver, media_rw_data_file)
-
-# Grant access to read files on appfuse.
-allow mediaserver app_fuse_file:file { read getattr };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(mediaserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(mediaserver, bluetooth, bluetooth)
-
-add_service(mediaserver, mediaserver_service)
-allow mediaserver activity_service:service_manager find;
-allow mediaserver appops_service:service_manager find;
-allow mediaserver audio_service:service_manager find;
-allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraserver_service:service_manager find;
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver drmserver_service:service_manager find;
-allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediametrics_service:service_manager find;
-allow mediaserver media_session_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver permission_checker_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver processinfo_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-allow mediaserver surfaceflinger_service:service_manager find;
-
-# for ModDrm/MediaPlayer
-allow mediaserver mediadrmserver_service:service_manager find;
-
-# For hybrid interfaces
-allow mediaserver hidl_token_hwservice:hwservice_manager find;
-
-# /oem access
-allow mediaserver oemfs:dir search;
-allow mediaserver oemfs:file r_file_perms;
-
-# /vendor apk access
-allow mediaserver vendor_app_file:file { read map getattr };
-
-use_drmservice(mediaserver)
-allow mediaserver drmserver:drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow mediaserver media_rw_data_file:dir create_dir_perms;
-allow mediaserver media_rw_data_file:file create_file_perms;
-
-# Access to media in /data/preloads
-allow mediaserver preloads_media_file:file { getattr read ioctl };
-
-allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow mediaserver hal_graphics_allocator:fd use;
-allow mediaserver hal_graphics_composer:fd use;
-allow mediaserver hal_camera:fd use;
-
-allow mediaserver system_server:fd use;
-
-# b/120491318 allow mediaserver to access void:fd
-allow mediaserver vold:fd use;
-
-# overlay package access
-allow mediaserver vendor_overlay_file:file { read getattr map };
-
-hal_client_domain(mediaserver, hal_allocator)
-
-###
-### neverallow rules
-###
-
-# mediaserver should never execute any executable without a
-# domain transition
-neverallow mediaserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/mediaswcodec.te b/microdroid/sepolicy/system/public/mediaswcodec.te
deleted file mode 100644
index 5726842..0000000
--- a/microdroid/sepolicy/system/public/mediaswcodec.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type mediaswcodec, domain;
-type mediaswcodec_exec, system_file_type, exec_type, file_type;
-
-hal_server_domain(mediaswcodec, hal_codec2)
-
-# mediaswcodec may use an input surface from a different Codec2 service or an
-# OMX service
-hal_client_domain(mediaswcodec, hal_codec2)
-hal_client_domain(mediaswcodec, hal_omx)
-
-hal_client_domain(mediaswcodec, hal_allocator)
-hal_client_domain(mediaswcodec, hal_graphics_allocator)
-
-crash_dump_fallback(mediaswcodec)
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
-
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
-
-allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/modprobe.te b/microdroid/sepolicy/system/public/modprobe.te
deleted file mode 100644
index 2c7d64b..0000000
--- a/microdroid/sepolicy/system/public/modprobe.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type modprobe, domain;
-
-allow modprobe proc_modules:file r_file_perms;
-allow modprobe proc_cmdline:file r_file_perms;
-allow modprobe self:global_capability_class_set sys_module;
-allow modprobe kernel:key search;
-recovery_only(`
- allow modprobe rootfs:system module_load;
- allow modprobe rootfs:file r_file_perms;
-')
diff --git a/microdroid/sepolicy/system/public/mtp.te b/microdroid/sepolicy/system/public/mtp.te
deleted file mode 100644
index add63c0..0000000
--- a/microdroid/sepolicy/system/public/mtp.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# vpn tunneling protocol manager
-type mtp, domain;
-type mtp_exec, system_file_type, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
-allow mtp self:global_capability_class_set net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/microdroid/sepolicy/system/public/net.te b/microdroid/sepolicy/system/public/net.te
deleted file mode 100644
index e90715e..0000000
--- a/microdroid/sepolicy/system/public/net.te
+++ /dev/null
@@ -1,39 +0,0 @@
-## Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
-
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
-# to avoid app-compat breakage.
-allow {
- netdomain
- -ephemeral_app
- -mediaprovider
- -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/microdroid/sepolicy/system/public/netd.te b/microdroid/sepolicy/system/public/netd.te
deleted file mode 100644
index ff0bff6..0000000
--- a/microdroid/sepolicy/system/public/netd.te
+++ /dev/null
@@ -1,176 +0,0 @@
-# network manager
-type netd, domain, mlstrustedsubject;
-type netd_exec, system_file_type, exec_type, file_type;
-
-net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
-allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(netd, cgroup)
-
-allow netd system_server:fd use;
-
-allow netd self:global_capability_class_set { net_admin net_raw kill };
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set. We do not appear to truly need this capability
-# for netd to operate.
-dontaudit netd self:global_capability_class_set fsetid;
-
-# Allow netd to open /dev/tun, set it up and pass it to clatd
-allow netd tun_device:chr_file rw_file_perms;
-allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-allow netd self:tun_socket create;
-
-allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-not_full_treble(`allow netd vendor_file:file x_file_perms;')
-allow netd devpts:chr_file rw_file_perms;
-
-# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
-# exist, suppress the denial.
-allow netd system_file:file lock;
-dontaudit netd system_file:dir write;
-
-# Allow netd to write to qtaguid ctrl file.
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file
-# after migration complete
-allow netd proc_qtaguid_ctrl:file rw_file_perms;
-# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
-allow netd qtaguid_device:chr_file r_file_perms;
-
-r_dir_file(netd, proc_net_type)
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net_type:file rw_file_perms;
-
-# Enables PppController and interface enumeration (among others)
-allow netd sysfs:dir r_dir_perms;
-r_dir_file(netd, sysfs_net)
-
-# Allows setting interface MTU
-allow netd sysfs_net:file w_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow netd sysfs_usb:file write;
-
-r_dir_file(netd, cgroup_v2)
-
-allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write };
-
-# TODO: netd previously thought it needed these permissions to do WiFi related
-# work. However, after all the WiFi stuff is gone, we still need them.
-# Why?
-allow netd self:global_capability_class_set { dac_override dac_read_search chown };
-
-# Needed to update /data/misc/net/rt_tables
-allow netd net_data_file:file create_file_perms;
-allow netd net_data_file:dir rw_dir_perms;
-allow netd self:global_capability_class_set fowner;
-
-# Needed to lock the iptables lock.
-allow netd system_file:file lock;
-
-# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
-
-# Allow netd to publish a binder service and make binder calls.
-binder_use(netd)
-add_service(netd, netd_service)
-add_service(netd, dnsresolver_service)
-allow netd dumpstate:fifo_file { getattr write };
-
-# Allow netd to call into the system server so it can check permissions.
-allow netd system_server:binder call;
-allow netd permission_service:service_manager find;
-
-# Allow netd to talk to the framework service which collects netd events.
-allow netd netd_listener_service:service_manager find;
-
-# Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{
- icmp_socket
- tcp_socket
- udp_socket
- rawip_socket
- tun_socket
-} { read write getattr setattr getopt setopt };
-allow netd netdomain:fd use;
-
-# give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-
-# Allow netd to register as hal server.
-add_hwservice(netd, system_net_netd_hwservice)
-hwbinder_use(netd)
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
-
-# only system_server, dumpstate and network stack app may find netd service
-neverallow {
- domain
- -system_server
- -dumpstate
- -network_stack
- -netd
- -netutils_wrapper
-} netd_service:service_manager find;
-
-# only system_server, dumpstate and network stack app may find dnsresolver service
-neverallow {
- domain
- -system_server
- -dumpstate
- -network_stack
- -netd
- -netutils_wrapper
-} dnsresolver_service:service_manager find;
-
-# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
-
-# If an already existing file is opened with O_CREATE, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-neverallow netd proc_net:dir no_w_dir_perms;
-dontaudit netd proc_net:dir write;
-
-neverallow netd sysfs_net:dir no_w_dir_perms;
-dontaudit netd sysfs_net:dir write;
-
-# Netd should not have SYS_ADMIN privs.
-neverallow netd self:capability sys_admin;
-dontaudit netd self:capability sys_admin;
-
-# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
-# (things it requires should be built directly into the kernel)
-dontaudit netd self:capability sys_module;
-
-dontaudit netd kernel:system module_request;
-
-dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/microdroid/sepolicy/system/public/netutils_wrapper.te b/microdroid/sepolicy/system/public/netutils_wrapper.te
deleted file mode 100644
index 27aa749..0000000
--- a/microdroid/sepolicy/system/public/netutils_wrapper.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type netutils_wrapper, domain;
-type netutils_wrapper_exec, system_file_type, exec_type, file_type;
-
-neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/microdroid/sepolicy/system/public/network_stack.te b/microdroid/sepolicy/system/public/network_stack.te
deleted file mode 100644
index feff664..0000000
--- a/microdroid/sepolicy/system/public/network_stack.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Network stack service app
-type network_stack, domain;
diff --git a/microdroid/sepolicy/system/public/nfc.te b/microdroid/sepolicy/system/public/nfc.te
deleted file mode 100644
index e3a03e7..0000000
--- a/microdroid/sepolicy/system/public/nfc.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# nfc subsystem
-type nfc, domain;
diff --git a/microdroid/sepolicy/system/public/otapreopt_chroot.te b/microdroid/sepolicy/system/public/otapreopt_chroot.te
deleted file mode 100644
index db8dd1a..0000000
--- a/microdroid/sepolicy/system/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# otapreopt_chroot seclabel
-
-# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
-type otapreopt_chroot, domain;
diff --git a/microdroid/sepolicy/system/public/perfetto.te b/microdroid/sepolicy/system/public/perfetto.te
deleted file mode 100644
index cec0e6f..0000000
--- a/microdroid/sepolicy/system/public/perfetto.te
+++ /dev/null
@@ -1 +0,0 @@
-type perfetto, domain, coredomain;
diff --git a/microdroid/sepolicy/system/public/performanced.te b/microdroid/sepolicy/system/public/performanced.te
deleted file mode 100644
index d694fda..0000000
--- a/microdroid/sepolicy/system/public/performanced.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# performanced
-type performanced, domain, mlstrustedsubject;
-type performanced_exec, system_file_type, exec_type, file_type;
-
-# Needed to check for app permissions.
-binder_use(performanced)
-binder_call(performanced, system_server)
-allow performanced permission_service:service_manager find;
-
-pdx_server(performanced, performance_client)
-
-# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:global_capability_class_set { setuid setgid sys_nice };
-
-# Access /proc to validate we're only affecting threads in the same thread group.
-# Performanced also shields unbound kernel threads. It scans every task in the
-# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
-dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
-
-# These /proc accesses only show up in permissive mode but they
-# generate a lot of noise in the log.
-userdebug_or_eng(`
- dontaudit performanced domain:dir open;
- dontaudit performanced domain:file { open read getattr };
-')
-
-# Access /dev/cpuset/cpuset.cpus
-r_dir_file(performanced, cgroup)
-r_dir_file(performanced, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/platform_app.te b/microdroid/sepolicy/system/public/platform_app.te
deleted file mode 100644
index 9b1faf0..0000000
--- a/microdroid/sepolicy/system/public/platform_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-type platform_app, domain;
diff --git a/microdroid/sepolicy/system/public/postinstall.te b/microdroid/sepolicy/system/public/postinstall.te
deleted file mode 100644
index bcea2dc..0000000
--- a/microdroid/sepolicy/system/public/postinstall.te
+++ /dev/null
@@ -1,45 +0,0 @@
-# Domain where the postinstall program runs during the update.
-# Extend the permissions in this domain to allow this program to access other
-# files needed by the specific device on your device's sepolicy directory.
-type postinstall, domain;
-
-# Allow postinstall to write to its stdout/stderr when redirected via pipes to
-# update_engine.
-allow postinstall update_engine_common:fd use;
-allow postinstall update_engine_common:fifo_file rw_file_perms;
-
-# Allow postinstall to read and execute directories and files in the same
-# mounted location.
-allow postinstall postinstall_file:file rx_file_perms;
-allow postinstall postinstall_file:lnk_file r_file_perms;
-allow postinstall postinstall_file:dir r_dir_perms;
-
-# Allow postinstall to execute the shell or other system executables.
-allow postinstall shell_exec:file rx_file_perms;
-allow postinstall system_file:file rx_file_perms;
-allow postinstall toolbox_exec:file rx_file_perms;
-
-# Allow postinstall to execute shell in recovery.
-recovery_only(`
- allow postinstall rootfs:file rx_file_perms;
-')
-
-#
-# For OTA dexopt.
-#
-
-# Allow postinstall scripts to talk to the system server.
-binder_use(postinstall)
-binder_call(postinstall, system_server)
-
-# Need to talk to the otadexopt service.
-allow postinstall otadexopt_service:service_manager find;
-
-# Allow postinstall scripts to trigger f2fs garbage collection
-allow postinstall sysfs_fs_f2fs:file rw_file_perms;
-allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
-
-# No domain other than update_engine and recovery (via update_engine_sideload)
-# should transition to postinstall, as it is only meant to run during the
-# update.
-neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/microdroid/sepolicy/system/public/ppp.te b/microdroid/sepolicy/system/public/ppp.te
deleted file mode 100644
index b736def..0000000
--- a/microdroid/sepolicy/system/public/ppp.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# Point to Point Protocol daemon
-type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, system_file_type, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net_type)
-
-allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:global_capability_class_set net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/microdroid/sepolicy/system/public/priv_app.te b/microdroid/sepolicy/system/public/priv_app.te
deleted file mode 100644
index 0761fc3..0000000
--- a/microdroid/sepolicy/system/public/priv_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-type priv_app, domain;
diff --git a/microdroid/sepolicy/system/public/profman.te b/microdroid/sepolicy/system/public/profman.te
deleted file mode 100644
index c014d79..0000000
--- a/microdroid/sepolicy/system/public/profman.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# profman
-type profman, domain;
-type profman_exec, system_file_type, exec_type, file_type;
-
-allow profman user_profile_data_file:file { getattr read write lock map };
-
-# Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read map };
-allow profman apk_data_file:file { getattr read map };
-allow profman apk_data_file:dir { getattr read search };
-
-allow profman oemfs:file { read map };
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read map };
-allow profman profman_dump_data_file:file { write map };
-
-allow profman installd:fd use;
-
-# Allow profman to analyze profiles for the secondary dex files. These
-# are application dex files reported back to the framework when using
-# BaseDexClassLoader.
-allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
-allow profman { privapp_data_file app_data_file }:dir { getattr read search };
-
-# Allow query ART device config properties
-get_prop(profman, device_config_runtime_native_prop)
-get_prop(profman, device_config_runtime_native_boot_prop)
-
-###
-### neverallow rules
-###
-
-neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/microdroid/sepolicy/system/public/property.te b/microdroid/sepolicy/system/public/property.te
index 57146a4..f5dc758 100644
--- a/microdroid/sepolicy/system/public/property.te
+++ b/microdroid/sepolicy/system/public/property.te
@@ -1,329 +1,40 @@
-# Properties used only in /system
-#
-# DO NOT ADD system_internal_prop here.
-# Instead, add to private/property.te.
