Leave minimal sepolicy for microdroid

Steps taken:

1) Collect the types still referenced by the *_contexts files.
2) Keep those types and remove all others.
3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil.
4) Repeat booting and adding missing types, rules, and attributes.
5) Organize types and allow rules.

Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: I1302701f67e61795474c667e8e6094d67912eea0
diff --git a/microdroid/sepolicy/system/public/adbd.te b/microdroid/sepolicy/system/public/adbd.te
index 5056b35..a41d4a3 100644
--- a/microdroid/sepolicy/system/public/adbd.te
+++ b/microdroid/sepolicy/system/public/adbd.te
@@ -1,13 +1,2 @@
-# adbd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
 type adbd, domain;
 type adbd_exec, exec_type, file_type, system_file_type;
-
-# Only init is allowed to enter the adbd domain via exec()
-neverallow { domain -init } adbd:process transition;
-neverallow * adbd:process dyntransition;
-
-# Access /data/local/tests.
-allow adbd shell_test_data_file:dir create_dir_perms;
-allow adbd shell_test_data_file:file create_file_perms;
-allow adbd shell_test_data_file:lnk_file create_file_perms;
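Review bot: Dropping `neverallow { domain -init } adbd:process transition;` and `neverallow * adbd:process dyntransition;` removes the only compile-time guarantee that nothing but init can enter the adbd domain, and a neverallow adds nothing to the built policy. The description says missing allow rules will be added iteratively while booting, and those two lines are exactly what would catch an over-broad transition grant added in a later round, so I would keep them even in the minimal policy. If `init` is not defined in the trimmed policy the rule fails to compile, which is itself the signal you want rather than a silent gap.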
diff --git a/microdroid/sepolicy/system/public/aidl_lazy_test_server.te b/microdroid/sepolicy/system/public/aidl_lazy_test_server.te
deleted file mode 100644
index 626d008..0000000
--- a/microdroid/sepolicy/system/public/aidl_lazy_test_server.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type aidl_lazy_test_server, domain;
-type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
-
-userdebug_or_eng(`
-  binder_use(aidl_lazy_test_server)
-  binder_call(aidl_lazy_test_server, binderservicedomain)
-
-  add_service(aidl_lazy_test_server, aidl_lazy_test_service)
-')
diff --git a/microdroid/sepolicy/system/public/apexd.te b/microdroid/sepolicy/system/public/apexd.te
index 53bc569..f80c1da 100644
--- a/microdroid/sepolicy/system/public/apexd.te
+++ b/microdroid/sepolicy/system/public/apexd.te
@@ -1,11 +1,5 @@
-# apexd -- manager for APEX packages
-type apexd, domain;
-type apexd_exec, exec_type, file_type, system_file_type;
+type apexd, domain, coredomain;
+type apexd_exec, file_type, exec_type, system_file_type;
 
 binder_use(apexd)
 add_service(apexd, apex_service)
-
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
-
-neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
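Review bot: The three neverallow rules removed from the end of this file pinned who may find `apex_service`, who may binder-call apexd, and that only crash_dump on debuggable builds may ptrace it; the new file keeps `add_service(apexd, apex_service)` but no longer constrains any of that. If the motivation is that `system_server` and `update_engine` no longer exist in the trimmed policy (this diff does not show either way), a narrowed form such as `neverallow { domain -init -apexd -servicemanager } apexd:binder call;` plus the ptrace rule with only crash_dump excluded keeps the guarantee without naming removed types. The reorder of `exec_type, file_type` to `file_type, exec_type` on the `apexd_exec` line is cosmetic and could be left as it was to keep the diff minimal.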
diff --git a/microdroid/sepolicy/system/public/app.te b/microdroid/sepolicy/system/public/app.te
deleted file mode 100644
index ae8d7fd..0000000
--- a/microdroid/sepolicy/system/public/app.te
+++ /dev/null
@@ -1,597 +0,0 @@
-###
-### Domain for all zygote spawned apps
-###
-### This file is the base policy for all zygote spawned apps.
-### Other policy files, such as isolated_app.te, untrusted_app.te, etc
-### extend from this policy. Only policies which should apply to ALL
-### zygote spawned apps should be added here.
-###
-type appdomain_tmpfs, file_type;
-
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
-  # Allow apps to create and write method traces in /data/misc/trace.
-  allow appdomain method_trace_data_file:dir w_dir_perms;
-  allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# For AppFuse.
-allow appdomain vold:fd use;
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
-
-# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
-allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
-    allow appdomain vendor_file_type:dir r_dir_perms;
-    allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
-    # For looking up Renderscript vendor drivers
-    allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Allow apps read / execute access to vendor public libraries.
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write map };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write map };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read map };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read map };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-allow appdomain incidentd:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Allow apps to send dump information to incidentd
-allow appdomain incidentd:fd use;
-allow appdomain incidentd:fifo_file { write getattr };
-
-# Allow apps to send information to statsd socket.
-unix_socket_send(appdomain, statsdw, statsd)
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
-  allow appdomain heapdump_data_file:file append;
-')
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
-  appdomain
-  -ephemeral_app
-  -isolated_app
-  -platform_app
-  -priv_app
-  -shell
-  -system_app
-  -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
-  auditallow {
-    appdomain
-    -ephemeral_app
-    -isolated_app
-    -platform_app
-    -priv_app
-    -shell
-    -su
-    -system_app
-    -untrusted_app_all
-  } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr map };
-allow appdomain cache_backup_file:file { read write getattr map };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read map };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-allow appdomain same_process_hal_file:file { execute read open getattr map };
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write map };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-# Read access to FDs from the DropboxManagerService.
-allow appdomain dropbox_data_file:file { getattr read };
-
-# Read tmpfs types from these processes.
-allow appdomain audioserver_tmpfs:file { getattr map read write };
-allow appdomain system_server_tmpfs:file { getattr map read write };
-allow appdomain zygote_tmpfs:file { map read };
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Access to any of the following character devices.
-neverallow appdomain {
-    audio_device
-    camera_device
-    dm_device
-    radio_device
-    rpmsg_device
-    video_device
-}:chr_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc } nfc_device:chr_file
-    { read write };
-neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
-    { read write };
-neverallow appdomain tee_device:chr_file { read write };
-
-# Privileged netlink socket interfaces.
-neverallow { appdomain -network_stack }
-    domain:{
-        netlink_tcpdiag_socket
-        netlink_nflog_socket
-        netlink_xfrm_socket
-        netlink_audit_socket
-        netlink_dnrt_socket
-    } *;
-
-# These messages are broadcast messages from the kernel to userspace.
-# Do not allow the writing of netlink messages, which has been a source
-# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow appdomain socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow appdomain adbd_socket:sock_file write;
-neverallow { appdomain -radio } rild_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# The Android security model guarantees the confidentiality and integrity
-# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components
-# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces.  llkd is excluded, as it needs ptrace access to
-# inspect stack traces for live lock conditions.
-
-neverallow {
-  domain
-  -appdomain
-  -crash_dump
-  userdebug_or_eng(`-llkd')
-} appdomain:process ptrace;
-
-# Read or write access to /proc/pid entries for any non-app domain.
-# A different form of hidepid=2 like protections
-neverallow appdomain { domain -appdomain }:file no_w_file_perms;
-neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-# -perfetto is to allow shell (which is an appdomain) to kill perfetto
-# (see private/shell.te).
-neverallow appdomain { domain -appdomain -perfetto }:process
-    { sigkill sigstop signal };
-
-# Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow appdomain exec_type:file
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts.  Define a different type for portions
-# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow appdomain drm_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_private_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_private_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell }
-    shell_data_file:dir_file_class_set
-    { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth }
-    bluetooth_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
-neverallow appdomain
-    keystore_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    systemkeys_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    wifi_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
-    dhcp_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
-    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
-
-# Access to factory files.
-neverallow appdomain efs_file:dir_file_class_set write;
-neverallow { appdomain -shell } efs_file:dir_file_class_set read;
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc }
-    sysfs:dir_file_class_set write;
-neverallow appdomain
-    proc:dir_file_class_set write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
-
-# SELinux is not an API for apps to use
-neverallow { appdomain -shell } *:security { compute_av check_context };
-neverallow { appdomain -shell } *:netlink_selinux_socket *;
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
-
-# prevent creation/manipulation of globally readable symlinks
-neverallow appdomain {
-  apk_data_file
-  cache_file
-  cache_recovery_file
-  dev_type
-  rootfs
-  system_file
-  tmpfs
-}:lnk_file no_w_file_perms;
-
-# Applications should use the activity model for receiving events
-neverallow {
-  appdomain
-  -shell # bugreport
-} input_device:chr_file ~getattr;
-
-# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
-# neverallow rules for access to Bluetooth-related data files are above.
-neverallow {
-  appdomain
-  -bluetooth
-  -system_app
-} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
-
-# Apps cannot access proc_uid_time_in_state
-neverallow appdomain proc_uid_time_in_state:file *;
-
-# Apps cannot access proc_uid_concurrent_active_time
-neverallow appdomain proc_uid_concurrent_active_time:file *;
-
-# Apps cannot access proc_uid_concurrent_policy_time
-neverallow appdomain proc_uid_concurrent_policy_time:file *;
-
-# Apps cannot access proc_uid_cpupower
-neverallow appdomain proc_uid_cpupower:file *;
-
-# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
-# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
-# perform UID lookups.
-neverallow { appdomain -shell } proc_net_tcp_udp:file *;
-
-# Apps cannot access bootstrap files. The bootstrap files are only for
-# extremely early processes (like init, etc.) which are started before
-# the runtime APEX is activated and Bionic libs are provided from there.
-# If app process accesses (or even load/execute) the bootstrap files,
-# it might cause problems such as ODR violation, etc.
-neverallow appdomain system_bootstrap_lib_file:file
-    { open read write append execute execute_no_trans map };
-neverallow appdomain system_bootstrap_lib_file:dir
-    { open read getattr search };
-
-# Allow to ro.camerax.extensions.enabled
-get_prop(appdomain, camerax_extensions_prop)
diff --git a/microdroid/sepolicy/system/public/app_zygote.te b/microdroid/sepolicy/system/public/app_zygote.te
deleted file mode 100644
index 4c1ec96..0000000
--- a/microdroid/sepolicy/system/public/app_zygote.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# app_zygote is an auxiliary zygote process that is used to spawn
-# isolated service processes for individual applications. It is
-# spawned from the regular zygote process as a "child zygote".
-
-type app_zygote, domain;
-type app_zygote_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/asan_extract.te b/microdroid/sepolicy/system/public/asan_extract.te
deleted file mode 100644
index d8a1b73..0000000
--- a/microdroid/sepolicy/system/public/asan_extract.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# asan_extract
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-with_asan(`
-  type asan_extract, domain, coredomain;
-  type asan_extract_exec, exec_type, file_type, system_file_type;
-
-  # Allow asan_extract to execute itself using #!/system/bin/sh
-  allow asan_extract shell_exec:file rx_file_perms;
-
-  # We execute log, rm, gzip and tar.
-  allow asan_extract toolbox_exec:file rx_file_perms;
-  allow asan_extract system_file:file execute_no_trans;
-
-  # asan_extract deletes old /data/lib.
-  allow asan_extract system_file:dir { open read remove_name rmdir write };
-  allow asan_extract system_file:file unlink;
-
-  # asan_extract untars ASAN libraries into /data.
-  allow asan_extract system_data_file:dir create_dir_perms ;
-  allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
-
-  # Relabel the libraries with restorecon.
-  allow asan_extract file_contexts_file:file r_file_perms;
-  allow asan_extract system_data_file:{ dir file } relabelfrom;
-  allow asan_extract system_file:dir { relabelto setattr };
-  allow asan_extract system_file:file relabelto;
-
-  # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
-  allow asan_extract system_data_file:file execute;
-')
diff --git a/microdroid/sepolicy/system/public/atrace.te b/microdroid/sepolicy/system/public/atrace.te
deleted file mode 100644
index 7327f84..0000000
--- a/microdroid/sepolicy/system/public/atrace.te
+++ /dev/null
@@ -1 +0,0 @@
-type atrace, domain, coredomain;
diff --git a/microdroid/sepolicy/system/public/attributes b/microdroid/sepolicy/system/public/attributes
index daef4bb..c82c0c8 100644
--- a/microdroid/sepolicy/system/public/attributes
+++ b/microdroid/sepolicy/system/public/attributes
@@ -323,7 +323,6 @@
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
 hal_attribute(drm);
-hal_attribute(dumpstate);
 hal_attribute(evs);
 hal_attribute(face);
 hal_attribute(fingerprint);
@@ -392,3 +391,5 @@
 
 # All types used for DSU metadata files.
 attribute gsi_metadata_file_type;
+
+attribute fusefs_type;
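Review bot: `attribute fusefs_type;` is added without the one-line comment that the neighbouring `gsi_metadata_file_type` declaration carries, and nothing in this diff assigns a type to it, so a reader cannot tell what it groups or why a minimal policy needs it. I would add a comment above it such as `# All filesystem types backed by FUSE.`, with the wording confirmed against the types that actually carry the attribute, which are outside this diff. If the file keeps its other filesystem attributes together, placing it beside them rather than after the DSU metadata section would read better, though that is a style choice.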
diff --git a/microdroid/sepolicy/system/public/audioserver.te b/microdroid/sepolicy/system/public/audioserver.te
deleted file mode 100644
index a8a33cc..0000000
--- a/microdroid/sepolicy/system/public/audioserver.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# audioserver - audio services daemon
-type audioserver, domain;
-type audioserver_tmpfs, file_type;
-
-# Allow audioserver to signal audio HAL processes and dump their stacks.
-allow audioserver hal_audio_server:process signal;
diff --git a/microdroid/sepolicy/system/public/blkid.te b/microdroid/sepolicy/system/public/blkid.te
deleted file mode 100644
index dabe014..0000000
--- a/microdroid/sepolicy/system/public/blkid.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid called from vold
-type blkid, domain;
diff --git a/microdroid/sepolicy/system/public/blkid_untrusted.te b/microdroid/sepolicy/system/public/blkid_untrusted.te
deleted file mode 100644
index 4be4c0c..0000000
--- a/microdroid/sepolicy/system/public/blkid_untrusted.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid for untrusted block devices
-type blkid_untrusted, domain;
diff --git a/microdroid/sepolicy/system/public/bluetooth.te b/microdroid/sepolicy/system/public/bluetooth.te
deleted file mode 100644
index 9b3442a..0000000
--- a/microdroid/sepolicy/system/public/bluetooth.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# bluetooth subsystem
-type bluetooth, domain;
diff --git a/microdroid/sepolicy/system/public/bootanim.te b/microdroid/sepolicy/system/public/bootanim.te
deleted file mode 100644
index 88fe173..0000000
--- a/microdroid/sepolicy/system/public/bootanim.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# bootanimation oneshot service
-type bootanim, domain;
-type bootanim_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(bootanim, hal_configstore)
-hal_client_domain(bootanim, hal_graphics_allocator)
-hal_client_domain(bootanim, hal_graphics_composer)
-
-binder_use(bootanim)
-binder_call(bootanim, surfaceflinger)
-binder_call(bootanim, audioserver)
-
-hwbinder_use(bootanim)
-
-allow bootanim gpu_device:chr_file rw_file_perms;
-
-# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
-
-allow bootanim audio_device:dir r_dir_perms;
-allow bootanim audio_device:chr_file rw_file_perms;
-
-allow bootanim audioserver_service:service_manager find;
-allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim surfaceflinger:unix_stream_socket { read write };
-
-# Allow access to ion memory allocation device
-allow bootanim ion_device:chr_file rw_file_perms;
-
-# Allow access to DMA-BUF system heap
-allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
-
-allow bootanim hal_graphics_allocator:fd use;
-
-# Fences
-allow bootanim hal_graphics_composer:fd use;
-
-# Read access to pseudo filesystems.
-allow bootanim proc_meminfo:file r_file_perms;
-
-# System file accesses.
-allow bootanim system_file:dir r_dir_perms;
diff --git a/microdroid/sepolicy/system/public/bootstat.te b/microdroid/sepolicy/system/public/bootstat.te
deleted file mode 100644
index 5079c28..0000000
--- a/microdroid/sepolicy/system/public/bootstat.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# bootstat command
-type bootstat, domain;
-type bootstat_exec, system_file_type, exec_type, file_type;
-
-read_runtime_log_tags(bootstat)
-
-# Allow persistent storage in /data/misc/bootstat.
-allow bootstat bootstat_data_file:dir rw_dir_perms;
-allow bootstat bootstat_data_file:file create_file_perms;
-
-allow bootstat metadata_file:dir search;
-allow bootstat metadata_bootstat_file:dir rw_dir_perms;
-allow bootstat metadata_bootstat_file:file create_file_perms;
-
-# ToDo: TBI move access for the following to a system health HAL
-
-# Allow access to /sys/fs/pstore/ and syslog
-allow bootstat pstorefs:dir search;
-allow bootstat pstorefs:file r_file_perms;
-allow bootstat kernel:system syslog_read;
-
-# Allow access to reading the logs to read aspects of system health
-read_logd(bootstat)
-
-# Allow bootstat write to statsd.
-unix_socket_send(bootstat, statsdw, statsd)
-
-neverallow {
-  domain
-  -bootstat
-  -init
-} system_boot_reason_prop:property_service set;
diff --git a/microdroid/sepolicy/system/public/bufferhubd.te b/microdroid/sepolicy/system/public/bufferhubd.te
deleted file mode 100644
index 37edb5d..0000000
--- a/microdroid/sepolicy/system/public/bufferhubd.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# bufferhubd
-type bufferhubd, domain, mlstrustedsubject;
-type bufferhubd_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(bufferhubd, hal_graphics_allocator)
-
-# TODO(b/112338294): remove these after migrate to Binder
-pdx_server(bufferhubd, bufferhub_client)
-pdx_client(bufferhubd, performance_client)
-
-# Access the GPU.
-allow bufferhubd gpu_device:chr_file rw_file_perms;
-
-# Access /dev/ion
-allow bufferhubd ion_device:chr_file r_file_perms;
-
-# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
-# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
-# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use pdx_client macro.
-allow bufferhubd hal_omx_server:fd use;
-
-# Codec2 is similar to OMX
-allow bufferhubd hal_codec2_server:fd use;
-
diff --git a/microdroid/sepolicy/system/public/camera_service_server.te b/microdroid/sepolicy/system/public/camera_service_server.te
deleted file mode 100644
index 352e1b7..0000000
--- a/microdroid/sepolicy/system/public/camera_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(camera_service_server, fwk_camera_hwservice)
diff --git a/microdroid/sepolicy/system/public/cameraserver.te b/microdroid/sepolicy/system/public/cameraserver.te
deleted file mode 100644
index d7451df..0000000
--- a/microdroid/sepolicy/system/public/cameraserver.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# cameraserver - camera daemon
-type cameraserver, domain;
-type cameraserver_exec, system_file_type, exec_type, file_type;
-type cameraserver_tmpfs, file_type;
-
-binder_use(cameraserver)
-binder_call(cameraserver, binderservicedomain)
-binder_call(cameraserver, appdomain)
-binder_service(cameraserver)
-
-hal_client_domain(cameraserver, hal_camera)
-
-hal_client_domain(cameraserver, hal_graphics_allocator)
-
-allow cameraserver ion_device:chr_file rw_file_perms;
-allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
-
-# Talk with graphics composer fences
-allow cameraserver hal_graphics_composer:fd use;
-
-add_service(cameraserver, cameraserver_service)
-add_hwservice(cameraserver, fwk_camera_hwservice)
-
-allow cameraserver activity_service:service_manager find;
-allow cameraserver appops_service:service_manager find;
-allow cameraserver audioserver_service:service_manager find;
-allow cameraserver batterystats_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver package_native_service:service_manager find;
-allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
-allow cameraserver sensor_privacy_service:service_manager find;
-allow cameraserver surfaceflinger_service:service_manager find;
-
-allow cameraserver hidl_token_hwservice:hwservice_manager find;
-
-###
-### neverallow rules
-###
-
-# cameraserver should never execute any executable without a
-# domain transition
-neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ udp_socket rawip_socket } *;
-neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# Allow shell commands from ADB for CTS testing/dumping
-allow cameraserver adbd:fd use;
-allow cameraserver adbd:unix_stream_socket { read write };
-allow cameraserver shell:fd use;
-allow cameraserver shell:unix_stream_socket { read write };
-allow cameraserver shell:fifo_file { read write };
-
-# Allow to talk with media codec
-allow cameraserver mediametrics_service:service_manager find;
-hal_client_domain(cameraserver, hal_codec2)
-hal_client_domain(cameraserver, hal_omx)
-hal_client_domain(cameraserver, hal_allocator)
-
-# Allow shell commands from ADB for CTS testing/dumping
-userdebug_or_eng(`
-  allow cameraserver su:fd use;
-  allow cameraserver su:fifo_file { read write };
-  allow cameraserver su:unix_stream_socket { read write };
-')
diff --git a/microdroid/sepolicy/system/public/charger.te b/microdroid/sepolicy/system/public/charger.te
deleted file mode 100644
index 37359e3..0000000
--- a/microdroid/sepolicy/system/public/charger.te
+++ /dev/null
@@ -1,40 +0,0 @@
-type charger, domain;
-type charger_exec, system_file_type, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
-
-# Allow to read /sys/class/power_supply directory
-allow charger sysfs_type:dir r_dir_perms;
-
-allow charger self:global_capability_class_set { sys_tty_config };
-allow charger self:global_capability_class_set sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Read/write to /sys/power/state
-allow charger sysfs_power:file rw_file_perms;
-
-r_dir_file(charger, sysfs_batteryinfo)
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
-hal_client_domain(charger, hal_health)
diff --git a/microdroid/sepolicy/system/public/crash_dump.te b/microdroid/sepolicy/system/public/crash_dump.te
index a6f0a94..d59b034 100644
--- a/microdroid/sepolicy/system/public/crash_dump.te
+++ b/microdroid/sepolicy/system/public/crash_dump.te
@@ -1,78 +1,2 @@
 type crash_dump, domain;
 type crash_dump_exec, system_file_type, exec_type, file_type;
-
-# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
-# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
-
-userdebug_or_eng(`
-  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-
-  # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
-  allow crash_dump kmsg_debug_device:chr_file { open append };
-')
-
-# Use inherited file descriptors
-allow crash_dump domain:fd use;
-
-# Read/write IPC pipes inherited from crashing processes.
-allow crash_dump domain:fifo_file { read write };
-
-# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { append };
-
-# Read information from /proc/$PID.
-allow crash_dump domain:process getattr;
-
-r_dir_file(crash_dump, domain)
-allow crash_dump exec_type:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow crash_dump dalvikcache_data_file:dir { search getattr };
-allow crash_dump dalvikcache_data_file:file r_file_perms;
-
-# Read APEX data directories.
-allow crash_dump apex_module_data_file:dir { getattr search };
-
-# Read APK files.
-r_dir_file(crash_dump, apk_data_file);
-
-# Read all /vendor
-r_dir_file(crash_dump, { vendor_file same_process_hal_file })
-
-# Talk to tombstoned
-unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
-
-# Talk to ActivityManager.
-unix_socket_connect(crash_dump, system_ndebug, system_server)
-
-# Append to ANR files.
-allow crash_dump anr_data_file:file { append getattr };
-
-# Append to tombstone files.
-allow crash_dump tombstone_data_file:file { append getattr };
-
-# crash_dump writes out logcat logs at the bottom of tombstones,
-# which is super useful in some cases.
-unix_socket_connect(crash_dump, logdr, logd)
-
-# Crash dump is not intended to access the following files. Since these
-# are WAI, suppress the denials to clean up the logs.
-dontaudit crash_dump {
-  core_data_file_type
-  vendor_file_type
-}:dir search;
-dontaudit crash_dump system_data_file:{ lnk_file file } read;
-dontaudit crash_dump property_type:file read;
-
-# Suppress denials for files in /proc that are passed
-# across exec().
-dontaudit crash_dump proc_type:file rw_file_perms;
-
-###
-### neverallow assertions
-###
-
-# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
-# Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
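Review bot: The new side keeps `crash_dump` and `crash_dump_exec` but drops `neverallow domain crash_dump_exec:file execute_no_trans;` together with the rest of the file. Since the two types are retained (presumably because `crash_dump_exec` is still referenced from a contexts file), that neverallow is a compile-time assertion with no runtime cost and would keep guaranteeing that any execution of the crash_dump binary goes through a domain transition; consider keeping it as the one rule in the file, `neverallow domain crash_dump_exec:file execute_no_trans;`. As far as this hunk shows, no allow rule is left that would let any domain enter `crash_dump`, which is fine for a minimal policy but deserves a comment such as `# Types kept only because they are referenced from the contexts files; no rules are granted.`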
diff --git a/microdroid/sepolicy/system/public/credstore.te b/microdroid/sepolicy/system/public/credstore.te
deleted file mode 100644
index 97d942d..0000000
--- a/microdroid/sepolicy/system/public/credstore.te
+++ /dev/null
@@ -1,19 +0,0 @@
-type credstore, domain;
-type credstore_exec, system_file_type, exec_type, file_type;
-
-# credstore daemon
-binder_use(credstore)
-binder_service(credstore)
-binder_call(credstore, system_server)
-
-allow credstore credstore_data_file:dir create_dir_perms;
-allow credstore credstore_data_file:file create_file_perms;
-
-add_service(credstore, credstore_service)
-allow credstore sec_key_att_app_id_provider_service:service_manager find;
-allow credstore dropbox_service:service_manager find;
-allow credstore authorization_service:service_manager find;
-allow credstore keystore:keystore2 get_auth_token;
-
-r_dir_file(credstore, cgroup)
-r_dir_file(credstore, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/device.te b/microdroid/sepolicy/system/public/device.te
index 686f955..8d286a6 100644
--- a/microdroid/sepolicy/system/public/device.te
+++ b/microdroid/sepolicy/system/public/device.te
@@ -1,123 +1,39 @@
-# Device types
-type device, dev_type, fs_type;
 type ashmem_device, dev_type, mlstrustedobject;
 type ashmem_libcutils_device, dev_type, mlstrustedobject;
-type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
-type vndbinder_device, dev_type;
 type block_device, dev_type;
-type camera_device, dev_type;
+type console_device, dev_type;
+type device, dev_type, fs_type;
 type dm_device, dev_type;
 type dm_user_device, dev_type;
-type keychord_device, dev_type;
+type dmabuf_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_secure_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type fuse_device, dev_type, mlstrustedobject;
+type hw_random_device, dev_type;
+type hwbinder_device, dev_type, mlstrustedobject;
+type kmsg_debug_device, dev_type;
+type kmsg_device, dev_type, mlstrustedobject;
+type kvm_device, dev_type;
 type loop_control_device, dev_type;
 type loop_device, dev_type;
-type pmsg_device, dev_type, mlstrustedobject;
-type radio_device, dev_type;
-type ram_device, dev_type;
-type rtc_device, dev_type;
-type vd_device, dev_type;
-type vold_device, dev_type;
-type console_device, dev_type;
-type fscklogs, dev_type;
-# GPU (used by most UI apps)
-type gpu_device, dev_type, mlstrustedobject;
-type graphics_device, dev_type;
-type hw_random_device, dev_type;
-type input_device, dev_type;
-type port_device, dev_type;
-type lowpan_device, dev_type;
-type mtp_device, dev_type, mlstrustedobject;
-type nfc_device, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type, mlstrustedobject;
-type kmsg_debug_device, dev_type;
 type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type, mlstrustedobject;
-type secure_element_device, dev_type;
-type sensors_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
 type owntty_device, dev_type, mlstrustedobject;
-type tty_device, dev_type;
-type video_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type, mlstrustedobject;
-type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
-type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type qtaguid_device, dev_type;
-type watchdog_device, dev_type;
-type uhid_device, dev_type, mlstrustedobject;
-type uio_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type, mlstrustedobject;
-type usb_device, dev_type, mlstrustedobject;
-type usb_serial_device, dev_type;
-type gnss_device, dev_type;
+type ppp_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
-
-# All devices have a uart for the hci
-# attach service. The uart dev node
-# varies per device. This type
-# is used in per device policy
-type hci_attach_dev, dev_type;
-
-# All devices have a rpmsg device for
-# achieving remoteproc and rpmsg modules
-type rpmsg_device, dev_type;
-
-# Partition layout block device
-type root_block_device, dev_type;
-
-# factory reset protection block device
-type frp_block_device, dev_type;
-
-# System block device mounted on /system.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
-
-# Recovery block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
-
-# boot block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
-
-# Userdata block device mounted on /data.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
-
-# Cache block device mounted on /cache.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
-
-# Block device for any swap partition.
-type swap_block_device, dev_type;
-
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
-
-# The 'misc' partition used by recovery and A/B.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
-
-# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
-
-# sdcard devices; normally vold uses the vold_block_device label and creates a
-# separate device node. gsid, however, accesses the original devide node
-# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
-
-# Userdata device file for filesystem tunables
+type ptmx_device, dev_type, mlstrustedobject;
+type ram_device, dev_type;
+type random_device, dev_type, mlstrustedobject;
+type rtc_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type uhid_device, dev_type, mlstrustedobject;
+type uio_device, dev_type;
 type userdata_sysdev, dev_type;
+type vd_device, dev_type;
+type vndbinder_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
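Review bot: Every comment in the file is dropped on the new side, including the `# Device types` header and the note on `userdata_sysdev`, while two types absent from the old side, `kvm_device` and `ppp_device`, are added with no explanation of what in the guest uses them. A header comment such as `# Device types kept to the set referenced from microdroid's contexts files` and a one-line comment on each of the two new types naming their consumer would make the list reviewable; the commit message gives that reasoning, but the file itself no longer does. The `dmabuf_*` declarations also now list `dmabuf_heap_device_type` last instead of first — harmless, but an unnecessary change to otherwise retained lines.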
diff --git a/microdroid/sepolicy/system/public/dhcp.te b/microdroid/sepolicy/system/public/dhcp.te
deleted file mode 100644
index 1d875ab..0000000
--- a/microdroid/sepolicy/system/public/dhcp.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type dhcp, domain;
-type dhcp_exec, system_file_type, exec_type, file_type;
-
-net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp cgroup_v2:dir { create write add_name };
-allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms_no_ioctl;
-allow dhcp self:netlink_route_socket nlmsg_write;
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
-
-# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
-allow dhcp toolbox_exec:file rx_file_perms;
-
-# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net_type:file write;
-
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/microdroid/sepolicy/system/public/display_service_server.te b/microdroid/sepolicy/system/public/display_service_server.te
deleted file mode 100644
index c5839fa..0000000
--- a/microdroid/sepolicy/system/public/display_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/microdroid/sepolicy/system/public/dnsmasq.te b/microdroid/sepolicy/system/public/dnsmasq.te
deleted file mode 100644
index 86f1eb1..0000000
--- a/microdroid/sepolicy/system/public/dnsmasq.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# DNS, DHCP services
-type dnsmasq, domain;
-type dnsmasq_exec, system_file_type, exec_type, file_type;
-
-net_domain(dnsmasq)
-allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
-
-# TODO:  Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
-
-allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
-
-allow dnsmasq dhcp_data_file:dir w_dir_perms;
-allow dnsmasq dhcp_data_file:file create_file_perms;
-
-# Inherit and use open files from netd.
-allow dnsmasq netd:fd use;
-allow dnsmasq netd:fifo_file { getattr read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
-allow dnsmasq netd:netlink_nflog_socket { read write };
-allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { getattr read write };
-allow dnsmasq netd:unix_dgram_socket { read write };
-allow dnsmasq netd:udp_socket { read write };
-
-# sometimes a network device vanishes and we try to load module netdev-{devicename}
-dontaudit dnsmasq kernel:system module_request;
diff --git a/microdroid/sepolicy/system/public/domain.te b/microdroid/sepolicy/system/public/domain.te
deleted file mode 100644
index 799a2f1..0000000
--- a/microdroid/sepolicy/system/public/domain.te
+++ /dev/null
@@ -1,1400 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
-    fork
-    sigchld
-    sigkill
-    sigstop
-    signull
-    signal
-    getsched
-    setsched
-    getsession
-    getpgid
-    setpgid
-    getcap
-    setcap
-    getattr
-    setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net_type:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-userdebug_or_eng(`
-  allow domain su:fd use;
-  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
-  allow domain su:unix_dgram_socket sendto;
-
-  allow { domain -init } su:binder { call transfer };
-
-  # Running something like "pm dump com.android.bluetooth" requires
-  # fifo writes
-  allow domain su:fifo_file { write getattr };
-
-  # allow "gdbserver --attach" to work for su.
-  allow domain su:process sigchld;
-
-  # Allow writing coredumps to /cores/*
-  allow domain coredump_file:file create_file_perms;
-  allow domain coredump_file:dir ra_dir_perms;
-')
-
-with_native_coverage(`
-  # Allow writing coverage information to /data/misc/trace
-  allow domain method_trace_data_file:dir create_dir_perms;
-  allow domain method_trace_data_file:file create_file_perms;
-')
-
-# Root fs.
-allow domain tmpfs:dir { getattr search };
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain dmabuf_heap_device:dir r_dir_perms;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-
-# /dev/ashmem is being deprecated by means of constraining and eventually
-# removing all "open" permissions. We preserve the other permissions.
-allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
-# This device is used by libcutils, which is accessible to everyone.
-allow domain ashmem_libcutils_device:chr_file rw_file_perms;
-
-# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-
-allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain proc_random:dir r_dir_perms;
-allow domain proc_random:file r_file_perms;
-allow domain properties_device:dir { search getattr };
-allow domain properties_serial:file r_file_perms;
-allow domain property_info:file r_file_perms;
-
-# Public readable properties
-get_prop(domain, aaudio_config_prop)
-get_prop(domain, arm64_memtag_prop)
-get_prop(domain, bootloader_prop)
-get_prop(domain, build_odm_prop)
-get_prop(domain, build_prop)
-get_prop(domain, build_vendor_prop)
-get_prop(domain, debug_prop)
-get_prop(domain, exported_config_prop)
-get_prop(domain, exported_default_prop)
-get_prop(domain, exported_dumpstate_prop)
-get_prop(domain, exported_secure_prop)
-get_prop(domain, exported_system_prop)
-get_prop(domain, fingerprint_prop)
-get_prop(domain, hal_instrumentation_prop)
-get_prop(domain, hw_timeout_multiplier_prop)
-get_prop(domain, init_service_status_prop)
-get_prop(domain, libc_debug_prop)
-get_prop(domain, logd_prop)
-get_prop(domain, mediadrm_config_prop)
-get_prop(domain, property_service_version_prop)
-get_prop(domain, soc_prop)
-get_prop(domain, socket_hook_prop)
-get_prop(domain, surfaceflinger_prop)
-get_prop(domain, telephony_status_prop)
-get_prop(domain, vendor_socket_hook_prop)
-get_prop(domain, vndk_prop)
-get_prop(domain, vold_status_prop)
-get_prop(domain, vts_config_prop)
-
-# Binder cache properties are world-readable
-get_prop(domain, binder_cache_bluetooth_server_prop)
-get_prop(domain, binder_cache_system_server_prop)
-get_prop(domain, binder_cache_telephony_server_prop)
-
-# Let everyone read log properties, so that liblog can avoid sending unloggable
-# messages to logd.
-get_prop(domain, log_property_type)
-dontaudit domain property_type:file audit_access;
-allow domain property_contexts_file:file r_file_perms;
-
-allow domain init:key search;
-allow domain vold:key search;
-
-# logd access
-write_logd(domain)
-
-# Directory/link file access for path resolution.
-allow domain {
-    system_file
-    system_lib_file
-    system_seccomp_policy_file
-    system_security_cacerts_file
-}:dir r_dir_perms;
-allow domain system_file:lnk_file { getattr read };
-
-# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
-allow domain system_seccomp_policy_file:file r_file_perms;
-# cacerts are accessible from public Java API.
-allow domain system_security_cacerts_file:file r_file_perms;
-allow domain system_group_file:file r_file_perms;
-allow domain system_passwd_file:file r_file_perms;
-allow domain system_linker_exec:file { execute read open getattr map };
-allow domain system_linker_config_file:file r_file_perms;
-allow domain system_lib_file:file { execute read open getattr map };
-# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
-allow domain system_linker_exec:lnk_file { read open getattr };
-allow domain system_lib_file:lnk_file { read open getattr };
-
-allow domain system_event_log_tags_file:file r_file_perms;
-
-allow { appdomain coredomain } system_file:file { execute read open getattr map };
-
-# Make sure system/vendor split doesn not affect non-treble
-# devices
-not_full_treble(`
-    allow domain system_file:file { execute read open getattr map };
-    allow domain vendor_file_type:dir { search getattr };
-    allow domain vendor_file_type:file { execute read open getattr map };
-    allow domain vendor_file_type:lnk_file { getattr read };
-')
-
-# All domains are allowed to open and read directories
-# that contain HAL implementations (e.g. passthrough
-# HALs require clients to have these permissions)
-allow domain vendor_hal_file:dir r_dir_perms;
-
-# Everyone can read and execute all same process HALs
-allow domain same_process_hal_file:dir r_dir_perms;
-allow {
-    domain
-    -coredomain # access is explicitly granted to individual coredomains
-} same_process_hal_file:file { execute read open getattr map };
-
-# Any process can load vndk-sp libraries, which are system libraries
-# used by same process HALs
-allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr map };
-
-# All domains get access to /vendor/etc
-allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr map };
-
-full_treble_only(`
-    # Allow all domains to be able to follow /system/vendor and/or
-    # /vendor/odm symlinks.
-    allow domain vendor_file_type:lnk_file { getattr open read };
-
-    # This is required to be able to search & read /vendor/lib64
-    # in order to lookup vendor libraries. The execute permission
-    # for coredomains is granted *only* for same process HALs
-    allow domain vendor_file:dir { getattr search };
-
-    # Allow reading and executing out of /vendor to all vendor domains
-    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
-    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
-    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
-')
-
-# read and stat any sysfs symlinks
-allow domain sysfs:lnk_file { getattr read };
-
-# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
-# timezone related information.
-# This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
-allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-r_dir_file(domain, sysfs_usb);
-
-# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
-# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
-allow domain sysfs_transparent_hugepage:dir search;
-allow domain sysfs_transparent_hugepage:file r_file_perms;
-
-# files under /data.
-not_full_treble(`
-  allow domain system_data_file:dir getattr;
-')
-allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
-allow domain system_data_root_file:dir { search getattr } ;
-allow domain system_data_file:dir search;
-# TODO restrict this to non-coredomain
-allow domain vendor_data_file:dir { getattr search };
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# /dev/cpu_variant:.*
-allow domain dev_cpu_variant:file r_file_perms;
-
-# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
-allow domain proc_perf:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_tracing_debug:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# Restrict all domains to an allowlist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
-allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
-  ioctl unpriv_unix_sock_ioctls;
-
-# Restrict PTYs to only allowed ioctls.
-# Note that granting this allowlist to domain does
-# not grant the wider ioctl permission. That must be granted
-# separately.
-allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-
-# All domains must clearly enumerate what ioctls they use
-# on filesystem objects (plain files, directories, symbolic links,
-# named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
-
-# If a domain has ioctl access to tun_device, it must clearly enumerate the
-# ioctls used. Safe defaults are listed below.
-allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
-
-# Allow a process to make a determination whether a file descriptor
-# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this allowlist to domain does not grant the ioctl permission to
-# these files. That must be granted separately.
-allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
-allowxperm domain domain:fifo_file ioctl { TCGETS };
-
-# If a domain has access to perform an ioctl on a block device, allow these
-# very common, benign ioctls
-allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
-
-# Support sqlite F2FS specific optimizations
-# ioctl permission on the specific file type is still required
-# TODO: consider only compiling these rules if we know the
-# /data partition is F2FS
-allowxperm domain { file_type sdcard_type }:file ioctl {
-  F2FS_IOC_ABORT_VOLATILE_WRITE
-  F2FS_IOC_COMMIT_ATOMIC_WRITE
-  F2FS_IOC_GET_FEATURES
-  F2FS_IOC_GET_PIN_FILE
-  F2FS_IOC_SET_PIN_FILE
-  F2FS_IOC_START_ATOMIC_WRITE
-};
-
-# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
-# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:service_manager { add find };
-
-# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
-with_asan(`allow domain system_data_file:dir getattr;')
-# Under ASAN, /system/asan.options needs to be globally accessible.
-with_asan(`allow domain system_asan_options_file:file r_file_perms;')
-
-# read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir { getattr search };
-allow domain apex_mnt_dir:lnk_file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to an allowlist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
-
-# b/68014825 and https://android-review.googlesource.com/516535
-# rfc6093 says that processes should not use the TCP urgent mechanism
-neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
-
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-
-# Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-
-# Limit device node creation to these allowed domains.
-neverallow {
-  domain
-  -kernel
-  -init
-  -ueventd
-  -vold
-} self:global_capability_class_set mknod;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:global_capability2_class_set mac_override;
-
-# Disallow attempts to set contexts not defined in current policy
-# This helps guarantee that unknown or dangerous contents will not ever
-# be set.
-neverallow * self:global_capability2_class_set mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only the kernel hwrng thread should be able to read from the HW RNG.
-neverallow {
-  domain
-  -shell # For CTS, restricted to just getattr in shell.te
-  -ueventd # To create the /dev/hw_random file
-} hw_random_device:chr_file *;
-# b/78174219 b/64114943
-neverallow {
-  domain
-  -shell # stat of /dev, getattr only
-  -ueventd
-} keychord_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-
-# The dynamic linker always calls access(2) on the path. Don't generate SElinux
-# denials since the linker does not actually access the path in case the path
-# does not exist or isn't accessible for the process.
-dontaudit domain postinstall_mnt_dir:dir audit_access;
-
-#Ensure that nothing in userspace can access /dev/port
-neverallow {
-  domain
-  -shell # Shell user should not have any abilities outside of getattr
-  -ueventd
-} port_device:chr_file *;
-neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-neverallow * vendor_init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
-
-# Do not allow renaming of block files or character files
-# Ability to do so can lead to possible use in an exploit chain
-# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-neverallow domain device:chr_file { open read write };
-
-# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-
-# The test files and executables MUST not be accessible to any domain
-neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
-neverallow domain nativetest_data_file:dir no_w_dir_perms;
-neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-
-neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
-neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
-neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Nobody should be doing writes to /system & /vendor
-# These partitions are intended to be read-only and must never be
-# modified. Doing so would violate important Android security guarantees
-# and invalidate dm-verity signatures.
-neverallow {
-    domain
-    with_asan(`-asan_extract')
-    recovery_only(`userdebug_or_eng(`-fastbootd')')
-} {
-    system_file_type
-    vendor_file_type
-    exec_type
-}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow * contextmount_type:dir_file_class_set
-    { create setattr relabelfrom relabelto append link rename };
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
-neverallow * default_android_vndservice:service_manager *;
-neverallow * default_android_hwservice:hwservice_manager *;
-
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
-# Require that domains explicitly label unknown properties, and do not allow
-# anyone but init to modify unknown properties.
-neverallow { domain -init -vendor_init } mmc_prop:property_service set;
-neverallow { domain -init -vendor_init } vndk_prop:property_service set;
-
-compatible_property_only(`
-    neverallow { domain -init } mmc_prop:property_service set;
-    neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
-    neverallow { domain -init } exported_secure_prop:property_service set;
-    neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
-    neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
-    neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
-')
-
-compatible_property_only(`
-    neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
-    neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
-')
-
-neverallow { domain -init } aac_drc_prop:property_service set;
-neverallow { domain -init } build_prop:property_service set;
-
-# Do not allow reading device's serial number from system properties except form
-# a few allowed domains.
-neverallow {
-  domain
-  -adbd
-  -dumpstate
-  -fastbootd
-  -hal_camera_server
-  -hal_cas_server
-  -hal_drm_server
-  userdebug_or_eng(`-incidentd')
-  -init
-  -mediadrmserver
-  -mediaserver
-  -recovery
-  -shell
-  -system_server
-  -vendor_init
-} serialno_prop:file r_file_perms;
-
-neverallow {
-  domain
-  -init
-  -recovery
-  -system_server
-  -shell # Shell is further restricted in shell.te
-  -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file no_rw_file_perms;
-
-# The metadata block device is set aside for device encryption and
-# verified boot metadata. It may be reset at will and should not
-# be used by other domains.
-neverallow {
-  domain
-  -init
-  -recovery
-  -vold
-  -e2fs
-  -fsck
-  -fastbootd
-} metadata_block_device:blk_file { append link rename write open read ioctl lock };
-
-# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
-neverallow {
-  domain
-  -fastbootd
-  userdebug_or_eng(`-fsck')
-  userdebug_or_eng(`-init')
-  -recovery
-  -update_engine
-} system_block_device:blk_file { write append };
-
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
-  domain
-  userdebug_or_eng(`-domain') # exclude debuggable builds
-  -fastbootd
-  -hal_bootctl_server
-  -init
-  -uncrypt
-  -update_engine
-  -vendor_init
-  -vendor_misc_writer
-  -vold
-  -recovery
-  -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-
-# system services cant add vendor services
-neverallow {
-  coredomain
-} vendor_service:service_manager add;
-
-full_treble_only(`
-  # vendor services cant add system services
-  neverallow {
-    domain
-    -coredomain
-  } {
-    service_manager_type
-    -vendor_service
-  }:service_manager add;
-')
-
-full_treble_only(`
-  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
-  # services which can change any time framework/core is updated, breakage is likely.
-  #
-  # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
-  neverallow {
-    appdomain
-    -coredomain
-  } {
-    service_manager_type
-
-    -app_api_service
-    -vendor_service # must be @VintfStability to be used by an app
-    -ephemeral_app_api_service
-
-    -apc_service
-    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-    -cameraserver_service
-    -drmserver_service
-    -credstore_service
-    -keystore_maintenance_service
-    -keystore_service
-    -legacykeystore_service
-    -mediadrmserver_service
-    -mediaextractor_service
-    -mediametrics_service
-    -mediaserver_service
-    -nfc_service
-    -radio_service
-    -virtual_touchpad_service
-    -vr_hwc_service
-    -vr_manager_service
-    userdebug_or_eng(`-hal_face_service')
-  }:service_manager find;
-')
-
-# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
-full_treble_only(`
-  neverallow {
-    coredomain
-    -shell
-    userdebug_or_eng(`-su')
-    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
-  } vndbinder_device:chr_file rw_file_perms;
-')
-full_treble_only(`
-  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
-')
-full_treble_only(`
-  neverallow {
-    coredomain
-    -shell
-    userdebug_or_eng(`-su')
-  } vndservice_manager_type:service_manager *;
-')
-full_treble_only(`
-  neverallow {
-    coredomain
-    -shell
-    userdebug_or_eng(`-su')
-  } vndservicemanager:binder *;
-')
-
-# On full TREBLE devices, socket communications between core components and vendor components are
-# not permitted.
-  # Most general rules first, more specific rules below.
-
-  # Core domains are not permitted to initiate communications to vendor domain sockets.
-  # We are not restricting the use of already established sockets because it is fine for a process
-  # to obtain an already established socket via some public/official/stable API and then exchange
-  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
-  # and thus does not break the core-vendor separation.
-full_treble_only(`
-  neverallow_establish_socket_comms({
-    coredomain
-    -init
-    -adbd
-  }, {
-    domain
-    -coredomain
-    -socket_between_core_and_vendor_violators
-  });
-')
-
-  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain # appdomain restrictions below
-    -data_between_core_and_vendor_violators # b/70393317
-    -socket_between_core_and_vendor_violators
-    -vendor_init
-  } {
-    coredomain_socket
-    core_data_file_type
-    unlabeled # used only by core domains
-  }:sock_file ~{ append getattr ioctl read write };
-')
-full_treble_only(`
-  neverallow {
-    appdomain
-    -coredomain
-  } {
-    coredomain_socket
-    unlabeled # used only by core domains
-    core_data_file_type
-    -app_data_file
-    -privapp_data_file
-    -pdx_endpoint_socket_type # used by VR layer
-    -pdx_channel_socket_type # used by VR layer
-  }:sock_file ~{ append getattr ioctl read write };
-')
-
-  # Core domains are not permitted to create/open sockets owned by vendor domains
-full_treble_only(`
-  neverallow {
-    coredomain
-    -init
-    -ueventd
-    -socket_between_core_and_vendor_violators
-  } {
-    file_type
-    dev_type
-    -coredomain_socket
-    -core_data_file_type
-    -app_data_file_type
-    -unlabeled
-  }:sock_file ~{ append getattr ioctl read write };
-')
-
-# On TREBLE devices, vendor and system components are only allowed to share
-# files by passing open FDs over hwbinder. Ban all directory access and all file
-# accesses other than what can be applied to an open FD such as
-# ioctl/stat/read/write/append. This is enforced by segregating /data.
-# Vendor domains may directly access file in /data/vendor by path, but may only
-# access files outside of /data/vendor via an open FD passed over hwbinder.
-# Likewise, core domains may only directly access files outside /data/vendor by
-# path and files in /data/vendor by open FD.
-full_treble_only(`
-  # only coredomains may only access core_data_file_type, particularly not
-  # /data/vendor
-  neverallow {
-    coredomain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -data_between_core_and_vendor_violators
-    -init
-    -vold_prepare_subdirs
-  } {
-    data_file_type
-    -core_data_file_type
-    -app_data_file_type
-  }:file_class_set ~{ append getattr ioctl read write map };
-')
-full_treble_only(`
-  neverallow {
-    coredomain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -data_between_core_and_vendor_violators
-    -init
-    -vold_prepare_subdirs
-    } {
-      data_file_type
-      -core_data_file_type
-      -app_data_file_type
-      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
-      # neverallow. Currently only getattr and search are allowed.
-      -vendor_data_file
-    }:dir *;
-
-')
-full_treble_only(`
-  # vendor domains may only access files in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    -vendor_init
-  } {
-    core_data_file_type
-    # libc includes functions like mktime and localtime which attempt to access
-    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
-    # These functions are considered vndk-stable and thus must be allowed for
-    # all processes.
-    -zoneinfo_data_file
-    with_native_coverage(`-method_trace_data_file')
-  }:file_class_set ~{ append getattr ioctl read write map };
-  neverallow {
-    vendor_init
-    -data_between_core_and_vendor_violators
-  } {
-    core_data_file_type
-    -unencrypted_data_file
-    -zoneinfo_data_file
-    with_native_coverage(`-method_trace_data_file')
-  }:file_class_set ~{ append getattr ioctl read write map };
-  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
-  # The vendor init binary lives on the system partition so there is not a concern with stability.
-  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
-')
-full_treble_only(`
-  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators
-    -vendor_init
-  } {
-    core_data_file_type
-    -system_data_file # default label for files on /data. Covered below...
-    -system_data_root_file
-    -vendor_data_file
-    -zoneinfo_data_file
-    with_native_coverage(`-method_trace_data_file')
-  }:dir *;
-  neverallow {
-    vendor_init
-    -data_between_core_and_vendor_violators
-  } {
-    core_data_file_type
-    -unencrypted_data_file
-    -system_data_file
-    -system_data_root_file
-    -vendor_data_file
-    -zoneinfo_data_file
-    with_native_coverage(`-method_trace_data_file')
-  }:dir *;
-  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
-  # The vendor init binary lives on the system partition so there is not a concern with stability.
-  neverallow vendor_init unencrypted_data_file:dir ~search;
-')
-full_treble_only(`
-  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    } {
-      system_data_file # default label for files on /data. Covered below
-    }:dir ~{ getattr search };
-')
-
-full_treble_only(`
-  #  coredomains may not access dirs in /data/vendor.
-  neverallow {
-    coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    -init
-    -vold # vold creates per-user storage for both system and vendor
-    -vold_prepare_subdirs
-    } {
-      vendor_data_file # default label for files on /data. Covered below
-    }:dir ~{ getattr search };
-')
-
-full_treble_only(`
-  #  coredomains may not access dirs in /data/vendor.
-  neverallow {
-    coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    -init
-    } {
-      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
-    }:file_class_set ~{ append getattr ioctl read write map };
-')
-
-full_treble_only(`
-    # Non-vendor domains are not allowed to file execute shell
-    # from vendor
-    neverallow {
-        coredomain
-        -init
-        -shell
-        -ueventd
-    } vendor_shell_exec:file { execute execute_no_trans };
-')
-
-full_treble_only(`
-    # Do not allow vendor components to execute files from system
-    # except for the ones allowed here.
-    neverallow {
-        domain
-        -coredomain
-        -appdomain
-        -vendor_executes_system_violators
-        -vendor_init
-    } {
-        system_file_type
-        -system_lib_file
-        -system_linker_exec
-        -crash_dump_exec
-        -iorap_prefetcherd_exec
-        -iorap_inode2filename_exec
-        -netutils_wrapper_exec
-        userdebug_or_eng(`-tcpdump_exec')
-    }:file { entrypoint execute execute_no_trans };
-')
-
-full_treble_only(`
-    # Do not allow coredomain to access entrypoint for files other
-    # than system_file_type and postinstall_file
-    neverallow coredomain {
-        file_type
-        -system_file_type
-        -postinstall_file
-    }:file entrypoint;
-    # Do not allow domains other than coredomain to access entrypoint
-    # for anything but vendor_file_type and init_exec for vendor_init.
-    neverallow { domain -coredomain } {
-        file_type
-        -vendor_file_type
-        -init_exec
-    }:file entrypoint;
-')
-
-full_treble_only(`
-    # Do not allow system components to execute files from vendor
-    # except for the ones allowed here.
-    neverallow {
-      coredomain
-      -init
-      -shell
-      -system_executes_vendor_violators
-      -ueventd
-    } {
-      vendor_file_type
-      -same_process_hal_file
-      -vndk_sp_file
-      -vendor_app_file
-      -vendor_public_framework_file
-      -vendor_public_lib_file
-    }:file execute;
-')
-
-full_treble_only(`
-    neverallow {
-      coredomain
-      -shell
-      -system_executes_vendor_violators
-    } {
-      vendor_file_type
-      -same_process_hal_file
-    }:file execute_no_trans;
-')
-
-full_treble_only(`
-  # Do not allow vendor components access to /system files except for the
-  # ones allowed here.
-  neverallow {
-    domain
-    -appdomain
-    -coredomain
-    -vendor_executes_system_violators
-    # vendor_init needs access to init_exec for domain transition. vendor_init
-    # neverallows are covered in public/vendor_init.te
-    -vendor_init
-  } {
-    system_file_type
-    -crash_dump_exec
-    -file_contexts_file
-    -iorap_inode2filename_exec
-    -netutils_wrapper_exec
-    -property_contexts_file
-    -system_event_log_tags_file
-    -system_group_file
-    -system_lib_file
-    with_asan(`-system_asan_options_file')
-    -system_linker_exec
-    -system_linker_config_file
-    -system_passwd_file
-    -system_seccomp_policy_file
-    -system_security_cacerts_file
-    -system_zoneinfo_file
-    -task_profiles_api_file
-    -task_profiles_file
-    userdebug_or_eng(`-tcpdump_exec')
-  }:file *;
-')
-
-# Only system_server should be able to send commands via the zygote socket
-neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } zygote_socket:sock_file write;
-
-neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } webview_zygote:sock_file write;
-neverallow { domain -system_server } app_zygote:sock_file write;
-
-neverallow {
-  domain
-  -tombstoned
-  -crash_dump
-  -dumpstate
-  -incidentd
-  -system_server
-
-  # Processes that can't exec crash_dump
-  -hal_codec2_server
-  -hal_omx_server
-  -mediaextractor
-} tombstoned_crash_socket:unix_stream_socket connectto;
-
-# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
-# the tombstoned intercept socket.
-neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
-neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
-
-# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
-neverallow { domain -init -system_server } heapdump_data_file:file read;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only dumpstate, shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
-  file_type
-  -apk_data_file
-  -app_data_file
-  -asec_public_file
-}:file execmod;
-
-# Do not allow making the stack or heap executable.
-# We would also like to minimize execmem but it seems to be
-# required by some device-specific service domains.
-neverallow * self:process { execstack execheap };
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
-  domain
-  -system_server
-  -system_app
-  -init
-  -toolbox # TODO(b/141108496) We want to remove toolbox
-  -installd # for relabelfrom and unlink, check for this in explicit neverallow
-  -vold_prepare_subdirs # For unlink
-  with_asan(`-asan_extract')
-} system_data_file:file no_w_file_perms;
-# do not grant anything greater than r_file_perms and relabelfrom unlink
-# to installd
-neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-
-# respect system_app sandboxes
-neverallow {
-  domain
-  -appdomain # finer-grained rules for appdomain are listed below
-  -system_server #populate com.android.providers.settings/databases/settings.db.
-  -installd # creation of app sandbox
-  -iorap_inode2filename
-  -traced_probes # resolve inodes for i/o tracing.
-                 # only needs open and read, the rest is neverallow in
-                 # traced_probes.te.
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
-  isolated_app
-  untrusted_app_all # finer-grained rules for appdomain are listed below
-  ephemeral_app
-  priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
-  domain
-  -adbd
-  -init
-  -runas
-  -zygote
-} shell:process { transition dyntransition };
-
-# Only domains spawned from zygote, runas and simpleperf_app_runner may have
-# the appdomain attribute. simpleperf is excluded as a domain transitioned to
-# when running an app-scoped profiling session.
-neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
-  appdomain -shell -simpleperf userdebug_or_eng(`-su')
-}:process { transition dyntransition };
-
-# Minimize read access to shell- or app-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
-  domain
-  -appdomain
-  -installd
-} { app_data_file privapp_data_file }:lnk_file read;
-
-neverallow {
-  domain
-  -shell
-  userdebug_or_eng(`-uncrypt')
-  -installd
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-neverallow {
-  domain
-  -adbd
-  -dumpstate
-  -installd
-  -init
-  -shell
-  -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
-  domain
-  -adbd
-  -appdomain
-  -dumpstate
-  -init
-  -installd
-  -iorap_inode2filename
-  -simpleperf_app_runner
-  -system_server # why?
-  userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
-  domain
-  -adbd
-  -appdomain
-  -dumpstate
-  -installd
-  userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
-# servicemanager and vndservicemanager are the only processes which handle the
-# service_manager list request
-neverallow * ~{
-    servicemanager
-    vndservicemanager
-    }:service_manager list;
-
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
-    hwservicemanager
-    }:hwservice_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-# TODO: fix dumpstate
-neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
-
-# Do not allow executable files in debugfs.
-neverallow domain debugfs_type:file { execute execute_no_trans };
-
-# Don't allow access to the FUSE control filesystem, except to vold and init's
-neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
-
-# Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
-neverallow {
-  domain
-  -installd
-  -profman
-} profman_exec:file no_x_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
-
-# Only allow filesystem caps to be set at build time. Runtime changes
-# to filesystem capabilities are not permitted.
-neverallow * self:global_capability_class_set setfcap;
-
-# Enforce AT_SECURE for executing crash_dump.
-neverallow domain crash_dump:process noatsecure;
-
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
-
-# If an already existing file is opened with O_CREAT, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-
-# These filesystems don't allow files or directories to be created, so the permission
-# to do so should never be granted.
-neverallow domain {
-  proc_type
-  sysfs_type
-}:dir { add_name create link remove_name rename reparent rmdir write };
-
-# cgroupfs directories can be created, but not files within them.
-neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
-
-dontaudit domain proc_type:dir write;
-dontaudit domain sysfs_type:dir write;
-dontaudit domain cgroup:file create;
-dontaudit domain cgroup_v2:file create;
-
-# These are only needed in permissive mode - in enforcing mode the
-# directory write check fails and so these are never attempted.
-userdebug_or_eng(`
-  dontaudit domain proc_type:dir add_name;
-  dontaudit domain sysfs_type:dir add_name;
-  dontaudit domain proc_type:file create;
-  dontaudit domain sysfs_type:file create;
-')
-
-# Platform must not have access to /mnt/vendor.
-neverallow {
-  coredomain
-  -init
-  -ueventd
-  -vold
-  -system_writes_mnt_vendor_violators
-} mnt_vendor_file:dir *;
-
-# Only apps are allowed access to vendor public libraries.
-full_treble_only(`
-  neverallow {
-    coredomain
-    -appdomain
-  } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
-')
-
-# Vendor domian must not have access to /mnt/product.
-neverallow {
-  domain
-  -coredomain
-} mnt_product_file:dir *;
-
-# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
-full_treble_only(`
-  neverallow {
-    coredomain
-    -healthd
-    -shell
-    # Generate uevents for health info
-    -ueventd
-    # Recovery uses health HAL passthrough implementation.
-    -recovery
-    # Charger uses health HAL passthrough implementation.
-    -charger
-    # TODO(b/110891300): remove this exception
-    -incidentd
-  } sysfs_batteryinfo:file { open read };
-')
-
-neverallow {
-  domain
-  -hal_codec2_server
-  -hal_omx_server
-} hal_codec2_hwservice:hwservice_manager add;
-
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
-  domain
-  -ephemeral_app # We don't distinguish ephemeral apps based on target API.
-  -untrusted_app_25
-  -untrusted_app_27
-} ashmem_device:chr_file open;
-
-neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/microdroid/sepolicy/system/public/drmserver.te b/microdroid/sepolicy/system/public/drmserver.te
deleted file mode 100644
index eede0fc..0000000
--- a/microdroid/sepolicy/system/public/drmserver.te
+++ /dev/null
@@ -1,65 +0,0 @@
-# drmserver - DRM service
-type drmserver, domain;
-type drmserver_exec, system_file_type, exec_type, file_type;
-
-typeattribute drmserver mlstrustedsubject;
-
-net_domain(drmserver)
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
-binder_call(drmserver, mediametrics)
-binder_service(drmserver)
-# Inherit or receive open files from system_server.
-allow drmserver system_server:fd use;
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
-allow drmserver sdcard_type:file { read write getattr map };
-r_dir_file(drmserver, efs_file)
-
-type drmserver_socket, file_type;
-
-# /data/app/tlcd_sock socket file.
-# Clearly, /data/app is the most logical place to create a socket.  Not.
-allow drmserver apk_data_file:dir rw_dir_perms;
-auditallow drmserver apk_data_file:dir { add_name write };
-allow drmserver drmserver_socket:sock_file create_file_perms;
-auditallow drmserver drmserver_socket:sock_file create;
-# Delete old socket file if present.
-allow drmserver apk_data_file:sock_file unlink;
-
-# After taking a video, drmserver looks at the video file.
-r_dir_file(drmserver, media_rw_data_file)
-
-# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr map };
-allow drmserver asec_apk_file:file { read getattr map };
-allow drmserver ringtone_file:file { read getattr map };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr map };
-
-# /oem access
-allow drmserver oemfs:dir search;
-allow drmserver oemfs:file r_file_perms;
-
-# overlay package access
-allow drmserver vendor_overlay_file:file { read map };
-
-add_service(drmserver, drmserver_service)
-allow drmserver permission_service:service_manager find;
-allow drmserver mediametrics_service:service_manager find;
-
-selinux_check_access(drmserver)
-
-r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, cgroup_v2)
-r_dir_file(drmserver, system_file)
diff --git a/microdroid/sepolicy/system/public/dumpstate.te b/microdroid/sepolicy/system/public/dumpstate.te
deleted file mode 100644
index 85a5796..0000000
--- a/microdroid/sepolicy/system/public/dumpstate.te
+++ /dev/null
@@ -1,394 +0,0 @@
-# dumpstate
-type dumpstate, domain, mlstrustedsubject;
-type dumpstate_exec, system_file_type, exec_type, file_type;
-
-net_domain(dumpstate)
-binder_use(dumpstate)
-wakelock_use(dumpstate)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
-
-# Allow dumpstate to scan through /proc/pid for all processes
-r_dir_file(dumpstate, domain)
-
-allow dumpstate self:global_capability_class_set {
-    # Send signals to processes
-    kill
-    # Run iptables
-    net_raw
-    net_admin
-};
-
-# Allow executing files on system, such as:
-#   /system/bin/toolbox
-#   /system/bin/logcat
-#   /system/bin/dumpsys
-allow dumpstate system_file:file execute_no_trans;
-not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
-allow dumpstate toolbox_exec:file rx_file_perms;
-
-# hidl searches for files in /system/lib(64)/hw/
-allow dumpstate system_file:dir r_dir_perms;
-
-# Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
-allow dumpstate anr_data_file:dir rw_dir_perms;
-allow dumpstate anr_data_file:file create_file_perms;
-
-# Allow reading /data/system/uiderrors.txt
-# TODO: scope this down.
-allow dumpstate system_data_file:file r_file_perms;
-
-# Allow dumpstate to append into apps' private files.
-allow dumpstate { privapp_data_file app_data_file }:file append;
-
-# Read dmesg
-allow dumpstate self:global_capability2_class_set syslog;
-allow dumpstate kernel:system syslog_read;
-
-# Read /sys/fs/pstore/console-ramoops
-allow dumpstate pstorefs:dir r_dir_perms;
-allow dumpstate pstorefs:file r_file_perms;
-
-# Get process attributes
-allow dumpstate domain:process getattr;
-
-# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server zygote }:process signal;
-
-# Signal native processes to dump their stack.
-allow dumpstate {
-  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
-  audioserver
-  cameraserver
-  drmserver
-  inputflinger
-  mediadrmserver
-  mediaextractor
-  mediametrics
-  mediaserver
-  mediaswcodec
-  sdcardd
-  surfaceflinger
-  vold
-
-  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
-  hal_audio_server
-  hal_audiocontrol_server
-  hal_bluetooth_server
-  hal_camera_server
-  hal_codec2_server
-  hal_drm_server
-  hal_evs_server
-  hal_face_server
-  hal_fingerprint_server
-  hal_graphics_allocator_server
-  hal_graphics_composer_server
-  hal_health_server
-  hal_neuralnetworks_server
-  hal_omx_server
-  hal_power_server
-  hal_power_stats_server
-  hal_sensors_server
-  hal_thermal_server
-  hal_vehicle_server
-  hal_vr_server
-  system_suspend_server
-}:process signal;
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-
-# Access to /sys
-allow dumpstate sysfs_type:dir r_dir_perms;
-
-allow dumpstate {
-  sysfs_devices_block
-  sysfs_dm
-  sysfs_loop
-  sysfs_usb
-  sysfs_zram
-}:file r_file_perms;
-
-# Other random bits of data we want to collect
-no_debugfs_restriction(`
-  allow dumpstate debugfs:file r_file_perms;
-  auditallow dumpstate debugfs:file r_file_perms;
-
-  allow dumpstate debugfs_mmc:file r_file_perms;
-')
-
-# df for
-allow dumpstate {
-  block_device
-  cache_file
-  metadata_file
-  rootfs
-  selinuxfs
-  storage_file
-  tmpfs
-}:dir { search getattr };
-allow dumpstate fuse_device:chr_file getattr;
-allow dumpstate { dm_device cache_block_device }:blk_file getattr;
-allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
-
-# Read /dev/cpuctl and /dev/cpuset
-r_dir_file(dumpstate, cgroup)
-r_dir_file(dumpstate, cgroup_v2)
-
-# Allow dumpstate to make binder calls to any binder service
-binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
-
-dump_hal(hal_dumpstate)
-dump_hal(hal_wifi)
-dump_hal(hal_graphics_allocator)
-dump_hal(hal_light)
-dump_hal(hal_neuralnetworks)
-dump_hal(hal_thermal)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_identity)
-dump_hal(hal_face)
-dump_hal(hal_fingerprint)
-dump_hal(hal_gnss)
-
-# Vibrate the device after we are done collecting the bugreport
-hal_client_domain(dumpstate, hal_vibrator)
-
-# Reading /proc/PID/maps of other processes
-allow dumpstate self:global_capability_class_set sys_ptrace;
-
-# Allow the bugreport service to create a file in
-# /data/data/com.android.shell/files/bugreports/bugreport
-allow dumpstate shell_data_file:dir create_dir_perms;
-allow dumpstate shell_data_file:file create_file_perms;
-
-# Run a shell.
-allow dumpstate shell_exec:file rx_file_perms;
-
-# For running am and similar framework commands.
-# Run /system/bin/app_process.
-allow dumpstate zygote_exec:file rx_file_perms;
-
-# For Bluetooth
-allow dumpstate bluetooth_data_file:dir search;
-allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
-allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-
-# For Nfc
-allow dumpstate nfc_logs_data_file:dir r_dir_perms;
-allow dumpstate nfc_logs_data_file:file r_file_perms;
-
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
-# logd access
-read_logd(dumpstate)
-control_logd(dumpstate)
-read_runtime_log_tags(dumpstate)
-
-# Read files in /proc
-allow dumpstate {
-  proc_buddyinfo
-  proc_cmdline
-  proc_meminfo
-  proc_modules
-  proc_net_type
-  proc_pipe_conf
-  proc_pagetypeinfo
-  proc_qtaguid_ctrl
-  proc_qtaguid_stat
-  proc_slabinfo
-  proc_version
-  proc_vmallocinfo
-  proc_vmstat
-}:file r_file_perms;
-
-# Read network state info files.
-allow dumpstate net_data_file:dir search;
-allow dumpstate net_data_file:file r_file_perms;
-
-# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Access /data/tombstones.
-allow dumpstate tombstone_data_file:dir r_dir_perms;
-allow dumpstate tombstone_data_file:file r_file_perms;
-
-# Access /cache/recovery
-allow dumpstate cache_recovery_file:dir r_dir_perms;
-allow dumpstate cache_recovery_file:file r_file_perms;
-
-# Access /data/misc/recovery
-allow dumpstate recovery_data_file:dir r_dir_perms;
-allow dumpstate recovery_data_file:file r_file_perms;
-
-#Access /data/misc/update_engine_log
-allow dumpstate update_engine_log_data_file:dir r_dir_perms;
-allow dumpstate update_engine_log_data_file:file r_file_perms;
-
-# Access /data/misc/profiles/{cur,ref}/
-userdebug_or_eng(`
-  allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
-  allow dumpstate user_profile_data_file:file r_file_perms;
-')
-
-# Access /data/misc/logd
-allow dumpstate misc_logd_file:dir r_dir_perms;
-allow dumpstate misc_logd_file:file r_file_perms;
-
-# Access /data/misc/prereboot
-allow dumpstate prereboot_data_file:dir r_dir_perms;
-allow dumpstate prereboot_data_file:file r_file_perms;
-
-allow dumpstate app_fuse_file:dir r_dir_perms;
-allow dumpstate overlayfs_file:dir r_dir_perms;
-
-allow dumpstate {
-  service_manager_type
-  -apex_service
-  -dumpstate_service
-  -gatekeeper_service
-  -virtual_touchpad_service
-  -vold_service
-  -vr_hwc_service
-  -default_android_service
-}:service_manager find;
-# suppress denials for services dumpstate should not be accessing.
-dontaudit dumpstate {
-  apex_service
-  dumpstate_service
-  gatekeeper_service
-  virtual_touchpad_service
-  vold_service
-  vr_hwc_service
-}:service_manager find;
-
-# Most of these are neverallowed.
-dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
-
-allow dumpstate servicemanager:service_manager list;
-allow dumpstate hwservicemanager:hwservice_manager list;
-
-allow dumpstate devpts:chr_file rw_file_perms;
-
-# Read any system properties
-get_prop(dumpstate, property_type)
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow dumpstate media_rw_data_file:dir getattr;
-allow dumpstate proc_interrupts:file r_file_perms;
-allow dumpstate proc_zoneinfo:file r_file_perms;
-
-# Create a service for talking back to system_server
-add_service(dumpstate, dumpstate_service)
-
-# use /dev/ion for screen capture
-allow dumpstate ion_device:chr_file r_file_perms;
-
-# Allow dumpstate to run top
-allow dumpstate proc_stat:file r_file_perms;
-
-allow dumpstate proc_pressure_cpu:file r_file_perms;
-allow dumpstate proc_pressure_mem:file r_file_perms;
-allow dumpstate proc_pressure_io:file r_file_perms;
-
-# Allow dumpstate to run ps
-allow dumpstate proc_pid_max:file r_file_perms;
-
-# Allow dumpstate to talk to installd over binder
-binder_call(dumpstate, installd);
-
-# Allow dumpstate to talk to iorapd over binder.
-binder_call(dumpstate, iorapd)
-
-# Allow dumpstate to run ip xfrm policy
-allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Allow dumpstate to run iotop
-allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4) have a new class for sockets
-allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# Allow dumpstate to run ss
-allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
-
-# Allow dumpstate to read linkerconfig directory
-allow dumpstate linkerconfig_file:dir { read open };
-
-# For when dumpstate runs df
-dontaudit dumpstate {
-  mnt_vendor_file
-  mirror_data_file
-  mnt_user_file
-}:dir search;
-dontaudit dumpstate {
-  apex_mnt_dir
-  linkerconfig_file
-  mirror_data_file
-  mnt_user_file
-}:dir getattr;
-
-# Allow dumpstate to talk to bufferhubd over binder
-binder_call(dumpstate, bufferhubd);
-
-# Allow dumpstate to talk to mediaswcodec over binder
-binder_call(dumpstate, mediaswcodec);
-
-# Allow dumpstate to talk to these stable AIDL services over binder
-binder_call(dumpstate, hal_rebootescrow_server)
-allow hal_rebootescrow_server dumpstate:fifo_file write;
-allow hal_rebootescrow_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_authsecret_server)
-allow hal_authsecret_server dumpstate:fifo_file write;
-allow hal_authsecret_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_keymint_server)
-allow hal_keymint_server dumpstate:fifo_file write;
-allow hal_keymint_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_memtrack_server)
-allow hal_memtrack_server dumpstate:fifo_file write;
-allow hal_memtrack_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_oemlock_server)
-allow hal_oemlock_server dumpstate:fifo_file write;
-allow hal_oemlock_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_weaver_server)
-allow hal_weaver_server dumpstate:fifo_file write;
-allow hal_weaver_server dumpstate:fd use;
-
-#Access /data/misc/snapshotctl_log
-allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
-allow dumpstate snapshotctl_log_data_file:file r_file_perms;
-
-#Allow access to /dev/binderfs/binder_logs
-allow dumpstate binderfs_logs:dir r_dir_perms;
-allow dumpstate binderfs_logs:file r_file_perms;
-allow dumpstate binderfs_logs_proc:file r_file_perms;
-
-allow dumpstate apex_info_file:file getattr;
-
-###
-### neverallow rules
-###
-
-# dumpstate has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow dumpstate *:process ptrace;
-
-# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
-neverallow {
-  domain
-  -system_server
-  -shell
-  -traceur_app
-  -dumpstate
-} dumpstate_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/e2fs.te b/microdroid/sepolicy/system/public/e2fs.te
deleted file mode 100644
index fe8b2ba..0000000
--- a/microdroid/sepolicy/system/public/e2fs.te
+++ /dev/null
@@ -1,32 +0,0 @@
-type e2fs, domain, coredomain;
-type e2fs_exec, system_file_type, exec_type, file_type;
-
-allow e2fs devpts:chr_file { read write getattr ioctl };
-
-allow e2fs dev_type:blk_file getattr;
-allow e2fs block_device:dir search;
-allow e2fs userdata_block_device:blk_file rw_file_perms;
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-allow e2fs dm_device:blk_file rw_file_perms;
-allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
-  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-
-# Allow e2fs to format /dev/block/vd*
-allow e2fs vd_device:blk_file rw_file_perms;
-allowxperm e2fs vd_device:blk_file ioctl {
-  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-
-allow e2fs {
-  proc_filesystems
-  proc_mounts
-  proc_swaps
-}:file r_file_perms;
-
-# access /sys/fs/ext4/features
-allow e2fs sysfs_fs_ext4_features:dir search;
-allow e2fs sysfs_fs_ext4_features:file r_file_perms;
-
-# access SELinux context files
-allow e2fs file_contexts_file:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/ephemeral_app.te b/microdroid/sepolicy/system/public/ephemeral_app.te
deleted file mode 100644
index dc39a22..0000000
--- a/microdroid/sepolicy/system/public/ephemeral_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-type ephemeral_app, domain;
diff --git a/microdroid/sepolicy/system/public/fastbootd.te b/microdroid/sepolicy/system/public/fastbootd.te
deleted file mode 100644
index e167a5e..0000000
--- a/microdroid/sepolicy/system/public/fastbootd.te
+++ /dev/null
@@ -1,118 +0,0 @@
-# fastbootd (used in recovery init.rc for /sbin/fastbootd)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type fastbootd, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise fastbootd is only allowed the domain rules.
-recovery_only(`
-  # fastbootd can only use HALs in passthrough mode
-  passthrough_hal_client_domain(fastbootd, hal_bootctl)
-
-  # Access /dev/usb-ffs/fastbootd/ep0
-  allow fastbootd functionfs:dir search;
-  allow fastbootd functionfs:file rw_file_perms;
-
-  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
-  # Log to serial
-  allow fastbootd kmsg_device:chr_file { open getattr write };
-
-  # battery info
-  allow fastbootd sysfs_batteryinfo:file r_file_perms;
-
-  allow fastbootd device:dir r_dir_perms;
-
-  # For dev/block/by-name dir
-  allow fastbootd block_device:dir r_dir_perms;
-
-  # Needed for DM_DEV_CREATE ioctl call
-  allow fastbootd self:capability sys_admin;
-
-  unix_socket_connect(fastbootd, recovery, recovery)
-
-  # Required for flashing
-  allow fastbootd dm_device:chr_file rw_file_perms;
-  allow fastbootd dm_device:blk_file rw_file_perms;
-
-  allow fastbootd cache_block_device:blk_file rw_file_perms;
-  allow fastbootd super_block_device_type:blk_file rw_file_perms;
-  allow fastbootd {
-    boot_block_device
-    metadata_block_device
-    system_block_device
-    userdata_block_device
-  }:blk_file { w_file_perms getattr ioctl };
-
-  # For disabling/wiping GSI, and for modifying/deleting files created via
-  # libfiemap.
-  allow fastbootd metadata_block_device:blk_file r_file_perms;
-  allow fastbootd {rootfs tmpfs}:dir mounton;
-  allow fastbootd metadata_file:dir { search getattr mounton };
-  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
-  allow fastbootd gsi_metadata_file_type:file create_file_perms;
-
-  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
-  allowxperm fastbootd {
-    metadata_block_device
-    userdata_block_device
-    dm_device
-    cache_block_device
-  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-
-  allow fastbootd misc_block_device:blk_file rw_file_perms;
-
-  allow fastbootd proc_cmdline:file r_file_perms;
-  allow fastbootd rootfs:dir r_dir_perms;
-
-  # Needed to read fstab node from device tree.
-  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
-  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
-
-  # Needed because libdm reads sysfs to validate when a dm path is ready.
-  r_dir_file(fastbootd, sysfs_dm)
-
-  # Needed for realpath() call to resolve symlinks.
-  allow fastbootd block_device:dir getattr;
-  userdebug_or_eng(`
-    # Refined manipulation of /mnt/scratch, without these perms resorts
-    # to deleting scratch partition when partition(s) are flashed.
-    allow fastbootd self:process setfscreate;
-    allow fastbootd cache_file:dir search;
-    allow fastbootd proc_filesystems:file { getattr open read };
-    allow fastbootd self:capability sys_rawio;
-    dontaudit fastbootd kernel:system module_request;
-    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
-    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
-    allow fastbootd {
-      system_file_type
-      unlabeled
-      vendor_file_type
-    }:dir { remove_name rmdir search write };
-    allow fastbootd {
-      overlayfs_file
-      system_file_type
-      unlabeled
-      vendor_file_type
-    }:{ file lnk_file } unlink;
-    allow fastbootd tmpfs:dir rw_dir_perms;
-    # Fetch vendor_boot partition
-    allow fastbootd boot_block_device:blk_file r_file_perms;
-  ')
-
-  # Allow using libfiemap/gsid directly (no binder in recovery).
-  allow fastbootd gsi_metadata_file_type:dir search;
-  allow fastbootd ota_metadata_file:dir rw_dir_perms;
-  allow fastbootd ota_metadata_file:file create_file_perms;
-')
-
-###
-### neverallow rules
-###
-
-# Write permission is required to wipe userdata
-# until recovery supports vold.
-neverallow fastbootd {
-   data_file_type
-}:file { no_x_file_perms };
diff --git a/microdroid/sepolicy/system/public/file.te b/microdroid/sepolicy/system/public/file.te
index 20348b5..67d5068 100644
--- a/microdroid/sepolicy/system/public/file.te
+++ b/microdroid/sepolicy/system/public/file.te
@@ -1,24 +1,92 @@
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type, proc_type;
+type system_linker_exec, file_type, system_file_type;
+
+# file types
+type adbd_socket, file_type, coredomain_socket;
+type apc_service, service_manager_type;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type apex_info_file, file_type;
+type apex_mnt_dir, file_type;
+type cgroup_desc_api_file, file_type, system_file_type;
+type cgroup_desc_file, file_type, system_file_type;
+type cgroup_rc_file, file_type;
+type file_contexts_file, file_type, system_file_type;
+type hwservice_contexts_file, file_type, system_file_type;
+type keystore2_key_contexts_file, file_type, system_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type linkerconfig_file, file_type;
+type logd_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdw_socket, file_type, mlstrustedobject, coredomain_socket;
+type mac_perms_file, file_type, system_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+type property_contexts_file, file_type, system_file_type;
+type property_socket, file_type, mlstrustedobject, coredomain_socket;
+type runtime_event_log_tags_file, file_type;
+type seapp_contexts_file, file_type, system_file_type;
+type sepolicy_file, file_type, system_file_type;
+type service_contexts_file, file_type, system_file_type;
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_bootstrap_lib_file, file_type, system_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
+type system_event_log_tags_file, file_type, system_file_type;
+type system_file, file_type, system_file_type;
+type system_group_file, file_type, system_file_type;
+type system_lib_file, file_type, system_file_type;
+type system_linker_config_file, file_type, system_file_type;
+type system_passwd_file, file_type, system_file_type;
+type system_seccomp_policy_file, file_type, system_file_type;
+type system_security_cacerts_file, file_type, system_file_type;
+type task_profiles_api_file, file_type, system_file_type;
+type task_profiles_file, file_type, system_file_type;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tombstoned_crash_socket, file_type, mlstrustedobject, coredomain_socket;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type unlabeled, file_type;
+type vendor_configs_file, file_type, vendor_file_type;
+type vendor_data_file, file_type, data_file_type;
+type vendor_file, file_type, vendor_file_type;
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
+# file system types
 type binderfs, fs_type;
 type binderfs_logs, fs_type;
 type binderfs_logs_proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type, proc_type;
-type proc_drop_caches, fs_type, proc_type;
-type proc_overcommit_memory, fs_type, proc_type;
-type proc_min_free_order_shift, fs_type, proc_type;
-type proc_kpageflags, fs_type, proc_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, proc_type;
-type sysfs_usermodehelper, fs_type, sysfs_type;
-type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
-type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
-type proc_bluetooth_writable, fs_type, proc_type;
+type binfmt_miscfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type cgroup_v2, fs_type;
+type config_gz, fs_type, proc_type;
+type configfs, fs_type;
+type debugfs, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_kcov, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type devpts, fs_type, mlstrustedobject;
+type devtmpfs;
+type exfat, fs_type, sdcard_type, mlstrustedobject;
+type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type fuse, fs_type, fusefs_type, mlstrustedobject;
+type fusectlfs, fs_type;
+type inotify, fs_type, mlstrustedobject;
+type labeledfs, fs_type;
+type mqueue, fs_type;
+type pipefs, fs_type;
+type proc, fs_type, proc_type;
 type proc_abi, fs_type, proc_type;
 type proc_asound, fs_type, proc_type;
 type proc_bootconfig, fs_type, proc_type;
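Review bot: `type devtmpfs;` is the only entry under the new "file system types" comment declared without the `fs_type` attribute, so it is not covered by the `fs_type` associate rules and neverallows that apply to every other filesystem label here; if it labels a mounted filesystem it should read `type devtmpfs, fs_type;`, and if it is not a filesystem label it belongs in another section with the right attribute. The rewrite also drops the "Security-sensitive proc nodes that should not be writable to most" comment while keeping the nodes it described (`proc_security`, `proc_drop_caches`, `proc_overcommit_memory`, `proc_min_free_order_shift`, `proc_kpageflags` are re-added in later hunks); the comment is the only hint that these need stricter write rules and should be carried over to the re-declared types. Minor: `type apc_service, service_manager_type;` sits under the "file types" comment but is a service type, not a file type.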
@@ -27,6 +95,7 @@
 type proc_cpuinfo, fs_type, proc_type;
 type proc_dirty, fs_type, proc_type;
 type proc_diskstats, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;
 type proc_filesystems, fs_type, proc_type;
 type proc_fs_verity, fs_type, proc_type;
@@ -37,16 +106,19 @@
 type proc_kallsyms, fs_type, proc_type;
 type proc_keys, fs_type, proc_type;
 type proc_kmsg, fs_type, proc_type;
+type proc_kpageflags, fs_type, proc_type;
 type proc_loadavg, fs_type, proc_type;
 type proc_locks, fs_type, proc_type;
 type proc_lowmemorykiller, fs_type, proc_type;
 type proc_max_map_count, fs_type, proc_type;
 type proc_meminfo, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
 type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
 type proc_net, fs_type, proc_type, proc_net_type;
 type proc_net_tcp_udp, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;
@@ -56,545 +128,77 @@
 type proc_pressure_cpu, fs_type, proc_type;
 type proc_pressure_io, fs_type, proc_type;
 type proc_pressure_mem, fs_type, proc_type;
+type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
+type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
 type proc_random, fs_type, proc_type;
 type proc_sched, fs_type, proc_type;
+type proc_security, fs_type, proc_type;
 type proc_slabinfo, fs_type, proc_type;
 type proc_stat, fs_type, proc_type;
 type proc_swaps, fs_type, proc_type;
 type proc_sysrq, fs_type, proc_type;
 type proc_timer, fs_type, proc_type;
 type proc_tty_drivers, fs_type, proc_type;
-type proc_uid_cputime_showstat, fs_type, proc_type;
-type proc_uid_cputime_removeuid, fs_type, proc_type;
-type proc_uid_io_stats, fs_type, proc_type;
-type proc_uid_procstat_set, fs_type, proc_type;
-type proc_uid_time_in_state, fs_type, proc_type;
 type proc_uid_concurrent_active_time, fs_type, proc_type;
 type proc_uid_concurrent_policy_time, fs_type, proc_type;
 type proc_uid_cpupower, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
 type proc_uptime, fs_type, proc_type;
 type proc_version, fs_type, proc_type;
 type proc_vmallocinfo, fs_type, proc_type;
 type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
+type pstorefs, fs_type;
+type rootfs, fs_type;
+type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
+type securityfs, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
-type fusectlfs, fs_type;
-type cgroup, fs_type, mlstrustedobject;
-type cgroup_v2, fs_type;
+type shm, fs_type;
+type sockfs, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
-type sysfs_uio, sysfs_type, fs_type;
-type sysfs_batteryinfo, fs_type, sysfs_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_devfreq_cur, fs_type, sysfs_type;
-type sysfs_devfreq_dir, fs_type, sysfs_type;
 type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
 type sysfs_dm, fs_type, sysfs_type;
 type sysfs_dm_verity, fs_type, sysfs_type;
 type sysfs_dma_heap, fs_type, sysfs_type;
 type sysfs_dmabuf_stats, fs_type, sysfs_type;
 type sysfs_dt_firmware_android, fs_type, sysfs_type;
 type sysfs_extcon, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, fs_type, sysfs_type;
+type sysfs_fs_f2fs, fs_type, sysfs_type;
+type sysfs_fs_incfs_features, fs_type, sysfs_type;
+type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_ion, fs_type, sysfs_type;
 type sysfs_ipv4, fs_type, sysfs_type;
 type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_loop, fs_type, sysfs_type;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
 type sysfs_net, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_power, fs_type, sysfs_type;
 type sysfs_rtc, fs_type, sysfs_type;
 type sysfs_suspend_stats, fs_type, sysfs_type;
 type sysfs_switch, fs_type, sysfs_type;
 type sysfs_transparent_hugepage, fs_type, sysfs_type;
-type sysfs_usb, fs_type, sysfs_type;
+type sysfs_uhid, fs_type, sysfs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+type sysfs_wake_lock, fs_type, sysfs_type;
 type sysfs_wakeup, fs_type, sysfs_type;
 type sysfs_wakeup_reasons, fs_type, sysfs_type;
-type sysfs_fs_ext4_features, sysfs_type, fs_type;
-type sysfs_fs_f2fs, sysfs_type, fs_type;
-type sysfs_fs_incfs_features, sysfs_type, fs_type;
-type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type configfs, fs_type;
-# /sys/devices/cs_etm
-type sysfs_devices_cs_etm, fs_type, sysfs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-# /sys/module/wlan/parameters/fwpath
 type sysfs_wlan_fwpath, fs_type, sysfs_type;
-type sysfs_vibrator, fs_type, sysfs_type;
-type sysfs_uhid, fs_type, sysfs_type;
-type sysfs_thermal, sysfs_type, fs_type;
-
 type sysfs_zram, fs_type, sysfs_type;
 type sysfs_zram_uevent, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
-type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
-type vfat, sdcard_type, fs_type, mlstrustedobject;
-type exfat, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type, debugfs_type;
-type debugfs_kprobes, fs_type, debugfs_type;
-type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
-type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
-type securityfs, fs_type;
-
-type pstorefs, fs_type;
-type functionfs, fs_type, mlstrustedobject;
-type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
-type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
-
-# File types
-type unlabeled, file_type;
-
-# Default type for anything under /system.
-type system_file, system_file_type, file_type;
-# Default type for /system/asan.options
-type system_asan_options_file, system_file_type, file_type;
-# Type for /system/etc/event-log-tags (liblog implementation detail)
-type system_event_log_tags_file, system_file_type, file_type;
-# Default type for anything under /system/lib[64].
-type system_lib_file, system_file_type, file_type;
-# system libraries that are available only to bootstrap processes
-type system_bootstrap_lib_file, system_file_type, file_type;
-# Default type for the group file /system/etc/group.
-type system_group_file, system_file_type, file_type;
-# Default type for linker executable /system/bin/linker[64].
-type system_linker_exec, system_file_type, file_type;
-# Default type for linker config /system/etc/ld.config.*.
-type system_linker_config_file, system_file_type, file_type;
-# Default type for the passwd file /system/etc/passwd.
-type system_passwd_file, system_file_type, file_type;
-# Default type for linker config /system/etc/seccomp_policy/*.
-type system_seccomp_policy_file, system_file_type, file_type;
-# Default type for cacerts in /system/etc/security/cacerts/*.
-type system_security_cacerts_file, system_file_type, file_type;
-# Default type for /system/bin/tcpdump.
-type tcpdump_exec, system_file_type, exec_type, file_type;
-# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
-type system_zoneinfo_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/cgroups.json
-type cgroup_desc_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
-type cgroup_desc_api_file, system_file_type, file_type;
-# Vendor cgroups description file under /vendor/etc/cgroups.json
-type vendor_cgroup_desc_file, vendor_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles.json
-type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
-# Vendor task profiles file under /vendor/etc/task_profiles.json
-type vendor_task_profiles_file, vendor_file_type, file_type;
-# Type for /system/apex/com.android.art
-type art_apex_dir, system_file_type, file_type;
-# /linkerconfig(/.*)?
-type linkerconfig_file, file_type;
-# Control files under /data/incremental
-type incremental_control_file, file_type, data_file_type, core_data_file_type;
-
-# Default type for directories search for
-# HAL implementations
-type vendor_hal_file, vendor_file_type, file_type;
-# Default type for under /vendor or /system/vendor
-type vendor_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/app
-type vendor_app_file, vendor_file_type, file_type;
-# Default type for everything under /vendor/etc/
-type vendor_configs_file, vendor_file_type, file_type;
-# Default type for all *same process* HALs and their lib/bin dependencies.
-# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
-type same_process_hal_file, vendor_file_type, file_type;
-# Default type for vndk-sp libs. /vendor/lib/vndk-sp
-type vndk_sp_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/framework
-type vendor_framework_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/overlay
-type vendor_overlay_file, vendor_file_type, file_type;
-# Type for all vendor public libraries. These libs should only be exposed to
-# apps. ABI stability of these libs is vendor's responsibility.
-type vendor_public_lib_file, vendor_file_type, file_type;
-# Type for all vendor public libraries for system. These libs should only be exposed to
-# system. ABI stability of these libs is vendor's responsibility.
-type vendor_public_framework_file, vendor_file_type, file_type;
-
-# Input configuration
-type vendor_keylayout_file, vendor_file_type, file_type;
-type vendor_keychars_file, vendor_file_type, file_type;
-type vendor_idc_file, vendor_file_type, file_type;
-
-# /metadata partition itself
-type metadata_file, file_type;
-# Vold files within /metadata
-type vold_metadata_file, file_type;
-# GSI files within /metadata
-type gsi_metadata_file, gsi_metadata_file_type, file_type;
-# DSU (GSI) files within /metadata that are globally readable.
-type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
-# system_server shares Weaver slot information in /metadata
-type password_slot_metadata_file, file_type;
-# APEX files within /metadata
-type apex_metadata_file, file_type;
-# libsnapshot files within /metadata
-type ota_metadata_file, file_type;
-# property files within /metadata/bootstat
-type metadata_bootstat_file, file_type;
-# userspace reboot files within /metadata/userspacereboot
-type userspace_reboot_metadata_file, file_type;
-# Staged install files within /metadata/staged-install
-type staged_install_file, file_type;
-# Metadata information within /metadata/watchdog
-type watchdog_metadata_file, file_type;
-
-# Type for /dev/cpu_variant:.*.
-type dev_cpu_variant, file_type;
-# Speedup access for trusted applications to the runtime event tags
-type runtime_event_log_tags_file, file_type;
-# Type for /system/bin/logcat.
-type logcat_exec, system_file_type, exec_type, file_type;
-# Speedup access to cgroup map file
-type cgroup_rc_file, file_type;
-# /cores for coredumps on userdebug / eng builds
-type coredump_file, file_type;
-# Type of /data itself
-type system_data_root_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type, core_data_file_type;
-# Type for /data/system/packages.list.
-# TODO(b/129332765): Narrow down permissions to this.
-# Find out users of system_data_file that should be granted only this.
-type packages_list_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data/vendor{_ce,_de}.
-type vendor_data_file, file_type, data_file_type;
-# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
-# installd-create files in /data/misc/installd such as layout_version
-type install_data_file, file_type, data_file_type, core_data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type, core_data_file_type;
-# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type, core_data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/vendor/tombstones/wifi - vendor wifi dumps
-type tombstone_wifi_data_file, file_type, data_file_type;
-# /data/apex - APEX data files
-type apex_data_file, file_type, data_file_type, core_data_file_type;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, core_data_file_type;
-type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type, core_data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota
-type ota_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota_package
-type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profiles
-type user_profile_root_file, file_type, data_file_type, core_data_file_type;
-type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/prereboot
-type prereboot_data_file, file_type, data_file_type, core_data_file_type;
-# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-# /data/property
-type property_data_file, file_type, data_file_type, core_data_file_type;
-# /data/bootchart
-type bootchart_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/dropbox
-type dropbox_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/nativetest
-type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local/tests
-type shell_test_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/preloads
-type preloads_data_file, file_type, data_file_type, core_data_file_type;
-# /data/preloads/media
-type preloads_media_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/dhcp and /data/misc/dhcp-6.8.2
-type dhcp_data_file, file_type, data_file_type, core_data_file_type;
-# /data/server_configurable_flags
-type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
-# /data/app-staging
-type staging_data_file, file_type, data_file_type, core_data_file_type;
-# /vendor/apex
-type vendor_apex_file, vendor_file_type, file_type;
-
-# Mount locations managed by vold
-type mnt_media_rw_file, file_type;
-type mnt_user_file, file_type;
-type mnt_pass_through_file, file_type;
-type mnt_expand_file, file_type;
-type mnt_sdcard_file, file_type;
-type storage_file, file_type;
-
-# Label for storage dirs which are just mount stubs
-type mnt_media_rw_stub_file, file_type;
-type storage_stub_file, file_type;
-
-# Mount location for read-write vendor partitions.
-type mnt_vendor_file, file_type;
-
-# Mount location for read-write product partitions.
-type mnt_product_file, file_type;
-
-# Mount point used for APEX images
-type apex_mnt_dir, file_type;
-
-# /apex/apex-info-list.xml created by apexd
-type apex_info_file, file_type;
-
-# /postinstall: Mount point used by update_engine to run postinstall.
-type postinstall_mnt_dir, file_type;
-# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
-# /postinstall/apex: Mount point used for APEX images within /postinstall.
-type postinstall_apex_mnt_dir, file_type;
-
-# /data_mirror: Contains mirror directory for storing all apps data.
-type mirror_data_file, file_type, core_data_file_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
-type apex_module_data_file, file_type, data_file_type, core_data_file_type;
-type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
-type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
-type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
-type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
-type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
-type appcompat_data_file, file_type, data_file_type, core_data_file_type;
-type audio_data_file, file_type, data_file_type, core_data_file_type;
-type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
-type bootstat_data_file, file_type, data_file_type, core_data_file_type;
-type boottrace_data_file, file_type, data_file_type, core_data_file_type;
-type camera_data_file, file_type, data_file_type, core_data_file_type;
-type credstore_data_file, file_type, data_file_type, core_data_file_type;
-type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
-type incident_data_file, file_type, data_file_type, core_data_file_type;
-type keychain_data_file, file_type, data_file_type, core_data_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
-type media_data_file, file_type, data_file_type, core_data_file_type;
-type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type, core_data_file_type;
-type net_data_file, file_type, data_file_type, core_data_file_type;
-type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
-type stats_data_file, file_type, data_file_type, core_data_file_type;
-type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
-type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
-type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type vpn_data_file, file_type, data_file_type, core_data_file_type;
-type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
-type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
-type tee_data_file, file_type, data_file_type;
-type update_engine_data_file, file_type, data_file_type, core_data_file_type;
-type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type gsi_data_file, file_type, data_file_type, core_data_file_type;
-type radio_core_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-# /data/data subdirectories - priv-app sandboxes
-type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-# Compatibility with type name used in Android 4.3 and 4.4.
-# Default type for anything under /cache
-type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for /cache/overlay /mnt/scratch/overlay
-type overlayfs_file, file_type, data_file_type, core_data_file_type;
-# Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
-# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for user icon file.
-type icon_file, file_type, data_file_type, core_data_file_type;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type, core_data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type, core_data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
-# Type for _new_ fingerprint template file
-type fingerprint_vendor_data_file, file_type, data_file_type;
-# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for face template file
-type face_vendor_data_file, file_type, data_file_type;
-# Type for iris template file
-type iris_vendor_data_file, file_type, data_file_type;
-
-# Socket types
-type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
-type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
-type dumpstate_socket, file_type, coredomain_socket;
-type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
-type lmkd_socket, file_type, coredomain_socket;
-type logd_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type mdns_socket, file_type, coredomain_socket;
-type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
-type mtpd_socket, file_type, coredomain_socket;
-type property_socket, file_type, coredomain_socket, mlstrustedobject;
-type racoon_socket, file_type, coredomain_socket;
-type recovery_socket, file_type, coredomain_socket;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type snapuserd_socket, file_type, coredomain_socket;
-type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
-type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
-type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_java_trace_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type, coredomain_socket;
-type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
-type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
-type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
-type uncrypt_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type, core_data_file_type;
-type zygote_socket, file_type, coredomain_socket;
-type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# PDX endpoint types
-type pdx_display_dir, pdx_endpoint_dir_type, file_type;
-type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
-type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
-
-pdx_service_socket_types(display_client, pdx_display_dir)
-pdx_service_socket_types(display_manager, pdx_display_dir)
-pdx_service_socket_types(display_screenshot, pdx_display_dir)
-pdx_service_socket_types(display_vsync, pdx_display_dir)
-pdx_service_socket_types(performance_client, pdx_performance_dir)
-pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
-
-# file_contexts files
-type file_contexts_file, system_file_type, file_type;
-
-# mac_permissions file
-type mac_perms_file, system_file_type, file_type;
-
-# property_contexts file
-type property_contexts_file, system_file_type, file_type;
-
-# seapp_contexts file
-type seapp_contexts_file, system_file_type, file_type;
-
-# sepolicy files binary and others
-type sepolicy_file, system_file_type, file_type;
-
-# service_contexts file
-type service_contexts_file, system_file_type, file_type;
-
-# keystore2_key_contexts_file
-type keystore2_key_contexts_file, system_file_type, file_type;
-
-# vendor service_contexts file
-type vendor_service_contexts_file, vendor_file_type, file_type;
-
-# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, vendor_file_type, file_type;
-
-# hwservice_contexts file
-type hwservice_contexts_file, system_file_type, file_type;
-
-# vndservice_contexts file
-type vndservice_contexts_file, file_type;
-
-# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
-
-# kernel modules
-type vendor_kernel_modules, vendor_file_type, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-allow proc_net proc:filesystem associate;
-
-# asanwrapper (run a sanitized app_process, to be used with wrap properties)
-with_asan(`type asanwrapper_exec, exec_type, file_type;')
-
-# Deprecated in SDK version 28
-type audiohal_data_file, file_type, data_file_type, core_data_file_type;
-
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-#   type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-#   type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
+type usermodehelper, fs_type, proc_type;
+type vfat, fs_type, sdcard_type, mlstrustedobject;
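Review bot: The new side of this hunk keeps the type declarations but no longer contains the `allow fs_type self:filesystem associate;`, `allow file_type labeledfs:filesystem associate;`, `allow file_type tmpfs:filesystem associate;`, `allow file_type rootfs:filesystem associate;` and `allow sysfs_type sysfs:filesystem associate;` rules, nor the `neverallow fs_type file_type:filesystem associate;` sanity check, and nothing in the hunk replaces them. Unless they were moved into another file not shown here (the commit message's "organize types and allow rules" hints at that but the diff does not make it visible), file creation on labeled filesystems, tmpfs and rootfs will fail with associate denials, and the guard against accidentally giving one type both `fs_type` and `file_type` is lost. I would either keep the associate allow rules and the neverallow at the end of this file, or add a one-line comment naming the file they now live in so a reader of file.te can find them.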
diff --git a/microdroid/sepolicy/system/public/fingerprintd.te b/microdroid/sepolicy/system/public/fingerprintd.te
deleted file mode 100644
index 8cf2411..0000000
--- a/microdroid/sepolicy/system/public/fingerprintd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type fingerprintd, domain;
-type fingerprintd_exec, system_file_type, exec_type, file_type;
-
-binder_use(fingerprintd)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow fingerprintd system_file:dir r_dir_perms;
-
-# need to find KeyStore and add self
-add_service(fingerprintd, fingerprintd_service)
-
-# allow HAL module to read dir contents
-allow fingerprintd fingerprintd_data_file:file { create_file_perms };
-
-# allow HAL module to read/write/unlink contents of this dir
-allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
-
-# Need to add auth tokens to KeyStore
-use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
-allow fingerprintd keystore:keystore2 { add_auth };
-
-# For permissions checking
-binder_call(fingerprintd, system_server);
-allow fingerprintd permission_service:service_manager find;
-
-allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/flags_health_check.te b/microdroid/sepolicy/system/public/flags_health_check.te
deleted file mode 100644
index 25a7768..0000000
--- a/microdroid/sepolicy/system/public/flags_health_check.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# The flags_health_check command run by init.
-type flags_health_check, domain, coredomain;
-type flags_health_check_exec, system_file_type, exec_type, file_type;
-
-allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
-allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
-
-# server_configurable_flags_data_file is used for storing whether server configurable flags which
-# have been reset during current booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
diff --git a/microdroid/sepolicy/system/public/fsck.te b/microdroid/sepolicy/system/public/fsck.te
deleted file mode 100644
index 7a9fbee..0000000
--- a/microdroid/sepolicy/system/public/fsck.te
+++ /dev/null
@@ -1,68 +0,0 @@
-# Any fsck program run by init
-type fsck, domain;
-type fsck_exec, system_file_type, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow fsck tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
-
-# Run fsck on certain block devices
-allow fsck block_device:dir search;
-allow fsck userdata_block_device:blk_file rw_file_perms;
-allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck dm_device:blk_file rw_file_perms;
-userdebug_or_eng(`
-allow fsck system_block_device:blk_file rw_file_perms;
-')
-
-# For the block devices where we have ioctl access,
-# allow at a minimum the following common fsck ioctls.
-allowxperm fsck dev_type:blk_file ioctl {
-  BLKDISCARDZEROES
-  BLKROGET
-};
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck dev_type:blk_file getattr;
-
-allow fsck {
-  proc_mounts
-  proc_swaps
-}:file r_file_perms;
-allow fsck rootfs:dir r_dir_perms;
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow fsck {
-  boot_block_device
-  frp_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdebug_or_eng(`-system_block_device')
-  vold_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
-neverallow * fsck:process dyntransition;
-neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/public/fsck_untrusted.te b/microdroid/sepolicy/system/public/fsck_untrusted.te
deleted file mode 100644
index 8510c94..0000000
--- a/microdroid/sepolicy/system/public/fsck_untrusted.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck_untrusted vold:fd use;
-allow fsck_untrusted vold:fifo_file { read write getattr };
-
-# Run fsck on vold block devices
-allow fsck_untrusted block_device:dir search;
-allow fsck_untrusted vold_device:blk_file rw_file_perms;
-
-allow fsck_untrusted proc_mounts:file r_file_perms;
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck_untrusted dev_type:blk_file getattr;
-
-###
-### neverallow rules
-###
-
-# Untrusted fsck should never be run on block devices holding sensitive data
-neverallow fsck_untrusted {
-  boot_block_device
-  frp_block_device
-  metadata_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdata_block_device
-  cache_block_device
-  dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow * fsck_untrusted:process dyntransition;
-neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/public/fwk_bufferhub.te b/microdroid/sepolicy/system/public/fwk_bufferhub.te
deleted file mode 100644
index 03486bd..0000000
--- a/microdroid/sepolicy/system/public/fwk_bufferhub.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_bufferhub_client, hal_bufferhub_server)
-binder_call(hal_bufferhub_server, hal_bufferhub_client)
-
-hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
diff --git a/microdroid/sepolicy/system/public/gatekeeperd.te b/microdroid/sepolicy/system/public/gatekeeperd.te
deleted file mode 100644
index d48c5f8..0000000
--- a/microdroid/sepolicy/system/public/gatekeeperd.te
+++ /dev/null
@@ -1,42 +0,0 @@
-type gatekeeperd, domain;
-type gatekeeperd_exec, system_file_type, exec_type, file_type;
-
-# gatekeeperd
-binder_service(gatekeeperd)
-binder_use(gatekeeperd)
-
-### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
-### These rules should eventually be granted only when needed.
-allow gatekeeperd ion_device:chr_file r_file_perms;
-# Load HAL implementation
-allow gatekeeperd system_file:dir r_dir_perms;
-###
-
-### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
-### These rules should eventually be granted only when needed.
-hal_client_domain(gatekeeperd, hal_gatekeeper)
-###
-
-# need to find KeyStore and add self
-add_service(gatekeeperd, gatekeeper_service)
-
-# Need to add auth tokens to KeyStore
-use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
-allow gatekeeperd keystore:keystore2 { add_auth };
-allow gatekeeperd authorization_service:service_manager find;
-
-
-# For permissions checking
-allow gatekeeperd system_server:binder call;
-allow gatekeeperd permission_service:service_manager find;
-
-# for SID file access
-allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
-allow gatekeeperd gatekeeper_data_file:file create_file_perms;
-
-# For hardware properties retrieval
-allow gatekeeperd hardware_properties_service:service_manager find;
-
-r_dir_file(gatekeeperd, cgroup)
-r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/gmscore_app.te b/microdroid/sepolicy/system/public/gmscore_app.te
deleted file mode 100644
index b574bf3..0000000
--- a/microdroid/sepolicy/system/public/gmscore_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### A domain for further sandboxing the PrebuiltGMSCore app.
-###
-
-type gmscore_app, domain;
diff --git a/microdroid/sepolicy/system/public/gpuservice.te b/microdroid/sepolicy/system/public/gpuservice.te
deleted file mode 100644
index c862d0b..0000000
--- a/microdroid/sepolicy/system/public/gpuservice.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# gpuservice - server for gpu stats and other gpu related services
-type gpuservice, domain;
diff --git a/microdroid/sepolicy/system/public/hal_allocator.te b/microdroid/sepolicy/system/public/hal_allocator.te
deleted file mode 100644
index 6417b62..0000000
--- a/microdroid/sepolicy/system/public/hal_allocator.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_allocator_client, hal_allocator_server)
-
-hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
-allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
-allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
diff --git a/microdroid/sepolicy/system/public/hal_atrace.te b/microdroid/sepolicy/system/public/hal_atrace.te
deleted file mode 100644
index 51d9237..0000000
--- a/microdroid/sepolicy/system/public/hal_atrace.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_atrace_client, hal_atrace_server)
-
-hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_audio.te b/microdroid/sepolicy/system/public/hal_audio.te
deleted file mode 100644
index d1970b9..0000000
--- a/microdroid/sepolicy/system/public/hal_audio.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_audio_client, hal_audio_server)
-binder_call(hal_audio_server, hal_audio_client)
-
-hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
-hal_attribute_service(hal_audio, hal_audio_service)
-
-allow hal_audio ion_device:chr_file r_file_perms;
-
-r_dir_file(hal_audio, proc)
-r_dir_file(hal_audio, proc_asound)
-allow hal_audio_server audio_device:dir r_dir_perms;
-allow hal_audio_server audio_device:chr_file rw_file_perms;
-
-# Needed to provide debug dump output via dumpsys' pipes.
-allow hal_audio shell:fd use;
-allow hal_audio shell:fifo_file write;
-allow hal_audio dumpstate:fd use;
-allow hal_audio dumpstate:fifo_file write;
-
-# Needed to allow sound trigger hal to access shared memory from apps.
-allow hal_audio_server appdomain:fd use;
-
-# allow hal audio to use vnbinder
-vndbinder_use(hal_audio)
-
-###
-### neverallow rules
-###
-
-# Should never execute any executable without a domain transition
-neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
-
-# Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
-
-get_prop(hal_audio, audio_config_prop)
-get_prop(hal_audio, bluetooth_a2dp_offload_prop)
-get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/microdroid/sepolicy/system/public/hal_audiocontrol.te b/microdroid/sepolicy/system/public/hal_audiocontrol.te
deleted file mode 100644
index 6f45b0e..0000000
--- a/microdroid/sepolicy/system/public/hal_audiocontrol.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
-binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
-
-hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
-hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
-
-binder_call(hal_audiocontrol_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_authsecret.te b/microdroid/sepolicy/system/public/hal_authsecret.te
deleted file mode 100644
index bbcdb9a..0000000
--- a/microdroid/sepolicy/system/public/hal_authsecret.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_authsecret_client, hal_authsecret_server)
-
-hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
-hal_attribute_service(hal_authsecret, hal_authsecret_service)
-
-binder_call(hal_authsecret_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_bluetooth.te b/microdroid/sepolicy/system/public/hal_bluetooth.te
deleted file mode 100644
index 97177ba..0000000
--- a/microdroid/sepolicy/system/public/hal_bluetooth.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_bluetooth_client, hal_bluetooth_server)
-binder_call(hal_bluetooth_server, hal_bluetooth_client)
-
-hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
-
-wakelock_use(hal_bluetooth);
-
-# The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:global_capability_class_set net_admin;
-
-# bluetooth factory file accesses.
-r_dir_file(hal_bluetooth, bluetooth_efs_file)
-
-allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(hal_bluetooth, sysfs_type)
-allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:global_capability2_class_set wake_alarm;
-
-# Allow write access to bluetooth-specific properties
-set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
-set_prop(hal_bluetooth, bluetooth_audio_hal_prop)
-set_prop(hal_bluetooth, bluetooth_prop)
-set_prop(hal_bluetooth, exported_bluetooth_prop)
-
-# /proc access (bluesleep etc.).
-allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_bootctl.te b/microdroid/sepolicy/system/public/hal_bootctl.te
deleted file mode 100644
index a1f3d7f..0000000
--- a/microdroid/sepolicy/system/public/hal_bootctl.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_bootctl_client, hal_bootctl_server)
-binder_call(hal_bootctl_server, hal_bootctl_client)
-
-hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_broadcastradio.te b/microdroid/sepolicy/system/public/hal_broadcastradio.te
deleted file mode 100644
index 84a2597..0000000
--- a/microdroid/sepolicy/system/public/hal_broadcastradio.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
-binder_call(hal_broadcastradio_server, hal_broadcastradio_client)
-
-hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_camera.te b/microdroid/sepolicy/system/public/hal_camera.te
deleted file mode 100644
index 45fad56..0000000
--- a/microdroid/sepolicy/system/public/hal_camera.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from clients to server and callbacks
-binder_call(hal_camera_client, hal_camera_server)
-binder_call(hal_camera_server, hal_camera_client)
-
-hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
-
-allow hal_camera device:dir r_dir_perms;
-allow hal_camera video_device:dir r_dir_perms;
-allow hal_camera video_device:chr_file rw_file_perms;
-allow hal_camera camera_device:chr_file rw_file_perms;
-allow hal_camera ion_device:chr_file rw_file_perms;
-allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
-
-# Both the client and the server need to use the graphics allocator
-allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
-
-# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
-allow hal_camera { appdomain -isolated_app }:fd use;
-allow hal_camera surfaceflinger:fd use;
-allow hal_camera hal_allocator_server:fd use;
-
-# Needed to provide debug dump output via dumpsys' pipes.
-allow hal_camera shell:fd use;
-allow hal_camera shell:fifo_file write;
-
-###
-### neverallow rules
-###
-
-# hal_camera should never execute any executable without a
-# domain transition
-neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
-
-# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Only camera HAL may directly access the camera hardware
-neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/microdroid/sepolicy/system/public/hal_can.te b/microdroid/sepolicy/system/public/hal_can.te
deleted file mode 100644
index 959d1d9..0000000
--- a/microdroid/sepolicy/system/public/hal_can.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# CAN controller
-binder_call(hal_can_controller_client, hal_can_controller_server)
-binder_call(hal_can_controller_server, hal_can_controller_client)
-hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
-
-# CAN bus
-binder_call(hal_can_bus_client, hal_can_bus_server)
-binder_call(hal_can_bus_server, hal_can_bus_client)
-hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_cas.te b/microdroid/sepolicy/system/public/hal_cas.te
deleted file mode 100644
index e699a6b..0000000
--- a/microdroid/sepolicy/system/public/hal_cas.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_cas_client, hal_cas_server)
-binder_call(hal_cas_server, hal_cas_client)
-
-hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
-allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_cas_server, serialno_prop)
-
-# Read files already opened under /data
-allow hal_cas system_data_file:file { getattr read };
-
-# Read access to pseudo filesystems
-r_dir_file(hal_cas, cgroup)
-allow hal_cas cgroup:dir { search write };
-allow hal_cas cgroup:file w_file_perms;
-
-r_dir_file(hal_cas, cgroup_v2)
-allow hal_cas cgroup_v2:dir { search write };
-allow hal_cas cgroup_v2:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_cas ion_device:chr_file rw_file_perms;
-allow hal_cas hal_graphics_allocator:fd use;
-
-allow hal_cas tee_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# hal_cas should never execute any executable without a
-# domain transition
-neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/hal_codec2.te b/microdroid/sepolicy/system/public/hal_codec2.te
deleted file mode 100644
index a379bb3..0000000
--- a/microdroid/sepolicy/system/public/hal_codec2.te
+++ /dev/null
@@ -1,27 +0,0 @@
-get_prop(hal_codec2_client, media_variant_prop)
-get_prop(hal_codec2_server, media_variant_prop)
-get_prop(hal_codec2_client, codec2_config_prop)
-get_prop(hal_codec2_server, codec2_config_prop)
-
-binder_call(hal_codec2_client, hal_codec2_server)
-binder_call(hal_codec2_server, hal_codec2_client)
-
-hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
-
-# The following permissions are added to hal_codec2_server because vendor and
-# vndk libraries provided for Codec2 implementation need them.
-
-# Allow server access to composer sync fences
-allow hal_codec2_server hal_graphics_composer:fd use;
-
-# Allow both server and client access to ion
-allow hal_codec2_server ion_device:chr_file r_file_perms;
-
-# Allow server access to camera HAL's fences
-allow hal_codec2_server hal_camera:fd use;
-
-# Receive gralloc buffer FDs from bufferhubd.
-allow hal_codec2_server bufferhubd:fd use;
-
-allow hal_codec2_client ion_device:chr_file r_file_perms;
-
diff --git a/microdroid/sepolicy/system/public/hal_configstore.te b/microdroid/sepolicy/system/public/hal_configstore.te
deleted file mode 100644
index 069da47..0000000
--- a/microdroid/sepolicy/system/public/hal_configstore.te
+++ /dev/null
@@ -1,69 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_configstore_client, hal_configstore_server)
-
-hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
-
-# hal_configstore runs with a strict seccomp filter. Use crash_dump's
-# fallback path to collect crash data.
-crash_dump_fallback(hal_configstore_server)
-
-###
-### neverallow rules
-###
-
-# Should never execute an executable without a domain transition
-neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
-
-# Should never need network access. Disallow sockets except for
-# for unix stream/dgram sockets used for logging/debugging.
-neverallow hal_configstore_server domain:{
-  rawip_socket tcp_socket udp_socket
-  netlink_route_socket netlink_selinux_socket
-  socket netlink_socket packet_socket key_socket appletalk_socket
-  netlink_tcpdiag_socket netlink_nflog_socket
-  netlink_xfrm_socket netlink_audit_socket
-  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
-  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
-  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
-  netlink_rdma_socket netlink_crypto_socket
-} *;
-neverallow hal_configstore_server {
-  domain
-  -hal_configstore_server
-  -logd
-  userdebug_or_eng(`-su')
-  -tombstoned
-  userdebug_or_eng(`-heapprofd')
-  userdebug_or_eng(`-traced_perf')
-}:{ unix_dgram_socket unix_stream_socket } *;
-
-# Should never need access to anything on /data
-neverallow hal_configstore_server {
-  data_file_type
-  -anr_data_file # for crash dump collection
-  -tombstone_data_file # for crash dump collection
-  -zoneinfo_data_file # granted to domain
-  with_native_coverage(`-method_trace_data_file')
-}:{ file fifo_file sock_file } *;
-
-# Should never need sdcard access
-neverallow hal_configstore_server {
-    sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
-}:dir ~getattr;
-neverallow hal_configstore_server {
-    sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
-}:file *;
-
-# Do not permit access to service_manager and vndservice_manager
-neverallow hal_configstore_server *:service_manager *;
-
-# No privileged capabilities
-neverallow hal_configstore_server self:capability_class_set *;
-
-# No ptracing other processes
-neverallow hal_configstore_server *:process ptrace;
-
-# no relabeling
-neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
diff --git a/microdroid/sepolicy/system/public/hal_confirmationui.te b/microdroid/sepolicy/system/public/hal_confirmationui.te
deleted file mode 100644
index 5d2e4b7..0000000
--- a/microdroid/sepolicy/system/public/hal_confirmationui.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_confirmationui_client, hal_confirmationui_server)
-
-hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_contexthub.te b/microdroid/sepolicy/system/public/hal_contexthub.te
deleted file mode 100644
index 34acb38..0000000
--- a/microdroid/sepolicy/system/public/hal_contexthub.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_contexthub_client, hal_contexthub_server)
-binder_call(hal_contexthub_server, hal_contexthub_client)
-
-hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_drm.te b/microdroid/sepolicy/system/public/hal_drm.te
deleted file mode 100644
index bb1bd91..0000000
--- a/microdroid/sepolicy/system/public/hal_drm.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_drm_client, hal_drm_server)
-binder_call(hal_drm_server, hal_drm_client)
-
-hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
-
-allow hal_drm hidl_memory_hwservice:hwservice_manager find;
-
-# Required by Widevine DRM (b/22990512)
-allow hal_drm self:process execmem;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_drm, serialno_prop)
-
-# Read files already opened under /data
-allow hal_drm system_data_file:file { getattr read };
-
-# Read access to pseudo filesystems
-r_dir_file(hal_drm, cgroup)
-allow hal_drm cgroup:dir { search write };
-allow hal_drm cgroup:file w_file_perms;
-
-r_dir_file(hal_drm, cgroup_v2)
-allow hal_drm cgroup_v2:dir { search write };
-allow hal_drm cgroup_v2:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_drm ion_device:chr_file rw_file_perms;
-allow hal_drm hal_graphics_allocator:fd use;
-
-# Allow access to hidl_memory allocation service
-allow hal_drm hal_allocator_server:fd use;
-
-# Allow access to fds allocated by mediaserver
-allow hal_drm mediaserver:fd use;
-
-allow hal_drm sysfs:file r_file_perms;
-
-allow hal_drm tee_device:chr_file rw_file_perms;
-
-allow hal_drm_server { appdomain -isolated_app }:fd use;
-
-# only allow unprivileged socket ioctl commands
-allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-###
-### neverallow rules
-###
-
-# hal_drm should never execute any executable without a
-# domain transition
-neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/hal_dumpstate.te b/microdroid/sepolicy/system/public/hal_dumpstate.te
deleted file mode 100644
index 9f854e3..0000000
--- a/microdroid/sepolicy/system/public/hal_dumpstate.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_dumpstate_client, hal_dumpstate_server)
-binder_call(hal_dumpstate_server, hal_dumpstate_client)
-
-set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
-
-hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
-
-# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
-allow hal_dumpstate shell_data_file:file write;
-# allow reading /proc/interrupts for all hal impls
-allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_evs.te b/microdroid/sepolicy/system/public/hal_evs.te
deleted file mode 100644
index 789333a..0000000
--- a/microdroid/sepolicy/system/public/hal_evs.te
+++ /dev/null
@@ -1,5 +0,0 @@
-hwbinder_use(hal_evs_client)
-hwbinder_use(hal_evs_server)
-binder_call(hal_evs_client, hal_evs_server)
-binder_call(hal_evs_server, hal_evs_client)
-hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_face.te b/microdroid/sepolicy/system/public/hal_face.te
deleted file mode 100644
index 0134576..0000000
--- a/microdroid/sepolicy/system/public/hal_face.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# Allow HwBinder IPC from client to server, and vice versa for callbacks.
-binder_call(hal_face_client, hal_face_server)
-binder_call(hal_face_server, hal_face_client)
-
-hal_attribute_hwservice(hal_face, hal_face_hwservice)
-hal_attribute_service(hal_face, hal_face_service)
-
-binder_call(hal_face_server, servicemanager)
-
-# Allow access to the ion memory allocation device.
-allow hal_face ion_device:chr_file r_file_perms;
-
-# Allow read/write access to the face template directory.
-allow hal_face face_vendor_data_file:file create_file_perms;
-allow hal_face face_vendor_data_file:dir rw_dir_perms;
diff --git a/microdroid/sepolicy/system/public/hal_fingerprint.te b/microdroid/sepolicy/system/public/hal_fingerprint.te
deleted file mode 100644
index 444cfda..0000000
--- a/microdroid/sepolicy/system/public/hal_fingerprint.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_fingerprint_client, hal_fingerprint_server)
-binder_call(hal_fingerprint_server, hal_fingerprint_client)
-
-hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
-hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
-
-binder_call(hal_fingerprint_server, servicemanager)
-
-# For memory allocation
-allow hal_fingerprint ion_device:chr_file r_file_perms;
-
-allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
-allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
-
-r_dir_file(hal_fingerprint, cgroup)
-r_dir_file(hal_fingerprint, cgroup_v2)
-r_dir_file(hal_fingerprint, sysfs)
-
-
diff --git a/microdroid/sepolicy/system/public/hal_gatekeeper.te b/microdroid/sepolicy/system/public/hal_gatekeeper.te
deleted file mode 100644
index b918f88..0000000
--- a/microdroid/sepolicy/system/public/hal_gatekeeper.te
+++ /dev/null
@@ -1,7 +0,0 @@
-binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
-
-hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice)
-
-# TEE access.
-allow hal_gatekeeper tee_device:chr_file rw_file_perms;
-allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_gnss.te b/microdroid/sepolicy/system/public/hal_gnss.te
deleted file mode 100644
index 832bc8d..0000000
--- a/microdroid/sepolicy/system/public/hal_gnss.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_gnss_client, hal_gnss_server)
-binder_call(hal_gnss_server, hal_gnss_client)
-
-hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
-hal_attribute_service(hal_gnss, hal_gnss_service)
-binder_call(hal_gnss_server, servicemanager)
-binder_call(hal_gnss_client, servicemanager)
-
diff --git a/microdroid/sepolicy/system/public/hal_graphics_allocator.te b/microdroid/sepolicy/system/public/hal_graphics_allocator.te
deleted file mode 100644
index 3ec6b96..0000000
--- a/microdroid/sepolicy/system/public/hal_graphics_allocator.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
-
-hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
-
-# GPU device access
-allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
-allow hal_graphics_allocator ion_device:chr_file r_file_perms;
-allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_graphics_composer.te b/microdroid/sepolicy/system/public/hal_graphics_composer.te
deleted file mode 100644
index 1c69c99..0000000
--- a/microdroid/sepolicy/system/public/hal_graphics_composer.te
+++ /dev/null
@@ -1,32 +0,0 @@
-type hal_graphics_composer_server_tmpfs, file_type;
-attribute hal_graphics_composer_client_tmpfs;
-expandattribute hal_graphics_composer_client_tmpfs true;
-
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
-binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
-allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
-allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
-
-hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
-
-# Coordinate with hal_graphics_mapper
-allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
-allow hal_graphics_composer ion_device:chr_file r_file_perms;
-allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_graphics_composer hal_graphics_allocator:fd use;
-
-# Access /dev/graphics/fb0.
-allow hal_graphics_composer graphics_device:dir search;
-allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
-
-# Fences
-allow hal_graphics_composer system_server:fd use;
-allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer appdomain:fd use;
-
-# allow self to set SCHED_FIFO
-allow hal_graphics_composer self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_health.te b/microdroid/sepolicy/system/public/hal_health.te
deleted file mode 100644
index dc7d083..0000000
--- a/microdroid/sepolicy/system/public/hal_health.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_client, hal_health_server)
-binder_call(hal_health_server, hal_health_client)
-
-hal_attribute_hwservice(hal_health, hal_health_hwservice)
-
-# Common rules for a health service.
-
-# Allow to listen to uevents for updates
-allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Allow to read /sys/class/power_supply directory
-allow hal_health_server sysfs:dir r_dir_perms;
-
-# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
-# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
-# HAL service.
-r_dir_file(hal_health_server, sysfs_batteryinfo)
-
-# Allow to wake up to send periodic events
-wakelock_use(hal_health_server)
-
-# Write to /dev/kmsg
-allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
-
-# Allow to use timerfd to wake itself up periodically to send health info.
-allow hal_health_server self:capability2 wake_alarm;
diff --git a/microdroid/sepolicy/system/public/hal_health_storage.te b/microdroid/sepolicy/system/public/hal_health_storage.te
deleted file mode 100644
index 4938a16..0000000
--- a/microdroid/sepolicy/system/public/hal_health_storage.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_storage_client, hal_health_storage_server)
-binder_call(hal_health_storage_server, hal_health_storage_client)
-
-binder_use(hal_health_storage_server)
-
-hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
-hal_attribute_service(hal_health_storage, hal_health_storage_service)
-
-# Allow ReadDefaultFstab().
-read_fstab(hal_health_storage_server)
diff --git a/microdroid/sepolicy/system/public/hal_identity.te b/microdroid/sepolicy/system/public/hal_identity.te
deleted file mode 100644
index 8d558ad..0000000
--- a/microdroid/sepolicy/system/public/hal_identity.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_identity_client, hal_identity_server)
-
-hal_attribute_service(hal_identity, hal_identity_service)
-
-binder_call(hal_identity_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_input_classifier.te b/microdroid/sepolicy/system/public/hal_input_classifier.te
deleted file mode 100644
index 70a4b7d..0000000
--- a/microdroid/sepolicy/system/public/hal_input_classifier.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_input_classifier_client, hal_input_classifier_server)
-
-hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_ir.te b/microdroid/sepolicy/system/public/hal_ir.te
deleted file mode 100644
index 29555f7..0000000
--- a/microdroid/sepolicy/system/public/hal_ir.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_ir_client, hal_ir_server)
-binder_call(hal_ir_server, hal_ir_client)
-
-hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_keymaster.te b/microdroid/sepolicy/system/public/hal_keymaster.te
deleted file mode 100644
index 3e164ad..0000000
--- a/microdroid/sepolicy/system/public/hal_keymaster.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_keymaster_client, hal_keymaster_server)
-
-hal_attribute_hwservice(hal_keymaster, hal_keymaster_hwservice)
-
-allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_light.te b/microdroid/sepolicy/system/public/hal_light.te
deleted file mode 100644
index 40829b6..0000000
--- a/microdroid/sepolicy/system/public/hal_light.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_light_client, hal_light_server)
-binder_call(hal_light_server, hal_light_client)
-
-hal_attribute_hwservice(hal_light, hal_light_hwservice)
-hal_attribute_service(hal_light, hal_light_service)
-
-binder_call(hal_light_server, servicemanager)
-binder_use(hal_light_client)
-
-allow hal_light_server dumpstate:fifo_file write;
-
-allow hal_light sysfs_leds:lnk_file read;
-allow hal_light sysfs_leds:file rw_file_perms;
-allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/microdroid/sepolicy/system/public/hal_lowpan.te b/microdroid/sepolicy/system/public/hal_lowpan.te
deleted file mode 100644
index 6fb95e9..0000000
--- a/microdroid/sepolicy/system/public/hal_lowpan.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_lowpan_client, hal_lowpan_server)
-binder_call(hal_lowpan_server, hal_lowpan_client)
-
-
-# Allow hal_lowpan_client to be able to find the hal_lowpan_server
-hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice)
-
-# hal_lowpan domain can write/read to/from lowpan_prop
-set_prop(hal_lowpan_server, lowpan_prop)
-
-# Allow hal_lowpan_server to open lowpan_devices
-allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# Only LoWPAN HAL may directly access LoWPAN hardware
-neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
diff --git a/microdroid/sepolicy/system/public/hal_memtrack.te b/microdroid/sepolicy/system/public/hal_memtrack.te
deleted file mode 100644
index 30a4480..0000000
--- a/microdroid/sepolicy/system/public/hal_memtrack.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_memtrack_client, hal_memtrack_server)
-
-hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
-
-hal_attribute_service(hal_memtrack, hal_memtrack_service)
-binder_call(hal_memtrack_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_neuralnetworks.te b/microdroid/sepolicy/system/public/hal_neuralnetworks.te
deleted file mode 100644
index 7497dec..0000000
--- a/microdroid/sepolicy/system/public/hal_neuralnetworks.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
-binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
-
-hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
-allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
-allow hal_neuralnetworks hal_allocator:fd use;
-allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_neuralnetworks hal_graphics_allocator:fd use;
-
-# Allow NN HAL service to use a client-provided fd residing in /data/data/.
-allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
-allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
-
-# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
-allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
-
-# Allow NN HAL service to read a client-provided ION memory fd.
-allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
-
-# Allow NN HAL service to use a client-provided fd residing in /storage
-allow hal_neuralnetworks_server storage_file:file { getattr map read };
-
-# Allow NN HAL service to read a client-provided fd residing in /data/app/.
-allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
-
-# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
-# property to determine whether to deny NNAPI extensions use for apps
-# on product partition (apps in GSI are not allowed to use NNAPI extensions).
-get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
-# This property is only expected to be found in /product/build.prop,
-# allow to be set only by init.
-neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
-
-# Define sepolicy for NN AIDL HAL service
-hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
-binder_call(hal_neuralnetworks_server, servicemanager)
-
-binder_use(hal_neuralnetworks_server)
-
-allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/microdroid/sepolicy/system/public/hal_neverallows.te b/microdroid/sepolicy/system/public/hal_neverallows.te
deleted file mode 100644
index 4117878..0000000
--- a/microdroid/sepolicy/system/public/hal_neverallows.te
+++ /dev/null
@@ -1,61 +0,0 @@
-# only HALs responsible for network hardware should have privileged
-# network capabilities
-neverallow {
-  halserverdomain
-  -hal_bluetooth_server
-  -hal_can_controller_server
-  -hal_wifi_server
-  -hal_wifi_hostapd_server
-  -hal_wifi_supplicant_server
-  -hal_telephony_server
-} self:global_capability_class_set { net_admin net_raw };
-
-# Unless a HAL's job is to communicate over the network, or control network
-# hardware, it should not be using network sockets.
-# NOTE: HALs for automotive devices have an exemption from this rule because in
-# a car it is common to have external modules and HALs need to communicate to
-# those modules using network.  Using this exemption for non-automotive builds
-# will result in CTS failure.
-neverallow {
-  halserverdomain
-  -hal_automotive_socket_exemption
-  -hal_can_controller_server
-  -hal_tetheroffload_server
-  -hal_wifi_server
-  -hal_wifi_hostapd_server
-  -hal_wifi_supplicant_server
-  -hal_telephony_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
-
-###
-# HALs are defined as an attribute and so a given domain could hypothetically
-# have multiple HALs in it (or even all of them) with the subsequent policy of
-# the domain comprised of the union of all the HALs.
-#
-# This is a problem because
-# 1) Security sensitive components should only be accessed by specific HALs.
-# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
-#    the platform.
-# 3) The platform cannot reason about defense in depth if there are
-#    monolithic domains etc.
-#
-# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
-# its OK for them to share a process its not OK with them to share processes
-# with other hals.
-#
-# The following neverallow rules, in conjuntion with CTS tests, assert that
-# these security principles are adhered to.
-#
-# Do not allow a hal to exec another process without a domain transition.
-# TODO remove exemptions.
-neverallow {
-  halserverdomain
-  -hal_dumpstate_server
-  -hal_telephony_server
-} { file_type fs_type }:file execute_no_trans;
-# Do not allow a process other than init to transition into a HAL domain.
-neverallow { domain -init } halserverdomain:process transition;
-# Only allow transitioning to a domain by running its executable. Do not
-# allow transitioning into a HAL domain by use of seclabel in an
-# init.*.rc script.
-neverallow * halserverdomain:process dyntransition;
diff --git a/microdroid/sepolicy/system/public/hal_nfc.te b/microdroid/sepolicy/system/public/hal_nfc.te
deleted file mode 100644
index 7cef4a1..0000000
--- a/microdroid/sepolicy/system/public/hal_nfc.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_nfc_client, hal_nfc_server)
-binder_call(hal_nfc_server, hal_nfc_client)
-
-hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
-
-# Set NFC properties (used by bcm2079x HAL).
-set_prop(hal_nfc, nfc_prop)
-
-# NFC device access.
-allow hal_nfc nfc_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_oemlock.te b/microdroid/sepolicy/system/public/hal_oemlock.te
deleted file mode 100644
index 9f38fa5..0000000
--- a/microdroid/sepolicy/system/public/hal_oemlock.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_oemlock_client, hal_oemlock_server)
-
-hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
-hal_attribute_service(hal_oemlock, hal_oemlock_service)
-
-binder_call(hal_oemlock_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_omx.te b/microdroid/sepolicy/system/public/hal_omx.te
deleted file mode 100644
index 8e74383..0000000
--- a/microdroid/sepolicy/system/public/hal_omx.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# applies all permissions to hal_omx NOT hal_omx_server
-# since OMX must always be in its own process.
-
-binder_call(hal_omx_server, binderservicedomain)
-binder_call(hal_omx_server, { appdomain -isolated_app })
-
-# Allow hal_omx_server access to composer sync fences
-allow hal_omx_server hal_graphics_composer:fd use;
-
-allow hal_omx_server ion_device:chr_file rw_file_perms;
-allow hal_omx_server hal_camera:fd use;
-
-crash_dump_fallback(hal_omx_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow hal_omx_server bufferhubd:fd use;
-
-hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-
-allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
-
-get_prop(hal_omx_client, media_variant_prop)
-get_prop(hal_omx_server, media_variant_prop)
-
-binder_call(hal_omx_client, hal_omx_server)
-binder_call(hal_omx_server, hal_omx_client)
-
-###
-### neverallow rules
-###
-
-# hal_omx_server should never execute any executable without a
-# domain transition
-neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/hal_power.te b/microdroid/sepolicy/system/public/hal_power.te
deleted file mode 100644
index aae32a0..0000000
--- a/microdroid/sepolicy/system/public/hal_power.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_power_client, hal_power_server)
-binder_call(hal_power_server, hal_power_client)
-
-hal_attribute_hwservice(hal_power, hal_power_hwservice)
-hal_attribute_service(hal_power, hal_power_service)
-
-binder_call(hal_power_server, servicemanager)
-binder_call(hal_power_client, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_power_stats.te b/microdroid/sepolicy/system/public/hal_power_stats.te
deleted file mode 100644
index 4076eff..0000000
--- a/microdroid/sepolicy/system/public/hal_power_stats.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_power_stats_client, hal_power_stats_server)
-binder_call(hal_power_stats_server, hal_power_stats_client)
-
-hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
-hal_attribute_service(hal_power_stats, hal_power_stats_service)
-
-binder_call(hal_power_stats_server, servicemanager)
-binder_call(hal_power_stats_client, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_rebootescrow.te b/microdroid/sepolicy/system/public/hal_rebootescrow.te
deleted file mode 100644
index d16333b..0000000
--- a/microdroid/sepolicy/system/public/hal_rebootescrow.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
-
-hal_attribute_service(hal_rebootescrow, hal_rebootescrow_service)
-
-binder_use(hal_rebootescrow_server)
diff --git a/microdroid/sepolicy/system/public/hal_secure_element.te b/microdroid/sepolicy/system/public/hal_secure_element.te
deleted file mode 100644
index 3724d35..0000000
--- a/microdroid/sepolicy/system/public/hal_secure_element.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_secure_element_client, hal_secure_element_server)
-binder_call(hal_secure_element_server, hal_secure_element_client)
-
-hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_sensors.te b/microdroid/sepolicy/system/public/hal_sensors.te
deleted file mode 100644
index 06e76f1..0000000
--- a/microdroid/sepolicy/system/public/hal_sensors.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_sensors_client, hal_sensors_server)
-
-hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
-
-# Allow sensor hals to access ashmem memory allocated by apps
-allow hal_sensors { appdomain -isolated_app }:fd use;
-
-# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
-# fd is passed in from framework sensorservice HAL.
-allow hal_sensors hal_allocator:fd use;
-
-# allow to run with real-time scheduling policy
-allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_telephony.te b/microdroid/sepolicy/system/public/hal_telephony.te
deleted file mode 100644
index f0cf075..0000000
--- a/microdroid/sepolicy/system/public/hal_telephony.te
+++ /dev/null
@@ -1,44 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_telephony_client, hal_telephony_server)
-binder_call(hal_telephony_server, hal_telephony_client)
-
-hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
-
-allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
-
-allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allow hal_telephony_server kernel:system module_request;
-allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
-allow hal_telephony_server cgroup:dir create_dir_perms;
-allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
-allow hal_telephony_server cgroup_v2:dir create_dir_perms;
-allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
-allow hal_telephony_server radio_device:chr_file rw_file_perms;
-allow hal_telephony_server radio_device:blk_file r_file_perms;
-allow hal_telephony_server efs_file:dir create_dir_perms;
-allow hal_telephony_server efs_file:file create_file_perms;
-allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
-allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
-allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
-
-# property service
-get_prop(hal_telephony_server, telephony_config_prop)
-set_prop(hal_telephony_server, radio_control_prop)
-set_prop(hal_telephony_server, radio_prop)
-set_prop(hal_telephony_server, telephony_status_prop)
-
-allow hal_telephony_server tty_device:chr_file rw_file_perms;
-
-# Allow hal_telephony_server to create and use netlink sockets.
-allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Access to wake locks
-wakelock_use(hal_telephony_server)
-
-r_dir_file(hal_telephony_server, proc_net_type)
-r_dir_file(hal_telephony_server, sysfs_type)
-
-# granting the ioctl permission for hal_telephony_server should be device specific
-allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
diff --git a/microdroid/sepolicy/system/public/hal_tetheroffload.te b/microdroid/sepolicy/system/public/hal_tetheroffload.te
deleted file mode 100644
index cf51723..0000000
--- a/microdroid/sepolicy/system/public/hal_tetheroffload.te
+++ /dev/null
@@ -1,8 +0,0 @@
-## HwBinder IPC from client to server, and callbacks
-binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
-binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
-
-hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
-
-# allow the client to pass the server already open netlink sockets
-allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/microdroid/sepolicy/system/public/hal_thermal.te b/microdroid/sepolicy/system/public/hal_thermal.te
deleted file mode 100644
index 2115da1..0000000
--- a/microdroid/sepolicy/system/public/hal_thermal.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_thermal_client, hal_thermal_server)
-binder_call(hal_thermal_server, hal_thermal_client)
-
-hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_tv_cec.te b/microdroid/sepolicy/system/public/hal_tv_cec.te
deleted file mode 100644
index 6584904..0000000
--- a/microdroid/sepolicy/system/public/hal_tv_cec.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_cec_client, hal_tv_cec_server)
-binder_call(hal_tv_cec_server, hal_tv_cec_client)
-
-hal_attribute_hwservice(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_tv_input.te b/microdroid/sepolicy/system/public/hal_tv_input.te
deleted file mode 100644
index 5a5bdda..0000000
--- a/microdroid/sepolicy/system/public/hal_tv_input.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_input_client, hal_tv_input_server)
-binder_call(hal_tv_input_server, hal_tv_input_client)
-
-hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_tv_tuner.te b/microdroid/sepolicy/system/public/hal_tv_tuner.te
deleted file mode 100644
index 0da4ec7..0000000
--- a/microdroid/sepolicy/system/public/hal_tv_tuner.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_tv_tuner_client, hal_tv_tuner_server)
-binder_call(hal_tv_tuner_server, hal_tv_tuner_client)
-
-hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_usb.te b/microdroid/sepolicy/system/public/hal_usb.te
deleted file mode 100644
index 38bc49a..0000000
--- a/microdroid/sepolicy/system/public/hal_usb.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_usb_client, hal_usb_server)
-binder_call(hal_usb_server, hal_usb_client)
-
-hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
-
-allow hal_usb self:netlink_kobject_uevent_socket create;
-allow hal_usb self:netlink_kobject_uevent_socket setopt;
-allow hal_usb self:netlink_kobject_uevent_socket getopt;
-allow hal_usb self:netlink_kobject_uevent_socket bind;
-allow hal_usb self:netlink_kobject_uevent_socket read;
-allow hal_usb sysfs:dir open;
-allow hal_usb sysfs:dir read;
-allow hal_usb sysfs:file read;
-allow hal_usb sysfs:file open;
-allow hal_usb sysfs:file write;
-allow hal_usb sysfs:file getattr;
-
diff --git a/microdroid/sepolicy/system/public/hal_usb_gadget.te b/microdroid/sepolicy/system/public/hal_usb_gadget.te
deleted file mode 100644
index a474652..0000000
--- a/microdroid/sepolicy/system/public/hal_usb_gadget.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
-binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
-
-hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
-
-# Configuring usb gadget functions
-allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
-allow hal_usb_gadget_server configfs:dir rw_dir_perms;
-allow hal_usb_gadget_server configfs:file create_file_perms;
-allow hal_usb_gadget_server functionfs:dir { read search };
-allow hal_usb_gadget_server functionfs:file read;
-
diff --git a/microdroid/sepolicy/system/public/hal_vehicle.te b/microdroid/sepolicy/system/public/hal_vehicle.te
deleted file mode 100644
index 6855d14..0000000
--- a/microdroid/sepolicy/system/public/hal_vehicle.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_vehicle_client, hal_vehicle_server)
-binder_call(hal_vehicle_server, hal_vehicle_client)
-
-
-hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_vibrator.te b/microdroid/sepolicy/system/public/hal_vibrator.te
deleted file mode 100644
index c902495..0000000
--- a/microdroid/sepolicy/system/public/hal_vibrator.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# HwBinder IPC client/server
-binder_call(hal_vibrator_client, hal_vibrator_server)
-binder_call(hal_vibrator_server, hal_vibrator_client);
-
-hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
-hal_attribute_service(hal_vibrator, hal_vibrator_service)
-
-binder_call(hal_vibrator_server, servicemanager)
-
-allow hal_vibrator_server dumpstate:fifo_file write;
-
-# vibrator sysfs rw access
-allow hal_vibrator sysfs_vibrator:file rw_file_perms;
-allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/microdroid/sepolicy/system/public/hal_vr.te b/microdroid/sepolicy/system/public/hal_vr.te
deleted file mode 100644
index e52c77f..0000000
--- a/microdroid/sepolicy/system/public/hal_vr.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_vr_client, hal_vr_server)
-binder_call(hal_vr_server, hal_vr_client)
-
-hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_weaver.te b/microdroid/sepolicy/system/public/hal_weaver.te
deleted file mode 100644
index 2b34989..0000000
--- a/microdroid/sepolicy/system/public/hal_weaver.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_weaver_client, hal_weaver_server)
-
-hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
-hal_attribute_service(hal_weaver, hal_weaver_service)
-
-binder_call(hal_weaver_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_wifi.te b/microdroid/sepolicy/system/public/hal_wifi.te
deleted file mode 100644
index 2e4fa78..0000000
--- a/microdroid/sepolicy/system/public/hal_wifi.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_wifi_client, hal_wifi_server)
-binder_call(hal_wifi_server, hal_wifi_client)
-
-hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
-
-r_dir_file(hal_wifi, proc_net_type)
-r_dir_file(hal_wifi, sysfs_type)
-
-set_prop(hal_wifi_server, wifi_hal_prop)
-set_prop(hal_wifi, wifi_prop)
-userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
-
-# allow hal wifi set interfaces up and down and get the factory MAC
-allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
-
-allow hal_wifi self:global_capability_class_set { net_admin net_raw };
-# allow hal_wifi to speak to nl80211 in the kernel
-allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
-# hal_wifi writes firmware paths to this file.
-allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
-# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
-allow hal_wifi proc_modules:file { getattr open read };
-# Allow hal_wifi to send dump info to dumpstate
-allow hal_wifi dumpstate:fifo_file write;
-
-# allow hal_wifi to write into /data/vendor/tombstones/wifi
-allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
-allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_wifi_hostapd.te b/microdroid/sepolicy/system/public/hal_wifi_hostapd.te
deleted file mode 100644
index 12d72b6..0000000
--- a/microdroid/sepolicy/system/public/hal_wifi_hostapd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
-binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
-
-hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
-
-allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
-
-allow hal_wifi_hostapd_server sysfs_net:dir search;
-
-# Allow hal_wifi_hostapd to access /proc/net/psched
-allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
-
-# Various socket permissions.
-allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
-allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
-allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
-
-###
-### neverallow rules
-###
-
-# hal_wifi_hostapd should not trust any data from sdcards
-neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_hostapd_server sdcard_type:file *;
diff --git a/microdroid/sepolicy/system/public/hal_wifi_supplicant.te b/microdroid/sepolicy/system/public/hal_wifi_supplicant.te
deleted file mode 100644
index 7361af1..0000000
--- a/microdroid/sepolicy/system/public/hal_wifi_supplicant.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
-binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
-
-hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
-allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net_type)
-
-allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
-allow hal_wifi_supplicant cgroup:dir create_dir_perms;
-allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
-allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
-allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:packet_socket create_socket_perms;
-allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant_server)
-
-# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
-allow hal_wifi_supplicant wifi_key:keystore2_key {
-    get_info
-    use
-};
-
-###
-### neverallow rules
-###
-
-# wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/microdroid/sepolicy/system/public/healthd.te b/microdroid/sepolicy/system/public/healthd.te
deleted file mode 100644
index 05acb84..0000000
--- a/microdroid/sepolicy/system/public/healthd.te
+++ /dev/null
@@ -1,50 +0,0 @@
-# healthd - battery/charger monitoring service daemon
-type healthd, domain;
-type healthd_exec, system_file_type, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-allow healthd sysfs_type:dir search;
-# Allow to read /sys/class/power_supply directory.
-allow healthd sysfs:dir r_dir_perms;
-r_dir_file(healthd, rootfs)
-r_dir_file(healthd, cgroup)
-r_dir_file(healthd, cgroup_v2)
-
-allow healthd self:global_capability_class_set { sys_tty_config };
-allow healthd self:global_capability_class_set sys_boot;
-dontaudit healthd self:global_capability_class_set sys_resource;
-
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(healthd)
-
-hal_client_domain(healthd, hal_health)
-
-# Read/write to /sys/power/state
-allow healthd sysfs_power:file rw_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
-r_dir_file(healthd, sysfs_batteryinfo)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd proc_sysrq:file rw_file_perms;
diff --git a/microdroid/sepolicy/system/public/heapprofd.te b/microdroid/sepolicy/system/public/heapprofd.te
deleted file mode 100644
index 7ceb23f..0000000
--- a/microdroid/sepolicy/system/public/heapprofd.te
+++ /dev/null
@@ -1 +0,0 @@
-type heapprofd, domain, coredomain;
diff --git a/microdroid/sepolicy/system/public/hwservice.te b/microdroid/sepolicy/system/public/hwservice.te
deleted file mode 100644
index 11b77f0..0000000
--- a/microdroid/sepolicy/system/public/hwservice.te
+++ /dev/null
@@ -1,101 +0,0 @@
-# hwservice types. By default most of the HALs are protected_hwservice, which means
-# access from untrusted apps is prohibited.
-type default_android_hwservice, hwservice_manager_type, protected_hwservice;
-type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
-type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-
-# Following is the hwservices that are explicitly not marked with protected_hwservice.
-# These are directly accessible from untrusted apps.
-# - same process services: because they by definition run in the process
-#   of the client and thus have the same access as the client domain in which
-#   the process runs
-# - coredomain_hwservice: are considered safer than ordinary hwservices which
-#   are from vendor partition
-# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
-#   designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-#   by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-#   Binder service which apps were permitted to access.
-# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
-# - hal_drm_hwservice: versions > API 29 are designed specifically with
-#   untrusted app access in mind.
-type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_cas_hwservice, hwservice_manager_type;
-type hal_codec2_hwservice, hwservice_manager_type;
-type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_neuralnetworks_hwservice, hwservice_manager_type;
-type hal_omx_hwservice, hwservice_manager_type;
-type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-
-###
-### Neverallow rules
-###
-
-# hwservicemanager handles registering or looking up named services.
-# It does not make sense to register or lookup something which is not a
-# hwservice. Trigger a compile error if this occurs.
-neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
diff --git a/microdroid/sepolicy/system/public/hwservicemanager.te b/microdroid/sepolicy/system/public/hwservicemanager.te
index 7ec1872..5421b11 100644
--- a/microdroid/sepolicy/system/public/hwservicemanager.te
+++ b/microdroid/sepolicy/system/public/hwservicemanager.te
@@ -1,20 +1,2 @@
-# hwservicemanager - the Binder context manager for HAL services
 type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, system_file_type, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
+type hwservicemanager_exec, file_type, exec_type, system_file_type;
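Review bot: The new side keeps `hwservicemanager` as a bare domain carrying `mlstrustedsubject` while dropping every allow rule, including `self:binder set_context_mgr`, so no process in the guest could act as the hwbinder context manager; that is presumably intended because nothing launches hwservicemanager in microdroid, but the file itself does not say so. Without a note a later maintainer is likely to re-add the old rules piecemeal the first time a denial shows up. I would document the retention above the type line: `# Type kept only because a contexts file still references it; hwservicemanager is not started in microdroid and has no rules here.` If the domain is in fact no longer referenced by any contexts file, dropping the type (and with it `mlstrustedsubject`) would be the tighter choice for a minimal policy.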
diff --git a/microdroid/sepolicy/system/public/idmap.te b/microdroid/sepolicy/system/public/idmap.te
deleted file mode 100644
index f41f573..0000000
--- a/microdroid/sepolicy/system/public/idmap.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# idmap, when executed by installd
-type idmap, domain;
-type idmap_exec, system_file_type, exec_type, file_type;
-
-# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file create_file_perms;
-allow idmap resourcecache_data_file:dir rw_dir_perms;
-
-# Ignore reading /proc/<pid>/maps after a fork.
-dontaudit idmap installd:file read;
-
-# Open and read from target and overlay apk files passed by argument.
-allow idmap apk_data_file:file r_file_perms;
-allow idmap apk_data_file:dir search;
-
-# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
-
-# Allow apps access to /vendor/app
-r_dir_file(idmap, vendor_app_file)
-
-# Allow apps access to /vendor/overlay
-r_dir_file(idmap, vendor_overlay_file)
-
-# Allow the idmap2d binary to register as a service and communicate via AIDL
-binder_use(idmap)
-binder_service(idmap)
-add_service(idmap, idmap_service)
diff --git a/microdroid/sepolicy/system/public/incident.te b/microdroid/sepolicy/system/public/incident.te
deleted file mode 100644
index ce57bf6..0000000
--- a/microdroid/sepolicy/system/public/incident.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# The incident command is used to call into the incidentd service to
-# take an incident report (binary, shared bugreport), download incident
-# reports that have already been taken, and monitor for new ones.
-# It doesn't do anything else.
-
-# incident
-type incident, domain;
-
diff --git a/microdroid/sepolicy/system/public/incident_helper.te b/microdroid/sepolicy/system/public/incident_helper.te
deleted file mode 100644
index bca1018..0000000
--- a/microdroid/sepolicy/system/public/incident_helper.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# The incident_helper is called by incidentd and
-# can only read/write data from/to incidentd
-
-# incident_helper
-type incident_helper, domain;
diff --git a/microdroid/sepolicy/system/public/incidentd.te b/microdroid/sepolicy/system/public/incidentd.te
deleted file mode 100644
index b03249c..0000000
--- a/microdroid/sepolicy/system/public/incidentd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# incidentd
-type incidentd, domain;
-
diff --git a/microdroid/sepolicy/system/public/init.te b/microdroid/sepolicy/system/public/init.te
index ea5a979..bccdb70 100644
--- a/microdroid/sepolicy/system/public/init.te
+++ b/microdroid/sepolicy/system/public/init.te
@@ -3,657 +3,6 @@
 type init_exec, system_file_type, exec_type, file_type;
 type init_tmpfs, file_type;
 
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-
-#
-# init direct restorecon calls.
-#
-# /dev/kmsg
 allow init tmpfs:chr_file relabelfrom;
 allow init kmsg_device:chr_file { getattr write relabelto };
-# /dev/kmsg_debug
-userdebug_or_eng(`
-  allow init kmsg_debug_device:chr_file { open write relabelto };
-')
-
-# allow init to mount and unmount debugfs in debug builds
-userdebug_or_eng(`
-  allow init debugfs:dir mounton;
-')
-
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
-allow init properties_device:file create_file_perms;
-allow init property_info:file relabelto;
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
-# /dev/socket
-allow init { device socket_device dm_user_device }:dir relabelto;
-# allow init to establish connection and communicate with lmkd
-unix_socket_connect(init, lmkd, lmkd)
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
-# /dev/device-mapper, /dev/block(/.*)?
-allow init tmpfs:{ chr_file blk_file } relabelfrom;
-allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file lnk_file } relabelto;
-allow init dm_device:{ chr_file blk_file } relabelto;
-allow init dm_user_device:chr_file relabelto;
-allow init kernel:fd use;
-# restorecon for early mount device symlinks
-allow init tmpfs:lnk_file { getattr read relabelfrom };
-allow init {
-  metadata_block_device
-  misc_block_device
-  recovery_block_device
-  system_block_device
-  userdata_block_device
-}:{ blk_file lnk_file } relabelto;
-
-allow init super_block_device:lnk_file relabelto;
-
-# Create /mnt/sdcard -> /storage/self/primary symlink.
-allow init mnt_sdcard_file:lnk_file create;
-
-# setrlimit
-allow init self:global_capability_class_set sys_resource;
-
-# Remove /dev/.booting and load /debug_ramdisk/* files
-allow init tmpfs:file { getattr unlink };
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Create /dev/fscklogs files.
-allow init fscklogs:file create_file_perms;
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:global_capability_class_set sys_admin;
-
-# Call setns(2).
-allow init self:global_capability_class_set sys_chroot;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init {
-    rootfs
-    cache_file
-    cgroup
-    linkerconfig_file
-    storage_file
-    mnt_user_file
-    system_data_file
-    system_data_root_file
-    system_file
-    vendor_file
-    postinstall_mnt_dir
-    mirror_data_file
-}:dir mounton;
-
-# Mount bpf fs on sys/fs/bpf
-allow init fs_bpf:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Mount tmpfs on /apex
-allow init apex_mnt_dir:dir mounton;
-
-# Bind-mount on /system/apex/com.android.art
-allow init art_apex_dir:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-allow init cgroup:file rw_file_perms;
-allow init cgroup_rc_file:file rw_file_perms;
-allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
-allow init vendor_cgroup_desc_file:file r_file_perms;
-allow init cgroup_v2:dir { mounton create_dir_perms};
-allow init cgroup_v2:file rw_file_perms;
-
-# /config
-allow init configfs:dir mounton;
-allow init configfs:dir create_dir_perms;
-allow init configfs:{ file lnk_file } create_file_perms;
-
-# /metadata
-allow init metadata_file:dir mounton;
-
-# Use tmpfs as /data, used for booting when /data is encrypted
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set { dac_override dac_read_search };
-
-# Set system clock.
-allow init self:global_capability_class_set sys_time;
-
-allow init self:global_capability_class_set { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-allowxperm init dev_type:blk_file ioctl BLKROSET;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init {
-  fs_type
-  enforce_debugfs_restriction(`-debugfs_type')
-}:filesystem ~relabelto;
-
-# Allow init to mount/unmount debugfs in non-user builds.
-enforce_debugfs_restriction(`
-  userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
-')
-
-# Allow init to mount tracefs in /sys/kernel/tracing
-allow init debugfs_tracing_debug:filesystem mount;
-
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:global_capability_class_set { chown fowner fsetid };
-
-allow init {
-  file_type
-  -app_data_file
-  -exec_type
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -system_app_data_file
-  -system_file_type
-  -vendor_file_type
-}:dir { create search getattr open read setattr ioctl };
-
-allow init {
-  file_type
-  -app_data_file
-  -exec_type
-  -iorapd_data_file
-  -credstore_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_file_type
-  -vendor_file_type
-  -vold_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow init {
-  file_type
-  -apex_info_file
-  -app_data_file
-  -exec_type
-  -gsi_data_file
-  -iorapd_data_file
-  -credstore_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -runtime_event_log_tags_file
-  -shell_data_file
-  -system_app_data_file
-  -system_file_type
-  -vendor_file_type
-  -vold_data_file
-  enforce_debugfs_restriction(`-debugfs_type')
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow init tracefs_type:file { create_file_perms relabelfrom };
-
-allow init {
-  file_type
-  -app_data_file
-  -exec_type
-  -gsi_data_file
-  -iorapd_data_file
-  -credstore_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_file_type
-  -vendor_file_type
-  -vold_data_file
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow init {
-  file_type
-  -apex_mnt_dir
-  -app_data_file
-  -exec_type
-  -gsi_data_file
-  -iorapd_data_file
-  -credstore_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -nativetest_data_file
-  -privapp_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_file_type
-  -vendor_file_type
-  -vold_data_file
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow init cache_file:lnk_file r_file_perms;
-
-allow init {
-  file_type
-  -system_file_type
-  -vendor_file_type
-  -exec_type
-  -app_data_file
-  -privapp_data_file
-}:dir_file_class_set relabelto;
-
-allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
-
-# Setup and control wifi event tracing (see wifi-events.rc)
-allow init debugfs_tracing_instances:dir create_dir_perms;
-allow init debugfs_tracing_instances:file w_file_perms;
-allow init debugfs_wifi_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow init {
-  fs_type
-  -contextmount_type
-  -keychord_device
-  -proc_type
-  -sdcard_type
-  -sysfs_type
-  -rootfs
-  enforce_debugfs_restriction(`-debugfs_type')
-}:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
-
-allow init {
-  binder_device
-  console_device
-  devpts
-  dm_device
-  hwbinder_device
-  input_device
-  kmsg_device
-  null_device
-  owntty_device
-  pmsg_device
-  ptmx_device
-  random_device
-  tty_device
-  zero_device
-}:chr_file { read open };
-
-# Unlabeled file access for upgrades from 4.2.
-allow init unlabeled:dir { create_dir_perms relabelfrom };
-allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:global_capability2_class_set syslog;
-
-# init access to /proc.
-r_dir_file(init, proc_net_type)
-allow init proc_filesystems:file r_file_perms;
-
-userdebug_or_eng(`
-  # Overlayfs workdir write access check during mount to permit remount,rw
-  allow init overlayfs_file:dir { relabelfrom mounton write };
-  allow init overlayfs_file:file { append };
-  allow init system_block_device:blk_file { write };
-')
-
-allow init {
-  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
-  proc_bootconfig
-  proc_cmdline
-  proc_diskstats
-  proc_kmsg # Open /proc/kmsg for logd service.
-  proc_meminfo
-  proc_stat # Read /proc/stat for bootchart.
-  proc_uptime
-  proc_version
-}:file r_file_perms;
-
-allow init {
-  proc_abi
-  proc_dirty
-  proc_hostname
-  proc_hung_task
-  proc_extra_free_kbytes
-  proc_net_type
-  proc_max_map_count
-  proc_min_free_order_shift
-  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
-  proc_panic
-  proc_page_cluster
-  proc_perf
-  proc_sched
-  proc_sysrq
-}:file w_file_perms;
-
-allow init {
-  proc_security
-}:file rw_file_perms;
-
-# init chmod/chown access to /proc files.
-allow init {
-  proc_cmdline
-  proc_bootconfig
-  proc_kmsg
-  proc_net
-  proc_pagetypeinfo
-  proc_qtaguid_stat
-  proc_slabinfo
-  proc_sysrq
-  proc_qtaguid_ctrl
-  proc_vmallocinfo
-}:file setattr;
-
-# init access to /sys files.
-allow init {
-  sysfs_android_usb
-  sysfs_dm_verity
-  sysfs_leds
-  sysfs_power
-  sysfs_fs_f2fs
-  sysfs_dm
-}:file w_file_perms;
-
-allow init {
-  sysfs_dt_firmware_android
-  sysfs_fs_ext4_features
-}:file r_file_perms;
-
-allow init {
-  sysfs_zram
-}:file rw_file_perms;
-
-# allow init to create loop devices with /dev/loop-control
-allow init loop_control_device:chr_file rw_file_perms;
-allow init loop_device:blk_file rw_file_perms;
-allowxperm init loop_device:blk_file ioctl {
-  LOOP_SET_FD
-  LOOP_CLR_FD
-  LOOP_CTL_GET_FREE
-  LOOP_SET_BLOCK_SIZE
-  LOOP_SET_DIRECT_IO
-  LOOP_GET_STATUS
-};
-
-# Allow init to write to vibrator/trigger
-allow init sysfs_vibrator:file w_file_perms;
-
-# init chmod/chown access to /sys files.
-allow init {
-  sysfs_android_usb
-  sysfs_devices_system_cpu
-  sysfs_ipv4
-  sysfs_leds
-  sysfs_lowmemorykiller
-  sysfs_power
-  sysfs_vibrator
-  sysfs_wake_lock
-  sysfs_zram
-}:file setattr;
-
-# Set usermodehelpers.
-allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
-
-allow init self:global_capability_class_set net_admin;
-
-# Reboot.
-allow init self:global_capability_class_set sys_boot;
-
-# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
-# Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
-allow init misc_logd_file:file { open create getattr setattr write };
-
-# Support "adb shell stop"
-allow init self:global_capability_class_set kill;
-allow init domain:process { getpgid sigkill signal };
-
-# Init creates credstore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init credstore_data_file:dir { open create read getattr setattr search };
-allow init credstore_data_file:file { getattr };
-
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
-# Init creates vold's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init vold_data_file:dir { open create read getattr setattr search };
-allow init vold_data_file:file { getattr };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID, GID, and adjust capability bounding set for services.
-allow init self:global_capability_class_set { setuid setgid setpcap };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Get file context
-allow init file_contexts_file:file r_file_perms;
-
-# sepolicy access
-allow init sepolicy_file:file r_file_perms;
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind setopt };
-allow init domain:unix_dgram_socket { create bind setopt };
-
-# Create /data/property and files within it.
-allow init property_data_file:dir create_dir_perms;
-allow init property_data_file:file create_file_perms;
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Send an SELinux userspace denial to the kernel audit subsystem,
-# so it can be picked up and processed by logd. These denials are
-# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:global_capability_class_set audit_write;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:global_capability_class_set net_raw;
-
-# Set scheduling info for psi monitor thread.
-# TODO: delete or revise this line b/131761776
-allow init kernel:process { getsched setsched };
-
-# swapon() needs write access to swap device
-# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
-allow init swap_block_device:blk_file rw_file_perms;
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO:  Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# keychord retrieval from /dev/input/ devices
-allow init input_device:dir r_dir_perms;
-allow init input_device:chr_file rw_file_perms;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# Access dm-user for OTA boot
-allow init dm_user_device:chr_file rw_file_perms;
-
-# Access metadata block device for storing dm-verity state
-allow init metadata_block_device:blk_file rw_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops to detect restarts caused
-# by dm-verity detecting corrupted blocks
-allow init pstorefs:dir search;
-allow init pstorefs:file r_file_perms;
-allow init kernel:system syslog_read;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-# Allow init to create /data/unencrypted
-allow init unencrypted_data_file:dir create_dir_perms;
-
-# Set encryption policy on dirs in /data
-allowxperm init { data_file_type unlabeled }:dir ioctl {
-  FS_IOC_GET_ENCRYPTION_POLICY
-  FS_IOC_SET_ENCRYPTION_POLICY
-};
-
-# Raw writes to misc block device
-allow init misc_block_device:blk_file w_file_perms;
-
-r_dir_file(init, system_file)
-r_dir_file(init, vendor_file_type)
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-# For init to be able to run shell scripts from vendor
-allow init vendor_shell_exec:file execute;
-
-# Metadata setup
-allow init vold_metadata_file:dir create_dir_perms;
-allow init vold_metadata_file:file getattr;
-allow init metadata_bootstat_file:dir create_dir_perms;
-allow init metadata_bootstat_file:file w_file_perms;
-allow init userspace_reboot_metadata_file:file w_file_perms;
-
-# Allow init to touch PSI monitors
-allow init proc_pressure_mem:file { rw_file_perms setattr };
-
-# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
-
-# stat the root dir of fuse filesystems (for the mount handler)
-allow init fuse:dir { search getattr };
-
-# allow filesystem tuning
-allow init userdata_sysdev:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-# The init domain is only entered via an exec based transition from the
-# kernel domain, never via setcon().
-neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
-neverallow init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow init shell_data_file:lnk_file read;
-neverallow init { app_data_file privapp_data_file }:lnk_file read;
-
-# init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
-
-# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
-# when init is executing other binaries. The use of LD_PRELOAD for init spawned
-# services is generally considered a no-no, as it injects libraries which the
-# binary was not expecting. This is especially problematic for APEXes. The use
-# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
-# code into a process which wasn't expecting that code, with potentially
-# unexpected side effects. (b/140789528)
-neverallow init *:process noatsecure;
-
-# init can never add binder services
-neverallow init service_manager_type:service_manager { add find };
-# init can never list binder services
-neverallow init servicemanager:service_manager list;
-
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow init shell_data_file:dir { write add_name remove_name };
-
-# Init should not access sysfs node that are not explicitly labeled.
-neverallow init sysfs:file { open read write };
-
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# init owns the root of /data
-# TODO(b/140259336) We want to remove vendor_init
-# TODO(b/141108496) We want to remove toolbox
-neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
+allow init kmsg_debug_device:chr_file { open write relabelto };
diff --git a/microdroid/sepolicy/system/public/inputflinger.te b/microdroid/sepolicy/system/public/inputflinger.te
deleted file mode 100644
index b62c06d..0000000
--- a/microdroid/sepolicy/system/public/inputflinger.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# inputflinger
-type inputflinger, domain;
-type inputflinger_exec, system_file_type, exec_type, file_type;
-
-binder_use(inputflinger)
-binder_service(inputflinger)
-
-binder_call(inputflinger, system_server)
-
-wakelock_use(inputflinger)
-
-allow inputflinger input_device:dir r_dir_perms;
-allow inputflinger input_device:chr_file rw_file_perms;
-
-r_dir_file(inputflinger, cgroup)
-r_dir_file(inputflinger, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/installd.te b/microdroid/sepolicy/system/public/installd.te
deleted file mode 100644
index eb13cfa..0000000
--- a/microdroid/sepolicy/system/public/installd.te
+++ /dev/null
@@ -1,175 +0,0 @@
-# installer daemon
-type installd, domain;
-type installd_exec, system_file_type, exec_type, file_type;
-typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
-
-# Allow labeling of files under /data/app/com.example/oat/
-allow installd dalvikcache_data_file:dir relabelto;
-allow installd dalvikcache_data_file:file { relabelto link };
-
-# Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
-# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
-# TODO(b/120629632): this path is deprecated, remove when possible.
-allowxperm installd apk_data_file:file ioctl {
-  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
-allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
-allow installd oemfs:dir r_dir_perms;
-allow installd oemfs:file r_file_perms;
-allow installd cgroup:dir create_dir_perms;
-allow installd cgroup_v2:dir create_dir_perms;
-allow installd mnt_expand_file:dir { search getattr };
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-
-r_dir_file(installd, rootfs)
-# Scan through APKs in /system/app and /system/priv-app
-r_dir_file(installd, system_file)
-# Scan through APKs in /vendor/app
-r_dir_file(installd, vendor_app_file)
-# Scan through JARs in /vendor/framework
-r_dir_file(installd, vendor_framework_file)
-# Scan through Runtime Resource Overlay APKs in /vendor/overlay
-r_dir_file(installd, vendor_overlay_file)
-# Get file context
-allow installd file_contexts_file:file r_file_perms;
-# Get seapp_context
-allow installd seapp_contexts_file:file r_file_perms;
-
-# Search /data/app-asec and stat files in it.
-allow installd asec_image_file:dir search;
-allow installd asec_image_file:file getattr;
-
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
-# and lib symlinks before the setfilecon call.  May want to
-# move symlink creation after setfilecon in installd.
-allow installd system_data_file:dir create_dir_perms;
-# Also, allow read for lnk_file so that we can process /data/user/0 links when
-# optimizing application code.
-allow installd system_data_file:lnk_file { create getattr read setattr unlink };
-
-# Manage lower filesystem via pass_through mounts
-allow installd mnt_pass_through_file:dir r_dir_perms;
-
-# Upgrade /data/media for multi-user if necessary.
-allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file { getattr unlink };
-# restorecon new /data/media directory.
-allow installd system_data_file:dir relabelfrom;
-allow installd media_rw_data_file:dir relabelto;
-
-# Delete /data/media files through sdcardfs, instead of going behind its back
-allow installd tmpfs:dir r_dir_perms;
-allow installd storage_file:dir search;
-allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
-allow installd sdcard_type:file { getattr unlink };
-
-# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
-allow installd mirror_data_file:dir { create_dir_perms mounton };
-
-# Upgrade /data/misc/keychain for multi-user if necessary.
-allow installd misc_user_data_file:dir create_dir_perms;
-allow installd misc_user_data_file:file create_file_perms;
-allow installd keychain_data_file:dir create_dir_perms;
-allow installd keychain_data_file:file {r_file_perms unlink};
-
-# Create /data/misc/installd/layout_version.* file
-allow installd install_data_file:file create_file_perms;
-allow installd install_data_file:dir rw_dir_perms;
-
-# Create files under /data/dalvik-cache.
-allow installd dalvikcache_data_file:dir create_dir_perms;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd dalvikcache_data_file:lnk_file getattr;
-
-# Create files under /data/resource-cache.
-allow installd resourcecache_data_file:dir rw_dir_perms;
-allow installd resourcecache_data_file:file create_file_perms;
-
-# Upgrade from unlabeled userdata.
-# Just need enough to remove and/or relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
-# Read pkg.apk file for input during dexopt.
-allow installd unlabeled:file r_file_perms;
-
-# Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it and to unlink removed package files.
-# Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
-
-# Manage /data/data subdirectories, including initially labeling them
-# upon creation via setfilecon or running restorecon_recursive,
-# setting owner/mode, creating symlinks within them, and deleting them
-# upon package uninstall.
-allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
-allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
-allow installd user_profile_data_file:dir { create_dir_perms relabelto };
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:file unlink;
-
-# Allow zygote to unmount mirror directories
-allow installd labeledfs:filesystem unmount;
-
-# Files created/updated by profman dumps.
-allow installd profman_dump_data_file:dir { search add_name write };
-allow installd profman_dump_data_file:file { create setattr open write };
-
-# Create and use pty created by android_fork_execvp().
-allow installd devpts:chr_file rw_file_perms;
-
-# execute toybox for app relocation
-allow installd toolbox_exec:file rx_file_perms;
-
-# Allow installd to publish a binder service and make binder calls.
-binder_use(installd)
-add_service(installd, installd_service)
-allow installd dumpstate:fifo_file  { getattr write };
-
-# Allow installd to call into the system server so it can check permissions.
-binder_call(installd, system_server)
-allow installd permission_service:service_manager find;
-
-# Allow installd to read and write quotas
-allow installd block_device:dir { search };
-allow installd labeledfs:filesystem { quotaget quotamod };
-
-# Allow installd to delete from /data/preloads when trimming data caches
-# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
-allow installd preloads_data_file:file { r_file_perms unlink };
-allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow installd preloads_media_file:file { r_file_perms unlink };
-allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-# Allow installd to read /proc/filesystems
-allow installd proc_filesystems:file r_file_perms;
-
-#add for move app to sd card
-get_prop(installd, storage_config_prop)
-
-###
-### Neverallow rules
-###
-
-# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
-neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
-neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
-neverallow installd {
-    domain
-    -system_server
-    -servicemanager
-    userdebug_or_eng(`-su')
-}:binder call;
diff --git a/microdroid/sepolicy/system/public/iorap_inode2filename.te b/microdroid/sepolicy/system/public/iorap_inode2filename.te
deleted file mode 100644
index 6f119ee..0000000
--- a/microdroid/sepolicy/system/public/iorap_inode2filename.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# iorap.inode2filename -> look up file paths from an inode
-type iorap_inode2filename, domain;
-type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
-type iorap_inode2filename_tmpfs, file_type;
-
-r_dir_file(iorap_inode2filename, rootfs)
-
-# Allow usage of pipes (child stdout -> parent pipe).
-allow iorap_inode2filename iorapd:fd use;
-allow iorap_inode2filename iorapd:fifo_file { read write getattr };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_inode2filename self:capability dac_read_search;
-
-typeattribute iorap_inode2filename mlstrustedsubject;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename apex_data_file:dir { getattr open read search };
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
-allow iorap_inode2filename apex_mnt_dir:file { getattr };
-allow iorap_inode2filename apk_data_file:dir { getattr open read search };
-allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
-allow iorap_inode2filename backup_data_file:dir  { getattr open read search };
-allow iorap_inode2filename backup_data_file:file  { getattr };
-allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
-allow iorap_inode2filename bootchart_data_file:file { getattr };
-allow iorap_inode2filename metadata_file:dir { getattr open read search search };
-allow iorap_inode2filename metadata_file:file { getattr };
-allow iorap_inode2filename packages_list_file:dir { getattr open read search };
-allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename property_data_file:dir { getattr open read search };
-allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
-allow iorap_inode2filename resourcecache_data_file:file { getattr };
-allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:file { getattr };
-allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
-allow iorap_inode2filename same_process_hal_file:file { getattr };
-allow iorap_inode2filename sepolicy_file:file { getattr };
-allow iorap_inode2filename staging_data_file:dir { getattr open read search };
-allow iorap_inode2filename staging_data_file:file { getattr };
-allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
-allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_data_file:file { getattr };
-allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
-allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:file { getattr };
-allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:file { getattr };
-allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
-allow iorap_inode2filename unlabeled:file { getattr };
-allow iorap_inode2filename vendor_file:dir { getattr open read search };
-allow iorap_inode2filename vendor_file:file { getattr };
-allow iorap_inode2filename vendor_overlay_file:file { getattr };
-allow iorap_inode2filename zygote_exec:file { getattr };
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
-neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/iorap_prefetcherd.te b/microdroid/sepolicy/system/public/iorap_prefetcherd.te
deleted file mode 100644
index 4b218fb..0000000
--- a/microdroid/sepolicy/system/public/iorap_prefetcherd.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# volume manager
-type iorap_prefetcherd, domain;
-type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
-type iorap_prefetcherd_tmpfs, file_type;
-
-r_dir_file(iorap_prefetcherd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
-
-# iorap_prefetcherd temporarily changes its priority when running benchmarks
-allow iorap_prefetcherd self:global_capability_class_set sys_nice;
-
-# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
-allow iorap_prefetcherd iorapd:fd use;
-allow iorap_prefetcherd iorapd:fifo_file { read write };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_prefetcherd self:capability dac_read_search;
-
-typeattribute iorap_prefetcherd mlstrustedsubject;
-
-# Grant logcat access
-allow iorap_prefetcherd logcat_exec:file { open read };
-
-# Grant access to open most of the files under /
-allow iorap_prefetcherd apk_data_file:dir { open read search };
-allow iorap_prefetcherd apk_data_file:file { open read };
-allow iorap_prefetcherd app_data_file:dir { open read search };
-allow iorap_prefetcherd app_data_file:file { open read };
-allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
-allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
-allow iorap_prefetcherd packages_list_file:dir { open read search };
-allow iorap_prefetcherd packages_list_file:file { open read };
-allow iorap_prefetcherd privapp_data_file:dir { open read search };
-allow iorap_prefetcherd privapp_data_file:file { open read };
-allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
-allow iorap_prefetcherd same_process_hal_file:file { open read };
-allow iorap_prefetcherd system_data_file:dir { open read search };
-allow iorap_prefetcherd system_data_file:file { open read };
-allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:file { open read };
-allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
-allow iorap_prefetcherd vendor_overlay_file:file { open read };
-# Note: Do not add any /vendor labels because they can be customized
-# by the vendor and we won't know about them beforehand.
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
-neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/iorapd.te b/microdroid/sepolicy/system/public/iorapd.te
deleted file mode 100644
index b772af8..0000000
--- a/microdroid/sepolicy/system/public/iorapd.te
+++ /dev/null
@@ -1,98 +0,0 @@
-# volume manager
-type iorapd, domain;
-type iorapd_exec, exec_type, file_type, system_file_type;
-type iorapd_tmpfs, file_type;
-
-r_dir_file(iorapd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorapd proc_drop_caches:file rw_file_perms;
-
-# Give iorapd a place where only iorapd can store files; everyone else is off limits
-allow iorapd iorapd_data_file:dir create_dir_perms;
-allow iorapd iorapd_data_file:file create_file_perms;
-
-# Allow iorapd to publish a binder service and make binder calls.
-binder_use(iorapd)
-add_service(iorapd, iorapd_service)
-
-# Allow iorapd to call into the system server so it can check permissions.
-binder_call(iorapd, system_server)
-allow iorapd permission_service:service_manager find;
-# IUserManager
-allow iorapd user_service:service_manager find;
-# IPackageManagerNative
-allow iorapd package_native_service:service_manager find;
-# Allow dumpstate (bugreport) to call into iorapd.
-allow iorapd dumpstate:fd use;
-allow iorapd dumpstate:fifo_file write;
-
-# talk to batteryservice
-binder_call(iorapd, healthd)
-
-# TODO: does each of the service_manager allow finds above need the binder_call?
-
-# iorapd temporarily changes its priority when running benchmarks
-allow iorapd self:global_capability_class_set sys_nice;
-
-# Allow to access Perfetto traced's privileged consumer socket to start/stop
-# tracing sessions and read trace data.
-unix_socket_connect(iorapd, traced_consumer, traced)
-
-# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
-allow iorapd system_file:file rx_file_perms;
-
-# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
-allow iorapd iorap_inode2filename:process signull;
-allow iorapd iorap_prefetcherd:process signull;
-
-# Allowing system_server to check for the existence and size of files under iorapd
-# dir without collecting any sensitive app data.
-# This is used to predict if iorapd is doing prefetching or not.
-allow system_server iorapd_data_file:dir { getattr open read search };
-allow system_server iorapd_data_file:file getattr;
-
-###
-### neverallow rules
-###
-
-neverallow {
-    domain
-    -iorapd
-} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
-    domain
-    -init
-    -iorapd
-    -system_server
-} iorapd_data_file:dir *;
-
-neverallow {
-    domain
-    -kernel
-    -iorapd
-} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
-    domain
-    -init
-    -kernel
-    -vendor_init
-    -iorapd
-    -system_server
-} { iorapd_data_file }:notdevfile_class_set *;
-
-# Only system_server and shell (for dumpsys) can interact with iorapd over binder
-neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
-neverallow iorapd {
-  domain
-  -healthd
-  -servicemanager
-  -system_server
-  userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/microdroid/sepolicy/system/public/isolated_app.te b/microdroid/sepolicy/system/public/isolated_app.te
deleted file mode 100644
index a907dac..0000000
--- a/microdroid/sepolicy/system/public/isolated_app.te
+++ /dev/null
@@ -1,9 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-type isolated_app, domain;
diff --git a/microdroid/sepolicy/system/public/kernel.te b/microdroid/sepolicy/system/public/kernel.te
index 9aa40cc..c117a1a 100644
--- a/microdroid/sepolicy/system/public/kernel.te
+++ b/microdroid/sepolicy/system/public/kernel.te
@@ -1,141 +1,2 @@
 # Life begins with the kernel.
 type kernel, domain, mlstrustedsubject;
-
-allow kernel self:global_capability_class_set sys_nice;
-
-# Root fs.
-r_dir_file(kernel, rootfs)
-
-# Used to read androidboot.selinux property
-allow kernel {
-  proc_bootconfig
-  proc_cmdline
-}:file r_file_perms;
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Get file contexts during first stage
-allow kernel file_contexts_file:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Mount usbfs.
-allow kernel usbfs:filesystem mount;
-allow kernel usbfs:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:global_capability_class_set sys_resource;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:global_capability_class_set sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/kmsg which was created prior to loading policy.
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel sdcard_type:file { read write };
-
-# f_mtp driver accesses files from kernel context.
-allow kernel mediaprovider:fd use;
-
-# Allow the kernel to read OBB files from app directories. (b/17428116)
-# Kernel thread "loop0" reads a vold supplied file descriptor.
-# Fixes CTS tests:
-#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
-#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
-allow kernel vold:fd use;
-allow kernel { app_data_file privapp_data_file }:file read;
-allow kernel asec_image_file:file read;
-
-# Allow mounting loop device in update_engine_unittests. (b/28319454)
-# and for LTP kernel tests (b/73220071)
-userdebug_or_eng(`
-  allow kernel update_engine_data_file:file { read write };
-  allow kernel nativetest_data_file:file { read write };
-')
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow kernel media_rw_data_file:dir create_dir_perms;
-allow kernel media_rw_data_file:file create_file_perms;
-
-# Access to /data/misc/vold/virtual_disk.
-allow kernel vold_data_file:file { read write };
-
-# Allow the kernel to read APEX file descriptors and (staged) data files;
-# Needed because APEX uses the loopback driver, which issues requests from
-# a kernel thread in earlier kernel version.
-allow kernel apexd:fd use;
-allow kernel {
-  apex_data_file
-  staging_data_file
-  vendor_apex_file
-}:file read;
-
-# Allow the first-stage init (which is running in the kernel domain) to execute the
-# dynamic linker when it re-executes /init to switch into the second stage.
-# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
-# before the domain is switched to the target domain. So, we need to allow the kernel
-# domain (the source domain) to execute the dynamic linker (system_file type).
-# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
-# kernel older than 4.8.
-allow kernel system_file:file execute;
-# The label for the dynamic linker is rootfs in the recovery partition. This is because
-# the recovery partition which is rootfs does not support xattr and thus labeling can't be
-# done at build-time. All files are by default labeled as rootfs upon booting.
-recovery_only(`
-  allow kernel rootfs:file execute;
-')
-
-# required by VTS lidbm unit test
-allow kernel appdomain_tmpfs:file { read write };
-
-###
-### neverallow rules
-###
-
-# The initial task starts in the kernel domain (assigned via
-# initial_sid_contexts), but nothing ever transitions to it.
-neverallow * kernel:process { transition dyntransition };
-
-# The kernel domain is never entered via an exec, nor should it
-# ever execute a program outside the rootfs without changing to another domain.
-# If you encounter an execute_no_trans denial on the kernel domain, then
-# possible causes include:
-# - The program is a kernel usermodehelper.  In this case, define a domain
-#   for the program and domain_auto_trans() to it.
-# - You are running an exploit which switched to the init task credentials
-#   and is then trying to exec a shell or other program.  You lose!
-neverallow kernel *:file { entrypoint execute_no_trans };
-
-# the kernel should not be accessing files owned by other users.
-# Instead of adding dac_{read_search,override}, fix the unix permissions
-# on files being accessed.
-neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
-
-# Nobody should be ptracing kernel threads
-neverallow * kernel:process ptrace;
diff --git a/microdroid/sepolicy/system/public/keystore.te b/microdroid/sepolicy/system/public/keystore.te
index 43ee28d..295d3d9 100644
--- a/microdroid/sepolicy/system/public/keystore.te
+++ b/microdroid/sepolicy/system/public/keystore.te
@@ -1,12 +1,10 @@
-type keystore, domain, keystore2_key_type;
-type keystore_exec, system_file_type, exec_type, file_type;
+type keystore, domain;
+type keystore_exec, file_type, exec_type, system_file_type;
 
 # keystore daemon
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
-binder_call(keystore, system_server)
-binder_call(keystore, wificond)
 
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
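Review bot: The new first line `type keystore, domain;` drops the `keystore2_key_type` attribute from keystore, and the same change deletes keystore_keys.te, the only other place in this diff that attached that attribute to a type. If no remaining microdroid .te file declares a `keystore2_key_type` type, keystore2 has no key-namespace type to check `keystore2_key` permissions against, so any key creation or use inside the VM would presumably be denied at runtime rather than caught at policy build time. Please confirm that either a key namespace type and matching `keystore2_key_contexts` still exist in the microdroid policy, or that keystore2 is intentionally unused here; in the latter case a one-line comment such as `# keystore2 key namespaces are not provisioned in microdroid` above this type line would stop the next reader from re-adding it. The attribute reorder on `keystore_exec` is cosmetic and fine.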
@@ -14,12 +12,11 @@
 
 add_service(keystore, keystore_service)
 add_service(keystore, remoteprovisioning_service)
-allow keystore sec_key_att_app_id_provider_service:service_manager find;
-allow keystore dropbox_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
 add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
 add_service(keystore, legacykeystore_service)
 
 # Check SELinux permissions.
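Review bot: The added `add_service(keystore, keystore_metrics_service)` expands (per the platform `add_service` macro) to an allow plus a `neverallow { domain -keystore } keystore_metrics_service:service_manager add`, both of which require `keystore_metrics_service` to be declared as a `service_manager_type` in microdroid's service.te, which is not part of this diff. Since the rest of this change prunes types to those listed in the contexts files, please confirm the type was added to the microdroid service.te and to service_contexts rather than inherited from the platform policy; otherwise the build will presumably fail on the undeclared type. A short comment next to the new line, e.g. `# keystore_metrics_service is declared in microdroid service.te`, would make the dependency explicit.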
@@ -27,18 +24,3 @@
 
 r_dir_file(keystore, cgroup)
 r_dir_file(keystore, cgroup_v2)
-
-###
-### Neverallow rules
-###
-### Protect ourself from others
-###
-
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-
-# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
-neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
diff --git a/microdroid/sepolicy/system/public/keystore_keys.te b/microdroid/sepolicy/system/public/keystore_keys.te
deleted file mode 100644
index 3c35984..0000000
--- a/microdroid/sepolicy/system/public/keystore_keys.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# A keystore2 namespace for WI-FI.
-type wifi_key, keystore2_key_type;
diff --git a/microdroid/sepolicy/system/public/llkd.te b/microdroid/sepolicy/system/public/llkd.te
deleted file mode 100644
index 1faa429..0000000
--- a/microdroid/sepolicy/system/public/llkd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# llkd Live LocK Daemon
-type llkd, domain, mlstrustedsubject;
-type llkd_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/lmkd.te b/microdroid/sepolicy/system/public/lmkd.te
deleted file mode 100644
index de6052d..0000000
--- a/microdroid/sepolicy/system/public/lmkd.te
+++ /dev/null
@@ -1,72 +0,0 @@
-# lmkd low memory killer daemon
-type lmkd, domain, mlstrustedsubject;
-type lmkd_exec, system_file_type, exec_type, file_type;
-
-allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
-
-# lmkd locks itself in memory, to prevent it from being
-# swapped out and unable to kill other memory hogs.
-# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
-# b/16236289
-allow lmkd self:global_capability_class_set ipc_lock;
-
-## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
-## TODO: maybe scope this down?
-r_dir_file(lmkd, domain)
-allow lmkd domain:file write;
-
-## Writes to /sys/module/lowmemorykiller/parameters/minfree
-r_dir_file(lmkd, sysfs_lowmemorykiller)
-allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-
-# setsched and send kill signals to any registered process
-allow lmkd domain:process { setsched sigkill };
-# TODO: delete this line b/131761776
-allow lmkd kernel:process { setsched };
-
-# Clean up old cgroups
-allow lmkd cgroup:dir { remove_name rmdir };
-allow lmkd cgroup_v2:dir { remove_name rmdir };
-
-# Allow to read memcg stats
-allow lmkd cgroup:file r_file_perms;
-allow lmkd cgroup_v2:file r_file_perms;
-
-# Set self to SCHED_FIFO
-allow lmkd self:global_capability_class_set sys_nice;
-
-allow lmkd proc_zoneinfo:file r_file_perms;
-allow lmkd proc_vmstat:file r_file_perms;
-
-# live lock watchdog process allowed to look through /proc/
-allow lmkd domain:dir { search open read };
-allow lmkd domain:file { open read };
-
-# live lock watchdog process allowed to dump process trace and
-# reboot because orderly shutdown may not be possible.
-allow lmkd proc_sysrq:file rw_file_perms;
-
-# Read /proc/lowmemorykiller
-allow lmkd proc_lowmemorykiller:file r_file_perms;
-
-# Read /proc/meminfo
-allow lmkd proc_meminfo:file r_file_perms;
-
-# Read /proc/pressure/cpu and /proc/pressure/io
-allow lmkd proc_pressure_cpu:file r_file_perms;
-allow lmkd proc_pressure_io:file r_file_perms;
-
-# Read/Write /proc/pressure/memory
-allow lmkd proc_pressure_mem:file rw_file_perms;
-
-# Allow lmkd to connect during reinit.
-allow lmkd lmkd_socket:sock_file write;
-
-# Allow lmkd to write to statsd.
-unix_socket_send(lmkd, statsdw, statsd)
-
-### neverallow rules
-
-# never honor LD_PRELOAD
-neverallow * lmkd:process noatsecure;
-neverallow lmkd self:global_capability_class_set sys_ptrace;
diff --git a/microdroid/sepolicy/system/public/logcat.te b/microdroid/sepolicy/system/public/logcat.te
new file mode 100644
index 0000000..902fd8a
--- /dev/null
+++ b/microdroid/sepolicy/system/public/logcat.te
@@ -0,0 +1,2 @@
+type logcat;
+type logcat_exec, file_type, exec_type, system_file_type;
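Review bot: `type logcat;` is declared without the `domain` attribute, unlike the sibling `type logd, domain;` added in the same change, while `logcat_exec` is still an `exec_type`. If anything transitions into `logcat` on exec of `logcat_exec`, the process would end up in a type that receives none of the baseline rules granted to `domain` and would be denied almost immediately; whether such a transition rule exists cannot be seen from this diff. If the type is intentionally a placeholder so that file_contexts can keep labelling the binary, add a comment such as `# Not a process domain in microdroid; kept so logcat_exec can be labelled` above it so the missing attribute is not read as an oversight.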
diff --git a/microdroid/sepolicy/system/public/logd.te b/microdroid/sepolicy/system/public/logd.te
index 8187179..67f601c 100644
--- a/microdroid/sepolicy/system/public/logd.te
+++ b/microdroid/sepolicy/system/public/logd.te
@@ -1,74 +1,2 @@
-# android user-space log manager
-type logd, domain, mlstrustedsubject;
-type logd_exec, system_file_type, exec_type, file_type;
-
-# Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
-r_dir_file(logd, proc_kmsg)
-r_dir_file(logd, proc_meminfo)
-
-allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
-allow logd self:global_capability2_class_set syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file { getattr w_file_perms };
-allow logd system_data_file:{ file lnk_file } r_file_perms;
-allow logd packages_list_file:file r_file_perms;
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-userdebug_or_eng(`
-  # Access to /data/misc/logd/event-log-tags
-  allow logd misc_logd_file:dir r_dir_perms;
-  allow logd misc_logd_file:file rw_file_perms;
-')
-allow logd runtime_event_log_tags_file:file rw_file_perms;
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-allow runtime_event_log_tags_file tmpfs:filesystem associate;
-# Typically harmlessly blindly trying to access via liblog
-# event tag mapping while in the untrusted_app domain.
-# Access for that domain is controlled and gated via the
-# event log tag service (albeit at a performance penalty,
-# expected to be locally cached).
-dontaudit domain runtime_event_log_tags_file:file { map open read };
-
-# Logd sets defaults if certain properties are empty.
-set_prop(logd, logd_prop)
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
-
-# Only init is allowed to enter the logd domain via exec()
-neverallow { domain -init } logd:process transition;
-neverallow * logd:process dyntransition;
-
-# protect the event-log-tags file
-neverallow {
-  domain
-  -init
-  -logd
-} runtime_event_log_tags_file:file no_w_file_perms;
+type logd, domain;
+type logd_exec, file_type, exec_type, system_file_type;
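Review bot: The rewrite leaves `logd` as a bare domain with `logd_exec` still labelled, so if init still starts logd in microdroid every access it makes will be denied (or merely audited in permissive mode) unless its allow rules were moved to a file outside this diff, which the commit message does not state. Separately, `neverallow { domain -init } logd:process transition;` and `neverallow * logd:process dyntransition;` are compile-time assertions with no runtime cost and are what guarantees that only init can enter the logd domain; they should survive the trimming as long as `init` is still declared. If logd is genuinely not run in microdroid, a one-line comment such as `# logd is not started in microdroid; type kept only for file_contexts labelling` above the type declaration would make the intent explicit.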
diff --git a/microdroid/sepolicy/system/public/logpersist.te b/microdroid/sepolicy/system/public/logpersist.te
deleted file mode 100644
index c8e6af4..0000000
--- a/microdroid/sepolicy/system/public/logpersist.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# android debug logging, logpersist domains
-type logpersist, domain;
-
-# logcatd is a shell script that execs logcat with various parameters.
-allow logpersist shell_exec:file rx_file_perms;
-allow logpersist logcat_exec:file rx_file_perms;
-
-###
-### Neverallow rules
-###
-### logpersist should NEVER do any of this
-
-# Block device access.
-neverallow logpersist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logpersist domain:process ptrace;
-
-# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
-
-# Only init should be allowed to enter the logpersist domain via exec()
-# Following is a list of debug domains we know that transition to logpersist
-# neverallow_with_undefined_domains {
-#   domain
-#   -init       # goldfish, logcatd, raft
-#   -mmi        # bat, mtp8996, msmcobalt
-#   -system_app # Smith.apk
-# } logpersist:process transition;
-neverallow * logpersist:process dyntransition;
diff --git a/microdroid/sepolicy/system/public/mdnsd.te b/microdroid/sepolicy/system/public/mdnsd.te
deleted file mode 100644
index ef7b065..0000000
--- a/microdroid/sepolicy/system/public/mdnsd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# mdns daemon
-type mdnsd, domain;
diff --git a/microdroid/sepolicy/system/public/mediadrmserver.te b/microdroid/sepolicy/system/public/mediadrmserver.te
deleted file mode 100644
index a52295e..0000000
--- a/microdroid/sepolicy/system/public/mediadrmserver.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# mediadrmserver - mediadrm daemon
-type mediadrmserver, domain;
-type mediadrmserver_exec, system_file_type, exec_type, file_type;
-
-typeattribute mediadrmserver mlstrustedsubject;
-
-net_domain(mediadrmserver)
-binder_use(mediadrmserver)
-binder_call(mediadrmserver, binderservicedomain)
-binder_call(mediadrmserver, appdomain)
-binder_service(mediadrmserver)
-hal_client_domain(mediadrmserver, hal_drm)
-
-add_service(mediadrmserver, mediadrmserver_service)
-allow mediadrmserver mediaserver_service:service_manager find;
-allow mediadrmserver mediametrics_service:service_manager find;
-allow mediadrmserver processinfo_service:service_manager find;
-allow mediadrmserver surfaceflinger_service:service_manager find;
-allow mediadrmserver system_file:dir r_dir_perms;
-
-# TODO(b/80317992): remove
-binder_call(mediadrmserver, hal_omx_server)
-
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/mediaextractor.te b/microdroid/sepolicy/system/public/mediaextractor.te
deleted file mode 100644
index a29e5dc..0000000
--- a/microdroid/sepolicy/system/public/mediaextractor.te
+++ /dev/null
@@ -1,73 +0,0 @@
-# mediaextractor - multimedia daemon
-type mediaextractor, domain;
-type mediaextractor_exec, system_file_type, exec_type, file_type;
-type mediaextractor_tmpfs, file_type;
-
-typeattribute mediaextractor mlstrustedsubject;
-
-binder_use(mediaextractor)
-binder_call(mediaextractor, binderservicedomain)
-binder_call(mediaextractor, appdomain)
-binder_service(mediaextractor)
-
-add_service(mediaextractor, mediaextractor_service)
-allow mediaextractor mediametrics_service:service_manager find;
-allow mediaextractor hidl_token_hwservice:hwservice_manager find;
-
-allow mediaextractor system_server:fd use;
-
-hal_client_domain(mediaextractor, hal_cas)
-hal_client_domain(mediaextractor, hal_allocator)
-
-r_dir_file(mediaextractor, cgroup)
-r_dir_file(mediaextractor, cgroup_v2)
-allow mediaextractor proc_meminfo:file r_file_perms;
-
-crash_dump_fallback(mediaextractor)
-
-# allow mediaextractor read permissions for file sources
-allow mediaextractor sdcard_type:file { getattr read };
-allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
-
-# Read resources from open apk files passed over Binder
-allow mediaextractor apk_data_file:file { read getattr };
-allow mediaextractor asec_apk_file:file { read getattr };
-allow mediaextractor ringtone_file:file { read getattr };
-
-# overlay package access
-allow mediaextractor vendor_overlay_file:file { read map };
-
-# scan extractor library directory to dynamically load extractors
-allow mediaextractor system_file:dir { read open };
-
-###
-### neverallow rules
-###
-
-# mediaextractor should never execute any executable without a
-# domain transition
-neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
-neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-# mediaextractor should not be opening /data files directly. Any files
-# it touches (with a few exceptions) need to be passed to it via a file
-# descriptor opened outside the process.
-neverallow mediaextractor {
-  data_file_type
-  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
-  userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
-  with_native_coverage(`-method_trace_data_file')
-}:file open;
diff --git a/microdroid/sepolicy/system/public/mediametrics.te b/microdroid/sepolicy/system/public/mediametrics.te
deleted file mode 100644
index 76f819e..0000000
--- a/microdroid/sepolicy/system/public/mediametrics.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# mediametrics - daemon for collecting media.metrics data
-type mediametrics, domain;
-type mediametrics_exec, system_file_type, exec_type, file_type;
-
-
-binder_use(mediametrics)
-binder_call(mediametrics, binderservicedomain)
-binder_service(mediametrics)
-
-add_service(mediametrics, mediametrics_service)
-
-allow mediametrics system_server:fd use;
-
-r_dir_file(mediametrics, cgroup)
-r_dir_file(mediametrics, cgroup_v2)
-allow mediametrics proc_meminfo:file r_file_perms;
-
-# allows interactions with dumpsys to GMScore
-allow mediametrics { app_data_file privapp_data_file }:file write;
-
-# allow access to package manager for uid->apk mapping
-allow mediametrics package_native_service:service_manager find;
-
-# Allow metrics service to send information to statsd socket.
-unix_socket_send(mediametrics, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# mediametrics should never execute any executable without a
-# domain transition
-neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ udp_socket rawip_socket } *;
-neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/microdroid/sepolicy/system/public/mediaprovider.te b/microdroid/sepolicy/system/public/mediaprovider.te
deleted file mode 100644
index 24170a5..0000000
--- a/microdroid/sepolicy/system/public/mediaprovider.te
+++ /dev/null
@@ -1,6 +0,0 @@
-###
-### A domain for android.process.media, which contains both
-### MediaProvider and DownloadProvider and associated services.
-###
-
-type mediaprovider, domain;
diff --git a/microdroid/sepolicy/system/public/mediaserver.te b/microdroid/sepolicy/system/public/mediaserver.te
deleted file mode 100644
index ad460e1..0000000
--- a/microdroid/sepolicy/system/public/mediaserver.te
+++ /dev/null
@@ -1,149 +0,0 @@
-# mediaserver - multimedia daemon
-type mediaserver, domain;
-type mediaserver_exec, system_file_type, exec_type, file_type;
-type mediaserver_tmpfs, file_type;
-
-typeattribute mediaserver mlstrustedsubject;
-
-net_domain(mediaserver)
-
-r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaserver, cgroup)
-r_dir_file(mediaserver, cgroup_v2)
-
-# stat /proc/self
-allow mediaserver proc:lnk_file getattr;
-
-# open /vendor/lib/mediadrm
-allow mediaserver system_file:dir r_dir_perms;
-
-userdebug_or_eng(`
-  # ptrace to processes in the same domain for memory leak detection
-  allow mediaserver self:process ptrace;
-')
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver media_data_file:dir create_dir_perms;
-allow mediaserver media_data_file:file create_file_perms;
-allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
-allow mediaserver sdcard_type:file write;
-allow mediaserver gpu_device:chr_file rw_file_perms;
-allow mediaserver video_device:dir r_dir_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow mediaserver apk_data_file:file { read getattr };
-allow mediaserver asec_apk_file:file { read getattr };
-allow mediaserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow mediaserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
-
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system_server:fifo_file r_file_perms;
-
-r_dir_file(mediaserver, media_rw_data_file)
-
-# Grant access to read files on appfuse.
-allow mediaserver app_fuse_file:file { read getattr };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(mediaserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(mediaserver, bluetooth, bluetooth)
-
-add_service(mediaserver, mediaserver_service)
-allow mediaserver activity_service:service_manager find;
-allow mediaserver appops_service:service_manager find;
-allow mediaserver audio_service:service_manager find;
-allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraserver_service:service_manager find;
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver drmserver_service:service_manager find;
-allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediametrics_service:service_manager find;
-allow mediaserver media_session_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver permission_checker_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver processinfo_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-allow mediaserver surfaceflinger_service:service_manager find;
-
-# for ModDrm/MediaPlayer
-allow mediaserver mediadrmserver_service:service_manager find;
-
-# For hybrid interfaces
-allow mediaserver hidl_token_hwservice:hwservice_manager find;
-
-# /oem access
-allow mediaserver oemfs:dir search;
-allow mediaserver oemfs:file r_file_perms;
-
-# /vendor apk access
-allow mediaserver vendor_app_file:file { read map getattr };
-
-use_drmservice(mediaserver)
-allow mediaserver drmserver:drmservice {
-    consumeRights
-    setPlaybackStatus
-    openDecryptSession
-    closeDecryptSession
-    initializeDecryptUnit
-    decrypt
-    finalizeDecryptUnit
-    pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow mediaserver media_rw_data_file:dir create_dir_perms;
-allow mediaserver media_rw_data_file:file create_file_perms;
-
-# Access to media in /data/preloads
-allow mediaserver preloads_media_file:file { getattr read ioctl };
-
-allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow mediaserver hal_graphics_allocator:fd use;
-allow mediaserver hal_graphics_composer:fd use;
-allow mediaserver hal_camera:fd use;
-
-allow mediaserver system_server:fd use;
-
-# b/120491318 allow mediaserver to access void:fd
-allow mediaserver vold:fd use;
-
-# overlay package access
-allow mediaserver vendor_overlay_file:file { read getattr map };
-
-hal_client_domain(mediaserver, hal_allocator)
-
-###
-### neverallow rules
-###
-
-# mediaserver should never execute any executable without a
-# domain transition
-neverallow mediaserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/mediaswcodec.te b/microdroid/sepolicy/system/public/mediaswcodec.te
deleted file mode 100644
index 5726842..0000000
--- a/microdroid/sepolicy/system/public/mediaswcodec.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type mediaswcodec, domain;
-type mediaswcodec_exec, system_file_type, exec_type, file_type;
-
-hal_server_domain(mediaswcodec, hal_codec2)
-
-# mediaswcodec may use an input surface from a different Codec2 service or an
-# OMX service
-hal_client_domain(mediaswcodec, hal_codec2)
-hal_client_domain(mediaswcodec, hal_omx)
-
-hal_client_domain(mediaswcodec, hal_allocator)
-hal_client_domain(mediaswcodec, hal_graphics_allocator)
-
-crash_dump_fallback(mediaswcodec)
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
-
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
-
-allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/modprobe.te b/microdroid/sepolicy/system/public/modprobe.te
deleted file mode 100644
index 2c7d64b..0000000
--- a/microdroid/sepolicy/system/public/modprobe.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type modprobe, domain;
-
-allow modprobe proc_modules:file r_file_perms;
-allow modprobe proc_cmdline:file r_file_perms;
-allow modprobe self:global_capability_class_set sys_module;
-allow modprobe kernel:key search;
-recovery_only(`
-  allow modprobe rootfs:system module_load;
-  allow modprobe rootfs:file r_file_perms;
-')
diff --git a/microdroid/sepolicy/system/public/mtp.te b/microdroid/sepolicy/system/public/mtp.te
deleted file mode 100644
index add63c0..0000000
--- a/microdroid/sepolicy/system/public/mtp.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# vpn tunneling protocol manager
-type mtp, domain;
-type mtp_exec, system_file_type, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
-allow mtp self:global_capability_class_set net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/microdroid/sepolicy/system/public/net.te b/microdroid/sepolicy/system/public/net.te
deleted file mode 100644
index e90715e..0000000
--- a/microdroid/sepolicy/system/public/net.te
+++ /dev/null
@@ -1,39 +0,0 @@
-## Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
-
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
-# to avoid app-compat breakage.
-allow {
-  netdomain
-  -ephemeral_app
-  -mediaprovider
-  -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/microdroid/sepolicy/system/public/netd.te b/microdroid/sepolicy/system/public/netd.te
deleted file mode 100644
index ff0bff6..0000000
--- a/microdroid/sepolicy/system/public/netd.te
+++ /dev/null
@@ -1,176 +0,0 @@
-# network manager
-type netd, domain, mlstrustedsubject;
-type netd_exec, system_file_type, exec_type, file_type;
-
-net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
-allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(netd, cgroup)
-
-allow netd system_server:fd use;
-
-allow netd self:global_capability_class_set { net_admin net_raw kill };
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set.  We do not appear to truly need this capability
-# for netd to operate.
-dontaudit netd self:global_capability_class_set fsetid;
-
-# Allow netd to open /dev/tun, set it up and pass it to clatd
-allow netd tun_device:chr_file rw_file_perms;
-allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-allow netd self:tun_socket create;
-
-allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-not_full_treble(`allow netd vendor_file:file x_file_perms;')
-allow netd devpts:chr_file rw_file_perms;
-
-# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
-# exist, suppress the denial.
-allow netd system_file:file lock;
-dontaudit netd system_file:dir write;
-
-# Allow netd to write to qtaguid ctrl file.
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file
-# after migration complete
-allow netd proc_qtaguid_ctrl:file rw_file_perms;
-# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
-allow netd qtaguid_device:chr_file r_file_perms;
-
-r_dir_file(netd, proc_net_type)
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net_type:file rw_file_perms;
-
-# Enables PppController and interface enumeration (among others)
-allow netd sysfs:dir r_dir_perms;
-r_dir_file(netd, sysfs_net)
-
-# Allows setting interface MTU
-allow netd sysfs_net:file w_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow netd sysfs_usb:file write;
-
-r_dir_file(netd, cgroup_v2)
-
-allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write };
-
-# TODO: netd previously thought it needed these permissions to do WiFi related
-#       work.  However, after all the WiFi stuff is gone, we still need them.
-#       Why?
-allow netd self:global_capability_class_set { dac_override dac_read_search chown };
-
-# Needed to update /data/misc/net/rt_tables
-allow netd net_data_file:file create_file_perms;
-allow netd net_data_file:dir rw_dir_perms;
-allow netd self:global_capability_class_set fowner;
-
-# Needed to lock the iptables lock.
-allow netd system_file:file lock;
-
-# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
-
-# Allow netd to publish a binder service and make binder calls.
-binder_use(netd)
-add_service(netd, netd_service)
-add_service(netd, dnsresolver_service)
-allow netd dumpstate:fifo_file  { getattr write };
-
-# Allow netd to call into the system server so it can check permissions.
-allow netd system_server:binder call;
-allow netd permission_service:service_manager find;
-
-# Allow netd to talk to the framework service which collects netd events.
-allow netd netd_listener_service:service_manager find;
-
-# Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{
-  icmp_socket
-  tcp_socket
-  udp_socket
-  rawip_socket
-  tun_socket
-} { read write getattr setattr getopt setopt };
-allow netd netdomain:fd use;
-
-# give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-
-# Allow netd to register as hal server.
-add_hwservice(netd, system_net_netd_hwservice)
-hwbinder_use(netd)
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
-
-# only system_server, dumpstate and network stack app may find netd service
-neverallow {
-    domain
-    -system_server
-    -dumpstate
-    -network_stack
-    -netd
-    -netutils_wrapper
-} netd_service:service_manager find;
-
-# only system_server, dumpstate and network stack app may find dnsresolver service
-neverallow {
-    domain
-    -system_server
-    -dumpstate
-    -network_stack
-    -netd
-    -netutils_wrapper
-} dnsresolver_service:service_manager find;
-
-# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
-
-# If an already existing file is opened with O_CREATE, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-neverallow netd proc_net:dir no_w_dir_perms;
-dontaudit netd proc_net:dir write;
-
-neverallow netd sysfs_net:dir no_w_dir_perms;
-dontaudit netd sysfs_net:dir write;
-
-# Netd should not have SYS_ADMIN privs.
-neverallow netd self:capability sys_admin;
-dontaudit netd self:capability sys_admin;
-
-# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
-# (things it requires should be built directly into the kernel)
-dontaudit netd self:capability sys_module;
-
-dontaudit netd kernel:system module_request;
-
-dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/microdroid/sepolicy/system/public/netutils_wrapper.te b/microdroid/sepolicy/system/public/netutils_wrapper.te
deleted file mode 100644
index 27aa749..0000000
--- a/microdroid/sepolicy/system/public/netutils_wrapper.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type netutils_wrapper, domain;
-type netutils_wrapper_exec, system_file_type, exec_type, file_type;
-
-neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/microdroid/sepolicy/system/public/network_stack.te b/microdroid/sepolicy/system/public/network_stack.te
deleted file mode 100644
index feff664..0000000
--- a/microdroid/sepolicy/system/public/network_stack.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Network stack service app
-type network_stack, domain;
diff --git a/microdroid/sepolicy/system/public/nfc.te b/microdroid/sepolicy/system/public/nfc.te
deleted file mode 100644
index e3a03e7..0000000
--- a/microdroid/sepolicy/system/public/nfc.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# nfc subsystem
-type nfc, domain;
diff --git a/microdroid/sepolicy/system/public/otapreopt_chroot.te b/microdroid/sepolicy/system/public/otapreopt_chroot.te
deleted file mode 100644
index db8dd1a..0000000
--- a/microdroid/sepolicy/system/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# otapreopt_chroot seclabel
-
-# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
-type otapreopt_chroot, domain;
diff --git a/microdroid/sepolicy/system/public/perfetto.te b/microdroid/sepolicy/system/public/perfetto.te
deleted file mode 100644
index cec0e6f..0000000
--- a/microdroid/sepolicy/system/public/perfetto.te
+++ /dev/null
@@ -1 +0,0 @@
-type perfetto, domain, coredomain;
diff --git a/microdroid/sepolicy/system/public/performanced.te b/microdroid/sepolicy/system/public/performanced.te
deleted file mode 100644
index d694fda..0000000
--- a/microdroid/sepolicy/system/public/performanced.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# performanced
-type performanced, domain, mlstrustedsubject;
-type performanced_exec, system_file_type, exec_type, file_type;
-
-# Needed to check for app permissions.
-binder_use(performanced)
-binder_call(performanced, system_server)
-allow performanced permission_service:service_manager find;
-
-pdx_server(performanced, performance_client)
-
-# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:global_capability_class_set { setuid setgid sys_nice };
-
-# Access /proc to validate we're only affecting threads in the same thread group.
-# Performanced also shields unbound kernel threads.  It scans every task in the
-# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
-dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
-
-# These /proc accesses only show up in permissive mode but they
-# generate a lot of noise in the log.
-userdebug_or_eng(`
-  dontaudit performanced domain:dir open;
-  dontaudit performanced domain:file { open read getattr };
-')
-
-# Access /dev/cpuset/cpuset.cpus
-r_dir_file(performanced, cgroup)
-r_dir_file(performanced, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/platform_app.te b/microdroid/sepolicy/system/public/platform_app.te
deleted file mode 100644
index 9b1faf0..0000000
--- a/microdroid/sepolicy/system/public/platform_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-type platform_app, domain;
diff --git a/microdroid/sepolicy/system/public/postinstall.te b/microdroid/sepolicy/system/public/postinstall.te
deleted file mode 100644
index bcea2dc..0000000
--- a/microdroid/sepolicy/system/public/postinstall.te
+++ /dev/null
@@ -1,45 +0,0 @@
-# Domain where the postinstall program runs during the update.
-# Extend the permissions in this domain to allow this program to access other
-# files needed by the specific device on your device's sepolicy directory.
-type postinstall, domain;
-
-# Allow postinstall to write to its stdout/stderr when redirected via pipes to
-# update_engine.
-allow postinstall update_engine_common:fd use;
-allow postinstall update_engine_common:fifo_file rw_file_perms;
-
-# Allow postinstall to read and execute directories and files in the same
-# mounted location.
-allow postinstall postinstall_file:file rx_file_perms;
-allow postinstall postinstall_file:lnk_file r_file_perms;
-allow postinstall postinstall_file:dir r_dir_perms;
-
-# Allow postinstall to execute the shell or other system executables.
-allow postinstall shell_exec:file rx_file_perms;
-allow postinstall system_file:file rx_file_perms;
-allow postinstall toolbox_exec:file rx_file_perms;
-
-# Allow postinstall to execute shell in recovery.
-recovery_only(`
-  allow postinstall rootfs:file rx_file_perms;
-')
-
-#
-# For OTA dexopt.
-#
-
-# Allow postinstall scripts to talk to the system server.
-binder_use(postinstall)
-binder_call(postinstall, system_server)
-
-# Need to talk to the otadexopt service.
-allow postinstall otadexopt_service:service_manager find;
-
-# Allow postinstall scripts to trigger f2fs garbage collection
-allow postinstall sysfs_fs_f2fs:file rw_file_perms;
-allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
-
-# No domain other than update_engine and recovery (via update_engine_sideload)
-# should transition to postinstall, as it is only meant to run during the
-# update.
-neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/microdroid/sepolicy/system/public/ppp.te b/microdroid/sepolicy/system/public/ppp.te
deleted file mode 100644
index b736def..0000000
--- a/microdroid/sepolicy/system/public/ppp.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# Point to Point Protocol daemon
-type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, system_file_type, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net_type)
-
-allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:global_capability_class_set net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/microdroid/sepolicy/system/public/priv_app.te b/microdroid/sepolicy/system/public/priv_app.te
deleted file mode 100644
index 0761fc3..0000000
--- a/microdroid/sepolicy/system/public/priv_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-type priv_app, domain;
diff --git a/microdroid/sepolicy/system/public/profman.te b/microdroid/sepolicy/system/public/profman.te
deleted file mode 100644
index c014d79..0000000
--- a/microdroid/sepolicy/system/public/profman.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# profman
-type profman, domain;
-type profman_exec, system_file_type, exec_type, file_type;
-
-allow profman user_profile_data_file:file { getattr read write lock map };
-
-# Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read map };
-allow profman apk_data_file:file { getattr read map };
-allow profman apk_data_file:dir { getattr read search };
-
-allow profman oemfs:file { read map };
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read map };
-allow profman profman_dump_data_file:file { write map };
-
-allow profman installd:fd use;
-
-# Allow profman to analyze profiles for the secondary dex files. These
-# are application dex files reported back to the framework when using
-# BaseDexClassLoader.
-allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
-allow profman { privapp_data_file app_data_file }:dir { getattr read search };
-
-# Allow query ART device config properties
-get_prop(profman, device_config_runtime_native_prop)
-get_prop(profman, device_config_runtime_native_boot_prop)
-
-###
-### neverallow rules
-###
-
-neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/microdroid/sepolicy/system/public/property.te b/microdroid/sepolicy/system/public/property.te
index 57146a4..2f3255b 100644
--- a/microdroid/sepolicy/system/public/property.te
+++ b/microdroid/sepolicy/system/public/property.te
@@ -1,329 +1,39 @@
-# Properties used only in /system
-#
-# DO NOT ADD system_internal_prop here.
-# Instead, add to private/property.te.
-# TODO(b/150331497): move these to private/property.te
-system_internal_prop(apexd_prop)
-system_internal_prop(bootloader_boot_reason_prop)
-system_internal_prop(device_config_activity_manager_native_boot_prop)
-system_internal_prop(device_config_boot_count_prop)
-system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
-system_internal_prop(device_config_netd_native_prop)
-system_internal_prop(device_config_reset_performed_prop)
-system_internal_prop(firstboot_prop)
-
-compatible_property_only(`
-    # DO NOT ADD ANY PROPERTIES HERE
-    system_internal_prop(boottime_prop)
-    system_internal_prop(bpf_progs_loaded_prop)
-    system_internal_prop(charger_prop)
-    system_internal_prop(cold_boot_done_prop)
-    system_internal_prop(ctl_adbd_prop)
-    system_internal_prop(ctl_apexd_prop)
-    system_internal_prop(ctl_bootanim_prop)
-    system_internal_prop(ctl_bugreport_prop)
-    system_internal_prop(ctl_console_prop)
-    system_internal_prop(ctl_dumpstate_prop)
-    system_internal_prop(ctl_fuse_prop)
-    system_internal_prop(ctl_gsid_prop)
-    system_internal_prop(ctl_interface_restart_prop)
-    system_internal_prop(ctl_interface_stop_prop)
-    system_internal_prop(ctl_mdnsd_prop)
-    system_internal_prop(ctl_restart_prop)
-    system_internal_prop(ctl_rildaemon_prop)
-    system_internal_prop(ctl_sigstop_prop)
-    system_internal_prop(dynamic_system_prop)
-    system_internal_prop(heapprofd_enabled_prop)
-    system_internal_prop(llkd_prop)
-    system_internal_prop(lpdumpd_prop)
-    system_internal_prop(mmc_prop)
-    system_internal_prop(mock_ota_prop)
-    system_internal_prop(net_dns_prop)
-    system_internal_prop(overlay_prop)
-    system_internal_prop(persistent_properties_ready_prop)
-    system_internal_prop(safemode_prop)
-    system_internal_prop(system_lmk_prop)
-    system_internal_prop(system_trace_prop)
-    system_internal_prop(test_boot_reason_prop)
-    system_internal_prop(time_prop)
-    system_internal_prop(traced_enabled_prop)
-    system_internal_prop(traced_lazy_prop)
-')
-
-# Properties which can't be written outside system
-system_restricted_prop(aac_drc_prop)
-system_restricted_prop(arm64_memtag_prop)
-system_restricted_prop(binder_cache_bluetooth_server_prop)
-system_restricted_prop(binder_cache_system_server_prop)
-system_restricted_prop(binder_cache_telephony_server_prop)
-system_restricted_prop(boot_status_prop)
-system_restricted_prop(bootanim_system_prop)
-system_restricted_prop(bootloader_prop)
-system_restricted_prop(boottime_public_prop)
-system_restricted_prop(bq_config_prop)
-system_restricted_prop(build_bootimage_prop)
-system_restricted_prop(build_prop)
-system_restricted_prop(charger_status_prop)
-system_restricted_prop(device_config_runtime_native_boot_prop)
-system_restricted_prop(device_config_runtime_native_prop)
-system_restricted_prop(fingerprint_prop)
-system_restricted_prop(hal_instrumentation_prop)
-system_restricted_prop(init_service_status_prop)
-system_restricted_prop(libc_debug_prop)
-system_restricted_prop(module_sdkextensions_prop)
-system_restricted_prop(nnapi_ext_deny_product_prop)
-system_restricted_prop(power_debug_prop)
-system_restricted_prop(property_service_version_prop)
-system_restricted_prop(provisioned_prop)
-system_restricted_prop(restorecon_prop)
-system_restricted_prop(retaildemo_prop)
-system_restricted_prop(socket_hook_prop)
-system_restricted_prop(sqlite_log_prop)
-system_restricted_prop(surfaceflinger_display_prop)
-system_restricted_prop(system_boot_reason_prop)
-system_restricted_prop(system_jvmti_agent_prop)
-system_restricted_prop(ab_update_gki_prop)
-system_restricted_prop(usb_prop)
-system_restricted_prop(userspace_reboot_exported_prop)
-system_restricted_prop(vold_status_prop)
-system_restricted_prop(vts_status_prop)
-
-compatible_property_only(`
-    # DO NOT ADD ANY PROPERTIES HERE
-    system_restricted_prop(config_prop)
-    system_restricted_prop(cppreopt_prop)
-    system_restricted_prop(dalvik_prop)
-    system_restricted_prop(debuggerd_prop)
-    system_restricted_prop(device_logging_prop)
-    system_restricted_prop(dhcp_prop)
-    system_restricted_prop(dumpstate_prop)
-    system_restricted_prop(exported3_system_prop)
-    system_restricted_prop(exported_dumpstate_prop)
-    system_restricted_prop(exported_secure_prop)
-    system_restricted_prop(heapprofd_prop)
-    system_restricted_prop(net_radio_prop)
-    system_restricted_prop(pan_result_prop)
-    system_restricted_prop(persist_debug_prop)
-    system_restricted_prop(shell_prop)
-    system_restricted_prop(test_harness_prop)
-    system_restricted_prop(theme_prop)
-    system_restricted_prop(use_memfd_prop)
-    system_restricted_prop(vold_prop)
-')
-
-# Properties which can be written only by vendor_init
-system_vendor_config_prop(apexd_config_prop)
-system_vendor_config_prop(aaudio_config_prop)
-system_vendor_config_prop(apk_verity_prop)
-system_vendor_config_prop(audio_config_prop)
-system_vendor_config_prop(bootanim_config_prop)
-system_vendor_config_prop(build_config_prop)
-system_vendor_config_prop(build_odm_prop)
-system_vendor_config_prop(build_vendor_prop)
-system_vendor_config_prop(camera_calibration_prop)
-system_vendor_config_prop(camera_config_prop)
-system_vendor_config_prop(camerax_extensions_prop)
-system_vendor_config_prop(charger_config_prop)
-system_vendor_config_prop(codec2_config_prop)
-system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
-system_vendor_config_prop(debugfs_restriction_prop)
-system_vendor_config_prop(drm_service_config_prop)
-system_vendor_config_prop(exported_camera_prop)
-system_vendor_config_prop(exported_config_prop)
-system_vendor_config_prop(exported_default_prop)
-system_vendor_config_prop(ffs_config_prop)
-system_vendor_config_prop(framework_watchdog_config_prop)
-system_vendor_config_prop(graphics_config_prop)
-system_vendor_config_prop(hdmi_config_prop)
-system_vendor_config_prop(hw_timeout_multiplier_prop)
-system_vendor_config_prop(incremental_prop)
-system_vendor_config_prop(keyguard_config_prop)
-system_vendor_config_prop(lmkd_config_prop)
-system_vendor_config_prop(media_config_prop)
-system_vendor_config_prop(media_variant_prop)
-system_vendor_config_prop(mediadrm_config_prop)
-system_vendor_config_prop(mm_events_config_prop)
-system_vendor_config_prop(oem_unlock_prop)
-system_vendor_config_prop(packagemanager_config_prop)
-system_vendor_config_prop(recovery_config_prop)
-system_vendor_config_prop(sendbug_config_prop)
-system_vendor_config_prop(soc_prop)
-system_vendor_config_prop(storage_config_prop)
-system_vendor_config_prop(storagemanager_config_prop)
-system_vendor_config_prop(surfaceflinger_prop)
-system_vendor_config_prop(suspend_prop)
-system_vendor_config_prop(systemsound_config_prop)
-system_vendor_config_prop(telephony_config_prop)
-system_vendor_config_prop(tombstone_config_prop)
-system_vendor_config_prop(usb_config_prop)
-system_vendor_config_prop(userspace_reboot_config_prop)
-system_vendor_config_prop(vehicle_hal_prop)
-system_vendor_config_prop(vendor_security_patch_level_prop)
-system_vendor_config_prop(vendor_socket_hook_prop)
-system_vendor_config_prop(virtual_ab_prop)
-system_vendor_config_prop(vndk_prop)
-system_vendor_config_prop(vts_config_prop)
-system_vendor_config_prop(vold_config_prop)
-system_vendor_config_prop(wifi_config_prop)
-system_vendor_config_prop(zram_config_prop)
-system_vendor_config_prop(zygote_config_prop)
-system_vendor_config_prop(dck_prop)
-
-# Properties with no restrictions
-system_public_prop(adbd_config_prop)
-system_public_prop(audio_prop)
-system_public_prop(bluetooth_a2dp_offload_prop)
-system_public_prop(bluetooth_audio_hal_prop)
-system_public_prop(bluetooth_prop)
-system_public_prop(ctl_default_prop)
-system_public_prop(ctl_interface_start_prop)
-system_public_prop(ctl_start_prop)
-system_public_prop(ctl_stop_prop)
-system_public_prop(dalvik_runtime_prop)
-system_public_prop(debug_prop)
-system_public_prop(dumpstate_options_prop)
-system_public_prop(exported_system_prop)
-system_public_prop(exported_bluetooth_prop)
-system_public_prop(exported_overlay_prop)
-system_public_prop(exported_pm_prop)
-system_public_prop(ffs_control_prop)
-system_public_prop(hal_dumpstate_config_prop)
-system_public_prop(sota_prop)
-system_public_prop(hwservicemanager_prop)
-system_public_prop(lmkd_prop)
-system_public_prop(logd_prop)
-system_public_prop(logpersistd_logging_prop)
-system_public_prop(log_prop)
-system_public_prop(log_tag_prop)
-system_public_prop(lowpan_prop)
-system_public_prop(nfc_prop)
-system_public_prop(ota_prop)
-system_public_prop(powerctl_prop)
-system_public_prop(qemu_hw_prop)
-system_public_prop(qemu_sf_lcd_density_prop)
-system_public_prop(radio_control_prop)
-system_public_prop(radio_prop)
-system_public_prop(serialno_prop)
-system_public_prop(surfaceflinger_color_prop)
-system_public_prop(system_prop)
-system_public_prop(telephony_status_prop)
-system_public_prop(usb_control_prop)
-system_public_prop(vold_post_fs_data_prop)
-system_public_prop(wifi_hal_prop)
-system_public_prop(wifi_log_prop)
-system_public_prop(wifi_prop)
-system_public_prop(zram_control_prop)
-
-# Properties which don't have entries on property_contexts
-system_internal_prop(default_prop)
-
-# Properties used in default HAL implementations
-vendor_internal_prop(rebootescrow_hal_prop)
-
-vendor_public_prop(persist_vendor_debug_wifi_prop)
-
-# Properties which are public for devices launching with Android O or earlier
-# This should not be used for any new properties.
-not_compatible_property(`
-    # DO NOT ADD ANY PROPERTIES HERE
-    system_public_prop(boottime_prop)
-    system_public_prop(bpf_progs_loaded_prop)
-    system_public_prop(charger_prop)
-    system_public_prop(cold_boot_done_prop)
-    system_public_prop(ctl_adbd_prop)
-    system_public_prop(ctl_apexd_prop)
-    system_public_prop(ctl_bootanim_prop)
-    system_public_prop(ctl_bugreport_prop)
-    system_public_prop(ctl_console_prop)
-    system_public_prop(ctl_dumpstate_prop)
-    system_public_prop(ctl_fuse_prop)
-    system_public_prop(ctl_gsid_prop)
-    system_public_prop(ctl_interface_restart_prop)
-    system_public_prop(ctl_interface_stop_prop)
-    system_public_prop(ctl_mdnsd_prop)
-    system_public_prop(ctl_restart_prop)
-    system_public_prop(ctl_rildaemon_prop)
-    system_public_prop(ctl_sigstop_prop)
-    system_public_prop(dynamic_system_prop)
-    system_public_prop(heapprofd_enabled_prop)
-    system_public_prop(llkd_prop)
-    system_public_prop(lpdumpd_prop)
-    system_public_prop(mmc_prop)
-    system_public_prop(mock_ota_prop)
-    system_public_prop(net_dns_prop)
-    system_public_prop(overlay_prop)
-    system_public_prop(persistent_properties_ready_prop)
-    system_public_prop(safemode_prop)
-    system_public_prop(system_lmk_prop)
-    system_public_prop(system_trace_prop)
-    system_public_prop(test_boot_reason_prop)
-    system_public_prop(time_prop)
-    system_public_prop(traced_enabled_prop)
-    system_public_prop(traced_lazy_prop)
-
-    system_public_prop(config_prop)
-    system_public_prop(cppreopt_prop)
-    system_public_prop(dalvik_prop)
-    system_public_prop(debuggerd_prop)
-    system_public_prop(device_logging_prop)
-    system_public_prop(dhcp_prop)
-    system_public_prop(dumpstate_prop)
-    system_public_prop(exported3_system_prop)
-    system_public_prop(exported_dumpstate_prop)
-    system_public_prop(exported_secure_prop)
-    system_public_prop(heapprofd_prop)
-    system_public_prop(net_radio_prop)
-    system_public_prop(pan_result_prop)
-    system_public_prop(persist_debug_prop)
-    system_public_prop(shell_prop)
-    system_public_prop(test_harness_prop)
-    system_public_prop(theme_prop)
-    system_public_prop(use_memfd_prop)
-    system_public_prop(vold_prop)
-')
-
-not_compatible_property(`
-    vendor_public_prop(vendor_default_prop)
-')
-
-compatible_property_only(`
-    vendor_internal_prop(vendor_default_prop)
-')
-
-typeattribute log_prop log_property_type;
-typeattribute log_tag_prop log_property_type;
-typeattribute wifi_log_prop log_property_type;
+type apexd_prop, property_type;
+type bootloader_prop, property_type;
+type boottime_prop, property_type;
+type build_prop, property_type;
+type cold_boot_done_prop, property_type;
+type ctl_adbd_prop, property_type;
+type ctl_apexd_prop, property_type;
+type ctl_console_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
+type ctl_restart_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
+type debug_prop, property_type;
+type default_prop, property_type;
+type exported_default_prop, property_type;
+type fingerprint_prop, property_type;
+type hwservicemanager_prop, property_type;
+type init_perf_lsm_hooks_prop, property_type;
+type init_service_status_private_prop, property_type;
+type init_service_status_prop, property_type;
+type init_svc_debug_prop, property_type;
+type keystore_listen_prop, property_type;
+type logd_prop, property_type;
+type property_service_version_prop, property_type;
+type shell_prop, property_type;
+type usb_control_prop, property_type;
+type vendor_default_prop, property_type;
 
 allow property_type tmpfs:filesystem associate;
 
-# core_property_type should not be used for new properties or
-# device specific properties. Properties with this attribute
-# are readable to everyone, which is overly broad and should
-# be avoided.
-# New properties should have appropriate read / write access
-# control rules written.
+#----------------------------------------
+type adbd_config_prop, property_type;
 
-typeattribute audio_prop         core_property_type;
-typeattribute config_prop        core_property_type;
-typeattribute cppreopt_prop      core_property_type;
-typeattribute dalvik_prop        core_property_type;
-typeattribute debuggerd_prop     core_property_type;
-typeattribute debug_prop         core_property_type;
-typeattribute dhcp_prop          core_property_type;
-typeattribute dumpstate_prop     core_property_type;
-typeattribute logd_prop          core_property_type;
-typeattribute net_radio_prop     core_property_type;
-typeattribute nfc_prop           core_property_type;
-typeattribute ota_prop           core_property_type;
-typeattribute pan_result_prop    core_property_type;
-typeattribute persist_debug_prop core_property_type;
-typeattribute powerctl_prop      core_property_type;
-typeattribute radio_prop         core_property_type;
-typeattribute restorecon_prop    core_property_type;
-typeattribute shell_prop         core_property_type;
-typeattribute system_prop        core_property_type;
-typeattribute usb_prop           core_property_type;
-typeattribute vold_prop          core_property_type;
-
+type module_sdkextensions_prop, property_type;
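Review bot: The two types set apart under the bare `#----------------------------------------` separator (`adbd_config_prop`, and `module_sdkextensions_prop` after a trailing blank line) are not distinguished from the sorted list above in any way the file explains; either fold them into that list or replace the separator with a comment stating what sets them apart. The new declarations carry only `property_type`, whereas the replaced `system_internal_prop`/`system_restricted_prop`/`system_vendor_config_prop`/`system_public_prop` macro forms and the `core_property_type` typeattributes presumably attached tier attributes as well, so any allow or neverallow rule elsewhere in the policy that is keyed on those tiers no longer matches these types — fail-closed for allow rules, but it also silences the neverallows. A one-line header such as `# Microdroid declares properties with property_type only; read/write access is granted per type, not per tier` would record that this is deliberate. `vendor_default_prop` was previously declared only inside `compatible_property_only`/`not_compatible_property` and is now unconditional, which deserves a word in the same header.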
diff --git a/microdroid/sepolicy/system/public/racoon.te b/microdroid/sepolicy/system/public/racoon.te
deleted file mode 100644
index e4b299e..0000000
--- a/microdroid/sepolicy/system/public/racoon.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, system_file_type, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
-allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
-allow racoon kernel:system module_request;
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
-	get
-	sign
-	verify
-};
diff --git a/microdroid/sepolicy/system/public/radio.te b/microdroid/sepolicy/system/public/radio.te
deleted file mode 100644
index e03b706..0000000
--- a/microdroid/sepolicy/system/public/radio.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# phone subsystem
-type radio, domain, mlstrustedsubject;
-
-net_domain(radio)
-bluetooth_domain(radio)
-binder_service(radio)
-
-# Talks to hal_telephony_server via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-allow radio radio_core_data_file:dir r_dir_perms;
-allow radio radio_core_data_file:file r_file_perms;
-
-allow radio net_data_file:dir search;
-allow radio net_data_file:file r_file_perms;
-
-add_service(radio, radio_service)
-allow radio audioserver_service:service_manager find;
-allow radio cameraserver_service:service_manager find;
-allow radio drmserver_service:service_manager find;
-allow radio mediaserver_service:service_manager find;
-allow radio nfc_service:service_manager find;
-allow radio app_api_service:service_manager find;
-allow radio system_api_service:service_manager find;
-allow radio timedetector_service:service_manager find;
-allow radio timezonedetector_service:service_manager find;
-
-# Perform HwBinder IPC.
-hwbinder_