-# TODO(b/150331497): move these to private/property.te
-system_internal_prop(apexd_prop)
-system_internal_prop(bootloader_boot_reason_prop)
-system_internal_prop(device_config_activity_manager_native_boot_prop)
-system_internal_prop(device_config_boot_count_prop)
-system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
-system_internal_prop(device_config_netd_native_prop)
-system_internal_prop(device_config_reset_performed_prop)
-system_internal_prop(firstboot_prop)
-
-compatible_property_only(`
- # DO NOT ADD ANY PROPERTIES HERE
- system_internal_prop(boottime_prop)
- system_internal_prop(bpf_progs_loaded_prop)
- system_internal_prop(charger_prop)
- system_internal_prop(cold_boot_done_prop)
- system_internal_prop(ctl_adbd_prop)
- system_internal_prop(ctl_apexd_prop)
- system_internal_prop(ctl_bootanim_prop)
- system_internal_prop(ctl_bugreport_prop)
- system_internal_prop(ctl_console_prop)
- system_internal_prop(ctl_dumpstate_prop)
- system_internal_prop(ctl_fuse_prop)
- system_internal_prop(ctl_gsid_prop)
- system_internal_prop(ctl_interface_restart_prop)
- system_internal_prop(ctl_interface_stop_prop)
- system_internal_prop(ctl_mdnsd_prop)
- system_internal_prop(ctl_restart_prop)
- system_internal_prop(ctl_rildaemon_prop)
- system_internal_prop(ctl_sigstop_prop)
- system_internal_prop(dynamic_system_prop)
- system_internal_prop(heapprofd_enabled_prop)
- system_internal_prop(llkd_prop)
- system_internal_prop(lpdumpd_prop)
- system_internal_prop(mmc_prop)
- system_internal_prop(mock_ota_prop)
- system_internal_prop(net_dns_prop)
- system_internal_prop(overlay_prop)
- system_internal_prop(persistent_properties_ready_prop)
- system_internal_prop(safemode_prop)
- system_internal_prop(system_lmk_prop)
- system_internal_prop(system_trace_prop)
- system_internal_prop(test_boot_reason_prop)
- system_internal_prop(time_prop)
- system_internal_prop(traced_enabled_prop)
- system_internal_prop(traced_lazy_prop)
-')
-
-# Properties which can't be written outside system
-system_restricted_prop(aac_drc_prop)
-system_restricted_prop(arm64_memtag_prop)
-system_restricted_prop(binder_cache_bluetooth_server_prop)
-system_restricted_prop(binder_cache_system_server_prop)
-system_restricted_prop(binder_cache_telephony_server_prop)
-system_restricted_prop(boot_status_prop)
-system_restricted_prop(bootanim_system_prop)
-system_restricted_prop(bootloader_prop)
-system_restricted_prop(boottime_public_prop)
-system_restricted_prop(bq_config_prop)
-system_restricted_prop(build_bootimage_prop)
-system_restricted_prop(build_prop)
-system_restricted_prop(charger_status_prop)
-system_restricted_prop(device_config_runtime_native_boot_prop)
-system_restricted_prop(device_config_runtime_native_prop)
-system_restricted_prop(fingerprint_prop)
-system_restricted_prop(hal_instrumentation_prop)
-system_restricted_prop(init_service_status_prop)
-system_restricted_prop(libc_debug_prop)
-system_restricted_prop(module_sdkextensions_prop)
-system_restricted_prop(nnapi_ext_deny_product_prop)
-system_restricted_prop(power_debug_prop)
-system_restricted_prop(property_service_version_prop)
-system_restricted_prop(provisioned_prop)
-system_restricted_prop(restorecon_prop)
-system_restricted_prop(retaildemo_prop)
-system_restricted_prop(socket_hook_prop)
-system_restricted_prop(sqlite_log_prop)
-system_restricted_prop(surfaceflinger_display_prop)
-system_restricted_prop(system_boot_reason_prop)
-system_restricted_prop(system_jvmti_agent_prop)
-system_restricted_prop(ab_update_gki_prop)
-system_restricted_prop(usb_prop)
-system_restricted_prop(userspace_reboot_exported_prop)
-system_restricted_prop(vold_status_prop)
-system_restricted_prop(vts_status_prop)
-
-compatible_property_only(`
- # DO NOT ADD ANY PROPERTIES HERE
- system_restricted_prop(config_prop)
- system_restricted_prop(cppreopt_prop)
- system_restricted_prop(dalvik_prop)
- system_restricted_prop(debuggerd_prop)
- system_restricted_prop(device_logging_prop)
- system_restricted_prop(dhcp_prop)
- system_restricted_prop(dumpstate_prop)
- system_restricted_prop(exported3_system_prop)
- system_restricted_prop(exported_dumpstate_prop)
- system_restricted_prop(exported_secure_prop)
- system_restricted_prop(heapprofd_prop)
- system_restricted_prop(net_radio_prop)
- system_restricted_prop(pan_result_prop)
- system_restricted_prop(persist_debug_prop)
- system_restricted_prop(shell_prop)
- system_restricted_prop(test_harness_prop)
- system_restricted_prop(theme_prop)
- system_restricted_prop(use_memfd_prop)
- system_restricted_prop(vold_prop)
-')
-
-# Properties which can be written only by vendor_init
-system_vendor_config_prop(apexd_config_prop)
-system_vendor_config_prop(aaudio_config_prop)
-system_vendor_config_prop(apk_verity_prop)
-system_vendor_config_prop(audio_config_prop)
-system_vendor_config_prop(bootanim_config_prop)
-system_vendor_config_prop(build_config_prop)
-system_vendor_config_prop(build_odm_prop)
-system_vendor_config_prop(build_vendor_prop)
-system_vendor_config_prop(camera_calibration_prop)
-system_vendor_config_prop(camera_config_prop)
-system_vendor_config_prop(camerax_extensions_prop)
-system_vendor_config_prop(charger_config_prop)
-system_vendor_config_prop(codec2_config_prop)
-system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
-system_vendor_config_prop(debugfs_restriction_prop)
-system_vendor_config_prop(drm_service_config_prop)
-system_vendor_config_prop(exported_camera_prop)
-system_vendor_config_prop(exported_config_prop)
-system_vendor_config_prop(exported_default_prop)
-system_vendor_config_prop(ffs_config_prop)
-system_vendor_config_prop(framework_watchdog_config_prop)
-system_vendor_config_prop(graphics_config_prop)
-system_vendor_config_prop(hdmi_config_prop)
-system_vendor_config_prop(hw_timeout_multiplier_prop)
-system_vendor_config_prop(incremental_prop)
-system_vendor_config_prop(keyguard_config_prop)
-system_vendor_config_prop(lmkd_config_prop)
-system_vendor_config_prop(media_config_prop)
-system_vendor_config_prop(media_variant_prop)
-system_vendor_config_prop(mediadrm_config_prop)
-system_vendor_config_prop(mm_events_config_prop)
-system_vendor_config_prop(oem_unlock_prop)
-system_vendor_config_prop(packagemanager_config_prop)
-system_vendor_config_prop(recovery_config_prop)
-system_vendor_config_prop(sendbug_config_prop)
-system_vendor_config_prop(soc_prop)
-system_vendor_config_prop(storage_config_prop)
-system_vendor_config_prop(storagemanager_config_prop)
-system_vendor_config_prop(surfaceflinger_prop)
-system_vendor_config_prop(suspend_prop)
-system_vendor_config_prop(systemsound_config_prop)
-system_vendor_config_prop(telephony_config_prop)
-system_vendor_config_prop(tombstone_config_prop)
-system_vendor_config_prop(usb_config_prop)
-system_vendor_config_prop(userspace_reboot_config_prop)
-system_vendor_config_prop(vehicle_hal_prop)
-system_vendor_config_prop(vendor_security_patch_level_prop)
-system_vendor_config_prop(vendor_socket_hook_prop)
-system_vendor_config_prop(virtual_ab_prop)
-system_vendor_config_prop(vndk_prop)
-system_vendor_config_prop(vts_config_prop)
-system_vendor_config_prop(vold_config_prop)
-system_vendor_config_prop(wifi_config_prop)
-system_vendor_config_prop(zram_config_prop)
-system_vendor_config_prop(zygote_config_prop)
-system_vendor_config_prop(dck_prop)
-
-# Properties with no restrictions
-system_public_prop(adbd_config_prop)
-system_public_prop(audio_prop)
-system_public_prop(bluetooth_a2dp_offload_prop)
-system_public_prop(bluetooth_audio_hal_prop)
-system_public_prop(bluetooth_prop)
-system_public_prop(ctl_default_prop)
-system_public_prop(ctl_interface_start_prop)
-system_public_prop(ctl_start_prop)
-system_public_prop(ctl_stop_prop)
-system_public_prop(dalvik_runtime_prop)
-system_public_prop(debug_prop)
-system_public_prop(dumpstate_options_prop)
-system_public_prop(exported_system_prop)
-system_public_prop(exported_bluetooth_prop)
-system_public_prop(exported_overlay_prop)
-system_public_prop(exported_pm_prop)
-system_public_prop(ffs_control_prop)
-system_public_prop(hal_dumpstate_config_prop)
-system_public_prop(sota_prop)
-system_public_prop(hwservicemanager_prop)
-system_public_prop(lmkd_prop)
-system_public_prop(logd_prop)
-system_public_prop(logpersistd_logging_prop)
-system_public_prop(log_prop)
-system_public_prop(log_tag_prop)
-system_public_prop(lowpan_prop)
-system_public_prop(nfc_prop)
-system_public_prop(ota_prop)
-system_public_prop(powerctl_prop)
-system_public_prop(qemu_hw_prop)
-system_public_prop(qemu_sf_lcd_density_prop)
-system_public_prop(radio_control_prop)
-system_public_prop(radio_prop)
-system_public_prop(serialno_prop)
-system_public_prop(surfaceflinger_color_prop)
-system_public_prop(system_prop)
-system_public_prop(telephony_status_prop)
-system_public_prop(usb_control_prop)
-system_public_prop(vold_post_fs_data_prop)
-system_public_prop(wifi_hal_prop)
-system_public_prop(wifi_log_prop)
-system_public_prop(wifi_prop)
-system_public_prop(zram_control_prop)
-
-# Properties which don't have entries on property_contexts
-system_internal_prop(default_prop)
-
-# Properties used in default HAL implementations
-vendor_internal_prop(rebootescrow_hal_prop)
-
-vendor_public_prop(persist_vendor_debug_wifi_prop)
-
-# Properties which are public for devices launching with Android O or earlier
-# This should not be used for any new properties.
-not_compatible_property(`
- # DO NOT ADD ANY PROPERTIES HERE
- system_public_prop(boottime_prop)
- system_public_prop(bpf_progs_loaded_prop)
- system_public_prop(charger_prop)
- system_public_prop(cold_boot_done_prop)
- system_public_prop(ctl_adbd_prop)
- system_public_prop(ctl_apexd_prop)
- system_public_prop(ctl_bootanim_prop)
- system_public_prop(ctl_bugreport_prop)
- system_public_prop(ctl_console_prop)
- system_public_prop(ctl_dumpstate_prop)
- system_public_prop(ctl_fuse_prop)
- system_public_prop(ctl_gsid_prop)
- system_public_prop(ctl_interface_restart_prop)
- system_public_prop(ctl_interface_stop_prop)
- system_public_prop(ctl_mdnsd_prop)
- system_public_prop(ctl_restart_prop)
- system_public_prop(ctl_rildaemon_prop)
- system_public_prop(ctl_sigstop_prop)
- system_public_prop(dynamic_system_prop)
- system_public_prop(heapprofd_enabled_prop)
- system_public_prop(llkd_prop)
- system_public_prop(lpdumpd_prop)
- system_public_prop(mmc_prop)
- system_public_prop(mock_ota_prop)
- system_public_prop(net_dns_prop)
- system_public_prop(overlay_prop)
- system_public_prop(persistent_properties_ready_prop)
- system_public_prop(safemode_prop)
- system_public_prop(system_lmk_prop)
- system_public_prop(system_trace_prop)
- system_public_prop(test_boot_reason_prop)
- system_public_prop(time_prop)
- system_public_prop(traced_enabled_prop)
- system_public_prop(traced_lazy_prop)
-
- system_public_prop(config_prop)
- system_public_prop(cppreopt_prop)
- system_public_prop(dalvik_prop)
- system_public_prop(debuggerd_prop)
- system_public_prop(device_logging_prop)
- system_public_prop(dhcp_prop)
- system_public_prop(dumpstate_prop)
- system_public_prop(exported3_system_prop)
- system_public_prop(exported_dumpstate_prop)
- system_public_prop(exported_secure_prop)
- system_public_prop(heapprofd_prop)
- system_public_prop(net_radio_prop)
- system_public_prop(pan_result_prop)
- system_public_prop(persist_debug_prop)
- system_public_prop(shell_prop)
- system_public_prop(test_harness_prop)
- system_public_prop(theme_prop)
- system_public_prop(use_memfd_prop)
- system_public_prop(vold_prop)
-')
-
-not_compatible_property(`
- vendor_public_prop(vendor_default_prop)
-')
-
-compatible_property_only(`
- vendor_internal_prop(vendor_default_prop)
-')
-
-typeattribute log_prop log_property_type;
-typeattribute log_tag_prop log_property_type;
-typeattribute wifi_log_prop log_property_type;
+type apexd_prop, property_type;
+type bootloader_prop, property_type;
+type boottime_prop, property_type;
+type build_prop, property_type;
+type cold_boot_done_prop, property_type;
+type ctl_adbd_prop, property_type;
+type ctl_apexd_prop, property_type;
+type ctl_console_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
+type ctl_restart_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
+type debug_prop, property_type;
+type default_prop, property_type;
+type exported_default_prop, property_type;
+type fingerprint_prop, property_type;
+type hwservicemanager_prop, property_type;
+type init_perf_lsm_hooks_prop, property_type;
+type init_service_status_private_prop, property_type;
+type init_service_status_prop, property_type;
+type init_svc_debug_prop, property_type;
+type keystore_listen_prop, property_type;
+type logd_prop, property_type;
+type property_service_version_prop, property_type;
+type shell_prop, property_type;
+type usb_control_prop, property_type;
+type vendor_default_prop, property_type;
+type vmsecret_keymint_prop, property_type;
allow property_type tmpfs:filesystem associate;
-# core_property_type should not be used for new properties or
-# device specific properties. Properties with this attribute
-# are readable to everyone, which is overly broad and should
-# be avoided.
-# New properties should have appropriate read / write access
-# control rules written.
+#----------------------------------------
+type adbd_config_prop, property_type;
-typeattribute audio_prop core_property_type;
-typeattribute config_prop core_property_type;
-typeattribute cppreopt_prop core_property_type;
-typeattribute dalvik_prop core_property_type;
-typeattribute debuggerd_prop core_property_type;
-typeattribute debug_prop core_property_type;
-typeattribute dhcp_prop core_property_type;
-typeattribute dumpstate_prop core_property_type;
-typeattribute logd_prop core_property_type;
-typeattribute net_radio_prop core_property_type;
-typeattribute nfc_prop core_property_type;
-typeattribute ota_prop core_property_type;
-typeattribute pan_result_prop core_property_type;
-typeattribute persist_debug_prop core_property_type;
-typeattribute powerctl_prop core_property_type;
-typeattribute radio_prop core_property_type;
-typeattribute restorecon_prop core_property_type;
-typeattribute shell_prop core_property_type;
-typeattribute system_prop core_property_type;
-typeattribute usb_prop core_property_type;
-typeattribute vold_prop core_property_type;
-
+type module_sdkextensions_prop, property_type;
diff --git a/microdroid/sepolicy/system/public/racoon.te b/microdroid/sepolicy/system/public/racoon.te
deleted file mode 100644
index e4b299e..0000000
--- a/microdroid/sepolicy/system/public/racoon.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, system_file_type, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
-allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
-allow racoon kernel:system module_request;
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/microdroid/sepolicy/system/public/radio.te b/microdroid/sepolicy/system/public/radio.te
deleted file mode 100644
index e03b706..0000000
--- a/microdroid/sepolicy/system/public/radio.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# phone subsystem
-type radio, domain, mlstrustedsubject;
-
-net_domain(radio)
-bluetooth_domain(radio)
-binder_service(radio)
-
-# Talks to hal_telephony_server via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-allow radio radio_core_data_file:dir r_dir_perms;
-allow radio radio_core_data_file:file r_file_perms;
-
-allow radio net_data_file:dir search;
-allow radio net_data_file:file r_file_perms;
-
-add_service(radio, radio_service)
-allow radio audioserver_service:service_manager find;
-allow radio cameraserver_service:service_manager find;
-allow radio drmserver_service:service_manager find;
-allow radio mediaserver_service:service_manager find;
-allow radio nfc_service:service_manager find;
-allow radio app_api_service:service_manager find;
-allow radio system_api_service:service_manager find;
-allow radio timedetector_service:service_manager find;
-allow radio timezonedetector_service:service_manager find;
-
-# Perform HwBinder IPC.
-hwbinder_use(radio)
-hal_client_domain(radio, hal_telephony)
-
-# Used by TelephonyManager
-allow radio proc_cmdline:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/recovery.te b/microdroid/sepolicy/system/public/recovery.te
deleted file mode 100644
index 3649888..0000000
--- a/microdroid/sepolicy/system/public/recovery.te
+++ /dev/null
@@ -1,163 +0,0 @@
-# recovery console (used in recovery init.rc for /sbin/recovery)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type recovery, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
- # Allow recovery to perform an update as update_engine would do.
- typeattribute recovery update_engine_common;
- # Recovery can only use HALs in passthrough mode
- passthrough_hal_client_domain(recovery, hal_bootctl)
-
- allow recovery self:global_capability_class_set {
- chown
- dac_override
- dac_read_search
- fowner
- setuid
- setgid
- sys_admin
- sys_tty_config
- };
-
- # Run helpers from / or /system without changing domain.
- r_dir_file(recovery, rootfs)
- allow recovery rootfs:file execute_no_trans;
- allow recovery system_file:file execute_no_trans;
- allow recovery toolbox_exec:file rx_file_perms;
-
- # Mount filesystems.
- allow recovery rootfs:dir mounton;
- allow recovery tmpfs:dir mounton;
- allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
- allow recovery unlabeled:filesystem ~relabelto;
- allow recovery contextmount_type:filesystem relabelto;
-
- # We may be asked to set an SELinux label for a type not known to the
- # currently loaded policy. Allow it.
- allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
-
- # Get file contexts
- allow recovery file_contexts_file:file r_file_perms;
-
- # Write to /proc/sys/vm/drop_caches
- allow recovery proc_drop_caches:file w_file_perms;
-
- # Read /proc/swaps
- allow recovery proc_swaps:file r_file_perms;
-
- # Read kernel config through libvintf for OTA matching
- allow recovery config_gz:file { open read getattr };
-
- # Write to /sys/class/android_usb/android0/enable.
- r_dir_file(recovery, sysfs_android_usb)
- allow recovery sysfs_android_usb:file w_file_perms;
-
- # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
- allow recovery sysfs_devices_system_cpu:file w_file_perms;
-
- allow recovery sysfs_batteryinfo:file r_file_perms;
-
- # Read /sysfs/fs/ext4/features
- r_dir_file(recovery, sysfs_fs_ext4_features)
-
- # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
- # control backlight brightness.
- allow recovery sysfs_leds:dir r_dir_perms;
- allow recovery sysfs_leds:file rw_file_perms;
- allow recovery sysfs_leds:lnk_file read;
-
- allow recovery kernel:system syslog_read;
-
- # Access /dev/usb-ffs/adb/ep0
- allow recovery functionfs:dir search;
- allow recovery functionfs:file rw_file_perms;
- allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
-
- # Access to /sys/fs/selinux/policyvers for compatibility check
- allow recovery selinuxfs:file r_file_perms;
-
- # Required to e.g. wipe userdata/cache.
- allow recovery device:dir r_dir_perms;
- allow recovery block_device:dir r_dir_perms;
- allow recovery dev_type:blk_file rw_file_perms;
- allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
-
- # GUI
- allow recovery graphics_device:chr_file rw_file_perms;
- allow recovery graphics_device:dir r_dir_perms;
- allow recovery input_device:dir r_dir_perms;
- allow recovery input_device:chr_file r_file_perms;
- allow recovery tty_device:chr_file rw_file_perms;
-
- # Create /tmp/recovery.log and execute /tmp/update_binary.
- allow recovery tmpfs:file { create_file_perms x_file_perms };
- allow recovery tmpfs:dir create_dir_perms;
-
- # Manage files on /cache and /cache/recovery
- allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
- allow recovery { cache_file cache_recovery_file }:file create_file_perms;
-
- # Read /sys/class/thermal/*/temp for thermal info.
- r_dir_file(recovery, sysfs_thermal)
-
- # Read files on /oem.
- r_dir_file(recovery, oemfs);
-
- # Use setfscreatecon() to label files for OTA updates.
- allow recovery self:process setfscreate;
-
- # Allow recovery to create a fuse filesystem, and read files from it.
- allow recovery fuse_device:chr_file rw_file_perms;
- allow recovery fuse:dir r_dir_perms;
- allow recovery fuse:file r_file_perms;
-
- wakelock_use(recovery)
-
- # This line seems suspect, as it should not really need to
- # set scheduling parameters for a kernel domain task.
- allow recovery kernel:process setsched;
-
- # These are needed to update dynamic partitions in recovery.
- r_dir_file(recovery, sysfs_dm)
- allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
- # Allow using libfiemap/gsid directly (no binder in recovery).
- allow recovery gsi_metadata_file_type:dir search;
- allow recovery ota_metadata_file:dir rw_dir_perms;
- allow recovery ota_metadata_file:file create_file_perms;
-
- # Allow mounting /metadata for writing update states
- allow recovery metadata_file:dir { getattr mounton };
-')
-
-###
-### neverallow rules
-###
-
-# Recovery should never touch /data.
-#
-# In particular, if /data is encrypted, it is not accessible
-# to recovery anyway.
-#
-# For now, we only enforce write/execute restrictions, as domain.te
-# contains a number of read-only rules that apply to all
-# domains, including recovery.
-#
-# TODO: tighten this up further.
-neverallow recovery {
- data_file_type
- -cache_file
- -cache_recovery_file
- with_native_coverage(`-method_trace_data_file')
-}:file { no_w_file_perms no_x_file_perms };
-neverallow recovery {
- data_file_type
- -cache_file
- -cache_recovery_file
- with_native_coverage(`-method_trace_data_file')
-}:dir no_w_dir_perms;
diff --git a/microdroid/sepolicy/system/public/recovery_persist.te b/microdroid/sepolicy/system/public/recovery_persist.te
deleted file mode 100644
index d4b4562..0000000
--- a/microdroid/sepolicy/system/public/recovery_persist.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# android recovery persistent log manager
-type recovery_persist, domain;
-type recovery_persist_exec, system_file_type, exec_type, file_type;
-
-allow recovery_persist pstorefs:dir search;
-allow recovery_persist pstorefs:file r_file_perms;
-
-allow recovery_persist recovery_data_file:file create_file_perms;
-allow recovery_persist recovery_data_file:dir create_dir_perms;
-
-allow recovery_persist cache_file:dir search;
-allow recovery_persist cache_file:lnk_file read;
-allow recovery_persist cache_recovery_file:dir rw_dir_perms;
-allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
-
-###
-### Neverallow rules
-###
-### recovery_persist should NEVER do any of this
-
-# Block device access.
-neverallow recovery_persist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_persist domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
-
-# Write to files in /data/data
-neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
-
diff --git a/microdroid/sepolicy/system/public/recovery_refresh.te b/microdroid/sepolicy/system/public/recovery_refresh.te
deleted file mode 100644
index d6870dc..0000000
--- a/microdroid/sepolicy/system/public/recovery_refresh.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# android recovery refresh log manager
-type recovery_refresh, domain;
-type recovery_refresh_exec, system_file_type, exec_type, file_type;
-
-allow recovery_refresh pstorefs:dir search;
-allow recovery_refresh pstorefs:file r_file_perms;
-# NB: domain inherits write_logd which hands us write to pmsg_device
-
-###
-### Neverallow rules
-###
-### recovery_refresh should NEVER do any of this
-
-# Block device access.
-neverallow recovery_refresh dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_refresh domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
diff --git a/microdroid/sepolicy/system/public/rs.te b/microdroid/sepolicy/system/public/rs.te
deleted file mode 100644
index 16b6e96..0000000
--- a/microdroid/sepolicy/system/public/rs.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type rs, domain, coredomain;
-type rs_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/rss_hwm_reset.te b/microdroid/sepolicy/system/public/rss_hwm_reset.te
deleted file mode 100644
index 163e1ac..0000000
--- a/microdroid/sepolicy/system/public/rss_hwm_reset.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# rss_hwm_reset resets RSS high-water mark counters for all procesess.
-type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
diff --git a/microdroid/sepolicy/system/public/runas.te b/microdroid/sepolicy/system/public/runas.te
index 356a019..4d8a6b3 100644
--- a/microdroid/sepolicy/system/public/runas.te
+++ b/microdroid/sepolicy/system/public/runas.te
@@ -1,43 +1,2 @@
-type runas, domain, mlstrustedsubject;
-type runas_exec, system_file_type, exec_type, file_type;
-
-allow runas adbd:fd use;
-allow runas adbd:process sigchld;
-allow runas adbd:unix_stream_socket { read write };
-allow runas shell:fd use;
-allow runas shell:fifo_file { read write };
-allow runas shell:unix_stream_socket { read write };
-allow runas devpts:chr_file { read write ioctl };
-allow runas shell_data_file:file { read write };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-allow runas system_data_file:lnk_file getattr;
-allow runas packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow runas system_data_file:lnk_file read;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:global_capability_class_set { setuid setgid };
-
-# run-as switches to the app security context.
-selinux_check_context(runas) # validate context
-allow runas self:process setcurrent;
-allow runas non_system_app_set:process dyntransition; # setcon
-
-# runas/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow runas seapp_contexts_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:global_capability_class_set ~{ setuid setgid };
-neverallow runas self:global_capability2_class_set *;
+type runas, domain, mlstrustedsubject, coredomain;
+type runas_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/runas_app.te b/microdroid/sepolicy/system/public/runas_app.te
deleted file mode 100644
index cdaa799..0000000
--- a/microdroid/sepolicy/system/public/runas_app.te
+++ /dev/null
@@ -1 +0,0 @@
-type runas_app, domain;
diff --git a/microdroid/sepolicy/system/public/scheduler_service_server.te b/microdroid/sepolicy/system/public/scheduler_service_server.te
deleted file mode 100644
index b3cede1..0000000
--- a/microdroid/sepolicy/system/public/scheduler_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
diff --git a/microdroid/sepolicy/system/public/sdcardd.te b/microdroid/sepolicy/system/public/sdcardd.te
deleted file mode 100644
index bb1c919..0000000
--- a/microdroid/sepolicy/system/public/sdcardd.te
+++ /dev/null
@@ -1,46 +0,0 @@
-type sdcardd, domain;
-type sdcardd_exec, system_file_type, exec_type, file_type;
-
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd cgroup_v2:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
-allow sdcardd sdcardfs:filesystem remount;
-allow sdcardd tmpfs:dir r_dir_perms;
-allow sdcardd mnt_media_rw_file:dir r_dir_perms;
-allow sdcardd storage_file:dir search;
-allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
-
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
-
-allow sdcardd media_rw_data_file:dir create_dir_perms;
-allow sdcardd media_rw_data_file:file create_file_perms;
-
-# Read /data/system/packages.list.
-allow sdcardd system_data_file:file r_file_perms;
-allow sdcardd packages_list_file:file r_file_perms;
-
-# Read /data/misc/installd/layout_version
-allow sdcardd install_data_file:file r_file_perms;
-allow sdcardd install_data_file:dir search;
-
-# Allow stdin/out back to vold
-allow sdcardd vold:fd use;
-allow sdcardd vold:fifo_file { read write getattr };
-
-# Allow running on top of expanded storage
-allow sdcardd mnt_expand_file:dir search;
-
-# access /proc/filesystems
-allow sdcardd proc_filesystems:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# The sdcard daemon should no longer be started from init
-neverallow init sdcardd_exec:file execute;
-neverallow init sdcardd:process { transition dyntransition };
diff --git a/microdroid/sepolicy/system/public/secure_element.te b/microdroid/sepolicy/system/public/secure_element.te
deleted file mode 100644
index 4ce6714..0000000
--- a/microdroid/sepolicy/system/public/secure_element.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# secure_element subsystem
-type secure_element, domain;
diff --git a/microdroid/sepolicy/system/public/sensor_service_server.te b/microdroid/sepolicy/system/public/sensor_service_server.te
deleted file mode 100644
index 7c526a5..0000000
--- a/microdroid/sepolicy/system/public/sensor_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(sensor_service_server, fwk_sensor_hwservice)
diff --git a/microdroid/sepolicy/system/public/service.te b/microdroid/sepolicy/system/public/service.te
deleted file mode 100644
index 365515a..0000000
--- a/microdroid/sepolicy/system/public/service.te
+++ /dev/null
@@ -1,278 +0,0 @@
-type aidl_lazy_test_service, service_manager_type;
-type apc_service, service_manager_type;
-type apex_service, service_manager_type;
-type artd_service, service_manager_type;
-type audioserver_service, service_manager_type;
-type authorization_service, service_manager_type;
-type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type bluetooth_service, service_manager_type;
-type cameraserver_service, service_manager_type;
-type default_android_service, service_manager_type;
-type dnsresolver_service, service_manager_type;
-type drmserver_service, service_manager_type;
-type dumpstate_service, service_manager_type;
-type fingerprintd_service, service_manager_type;
-type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type idmap_service, service_manager_type;
-type iorapd_service, service_manager_type;
-type incident_service, service_manager_type;
-type installd_service, service_manager_type;
-type credstore_service, app_api_service, service_manager_type;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_service, service_manager_type;
-type legacykeystore_service, service_manager_type;
-type lpdump_service, service_manager_type;
-type mediaserver_service, service_manager_type;
-type mediametrics_service, service_manager_type;
-type mediaextractor_service, service_manager_type;
-type mediadrmserver_service, service_manager_type;
-type mediatranscoding_service, app_api_service, service_manager_type;
-type netd_service, service_manager_type;
-type nfc_service, service_manager_type;
-type radio_service, service_manager_type;
-type remoteprovisioning_service, service_manager_type;
-type secure_element_service, service_manager_type;
-type service_manager_service, service_manager_type;
-type storaged_service, service_manager_type;
-type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type system_app_service, service_manager_type;
-type system_suspend_control_internal_service, service_manager_type;
-type system_suspend_control_service, service_manager_type;
-type update_engine_service, service_manager_type;
-type update_engine_stable_service, service_manager_type;
-type virtualization_service, service_manager_type;
-type virtual_touchpad_service, service_manager_type;
-type vold_service, service_manager_type;
-type vr_hwc_service, service_manager_type;
-type vrflinger_vsync_service, service_manager_type;
-
-# system_server_services broken down
-type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type adb_service, system_api_service, system_server_service, service_manager_type;
-type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type app_binding_service, system_server_service, service_manager_type;
-type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
-type app_integrity_service, system_api_service, system_server_service, service_manager_type;
-type app_prediction_service, app_api_service, system_server_service, service_manager_type;
-type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type auth_service, app_api_service, system_server_service, service_manager_type;
-type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type battery_service, system_server_service, service_manager_type;
-type binder_calls_stats_service, system_server_service, service_manager_type;
-type blob_store_service, app_api_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
-type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
-type cameraproxy_service, system_server_service, service_manager_type;
-type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, system_server_service, service_manager_type;
-type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
-# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
-type coverage_service, system_server_service, service_manager_type;
-type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
-type dataloader_manager_service, system_server_service, service_manager_type;
-type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_config_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type domain_verification_service, app_api_service, system_server_service, service_manager_type;
-type color_display_service, system_api_service, system_server_service, service_manager_type;
-type external_vibrator_service, system_server_service, service_manager_type;
-type file_integrity_service, app_api_service, system_server_service, service_manager_type;
-type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netd_listener_service, system_server_service, service_manager_type;
-type network_watchlist_service, system_server_service, service_manager_type;
-type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lowpan_service, system_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type biometric_service, app_api_service, system_server_service, service_manager_type;
-type bugreport_service, app_api_service, system_server_service, service_manager_type;
-type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type face_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
-type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hardware_service, system_server_service, service_manager_type;
-type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
-type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type incremental_service, system_server_service, service_manager_type;
-type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type iris_service, app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_time_zone_manager_service, system_server_service, service_manager_type;
-type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type looper_stats_service, system_server_service, service_manager_type;
-type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_score_service, system_api_service, system_server_service, service_manager_type;
-type network_stack_service, system_server_service, service_manager_type;
-type network_time_update_service, system_server_service, service_manager_type;
-type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type oem_lock_service, system_api_service, system_server_service, service_manager_type;
-type otadexopt_service, system_server_service, service_manager_type;
-type overlay_service, system_api_service, system_server_service, service_manager_type;
-type pac_proxy_service, system_server_service, service_manager_type;
-type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type people_service, app_api_service, system_server_service, service_manager_type;
-type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
-type pinner_service, system_server_service, service_manager_type;
-type power_stats_service, app_api_service, system_server_service, service_manager_type;
-type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type processinfo_service, system_server_service, service_manager_type;
-type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
-type recovery_service, system_server_service, service_manager_type;
-type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type role_service, app_api_service, system_server_service, service_manager_type;
-type rollback_service, app_api_service, system_server_service, service_manager_type;
-type runtime_service, system_server_service, service_manager_type;
-type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type search_ui_service, app_api_service, system_server_service, service_manager_type;
-type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, system_server_service, service_manager_type;
-type slice_service, app_api_service, system_server_service, service_manager_type;
-type smartspace_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type system_config_service, system_api_service, system_server_service, service_manager_type;
-type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
-type system_update_service, system_server_service, service_manager_type;
-type soundtrigger_middleware_service, system_server_service, service_manager_type;
-type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type task_service, system_server_service, service_manager_type;
-type testharness_service, system_server_service, service_manager_type;
-type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timedetector_service, app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
-type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, system_server_service, service_manager_type;
-type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type uwb_service, app_api_service, system_server_service, service_manager_type;
-type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vpn_management_service, app_api_service, system_server_service, service_manager_type;
-type vr_manager_service, system_server_service, service_manager_type;
-type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type wifip2p_service, app_api_service, system_server_service, service_manager_type;
-type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wifinl80211_service, service_manager_type;
-type wifiaware_service, app_api_service, system_server_service, service_manager_type;
-type window_service, system_api_service, system_server_service, service_manager_type;
-type inputflinger_service, system_api_service, system_server_service, service_manager_type;
-type wpantund_service, system_api_service, service_manager_type;
-type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type emergency_affordance_service, system_server_service, service_manager_type;
-
-###
-### HAL Services
-###
-
-type hal_audio_service, vendor_service, protected_service, service_manager_type;
-type hal_audiocontrol_service, vendor_service, service_manager_type;
-type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_face_service, vendor_service, protected_service, service_manager_type;
-type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
-type hal_gnss_service, vendor_service, protected_service, service_manager_type;
-type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
-type hal_identity_service, vendor_service, protected_service, service_manager_type;
-type hal_keymint_service, vendor_service, protected_service, service_manager_type;
-type hal_light_service, vendor_service, protected_service, service_manager_type;
-type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
-type hal_neuralnetworks_service, vendor_service, service_manager_type;
-type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
-type hal_power_service, vendor_service, protected_service, service_manager_type;
-type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
-type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
-type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
-type hal_weaver_service, vendor_service, protected_service, service_manager_type;
-
-###
-### Neverallow rules
-###
-
-# servicemanager handles registering or looking up named services.
-# It does not make sense to register or lookup something which is not a service.
-# Trigger a compile error if this occurs.
-neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
diff --git a/microdroid/sepolicy/system/public/servicemanager.te b/microdroid/sepolicy/system/public/servicemanager.te
index 63fc227..41a1096 100644
--- a/microdroid/sepolicy/system/public/servicemanager.te
+++ b/microdroid/sepolicy/system/public/servicemanager.te
@@ -1,32 +1,2 @@
-# servicemanager - the Binder context manager
-type servicemanager, domain, mlstrustedsubject;
-type servicemanager_exec, system_file_type, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains. It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
- domain
- -init
- -vendor_init
- -hwservicemanager
- -vndservicemanager
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
-
-# nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
-
-add_service(servicemanager, service_manager_service)
-allow servicemanager dumpstate:fd use;
-allow servicemanager dumpstate:fifo_file write;
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
+type servicemanager, domain;
+type servicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/sgdisk.te b/microdroid/sepolicy/system/public/sgdisk.te
deleted file mode 100644
index e5a9152..0000000
--- a/microdroid/sepolicy/system/public/sgdisk.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# sgdisk called from vold
-type sgdisk, domain;
-type sgdisk_exec, system_file_type, exec_type, file_type;
-
-# Allowed to read/write low-level partition tables
-allow sgdisk block_device:dir search;
-allow sgdisk vold_device:blk_file rw_file_perms;
-# HDIO_GETGEO needed to get the number of disk heads
-# on vold_device. How quaint.
-allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
-# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
-# is granted to all block device users in domain.te, so
-# no need to mention it here. sgdisk should not be
-# using the BLKGETSIZE ioctl as it is useless for devices over
-# 2T in size, but we allow it for now and hope that sgdisk
-# will fix their bug.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
-# Force a re-read of the partition table.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
-# Allow reading of the physical block size.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
-
-# Inherit and use pty created by android_fork_execvp()
-allow sgdisk devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow sgdisk vold:fd use;
-allow sgdisk vold:fifo_file { read write getattr };
-
-# Used to probe kernel to reload partition tables
-allow sgdisk self:global_capability_class_set sys_admin;
-
-# Only allow entry from vold
-neverallow { domain -vold } sgdisk:process transition;
-neverallow * sgdisk:process dyntransition;
-neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/public/shared_relro.te b/microdroid/sepolicy/system/public/shared_relro.te
deleted file mode 100644
index 6dd5bd7..0000000
--- a/microdroid/sepolicy/system/public/shared_relro.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain;
diff --git a/microdroid/sepolicy/system/public/shell.te b/microdroid/sepolicy/system/public/shell.te
index 29c07a4..c84e377 100644
--- a/microdroid/sepolicy/system/public/shell.te
+++ b/microdroid/sepolicy/system/public/shell.te
@@ -8,96 +8,24 @@
# logcat
read_logd(shell)
control_logd(shell)
-# logcat -L (directly, or via dumpstate)
-allow shell pstorefs:dir search;
-allow shell pstorefs:file r_file_perms;
# Root fs.
allow shell rootfs:dir r_dir_perms;
-# read files in /data/anr
-allow shell anr_data_file:dir r_dir_perms;
-allow shell anr_data_file:file r_file_perms;
-
# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
-# Access /data/local/tests.
-allow shell shell_test_data_file:dir create_dir_perms;
-allow shell shell_test_data_file:file create_file_perms;
-allow shell shell_test_data_file:file rx_file_perms;
-allow shell shell_test_data_file:lnk_file create_file_perms;
-allow shell shell_test_data_file:sock_file create_file_perms;
-
-# Read and delete from /data/local/traces.
-allow shell trace_data_file:file { r_file_perms unlink };
-allow shell trace_data_file:dir { r_dir_perms remove_name write };
-
-# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
-allow shell profman_dump_data_file:file { unlink r_file_perms };
-
-# Read/execute files in /data/nativetest
-userdebug_or_eng(`
- allow shell nativetest_data_file:dir r_dir_perms;
- allow shell nativetest_data_file:file rx_file_perms;
-')
-
-# adb bugreport
-unix_socket_connect(shell, dumpstate, dumpstate)
-
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
-allow shell input_device:dir r_dir_perms;
-allow shell input_device:chr_file r_file_perms;
-
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-
-r_dir_file(shell, apk_data_file)
-
-userdebug_or_eng(`
- # "systrace --boot" support - allow boottrace service to run
- allow shell boottrace_data_file:dir rw_dir_perms;
- allow shell boottrace_data_file:file create_file_perms;
-')
-
-# allow shell access to services
-allow shell servicemanager:service_manager list;
-# don't allow shell to access GateKeeper service
-# TODO: why is this so broad? Tightening candidate? It needs at list:
-# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell {
- service_manager_type
- -apex_service
- -dnsresolver_service
- -gatekeeper_service
- -incident_service
- -installd_service
- -iorapd_service
- -netd_service
- -system_suspend_control_internal_service
- -system_suspend_control_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- -default_android_service
-}:service_manager find;
-allow shell dumpstate:binder call;
-
-# allow shell to get information from hwservicemanager
-# for instance, listing hardware services with lshal
-hwbinder_use(shell)
-allow shell hwservicemanager:hwservice_manager list;
# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
r_dir_file(shell, proc_net_type)
@@ -125,7 +53,6 @@
r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
-allow shell vendor_cgroup_desc_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
@@ -144,86 +71,12 @@
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;
-# enable shell domain to read/write files/dirs for bootchart data
-# User will creates the start and stop file via adb shell
-# and read other files created by init process under /data/bootchart
-allow shell bootchart_data_file:dir rw_dir_perms;
-allow shell bootchart_data_file:file create_file_perms;
-
-# Make sure strace works for the non-privileged shell user
-allow shell self:process ptrace;
-
-# allow shell to get battery info
-allow shell sysfs:dir r_dir_perms;
-allow shell sysfs_batteryinfo:dir r_dir_perms;
-allow shell sysfs_batteryinfo:file r_file_perms;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;
-
-#
-# filesystem test for insecure chr_file's is done
-# via a host side test
-#
-allow shell dev_type:dir r_dir_perms;
-allow shell dev_type:chr_file getattr;
-
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
-#
-# filesystem test for insucre blk_file's is done
-# via hostside test
-#
-allow shell dev_type:blk_file getattr;
-
# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;
-
-# Allow shell to start up vendor shell
-allow shell vendor_shell_exec:file rx_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. Allow shell to
-# execute them.
-recovery_only(`
- allow shell rootfs:file rx_file_perms;
-')
-
-###
-### Neverallow rules
-###
-
-# Do not allow shell to hard link to any files.
-# In particular, if shell hard links to app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure the shell user never has this
-# capability.
-neverallow shell file_type:file link;
-
-# Do not allow privileged socket ioctl commands
-neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
-# limit shell access to sensitive char drivers to
-# only getattr required for host side test.
-neverallow shell {
- fuse_device
- hw_random_device
- port_device
-}:chr_file ~getattr;
-
-# Limit shell to only getattr on blk devices for host side tests.
-neverallow shell dev_type:blk_file ~getattr;
-
-# b/30861057: Shell access to existing input devices is an abuse
-# vector. The shell user can inject events that look like they
-# originate from the touchscreen etc.
-# Everyone should have already moved to UiAutomation#injectInputEvent
-# if they are running instrumentation tests (i.e. CTS), Monkey for
-# their stress tests, and the input command (adb shell input ...) for
-# injecting swipes and things.
-neverallow shell input_device:chr_file no_w_file_perms;
diff --git a/microdroid/sepolicy/system/public/simpleperf.te b/microdroid/sepolicy/system/public/simpleperf.te
deleted file mode 100644
index 218fee7..0000000
--- a/microdroid/sepolicy/system/public/simpleperf.te
+++ /dev/null
@@ -1 +0,0 @@
-type simpleperf, domain;
diff --git a/microdroid/sepolicy/system/public/simpleperf_app_runner.te b/microdroid/sepolicy/system/public/simpleperf_app_runner.te
deleted file mode 100644
index 2ed007e..0000000
--- a/microdroid/sepolicy/system/public/simpleperf_app_runner.te
+++ /dev/null
@@ -1,44 +0,0 @@
-type simpleperf_app_runner, domain, mlstrustedsubject;
-type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
-
-# run simpleperf_app_runner in adb shell.
-allow simpleperf_app_runner adbd:fd use;
-allow simpleperf_app_runner shell:fd use;
-allow simpleperf_app_runner devpts:chr_file { read write ioctl };
-
-# simpleperf_app_runner reads package information.
-allow simpleperf_app_runner system_data_file:file r_file_perms;
-allow simpleperf_app_runner system_data_file:lnk_file getattr;
-allow simpleperf_app_runner packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow simpleperf_app_runner system_data_file:lnk_file read;
-
-# simpleperf_app_runner switches to the app UID/GID.
-allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
-
-# simpleperf_app_runner switches to the app security context.
-selinux_check_context(simpleperf_app_runner) # validate context
-allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
-
-# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
-
-# simpleperf_app_runner passes pipe fds.
-# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
-allow simpleperf_app_runner shell:fifo_file { read write };
-
-# simpleperf_app_runner checks shell data paths.
-# simpleperf_app_runner passes shell data fds.
-allow simpleperf_app_runner shell_data_file:dir { getattr search };
-allow simpleperf_app_runner shell_data_file:file { getattr write };
-
-###
-### neverallow rules
-###
-
-# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
-neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/microdroid/sepolicy/system/public/slideshow.te b/microdroid/sepolicy/system/public/slideshow.te
deleted file mode 100644
index 10fbbb8..0000000
--- a/microdroid/sepolicy/system/public/slideshow.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# slideshow seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type slideshow, domain;
-
-allow slideshow kmsg_device:chr_file rw_file_perms;
-wakelock_use(slideshow)
-allow slideshow device:dir r_dir_perms;
-allow slideshow self:global_capability_class_set sys_tty_config;
-allow slideshow graphics_device:dir r_dir_perms;
-allow slideshow graphics_device:chr_file rw_file_perms;
-allow slideshow input_device:dir r_dir_perms;
-allow slideshow input_device:chr_file r_file_perms;
-allow slideshow tty_device:chr_file rw_file_perms;
-
diff --git a/microdroid/sepolicy/system/public/stats_service_server.te b/microdroid/sepolicy/system/public/stats_service_server.te
deleted file mode 100644
index ab8e58a..0000000
--- a/microdroid/sepolicy/system/public/stats_service_server.te
+++ /dev/null
@@ -1,4 +0,0 @@
-add_hwservice(stats_service_server, fwk_stats_hwservice)
-add_service(stats_service_server, fwk_stats_service)
-
-binder_use(stats_service_server)
diff --git a/microdroid/sepolicy/system/public/statsd.te b/microdroid/sepolicy/system/public/statsd.te
index 670f4c7..5da3ec9 100644
--- a/microdroid/sepolicy/system/public/statsd.te
+++ b/microdroid/sepolicy/system/public/statsd.te
@@ -15,72 +15,17 @@
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
-userdebug_or_eng(`
- allow statsd su:fifo_file read;
-')
-
-# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
-allow statsd stats_data_file:dir create_dir_perms;
-allow statsd stats_data_file:file create_file_perms;
-
-# Allow statsd to make binder calls to any binder service.
-binder_call(statsd, appdomain)
-binder_call(statsd, healthd)
-binder_call(statsd, incidentd)
-binder_call(statsd, system_server)
-
-# Allow statsd to interact with gpuservice
-allow statsd gpu_service:service_manager find;
-binder_call(statsd, gpuservice)
-
# Allow statsd to interact with keystore to pull atoms
allow statsd keystore_service:service_manager find;
binder_call(statsd, keystore)
-# Allow statsd to interact with mediametrics
-allow statsd mediametrics_service:service_manager find;
-binder_call(statsd, mediametrics)
-
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
-# Grant statsd with permissions to register the services.
-allow statsd {
- app_api_service
- incident_service
- system_api_service
-}:service_manager find;
-
-# Grant statsd to access health hal to access battery metrics.
-allow statsd hal_health_hwservice:hwservice_manager find;
-
-# Allow statsd to send dump info to dumpstate
-allow statsd dumpstate:fd use;
-allow statsd dumpstate:fifo_file { getattr write };
-
-# Allow access to with hardware layer and process stats.
-allow statsd proc_uid_cputime_showstat:file { getattr open read };
-hal_client_domain(statsd, hal_health)
-hal_client_domain(statsd, hal_power)
-hal_client_domain(statsd, hal_power_stats)
-hal_client_domain(statsd, hal_thermal)
-
# Allow 'adb shell cmd' to upload configs and download output.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };
unix_socket_send(statsd, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# Only statsd and the other root services in limited circumstances.
-# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
-# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
-
-# Limited access to the directory itself.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/microdroid/sepolicy/system/public/su.te b/microdroid/sepolicy/system/public/su.te
index 074ff2e..a440c21 100644
--- a/microdroid/sepolicy/system/public/su.te
+++ b/microdroid/sepolicy/system/public/su.te
@@ -14,9 +14,6 @@
# Add su to various domains
net_domain(su)
- # grant su access to vndbinder
- vndbinder_use(su)
-
dontaudit su self:capability_class_set *;
dontaudit su self:capability2 *;
dontaudit su kernel:security *;
@@ -43,66 +40,13 @@
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
dontaudit su hwservice_manager_type:hwservice_manager *;
- dontaudit su vndservice_manager_type:service_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
- dontaudit su postinstall_file:filesystem *;
dontaudit su domain:bpf *;
dontaudit su unlabeled:vsock_socket *;
dontaudit su self:perf_event *;
-
- # VTS tests run in the permissive su domain on debug builds, but the HALs
- # being tested run in enforcing mode. Because hal_foo_server is enforcing
- # su needs to be declared as hal_foo_client to grant hal_foo_server
- # permission to interact with it.
- typeattribute su halclientdomain;
- typeattribute su hal_allocator_client;
- typeattribute su hal_atrace_client;
- typeattribute su hal_audio_client;
- typeattribute su hal_authsecret_client;
- typeattribute su hal_bluetooth_client;
- typeattribute su hal_bootctl_client;
- typeattribute su hal_camera_client;
- typeattribute su hal_configstore_client;
- typeattribute su hal_confirmationui_client;
- typeattribute su hal_contexthub_client;
- typeattribute su hal_drm_client;
- typeattribute su hal_cas_client;
- typeattribute su hal_dumpstate_client;
- typeattribute su hal_fingerprint_client;
- typeattribute su hal_gatekeeper_client;
- typeattribute su hal_gnss_client;
- typeattribute su hal_graphics_allocator_client;
- typeattribute su hal_graphics_composer_client;
- typeattribute su hal_health_client;
- typeattribute su hal_input_classifier_client;
- typeattribute su hal_ir_client;
- typeattribute su hal_keymaster_client;
- typeattribute su hal_light_client;
- typeattribute su hal_memtrack_client;
- typeattribute su hal_neuralnetworks_client;
- typeattribute su hal_nfc_client;
- typeattribute su hal_oemlock_client;
- typeattribute su hal_power_client;
- typeattribute su hal_rebootescrow_client;
- typeattribute su hal_secure_element_client;
- typeattribute su hal_sensors_client;
- typeattribute su hal_telephony_client;
- typeattribute su hal_tetheroffload_client;
- typeattribute su hal_thermal_client;
- typeattribute su hal_tv_cec_client;
- typeattribute su hal_tv_input_client;
- typeattribute su hal_tv_tuner_client;
- typeattribute su hal_usb_client;
- typeattribute su hal_vibrator_client;
- typeattribute su hal_vr_client;
- typeattribute su hal_weaver_client;
- typeattribute su hal_wifi_client;
- typeattribute su hal_wifi_hostapd_client;
- typeattribute su hal_wifi_supplicant_client;
')
diff --git a/microdroid/sepolicy/system/public/surfaceflinger.te b/microdroid/sepolicy/system/public/surfaceflinger.te
deleted file mode 100644
index c1e4844..0000000
--- a/microdroid/sepolicy/system/public/surfaceflinger.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# surfaceflinger - display compositor service
-type surfaceflinger, domain;
-type surfaceflinger_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/system_app.te b/microdroid/sepolicy/system/public/system_app.te
deleted file mode 100644
index 023058e..0000000
--- a/microdroid/sepolicy/system/public/system_app.te
+++ /dev/null
@@ -1,7 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-type system_app, domain;
diff --git a/microdroid/sepolicy/system/public/system_server.te b/microdroid/sepolicy/system/public/system_server.te
deleted file mode 100644
index edefadf..0000000
--- a/microdroid/sepolicy/system/public/system_server.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system_server, domain;
-type system_server_tmpfs, file_type, mlstrustedobject;
-
-# Power controls for debugging/diagnostics
-get_prop(system_server, power_debug_prop)
-set_prop(system_server, power_debug_prop)
-
-neverallow {
- domain
- -init
- -vendor_init
- -system_server
-} power_debug_prop:property_service set;
diff --git a/microdroid/sepolicy/system/public/system_suspend_internal_server.te b/microdroid/sepolicy/system/public/system_suspend_internal_server.te
deleted file mode 100644
index 67bff77..0000000
--- a/microdroid/sepolicy/system/public/system_suspend_internal_server.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# To serve ISuspendControlServiceInternal.
-add_service(system_suspend_internal_server, system_suspend_control_internal_service)
-
-neverallow {
- domain
- -atrace # tracing
- -dumpstate # bug reports
- -system_suspend_internal_server # implements system_suspend_control_internal_service
- -system_server # configures system_suspend via ISuspendControlServiceInternal
- -traceur_app # tracing
-} system_suspend_control_internal_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/system_suspend_server.te b/microdroid/sepolicy/system/public/system_suspend_server.te
deleted file mode 100644
index 8e8310d..0000000
--- a/microdroid/sepolicy/system/public/system_suspend_server.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# Required to export a HIDL interface.
-hwbinder_use(system_suspend_server)
-get_prop(system_suspend_server, hwservicemanager_prop)
-
-# To serve ISystemSuspend.hal.
-add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/microdroid/sepolicy/system/public/te_macros b/microdroid/sepolicy/system/public/te_macros
index 7dc5062..9e73292 100644
--- a/microdroid/sepolicy/system/public/te_macros
+++ b/microdroid/sepolicy/system/public/te_macros
@@ -721,12 +721,7 @@
domain
-$1_client
-$1_server
- # some services are allowed to find all services
- -atrace
- -dumpstate
-shell
- -system_app
- -traceur_app
} $2:service_manager find;
')
')
diff --git a/microdroid/sepolicy/system/public/tee.te b/microdroid/sepolicy/system/public/tee.te
deleted file mode 100644
index 0f9b32d..0000000
--- a/microdroid/sepolicy/system/public/tee.te
+++ /dev/null
@@ -1,11 +0,0 @@
-##
-# trusted execution environment (tee) daemon
-#
-type tee, domain;
-
-# Device(s) for communicating with the TEE
-type tee_device, dev_type;
-
-allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
-allow tee fingerprint_vendor_data_file:file create_file_perms;
-
diff --git a/microdroid/sepolicy/system/public/tombstoned.te b/microdroid/sepolicy/system/public/tombstoned.te
index ea2abbb..bd1626d 100644
--- a/microdroid/sepolicy/system/public/tombstoned.te
+++ b/microdroid/sepolicy/system/public/tombstoned.te
@@ -1,17 +1,2 @@
-# debugger interface
-type tombstoned, domain, mlstrustedsubject;
-type tombstoned_exec, system_file_type, exec_type, file_type;
-
-# Write to arbitrary pipes given to us.
-allow tombstoned domain:fd use;
-allow tombstoned domain:fifo_file write;
-
-allow tombstoned domain:dir r_dir_perms;
-allow tombstoned domain:file r_file_perms;
-allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file { create_file_perms link };
-
-# Changes for the new stack dumping mechanism. Each trace goes into a
-# separate file, and these files are managed by tombstoned.
-allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { append create getattr open link unlink };
+type tombstoned, domain;
+type tombstoned_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/toolbox.te b/microdroid/sepolicy/system/public/toolbox.te
index 4c2cc3e..0a6e649 100644
--- a/microdroid/sepolicy/system/public/toolbox.te
+++ b/microdroid/sepolicy/system/public/toolbox.te
@@ -1,38 +1,2 @@
-# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
-# Do NOT use this domain for toolbox when run by any other domain.
type toolbox, domain;
-type toolbox_exec, system_file_type, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow toolbox tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow toolbox devpts:chr_file { read write getattr ioctl };
-
-# mkswap-specific.
-# Read/write block devices used for swap partitions.
-# Assign swap_block_device type any such partition in your
-# device/<vendor>/<product>/sepolicy/file_contexts file.
-allow toolbox block_device:dir search;
-allow toolbox swap_block_device:blk_file rw_file_perms;
-
-# Only allow entry from init via the toolbox binary.
-neverallow { domain -init } toolbox:process transition;
-neverallow * toolbox:process dyntransition;
-neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
-
-# rm -rf directories in /data
-allow toolbox system_data_root_file:dir { remove_name write };
-allow toolbox system_data_file:dir { rmdir rw_dir_perms };
-allow toolbox system_data_file:file { getattr unlink };
-
-# chattr +F and chattr +P /data/media in init
-allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
-allowxperm toolbox media_rw_data_file:dir ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
+type toolbox_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/traced.te b/microdroid/sepolicy/system/public/traced.te
deleted file mode 100644
index 922d46e..0000000
--- a/microdroid/sepolicy/system/public/traced.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type traced, domain, coredomain, mlstrustedsubject;
-type traced_tmpfs, file_type;
-
diff --git a/microdroid/sepolicy/system/public/traced_perf.te b/microdroid/sepolicy/system/public/traced_perf.te
deleted file mode 100644
index f9a0324..0000000
--- a/microdroid/sepolicy/system/public/traced_perf.te
+++ /dev/null
@@ -1 +0,0 @@
-type traced_perf, domain;
diff --git a/microdroid/sepolicy/system/public/traced_probes.te b/microdroid/sepolicy/system/public/traced_probes.te
deleted file mode 100644
index 3e587c8..0000000
--- a/microdroid/sepolicy/system/public/traced_probes.te
+++ /dev/null
@@ -1 +0,0 @@
-type traced_probes, domain, coredomain, mlstrustedsubject;
diff --git a/microdroid/sepolicy/system/public/traceur_app.te b/microdroid/sepolicy/system/public/traceur_app.te
deleted file mode 100644
index ce9b844..0000000
--- a/microdroid/sepolicy/system/public/traceur_app.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type traceur_app, domain;
-
-allow traceur_app servicemanager:service_manager list;
-allow traceur_app hwservicemanager:hwservice_manager list;
-
-allow traceur_app {
- service_manager_type
- -apex_service
- -dnsresolver_service
- -gatekeeper_service
- -incident_service
- -installd_service
- -iorapd_service
- -lpdump_service
- -netd_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- -default_android_service
-}:service_manager find;
-
-# Allow traceur_app to use atrace HAL
-hal_client_domain(traceur_app, hal_atrace)
-
-dontaudit traceur_app service_manager_type:service_manager find;
-dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
-dontaudit traceur_app domain:binder call;
diff --git a/microdroid/sepolicy/system/public/type.te b/microdroid/sepolicy/system/public/type.te
new file mode 100644
index 0000000..c31509c
--- /dev/null
+++ b/microdroid/sepolicy/system/public/type.te
@@ -0,0 +1,23 @@
+# Miscellaneous types
+type adb_service, system_server_service, system_api_service, service_manager_type;
+type apex_service, service_manager_type;
+type authorization_service, service_manager_type;
+type credstore_service, app_api_service, service_manager_type;
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type default_android_service, service_manager_type;
+type hal_keymint_service, protected_service, vendor_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
+type keystore_service, service_manager_type;
+type legacykeystore_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
+type system_linker;
+type vm_payload_key;
diff --git a/microdroid/sepolicy/system/public/tzdatacheck.te b/microdroid/sepolicy/system/public/tzdatacheck.te
deleted file mode 100644
index cf9b95d..0000000
--- a/microdroid/sepolicy/system/public/tzdatacheck.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, system_file_type, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/microdroid/sepolicy/system/public/ueventd.te b/microdroid/sepolicy/system/public/ueventd.te
index d5d4301..7bf7888 100644
--- a/microdroid/sepolicy/system/public/ueventd.te
+++ b/microdroid/sepolicy/system/public/ueventd.te
@@ -2,82 +2,3 @@
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;
-
-# Write to /dev/kmsg.
-allow ueventd kmsg_device:chr_file rw_file_perms;
-
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
-allow ueventd device:file create_file_perms;
-
-r_dir_file(ueventd, rootfs)
-
-# ueventd needs write access to files in /sys to regenerate uevents
-allow ueventd sysfs_type:file w_file_perms;
-r_dir_file(ueventd, sysfs_type)
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { getattr create setattr unlink };
-allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
-
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
-# Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
-
-# Access for /apex/*/firmware
-allow ueventd apex_mnt_dir:dir r_dir_perms;
-
-# Get file contexts for new device nodes
-allow ueventd file_contexts_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
-allow ueventd proc_cmdline:file r_file_perms;
-allow ueventd proc_bootconfig:file r_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. ueventd has to execute
-# the dynamic linker and shared libraries.
-recovery_only(`
- allow ueventd rootfs:file { r_file_perms execute };
-')
-
-# Suppress denials for ueventd to getattr /postinstall. This occurs when the
-# linker tries to resolve paths in ld.config.txt.
-dontaudit ueventd postinstall_mnt_dir:dir getattr;
-
-# ueventd loads modules in response to modalias events.
-allow ueventd self:global_capability_class_set sys_module;
-allow ueventd vendor_file:system module_load;
-allow ueventd kernel:key search;
-
-# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
-
-# Allow ueventd to run shell scripts from vendor
-allow ueventd vendor_shell_exec:file execute;
-
-#####
-##### neverallow rules
-#####
-
-# Restrict ueventd access on block devices to maintenence operations.
-neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-
-# Only relabelto as we would never want to relabelfrom port_device
-neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
-
-# Nobody should be able to ptrace ueventd
-neverallow * ueventd:process ptrace;
-
-# ueventd should never execute a program without changing to another domain.
-neverallow ueventd { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/sepolicy/system/public/uncrypt.te b/microdroid/sepolicy/system/public/uncrypt.te
deleted file mode 100644
index 3b04671..0000000
--- a/microdroid/sepolicy/system/public/uncrypt.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# uncrypt
-type uncrypt, domain, mlstrustedsubject;
-type uncrypt_exec, system_file_type, exec_type, file_type;
-
-allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
-
-userdebug_or_eng(`
- # For debugging, allow /data/local/tmp access
- r_dir_file(uncrypt, shell_data_file)
-')
-
-# Read /cache/recovery/command
-# Read /cache/recovery/uncrypt_file
-allow uncrypt cache_file:dir search;
-allow uncrypt cache_recovery_file:dir rw_dir_perms;
-allow uncrypt cache_recovery_file:file create_file_perms;
-
-# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
-allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file rw_file_perms;
-
-# Write to /dev/socket/uncrypt
-unix_socket_connect(uncrypt, uncrypt, uncrypt)
-
-# Raw writes to block device
-allow uncrypt self:global_capability_class_set sys_rawio;
-allow uncrypt misc_block_device:blk_file w_file_perms;
-allow uncrypt block_device:dir r_dir_perms;
-
-# Access userdata block device.
-allow uncrypt userdata_block_device:blk_file w_file_perms;
-
-r_dir_file(uncrypt, rootfs)
-
-# Access to bootconfig is needed when calling ReadDefaultFstab.
-allow uncrypt {
- proc_bootconfig
- proc_cmdline
-
-}:file r_file_perms;
-
-# Read files in /sys
-r_dir_file(uncrypt, sysfs_dt_firmware_android)
-
-# Allow ReadDefaultFstab().
-read_fstab(uncrypt)
diff --git a/microdroid/sepolicy/system/public/untrusted_app.te b/microdroid/sepolicy/system/public/untrusted_app.te
deleted file mode 100644
index 43fe19a..0000000
--- a/microdroid/sepolicy/system/public/untrusted_app.te
+++ /dev/null
@@ -1,30 +0,0 @@
-###
-### Untrusted apps.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-# This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 30.
-type untrusted_app, domain;
-# This file defines the rules for untrusted apps running with
-# targetSdkVersion = 29.
-type untrusted_app_29, domain;
-# This file defines the rules for untrusted apps running with
-# 25 < targetSdkVersion <= 28.
-type untrusted_app_27, domain;
-# This file defines the rules for untrusted apps running with
-# targetSdkVersion <= 25.
-type untrusted_app_25, domain;
diff --git a/microdroid/sepolicy/system/public/update_engine.te b/microdroid/sepolicy/system/public/update_engine.te
deleted file mode 100644
index ab7090b..0000000
--- a/microdroid/sepolicy/system/public/update_engine.te
+++ /dev/null
@@ -1,78 +0,0 @@
-# Domain for update_engine daemon.
-type update_engine, domain, update_engine_common;
-type update_engine_exec, system_file_type, exec_type, file_type;
-
-net_domain(update_engine);
-
-# Following permissions are needed for update_engine.
-allow update_engine self:process { setsched };
-allow update_engine self:global_capability_class_set { fowner sys_admin };
-# Note: fsetid checks are triggered when creating a file in a directory with
-# the setgid bit set to determine if the file should inherit setgid. In this
-# case, setgid on the file is undesirable so we should just suppress the
-# denial.
-dontaudit update_engine self:global_capability_class_set fsetid;
-
-allow update_engine kmsg_device:chr_file { getattr w_file_perms };
-allow update_engine update_engine_exec:file rx_file_perms;
-wakelock_use(update_engine);
-
-# Ignore these denials.
-dontaudit update_engine kernel:process setsched;
-dontaudit update_engine self:global_capability_class_set sys_rawio;
-
-# Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir create_dir_perms;
-allow update_engine update_engine_data_file:file create_file_perms;
-
-# Allow using persistent storage in /data/misc/update_engine_log.
-allow update_engine update_engine_log_data_file:dir create_dir_perms;
-allow update_engine update_engine_log_data_file:file create_file_perms;
-
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
-# Register the service to perform Binder IPC.
-binder_use(update_engine)
-add_service(update_engine, update_engine_service)
-add_service(update_engine, update_engine_stable_service)
-
-# Allow update_engine to call the callback function provided by priv_app/GMS core.
-binder_call(update_engine, priv_app)
-# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow update_engine priv_app:binder { call transfer };
- auditallow priv_app update_engine:binder transfer;
- auditallow update_engine priv_app:fd use;
-')
-
-binder_call(update_engine, gmscore_app)
-
-# Allow update_engine to call the callback function provided by system_server.
-binder_call(update_engine, system_server)
-
-# Read OTA zip file at /data/ota_package/.
-allow update_engine ota_package_file:file r_file_perms;
-allow update_engine ota_package_file:dir r_dir_perms;
-
-# Use Boot Control HAL
-hal_client_domain(update_engine, hal_bootctl)
-
-# access /proc/misc
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
-
-# Allow ReadDefaultFstab().
-# update_engine tries to determine the parent path for all devices (e.g.
-# /dev/block/by-name) by reading the default fstab and looking for the misc
-# device.
-read_fstab(update_engine)
-
-# Allow to write to snapshotctl_log logs.
-# TODO(b/148818798) revert when parent bug is fixed.
-userdebug_or_eng(`
-allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
-allow update_engine snapshotctl_log_data_file:file create_file_perms;
-')
diff --git a/microdroid/sepolicy/system/public/update_engine_common.te b/microdroid/sepolicy/system/public/update_engine_common.te
deleted file mode 100644
index e8fd29e..0000000
--- a/microdroid/sepolicy/system/public/update_engine_common.te
+++ /dev/null
@@ -1,98 +0,0 @@
-# update_engine payload application permissions. These are shared between the
-# background daemon and the recovery tool to sideload an update.
-
-# Allow update_engine to reach block devices in /dev/block.
-allow update_engine_common block_device:dir search;
-
-# Allow read/write on system and boot partitions.
-allow update_engine_common boot_block_device:blk_file rw_file_perms;
-allow update_engine_common system_block_device:blk_file rw_file_perms;
-
-# Where ioctls are granted via standard allow rules to block devices,
-# automatically allow common ioctls that are generally needed by
-# update_engine.
-allowxperm update_engine_common dev_type:blk_file ioctl {
- BLKDISCARD
- BLKDISCARDZEROES
- BLKROGET
- BLKROSET
- BLKSECDISCARD
- BLKZEROOUT
-};
-
-# Allow to set recovery options in the BCB. Used to trigger factory reset when
-# the update to an older version (channel change) or incompatible version
-# requires it.
-allow update_engine_common misc_block_device:blk_file rw_file_perms;
-
-# read fstab
-allow update_engine_common rootfs:dir getattr;
-allow update_engine_common rootfs:file r_file_perms;
-
-# Allow update_engine_common to mount on the /postinstall directory and reset the
-# labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
-allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
-
-# Allow update_engine_common to read and execute postinstall_file.
-allow update_engine_common postinstall_file:file rx_file_perms;
-allow update_engine_common postinstall_file:lnk_file r_file_perms;
-allow update_engine_common postinstall_file:dir r_dir_perms;
-
-# install update.zip from cache
-r_dir_file(update_engine_common, cache_file)
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine_common shell_exec:file rx_file_perms;
-
-# Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/cmdline
-allow update_engine_common proc_cmdline:file r_file_perms;
-
-# Read files in /sys/firmware/devicetree/base/firmware/android/
-r_dir_file(update_engine_common, sysfs_dt_firmware_android)
-
-# Needed because libdm reads sysfs to validate when a dm path is ready.
-r_dir_file(update_engine_common, sysfs_dm)
-
-# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
-allow update_engine_common sysfs:dir r_dir_perms;
-allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
-
-# read / write on /dev/device-mapper to map / unmap devices
-allow update_engine_common dm_device:chr_file rw_file_perms;
-
-# apply / verify updates on devices mapped via device mapper
-allow update_engine_common dm_device:blk_file rw_file_perms;
-
-# read /dev/dm-user, so that we can inotify wait for control devices to be
-# asynchronously created by ueventd.
-allow update_engine dm_user_device:dir r_dir_perms;
-
-# read / write metadata on super device to resize partitions
-allow update_engine_common super_block_device_type:blk_file rw_file_perms;
-
-# ioctl on super device to get block device alignment and alignment offset
-allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
-# get physical block device to map logical partitions on device mapper
-allow update_engine_common block_device:dir r_dir_perms;
-
-# Allow update_engine_common to write to statsd socket.
-unix_socket_send(update_engine_common, statsdw, statsd)
-
-# Allow to read Virtual A/B feature flags.
-get_prop(update_engine_common, virtual_ab_prop)
-
-# Allow to read GKI related flags.
-get_prop(update_engine_common, ab_update_gki_prop)
-get_prop(update_engine_common, build_bootimage_prop)
-
-# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
-allow update_engine_common metadata_file:dir search;
-allow update_engine_common ota_metadata_file:dir rw_dir_perms;
-allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/microdroid/sepolicy/system/public/update_verifier.te b/microdroid/sepolicy/system/public/update_verifier.te
deleted file mode 100644
index 68b43f0..0000000
--- a/microdroid/sepolicy/system/public/update_verifier.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# update_verifier
-type update_verifier, domain;
-type update_verifier_exec, system_file_type, exec_type, file_type;
-
-# Allow update_verifier to reach block devices in /dev/block.
-allow update_verifier block_device:dir search;
-
-# Read care map in /data/ota_package/.
-allow update_verifier ota_package_file:dir r_dir_perms;
-allow update_verifier ota_package_file:file r_file_perms;
-
-# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
-allow update_verifier sysfs:dir r_dir_perms;
-
-# Read /sys/block/dm-X/dm/name (which is a symlink to
-# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
-# dm-X and system/vendor partitions.
-allow update_verifier sysfs_dm:dir r_dir_perms;
-allow update_verifier sysfs_dm:file r_file_perms;
-
-# Read all blocks in DM wrapped system partition.
-allow update_verifier dm_device:blk_file r_file_perms;
-
-# Write to kernel message.
-allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
-
-# Use Boot Control HAL
-hal_client_domain(update_verifier, hal_bootctl)
-
-# Access Checkpoint commands over binder
-allow update_verifier vold_service:service_manager find;
-binder_call(update_verifier, servicemanager)
-binder_call(update_verifier, vold)
diff --git a/microdroid/sepolicy/system/public/usbd.te b/microdroid/sepolicy/system/public/usbd.te
deleted file mode 100644
index 6f34954..0000000
--- a/microdroid/sepolicy/system/public/usbd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type usbd, domain;
-type usbd_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/userdata_sysdev.te b/microdroid/sepolicy/system/public/userdata_sysdev.te
deleted file mode 100644
index 9974f36..0000000
--- a/microdroid/sepolicy/system/public/userdata_sysdev.te
+++ /dev/null
@@ -1 +0,0 @@
-allow userdata_sysdev sysfs:filesystem associate;
diff --git a/microdroid/sepolicy/system/public/vdc.te b/microdroid/sepolicy/system/public/vdc.te
deleted file mode 100644
index e638e50..0000000
--- a/microdroid/sepolicy/system/public/vdc.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# vdc spawned from init for the following services:
-# defaultcrypto
-# encrypt
-#
-# We also transition into this domain from dumpstate, when
-# collecting bug reports.
-
-type vdc, domain;
-type vdc_exec, system_file_type, exec_type, file_type;
-
-# vdc can be invoked with logwrapper, so let it write to pty
-allow vdc devpts:chr_file rw_file_perms;
-
-# vdc writes directly to kmsg during the boot process
-allow vdc kmsg_device:chr_file { getattr w_file_perms };
-
-# vdc talks to vold over Binder
-binder_use(vdc)
-binder_call(vdc, vold)
-allow vdc vold_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/vendor_init.te b/microdroid/sepolicy/system/public/vendor_init.te
index b0e1da5..b66caa9 100644
--- a/microdroid/sepolicy/system/public/vendor_init.te
+++ b/microdroid/sepolicy/system/public/vendor_init.te
@@ -34,98 +34,51 @@
# we just allow all file types except /system files here.
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
-# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
-allow vendor_init unencrypted_data_file:dir search;
-allow vendor_init unencrypted_data_file:file r_file_perms;
-
-# Set encryption policy on dirs in /data
-allowxperm vendor_init data_file_type:dir ioctl {
- FS_IOC_GET_ENCRYPTION_POLICY
- FS_IOC_SET_ENCRYPTION_POLICY
-};
-
allow vendor_init system_data_file:dir getattr;
allow vendor_init {
file_type
- -core_data_file_type
-exec_type
-system_file_type
- -mnt_product_file
- -password_slot_metadata_file
- -ota_metadata_file
-unlabeled
-vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
- -userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
allow vendor_init {
file_type
- -core_data_file_type
-exec_type
- -password_slot_metadata_file
- -ota_metadata_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
-vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
-apex_info_file
- -userspace_reboot_metadata_file
enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
file_type
- -core_data_file_type
-exec_type
- -password_slot_metadata_file
- -ota_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
- -userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
-apex_mnt_dir
- -core_data_file_type
-exec_type
- -password_slot_metadata_file
- -ota_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
- -userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
- -core_data_file_type
-exec_type
- -mnt_product_file
- -password_slot_metadata_file
- -ota_metadata_file
-system_file_type
-vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
- -userspace_reboot_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
@@ -137,9 +90,7 @@
# chown/chmod on pseudo files.
allow vendor_init {
fs_type
- -contextmount_type
- -keychord_device
- -sdcard_type
+ -fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
@@ -151,8 +102,7 @@
allow vendor_init {
fs_type
- -contextmount_type
- -sdcard_type
+ -fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
@@ -179,117 +129,22 @@
r_dir_file(vendor_init, vendor_file_type)
-# Vendor init can read properties
-allow vendor_init serialno_prop:file { getattr open read map };
-
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
-# Raw writes to misc block device
-allow vendor_init misc_block_device:blk_file w_file_perms;
-
# vendor_init is using bootstrap bionic
allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
-# allow filesystem tuning
-allow vendor_init userdata_sysdev:file create_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
-# the dynamic linker and shared libraries.
-recovery_only(`
- allow vendor_init rootfs:file { r_file_perms execute };
-')
-
-not_compatible_property(`
- set_prop(vendor_init, {
- property_type
- -system_internal_property_type
- -system_restricted_property_type
- })
-')
-
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
# Allow vendor_init to (re)set nice
allow vendor_init self:capability sys_nice;
-set_prop(vendor_init, apk_verity_prop)
-set_prop(vendor_init, bluetooth_a2dp_offload_prop)
-set_prop(vendor_init, bluetooth_audio_hal_prop)
-set_prop(vendor_init, camerax_extensions_prop)
-set_prop(vendor_init, cpu_variant_prop)
-set_prop(vendor_init, dalvik_runtime_prop)
-set_prop(vendor_init, debug_prop)
-set_prop(vendor_init, exported_bluetooth_prop)
-set_prop(vendor_init, exported_camera_prop)
-set_prop(vendor_init, exported_config_prop)
-set_prop(vendor_init, exported_default_prop)
-set_prop(vendor_init, exported_overlay_prop)
-set_prop(vendor_init, exported_pm_prop)
-set_prop(vendor_init, ffs_control_prop)
-set_prop(vendor_init, hw_timeout_multiplier_prop)
-set_prop(vendor_init, incremental_prop)
-set_prop(vendor_init, lmkd_prop)
-set_prop(vendor_init, logd_prop)
-set_prop(vendor_init, log_tag_prop)
-set_prop(vendor_init, log_prop)
-set_prop(vendor_init, qemu_hw_prop)
-set_prop(vendor_init, radio_control_prop)
-set_prop(vendor_init, rebootescrow_hal_prop)
-set_prop(vendor_init, serialno_prop)
-set_prop(vendor_init, soc_prop)
-set_prop(vendor_init, surfaceflinger_color_prop)
-set_prop(vendor_init, usb_control_prop)
-set_prop(vendor_init, userspace_reboot_config_prop)
-set_prop(vendor_init, vehicle_hal_prop)
-set_prop(vendor_init, vendor_default_prop)
-set_prop(vendor_init, vendor_security_patch_level_prop)
-set_prop(vendor_init, vndk_prop)
-set_prop(vendor_init, virtual_ab_prop)
-set_prop(vendor_init, vold_post_fs_data_prop)
-set_prop(vendor_init, wifi_hal_prop)
-set_prop(vendor_init, wifi_log_prop)
-set_prop(vendor_init, zram_control_prop)
-
-get_prop(vendor_init, boot_status_prop)
-get_prop(vendor_init, exported3_system_prop)
-get_prop(vendor_init, ota_prop)
-get_prop(vendor_init, power_debug_prop)
-get_prop(vendor_init, provisioned_prop)
-get_prop(vendor_init, retaildemo_prop)
-get_prop(vendor_init, surfaceflinger_display_prop)
-get_prop(vendor_init, test_harness_prop)
-get_prop(vendor_init, theme_prop)
-set_prop(vendor_init, dck_prop)
-
-
-###
-### neverallow rules
-###
-
-# Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
-
-# The vendor_init domain is only entered via an exec based transition from the
-# init domain, never via setcon().
-neverallow domain vendor_init:process dyntransition;
-neverallow { domain -init } vendor_init:process transition;
-neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
-neverallow vendor_init shell_data_file:lnk_file read;
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow vendor_init shell_data_file:dir { write add_name remove_name };
-
-# init should never execute a program without changing to another domain.
-neverallow vendor_init { file_type fs_type }:file execute_no_trans;
-
-# Init never adds or uses services via service_manager.
-neverallow vendor_init service_manager_type:service_manager { add find };
-neverallow vendor_init servicemanager:service_manager list;
-
-# vendor_init should never be ptraced
-neverallow * vendor_init:process ptrace;
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -kvm_device
+ -hw_random_device
+}:chr_file setattr;
diff --git a/microdroid/sepolicy/system/public/vendor_misc_writer.te b/microdroid/sepolicy/system/public/vendor_misc_writer.te
deleted file mode 100644
index 3bc3a9f..0000000
--- a/microdroid/sepolicy/system/public/vendor_misc_writer.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# vendor_misc_writer
-type vendor_misc_writer, domain;
-type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
-
-# Raw writes to misc_block_device
-allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
-allow vendor_misc_writer block_device:dir r_dir_perms;
-
-# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
-# load DT fstab.
-dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
-dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
-dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
-
-# Allow ReadDefaultFstab().
-read_fstab(vendor_misc_writer)
diff --git a/microdroid/sepolicy/system/public/vendor_modprobe.te b/microdroid/sepolicy/system/public/vendor_modprobe.te
deleted file mode 100644
index 529c4aa..0000000
--- a/microdroid/sepolicy/system/public/vendor_modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_modprobe, domain;
diff --git a/microdroid/sepolicy/system/public/vendor_shell.te b/microdroid/sepolicy/system/public/vendor_shell.te
deleted file mode 100644
index 5d7cb31..0000000
--- a/microdroid/sepolicy/system/public/vendor_shell.te
+++ /dev/null
@@ -1,21 +0,0 @@
-type vendor_shell, domain;
-type vendor_shell_exec, exec_type, vendor_file_type, file_type;
-
-allow vendor_shell vendor_shell_exec:file rx_file_perms;
-allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
-
-# Use fd from shell when vendor_shell is started from shell
-allow vendor_shell shell:fd use;
-
-# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
-allow vendor_shell adbd:fd use;
-allow vendor_shell adbd:process sigchld;
-allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
-
-allow vendor_shell devpts:chr_file rw_file_perms;
-allow vendor_shell tty_device:chr_file rw_file_perms;
-allow vendor_shell console_device:chr_file rw_file_perms;
-allow vendor_shell input_device:dir r_dir_perms;
-allow vendor_shell input_device:chr_file rw_file_perms;
-
-userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/microdroid/sepolicy/system/public/vendor_toolbox.te b/microdroid/sepolicy/system/public/vendor_toolbox.te
deleted file mode 100644
index 63f938d..0000000
--- a/microdroid/sepolicy/system/public/vendor_toolbox.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# Toolbox installation for vendor binaries / scripts
-# Non-vendor processes are not allowed to execute the binary
-# and is always executed without transition.
-type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
-
-# Do not allow domains to transition to vendor toolbox
-# or read, execute the vendor_toolbox file.
-full_treble_only(`
- # Do not allow non-vendor domains to transition
- # to vendor toolbox except for the allowlisted domains.
- neverallow {
- coredomain
- -init
- -modprobe
- } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
-')
diff --git a/microdroid/sepolicy/system/public/virtual_touchpad.te b/microdroid/sepolicy/system/public/virtual_touchpad.te
deleted file mode 100644
index 49c8704..0000000
--- a/microdroid/sepolicy/system/public/virtual_touchpad.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type virtual_touchpad, domain;
-type virtual_touchpad_exec, system_file_type, exec_type, file_type;
-
-binder_use(virtual_touchpad)
-binder_service(virtual_touchpad)
-add_service(virtual_touchpad, virtual_touchpad_service)
-
-# Needed to check app permissions.
-binder_call(virtual_touchpad, system_server)
-
-# Requires access to /dev/uinput to create and feed the virtual device.
-allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow virtual_touchpad permission_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/vndservice.te b/microdroid/sepolicy/system/public/vndservice.te
deleted file mode 100644
index efd9adf..0000000
--- a/microdroid/sepolicy/system/public/vndservice.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type service_manager_vndservice, vndservice_manager_type;
-type default_android_vndservice, vndservice_manager_type;
diff --git a/microdroid/sepolicy/system/public/vndservicemanager.te b/microdroid/sepolicy/system/public/vndservicemanager.te
deleted file mode 100644
index 6b9f73d..0000000
--- a/microdroid/sepolicy/system/public/vndservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager, domain;
diff --git a/microdroid/sepolicy/system/public/vold.te b/microdroid/sepolicy/system/public/vold.te
deleted file mode 100644
index 7796ba8..0000000
--- a/microdroid/sepolicy/system/public/vold.te
+++ /dev/null
@@ -1,361 +0,0 @@
-# volume manager
-type vold, domain;
-type vold_exec, exec_type, file_type, system_file_type;
-
-# Read already opened /cache files.
-allow vold cache_file:dir r_dir_perms;
-allow vold cache_file:file { getattr read };
-allow vold cache_file:lnk_file r_file_perms;
-
-r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
-# XXX Label sysfs files with a specific type?
-allow vold {
- sysfs # writing to /sys/*/uevent during coldboot.
- sysfs_devices_block
- sysfs_dm
- sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
- sysfs_usb
- sysfs_zram_uevent
- sysfs_fs_f2fs
-}:file w_file_perms;
-
-r_dir_file(vold, rootfs)
-r_dir_file(vold, metadata_file)
-allow vold {
- proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
- proc_bootconfig
- proc_cmdline
- proc_drop_caches
- proc_filesystems
- proc_meminfo
- proc_mounts
-}:file r_file_perms;
-
-#Get file contexts
-allow vold file_contexts_file:file r_file_perms;
-
-# Allow us to jump into execution domains of above tools
-allow vold self:process setexec;
-
-# For formatting adoptable storage devices
-allow vold e2fs_exec:file rx_file_perms;
-
-# Run fstrim on mounted partitions
-# allowxperm still requires the ioctl permission for the individual type
-allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
-
-# Get/set file-based encryption policies on dirs in /data and adoptable storage,
-# and add/remove file-based encryption keys.
-allowxperm vold data_file_type:dir ioctl {
- FS_IOC_GET_ENCRYPTION_POLICY
- FS_IOC_SET_ENCRYPTION_POLICY
- FS_IOC_ADD_ENCRYPTION_KEY
- FS_IOC_REMOVE_ENCRYPTION_KEY
-};
-
-# Only vold and init should ever set file-based encryption policies.
-neverallowxperm {
- domain
- -vold
- -init
- -vendor_init
-} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
-
-# Only vold should ever add/remove file-based encryption keys.
-neverallowxperm {
- domain
- -vold
-} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
-
-# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
-# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
-# location of the file's blocks on the raw block device to erase.
-allowxperm vold {
- vold_data_file
- vold_metadata_file
-}:file ioctl {
- F2FS_IOC_SEC_TRIM_FILE
- FS_IOC_FIEMAP
-};
-
-typeattribute vold mlstrustedsubject;
-allow vold self:process setfscreate;
-allow vold system_file:file x_file_perms;
-not_full_treble(`allow vold vendor_file:file x_file_perms;')
-allow vold block_device:dir create_dir_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
-
-# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
-
-# Access to storage that backs emulated FUSE daemons for migration optimization
-allow vold media_rw_data_file:dir create_dir_perms;
-allow vold media_rw_data_file:file create_file_perms;
-# Allow mounting (lower filesystem) on parts of media for performance
-allow vold media_rw_data_file:dir mounton;
-
-# Allow setting extended attributes (for project quota IDs) on files and dirs
-# and to enable project ID inheritance through FS_IOC_SETFLAGS
-allowxperm vold media_rw_data_file:{ dir file } ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
-
-# Allow mounting of storage devices
-allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-
-# Manage per-user primary symlinks
-allow vold mnt_user_file:dir { create_dir_perms mounton };
-allow vold mnt_user_file:lnk_file create_file_perms;
-allow vold mnt_user_file:file create_file_perms;
-
-# Manage per-user pass_through primary symlinks
-allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
-allow vold mnt_pass_through_file:lnk_file create_file_perms;
-
-# Allow to create and mount expanded storage
-allow vold mnt_expand_file:dir { create_dir_perms mounton };
-allow vold apk_data_file:dir { create getattr setattr };
-allow vold shell_data_file:dir { create getattr setattr };
-
-# Allow to mount incremental file system on /data/incremental and create files
-allow vold apk_data_file:dir { mounton rw_dir_perms };
-# Allow to create and write files in /data/incremental
-allow vold apk_data_file:file { rw_file_perms unlink };
-# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
-allow vold apk_tmp_file:dir { mounton r_dir_perms };
-# Allow to read incremental control file and call selinux restorecon on it
-allow vold incremental_control_file:file { r_file_perms relabelto };
-
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow vold loop_control_device:chr_file rw_file_perms;
-allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
-allowxperm vold loop_device:blk_file ioctl {
- LOOP_CLR_FD
- LOOP_CTL_GET_FREE
- LOOP_GET_STATUS64
- LOOP_SET_FD
- LOOP_SET_STATUS64
-};
-allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
-allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
-allow vold dm_device:chr_file rw_file_perms;
-allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:global_capability_class_set { sys_ptrace kill };
-
-allow vold kmsg_device:chr_file rw_file_perms;
-
-# Run fsck in the fsck domain.
-allow vold fsck_exec:file { r_file_perms execute };
-
-# Log fsck results
-allow vold fscklogs:dir rw_dir_perms;
-allow vold fscklogs:file create_file_perms;
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount remount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
-# Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold {
- system_data_file
- system_data_root_file
-}:dir { create rw_dir_perms mounton setattr rmdir };
-allow vold system_data_file:lnk_file getattr;
-
-# Vold create users in /data/vendor_{ce,de}/[0-9]+
-allow vold vendor_data_file:dir create_dir_perms;
-
-# for secdiscard
-allow vold system_data_file:file read;
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
-allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
-allow vold asec_public_file:file { relabelto setattr };
-# restorecon files in asec containers created on 4.2 or earlier.
-allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
-allow vold unlabeled:file { r_file_perms setattr relabelfrom };
-
-# Access to FUSE control filesystem to hard-abort FUSE mounts
-allow vold fusectlfs:file rw_file_perms;
-allow vold fusectlfs:dir rw_dir_perms;
-
-# Handle wake locks (used for device encryption)
-wakelock_use(vold)
-
-# Allow vold to publish a binder service and make binder calls.
-binder_use(vold)
-add_service(vold, vold_service)
-
-# Allow vold to call into the system server so it can check permissions.
-binder_call(vold, system_server)
-allow vold permission_service:service_manager find;
-
-# talk to batteryservice
-binder_call(vold, healthd)
-
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
-# talk to health storage HAL
-hal_client_domain(vold, hal_health_storage)
-
-# talk to bootloader HAL
-full_treble_only(`hal_client_domain(vold, hal_bootctl)')
-
-# Access userdata block device.
-allow vold userdata_block_device:blk_file rw_file_perms;
-allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
-
-# Access metadata block device used for encryption meta-data.
-allow vold metadata_block_device:blk_file rw_file_perms;
-allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
-
-# Allow vold to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file } create_file_perms;
-allow vold unencrypted_data_file:dir create_dir_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow vold proc_drop_caches:file w_file_perms;
-
-# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir create_dir_perms;
-allow vold vold_data_file:file create_file_perms;
-
-# And a similar place in the metadata partition
-allow vold vold_metadata_file:dir create_dir_perms;
-allow vold vold_metadata_file:file create_file_perms;
-
-# linux keyring configuration
-allow vold init:key { write search setattr };
-allow vold vold:key { write search setattr };
-
-# vold temporarily changes its priority when running benchmarks
-allow vold self:global_capability_class_set sys_nice;
-
-# vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:global_capability_class_set sys_chroot;
-allow vold storage_file:dir mounton;
-
-# For AppFuse.
-allow vold fuse_device:chr_file rw_file_perms;
-allow vold fuse:filesystem { relabelfrom };
-allow vold app_fusefs:filesystem { relabelfrom relabelto };
-allow vold app_fusefs:filesystem { mount unmount };
-allow vold app_fuse_file:dir rw_dir_perms;
-allow vold app_fuse_file:file { read write open getattr append };
-
-# MoveTask.cpp executes cp and rm
-allow vold toolbox_exec:file rx_file_perms;
-
-# Prepare profile dir for users.
-allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
-
-# Raw writes to misc block device
-allow vold misc_block_device:blk_file w_file_perms;
-
-# vold might need to search or mount /mnt/vendor/*
-allow vold mnt_vendor_file:dir search;
-
-dontaudit vold self:global_capability_class_set sys_resource;
-
-# Allow ReadDefaultFstab().
-read_fstab(vold)
-
-# vold might need to search loopback apex files
-allow vold vendor_apex_file:file r_file_perms;
-
-neverallow {
- domain
- -vold
- -vold_prepare_subdirs
-} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
-
-neverallow {
- domain
- -init
- -vold
- -vold_prepare_subdirs
-} vold_data_file:dir *;
-
-neverallow {
- domain
- -init
- -vold
-} vold_metadata_file:dir *;
-
-neverallow {
- domain
- -kernel
- -vold
- -vold_prepare_subdirs
-} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -vold
- -vold_prepare_subdirs
-} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -kernel
- -vold
- -vold_prepare_subdirs
-} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
-
-neverallow { domain -vold -init } restorecon_prop:property_service set;
-
-neverallow vold {
- domain
- -hal_health_storage_server
- -hal_keymaster_server
- -system_suspend_server
- -hal_bootctl_server
- -healthd
- -hwservicemanager
- -iorapd_service
- -keystore
- -servicemanager
- -system_server
- userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow vold fsck_exec:file execute_no_trans;
-neverallow { domain -init } vold:process { transition dyntransition };
-neverallow vold *:process ptrace;
-neverallow vold *:rawip_socket *;
diff --git a/microdroid/sepolicy/system/public/vold_prepare_subdirs.te b/microdroid/sepolicy/system/public/vold_prepare_subdirs.te
deleted file mode 100644
index 3087fa8..0000000
--- a/microdroid/sepolicy/system/public/vold_prepare_subdirs.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# SELinux directory creation and labelling for vold-managed directories
-
-type vold_prepare_subdirs, domain;
-type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
-
-typeattribute vold_prepare_subdirs coredomain;
diff --git a/microdroid/sepolicy/system/public/vr_hwc.te b/microdroid/sepolicy/system/public/vr_hwc.te
deleted file mode 100644
index c146887..0000000
--- a/microdroid/sepolicy/system/public/vr_hwc.te
+++ /dev/null
@@ -1,33 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, system_file_type, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
-
-allow vr_hwc vrflinger_vsync_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/watchdogd.te b/microdroid/sepolicy/system/public/watchdogd.te
deleted file mode 100644
index 72e3685..0000000
--- a/microdroid/sepolicy/system/public/watchdogd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
-type watchdogd_exec, system_file_type, exec_type, file_type;
-
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/public/webview_zygote.te b/microdroid/sepolicy/system/public/webview_zygote.te
deleted file mode 100644
index ace3a01..0000000
--- a/microdroid/sepolicy/system/public/webview_zygote.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-type webview_zygote, domain;
-type webview_zygote_exec, exec_type, file_type;
-type webview_zygote_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/wificond.te b/microdroid/sepolicy/system/public/wificond.te
deleted file mode 100644
index 254fcbc..0000000
--- a/microdroid/sepolicy/system/public/wificond.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# wificond
-type wificond, domain;
-type wificond_exec, system_file_type, exec_type, file_type;
-
-binder_use(wificond)
-binder_call(wificond, system_server)
-binder_call(wificond, keystore)
-
-add_service(wificond, wifinl80211_service)
-
-# create sockets to set interfaces up and down
-allow wificond self:udp_socket create_socket_perms;
-# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
-allow wificond self:global_capability_class_set { net_admin net_raw };
-# allow wificond to speak to nl80211 in the kernel
-allow wificond self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-r_dir_file(wificond, proc_net_type)
-
-# allow wificond to check permission for dumping logs
-allow wificond permission_service:service_manager find;
-
-# dumpstate support
-allow wificond dumpstate:fd use;
-allow wificond dumpstate:fifo_file write;
-
-#### Offer the Wifi Keystore HwBinder service ###
-hwbinder_use(wificond)
-typeattribute wificond wifi_keystore_service_server;
-add_hwservice(wificond, system_wifi_keystore_hwservice)
-
-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
-# Allow keystore2 binder access to serve the HwBinder service.
-allow wificond wifi_key:keystore2_key {
- get_info
- use
-};
diff --git a/microdroid/sepolicy/system/public/wpantund.te b/microdroid/sepolicy/system/public/wpantund.te
deleted file mode 100644
index 8ddd693..0000000
--- a/microdroid/sepolicy/system/public/wpantund.te
+++ /dev/null
@@ -1,29 +0,0 @@
-type wpantund, domain;
-type wpantund_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(wpantund, hal_lowpan)
-net_domain(wpantund)
-
-binder_use(wpantund)
-binder_call(wpantund, system_server)
-
-# wpantund needs to be able to check in with the lowpan_service
-allow wpantund lowpan_service:service_manager find;
-
-# Allow wpantund to call any callbacks that have been registered with it.
-# Generally, only privileged apps are able to register callbacks with
-# wpantund, so we are limiting the scope for callbacks to only privileged
-# apps. We also add shell to allow the command-line utility `lowpanctl`
-# to work properly from `adb shell`.
-allow wpantund {priv_app shell}:binder call;
-
-# create sockets to set interfaces up and down, add multicast groups, etc.
-allow wpantund self:udp_socket create_socket_perms;
-
-# setting interface state up/down and changing MTU are privileged ioctls
-allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
-
-# Allow us to bring up a TUN network interface.
-allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:global_capability_class_set { net_admin net_raw };
-allow wpantund self:tun_socket create;
diff --git a/microdroid/sepolicy/system/public/zygote.te b/microdroid/sepolicy/system/public/zygote.te
deleted file mode 100644
index 071354e..0000000
--- a/microdroid/sepolicy/system/public/zygote.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# zygote
-type zygote, domain;
-type zygote_tmpfs, file_type;
-type zygote_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/vendor/hal_keymint_default.te b/microdroid/sepolicy/vendor/hal_keymint_default.te
index 3b86a1b..359ca60 100644
--- a/microdroid/sepolicy/vendor/hal_keymint_default.te
+++ b/microdroid/sepolicy/vendor/hal_keymint_default.te
@@ -4,7 +4,10 @@
type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_keymint_default)
-hal_attribute_service(hal_keymint, hal_secureclock_service)
-hal_attribute_service(hal_keymint, hal_sharedsecret_service)
+allow hal_keymint_default keystore:binder transfer;
+allow hal_keymint_default system_lib_file:file execute;
-get_prop(hal_keymint_default, vendor_security_patch_level_prop);
+allow logd hal_keymint_default:dir search;
+allow logd hal_keymint_default:file { getattr open read };
+
+get_prop(hal_keymint_default, vmsecret_keymint_prop);
diff --git a/microdroid_manager/Android.bp b/microdroid_manager/Android.bp
index 267147f..902b5da 100644
--- a/microdroid_manager/Android.bp
+++ b/microdroid_manager/Android.bp
@@ -12,12 +12,14 @@
"libanyhow",
"libkernlog",
"libkeystore2_system_property-rust",
+ "liblibc",
"liblog_rust",
"libmicrodroid_metadata",
"libmicrodroid_payload_config",
"libprotobuf",
"libserde",
"libserde_json",
+ "libvsock",
],
init_rc: ["microdroid_manager.rc"],
}
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 9bcfa67..1506142 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -19,12 +19,15 @@
use anyhow::{anyhow, bail, Result};
use keystore2_system_property::PropertyWatcher;
-use log::info;
+use log::{error, info, warn};
use microdroid_payload_config::{Task, TaskType, VmPayloadConfig};
-use std::fs;
+use std::fs::{self, File};
+use std::os::unix::io::{FromRawFd, IntoRawFd};
use std::path::Path;
-use std::process::Command;
+use std::process::{Command, Stdio};
+use std::str;
use std::time::Duration;
+use vsock::VsockStream;
const WAIT_TIMEOUT: Duration = Duration::from_secs(10);
@@ -36,9 +39,17 @@
if !metadata.payload_config_path.is_empty() {
let config = load_config(Path::new(&metadata.payload_config_path))?;
+ let fake_secret = "This is a placeholder for a value that is derived from the images that are loaded in the VM.";
+ if let Err(err) = keystore2_system_property::write("ro.vmsecret.keymint", fake_secret) {
+ warn!("failed to set ro.vmsecret.keymint: {}", err);
+ }
+
// TODO(jooyung): wait until sys.boot_completed?
if let Some(main_task) = &config.task {
- exec_task(main_task)?;
+ exec_task(main_task).map_err(|e| {
+ error!("failed to execute task: {}", e);
+ e
+ })?;
}
}
@@ -51,16 +62,38 @@
Ok(serde_json::from_reader(file)?)
}
+/// Executes the given task. Stdout of the task is piped into the vsock stream to the
+/// virtualizationservice in the host side.
fn exec_task(task: &Task) -> Result<()> {
- info!("executing main task {:?}...", task);
- let exit_status = build_command(task)?.spawn()?.wait()?;
- if exit_status.success() {
- Ok(())
- } else {
- match exit_status.code() {
- Some(code) => bail!("task exited with exit code: {}", code),
- None => bail!("task terminated by signal"),
+ const VMADDR_CID_HOST: u32 = 2;
+ const PORT_VIRT_SVC: u32 = 3000;
+ let stdout = match VsockStream::connect_with_cid_port(VMADDR_CID_HOST, PORT_VIRT_SVC) {
+ Ok(stream) => {
+ // SAFETY: the ownership of the underlying file descriptor is transferred from stream
+ // to the file object, and then into the Command object. When the command is finished,
+ // the file descriptor is closed.
+ let f = unsafe { File::from_raw_fd(stream.into_raw_fd()) };
+ Stdio::from(f)
}
+ Err(e) => {
+ error!("failed to connect to virtualization service: {}", e);
+ // Don't fail hard here. Even if we failed to connect to the virtualizationservice,
+ // we keep executing the task. This can happen if the owner of the VM doesn't register
+ // callback to accept the stream. Use /dev/null as the stdout so that the task can
+ // make progress without waiting for someone to consume the output.
+ Stdio::null()
+ }
+ };
+ info!("executing main task {:?}...", task);
+ // TODO(jiyong): consider piping the stream into stdio (and probably stderr) as well.
+ let mut child = build_command(task)?.stdout(stdout).spawn()?;
+ match child.wait()?.code() {
+ Some(0) => {
+ info!("task successfully finished");
+ Ok(())
+ }
+ Some(code) => bail!("task exited with exit code: {}", code),
+ None => bail!("task terminated by signal"),
}
}
diff --git a/tests/testapk/src/native/testbinary.cpp b/tests/testapk/src/native/testbinary.cpp
index 20519cd..1572021 100644
--- a/tests/testapk/src/native/testbinary.cpp
+++ b/tests/testapk/src/native/testbinary.cpp
@@ -45,7 +45,7 @@
Result<void> test_keystore() {
// Connect to Keystore.
ndk::SpAIBinder binder(
- AServiceManager_getService("android.system.keystore2.IKeystoreService/default"));
+ AServiceManager_waitForService("android.system.keystore2.IKeystoreService/default"));
auto service = IKeystoreService::fromBinder(binder);
if (service == nullptr) {
return Error() << "Failed to find Keystore";
@@ -170,7 +170,7 @@
}
template <typename T>
-void report_test(std::string name, Result<T> result) {
+Result<T> report_test(std::string name, Result<T> result) {
auto property = "debug.microdroid.test." + name;
std::stringstream outcome;
if (result.ok()) {
@@ -181,6 +181,7 @@
std::cout << "[" << name << "] test failed: " << result.error() << "\n";
}
__system_property_set(property.c_str(), outcome.str().c_str());
+ return result;
}
} // Anonymous namespace
@@ -198,6 +199,7 @@
printf("\n");
__system_property_set("debug.microdroid.app.run", "true");
- report_test("keystore", test_keystore());
+ if (!report_test("keystore", test_keystore()).ok()) return 1;
+
return 0;
}
diff --git a/virtualizationservice/Android.bp b/virtualizationservice/Android.bp
index 0b8f2e5..a1dba43 100644
--- a/virtualizationservice/Android.bp
+++ b/virtualizationservice/Android.bp
@@ -21,6 +21,7 @@
prefer_rlib: true,
rustlibs: [
"android.system.virtualizationservice-rust",
+ "android.os.permissions_aidl-rust",
"libandroid_logger",
"libanyhow",
"libcommand_fds",
@@ -39,6 +40,7 @@
"libuuid",
"libvmconfig",
"libzip",
+ "libvsock",
],
}
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualMachine.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualMachine.aidl
index e864414..33c9716 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualMachine.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualMachine.aidl
@@ -27,6 +27,9 @@
/**
* Register a Binder object to get callbacks when the state of the VM changes, such as if it
* dies.
+ *
+ * TODO(jiyong): this should be registered when IVirtualizationService.run is called. Otherwise,
+ * we might miss some events that happen before the registration is done.
*/
void registerCallback(IVirtualMachineCallback callback);
}
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualMachineCallback.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualMachineCallback.aidl
index 10ef31b..7bb18a4 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualMachineCallback.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualMachineCallback.aidl
@@ -23,6 +23,16 @@
*/
oneway interface IVirtualMachineCallback {
/**
+ * Called when the payload starts in the VM. `stdout` is the stdout of the payload.
+ *
+ * <p>Note: when the virtual machine object is shared to multiple processes and they register
+ * this callback to the same virtual machine object, the processes will compete to read from the
+ * same payload stdout. As a result, each process might get only a part of the entire output
+ * stream. To avoid such a case, keep only one process to read from the stdout.
+ */
+ void onPayloadStarted(int cid, in ParcelFileDescriptor stdout);
+
+ /**
* Called when the VM dies.
*
* Note that this will not be called if the VirtualizationService itself dies, so you should
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 8bdfa9d..3ebde6f 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -19,6 +19,7 @@
use crate::payload::make_payload_disk;
use crate::{Cid, FIRST_GUEST_CID};
+use android_os_permissions_aidl::aidl::android::os::IPermissionController;
use android_system_virtualizationservice::aidl::android::system::virtualizationservice::IVirtualizationService::IVirtualizationService;
use android_system_virtualizationservice::aidl::android::system::virtualizationservice::DiskImage::DiskImage;
use android_system_virtualizationservice::aidl::android::system::virtualizationservice::IVirtualMachine::{
@@ -36,36 +37,40 @@
};
use anyhow::{bail, Result};
use disk::QcowFile;
-use log::{debug, error, warn};
+use log::{debug, error, warn, info};
use microdroid_payload_config::{ApexConfig, VmPayloadConfig};
use std::convert::TryInto;
use std::ffi::CString;
use std::fs::{File, create_dir};
use std::num::NonZeroU32;
-use std::os::unix::io::AsRawFd;
+use std::os::unix::io::{AsRawFd, FromRawFd, IntoRawFd};
use std::path::{Path, PathBuf};
use std::sync::{Arc, Mutex, Weak};
use vmconfig::{VmConfig, Partition};
+use vsock::{VsockListener, SockAddr, VsockStream};
use zip::ZipArchive;
pub const BINDER_SERVICE_IDENTIFIER: &str = "android.system.virtualizationservice";
/// Directory in which to write disk image files used while running VMs.
-const TEMPORARY_DIRECTORY: &str = "/data/misc/virtualizationservice";
-
-// TODO(qwandor): Use PermissionController once it is available to Rust.
-/// Only processes running with one of these UIDs are allowed to call debug methods.
-const DEBUG_ALLOWED_UIDS: [u32; 2] = [0, 2000];
+pub const TEMPORARY_DIRECTORY: &str = "/data/misc/virtualizationservice";
/// The list of APEXes which microdroid requires.
/// TODO(b/192200378) move this to microdroid.json?
const MICRODROID_REQUIRED_APEXES: [&str; 3] =
["com.android.adbd", "com.android.i18n", "com.android.os.statsd"];
+/// The CID representing the host VM
+const VMADDR_CID_HOST: u32 = 2;
+
+/// Port number that virtualizationservice listens on connections from the guest VMs for the
+/// payload output
+const PORT_VIRT_SERVICE: u32 = 3000;
+
/// Implementation of `IVirtualizationService`, the entry point of the AIDL service.
#[derive(Debug, Default)]
pub struct VirtualizationService {
- state: Mutex<State>,
+ state: Arc<Mutex<State>>,
}
impl Interface for VirtualizationService {}
@@ -79,6 +84,7 @@
config: &VirtualMachineConfig,
log_fd: Option<&ParcelFileDescriptor>,
) -> binder::Result<Strong<dyn IVirtualMachine>> {
+ check_manage_access()?;
let state = &mut *self.state.lock().unwrap();
let log_fd = log_fd.map(clone_file).transpose()?;
let requester_uid = ThreadState::get_calling_uid();
@@ -175,6 +181,7 @@
image_fd: &ParcelFileDescriptor,
size: i64,
) -> binder::Result<()> {
+ check_manage_access()?;
let size = size.try_into().map_err(|e| {
new_binder_exception(
ExceptionCode::ILLEGAL_ARGUMENT,
@@ -235,6 +242,45 @@
}
}
+impl VirtualizationService {
+ pub fn init() -> VirtualizationService {
+ let service = VirtualizationService::default();
+ let state = service.state.clone(); // reference to state (not the state itself) is copied
+ std::thread::spawn(move || {
+ handle_connection_from_vm(state).unwrap();
+ });
+ service
+ }
+}
+
+/// Waits for incoming connections from VM. If a new connection is made, notify the event to the
+/// client via the callback (if registered).
+fn handle_connection_from_vm(state: Arc<Mutex<State>>) -> Result<()> {
+ let listener = VsockListener::bind_with_cid_port(VMADDR_CID_HOST, PORT_VIRT_SERVICE)?;
+ for stream in listener.incoming() {
+ let stream = match stream {
+ Err(e) => {
+ warn!("invalid incoming connection: {}", e);
+ continue;
+ }
+ Ok(s) => s,
+ };
+ if let Ok(SockAddr::Vsock(addr)) = stream.peer_addr() {
+ let cid = addr.cid();
+ let port = addr.port();
+ info!("connected from cid={}, port={}", cid, port);
+ if cid < FIRST_GUEST_CID {
+ warn!("connection is not from a guest VM");
+ continue;
+ }
+ if let Some(vm) = state.lock().unwrap().get_vm(cid) {
+ vm.callbacks.notify_payload_started(cid, stream);
+ }
+ }
+ }
+ Ok(())
+}
+
/// Given the configuration for a disk image, assembles the `DiskFile` to pass to crosvm.
///
/// This may involve assembling a composite disk from a set of partition images.
@@ -384,17 +430,36 @@
})
}
-/// Check whether the caller of the current Binder method is allowed to call debug methods.
-fn check_debug_access() -> binder::Result<()> {
- let uid = ThreadState::get_calling_uid();
- log::trace!("Debug method call from UID {}.", uid);
- if DEBUG_ALLOWED_UIDS.contains(&uid) {
+/// Checks whether the caller has a specific permission
+fn check_permission(perm: &str) -> binder::Result<()> {
+ let calling_pid = ThreadState::get_calling_pid();
+ let calling_uid = ThreadState::get_calling_uid();
+ // Root can do anything
+ if calling_uid == 0 {
+ return Ok(());
+ }
+ let perm_svc: Strong<dyn IPermissionController::IPermissionController> =
+ binder::get_interface("permission")?;
+ if perm_svc.checkPermission(perm, calling_pid, calling_uid as i32)? {
Ok(())
} else {
- Err(new_binder_exception(ExceptionCode::SECURITY, "Debug access denied"))
+ Err(new_binder_exception(
+ ExceptionCode::SECURITY,
+ format!("does not have the {} permission", perm),
+ ))
}
}
+/// Check whether the caller of the current Binder method is allowed to call debug methods.
+fn check_debug_access() -> binder::Result<()> {
+ check_permission("android.permission.DEBUG_VIRTUAL_MACHINE")
+}
+
+/// Check whether the caller of the current Binder method is allowed to manage VMs
+fn check_manage_access() -> binder::Result<()> {
+ check_permission("android.permission.MANAGE_VIRTUAL_MACHINE")
+}
+
/// Implementation of the AIDL `IVirtualMachine` interface. Used as a handle to a VM.
#[derive(Debug)]
struct VirtualMachine {
@@ -412,10 +477,14 @@
impl IVirtualMachine for VirtualMachine {
fn getCid(&self) -> binder::Result<i32> {
+ // Don't check permission. The owner of the VM might have passed this binder object to
+ // others.
Ok(self.instance.cid as i32)
}
fn isRunning(&self) -> binder::Result<bool> {
+ // Don't check permission. The owner of the VM might have passed this binder object to
+ // others.
Ok(self.instance.running())
}
@@ -423,6 +492,9 @@
&self,
callback: &Strong<dyn IVirtualMachineCallback>,
) -> binder::Result<()> {
+ // Don't check permission. The owner of the VM might have passed this binder object to
+ // others.
+ //
// TODO: Should this give an error if the VM is already dead?
self.instance.callbacks.add(callback.clone());
Ok(())
@@ -442,12 +514,25 @@
pub struct VirtualMachineCallbacks(Mutex<Vec<Strong<dyn IVirtualMachineCallback>>>);
impl VirtualMachineCallbacks {
+ /// Call all registered callbacks to notify that the payload has started.
+ pub fn notify_payload_started(&self, cid: Cid, stream: VsockStream) {
+ let callbacks = &*self.0.lock().unwrap();
+ // SAFETY: ownership is transferred from stream to f
+ let f = unsafe { File::from_raw_fd(stream.into_raw_fd()) };
+ let pfd = ParcelFileDescriptor::new(f);
+ for callback in callbacks {
+ if let Err(e) = callback.onPayloadStarted(cid as i32, &pfd) {
+ error!("Error notifying payload start event from VM CID {}: {}", cid, e);
+ }
+ }
+ }
+
/// Call all registered callbacks to say that the VM has died.
pub fn callback_on_died(&self, cid: Cid) {
let callbacks = &*self.0.lock().unwrap();
for callback in callbacks {
if let Err(e) = callback.onDied(cid as i32) {
- error!("Error calling callback: {}", e);
+ error!("Error notifying exit of VM CID {}: {}", cid, e);
}
}
}
@@ -492,6 +577,11 @@
self.vms.push(vm);
}
+ /// Get a VM that corresponds to the given cid
+ fn get_vm(&self, cid: Cid) -> Option<Arc<VmInstance>> {
+ self.vms().into_iter().find(|vm| vm.cid == cid)
+ }
+
/// Store a strong VM reference.
fn debug_hold_vm(&mut self, vm: Strong<dyn IVirtualMachine>) {
self.debug_held_vms.push(vm);
diff --git a/virtualizationservice/src/main.rs b/virtualizationservice/src/main.rs
index 658203b..c9cc029 100644
--- a/virtualizationservice/src/main.rs
+++ b/virtualizationservice/src/main.rs
@@ -20,10 +20,12 @@
mod gpt;
mod payload;
-use crate::aidl::{VirtualizationService, BINDER_SERVICE_IDENTIFIER};
+use crate::aidl::{VirtualizationService, BINDER_SERVICE_IDENTIFIER, TEMPORARY_DIRECTORY};
use android_system_virtualizationservice::aidl::android::system::virtualizationservice::IVirtualizationService::BnVirtualizationService;
use android_system_virtualizationservice::binder::{add_service, BinderFeatures, ProcessState};
+use anyhow::Error;
use log::{info, Level};
+use std::fs::{remove_dir_all, remove_file, read_dir};
/// The first CID to assign to a guest VM managed by the VirtualizationService. CIDs lower than this
/// are reserved for the host or other usage.
@@ -39,7 +41,9 @@
android_logger::Config::default().with_tag(LOG_TAG).with_min_level(Level::Trace),
);
- let service = VirtualizationService::default();
+ clear_temporary_files().expect("Failed to delete old temporary files");
+
+ let service = VirtualizationService::init();
let service = BnVirtualizationService::new_binder(
service,
BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
@@ -48,3 +52,17 @@
info!("Registered Binder service, joining threadpool.");
ProcessState::join_thread_pool();
}
+
+/// Remove any files under `TEMPORARY_DIRECTORY`.
+fn clear_temporary_files() -> Result<(), Error> {
+ for dir_entry in read_dir(TEMPORARY_DIRECTORY)? {
+ let dir_entry = dir_entry?;
+ let path = dir_entry.path();
+ if dir_entry.file_type()?.is_dir() {
+ remove_dir_all(path)?;
+ } else {
+ remove_file(path)?;
+ }
+ }
+ Ok(())
+}
diff --git a/vm/src/run.rs b/vm/src/run.rs
index 01fc724..184a396 100644
--- a/vm/src/run.rs
+++ b/vm/src/run.rs
@@ -30,7 +30,7 @@
use android_system_virtualizationservice::binder::{Interface, Result as BinderResult};
use anyhow::{Context, Error};
use std::fs::File;
-use std::io;
+use std::io::{self, BufRead, BufReader};
use std::os::unix::io::{AsRawFd, FromRawFd};
use std::path::Path;
use vmconfig::VmConfig;
@@ -129,7 +129,7 @@
/// If the returned DeathRecipient is dropped then this will no longer do anything.
fn wait_for_death(binder: &mut impl IBinder, dead: AtomicFlag) -> Result<DeathRecipient, Error> {
let mut death_recipient = DeathRecipient::new(move || {
- println!("VirtualizationService died");
+ eprintln!("VirtualizationService unexpectedly died");
dead.raise();
});
binder.link_to_death(&mut death_recipient)?;
@@ -144,8 +144,26 @@
impl Interface for VirtualMachineCallback {}
impl IVirtualMachineCallback for VirtualMachineCallback {
+ fn onPayloadStarted(&self, _cid: i32, stdout: &ParcelFileDescriptor) -> BinderResult<()> {
+ // Show the stdout of the payload
+ let mut reader = BufReader::new(stdout.as_ref());
+ loop {
+ let mut s = String::new();
+ match reader.read_line(&mut s) {
+ Ok(0) => break,
+ Ok(_) => print!("{}", s),
+ Err(e) => eprintln!("error reading from virtual machine: {}", e),
+ };
+ }
+ Ok(())
+ }
+
fn onDied(&self, _cid: i32) -> BinderResult<()> {
- println!("VM died");
+ // No need to explicitly report the event to the user (e.g. via println!) because this
+ // callback is registered only when the vm tool is invoked as interactive mode (e.g. not
+ // --daemonize) in which case the tool will exit to the shell prompt upon VM shutdown.
+ // Printing something will actually even confuse the user as the output from the app
+ // payload is printed.
self.dead.raise();
Ok(())
}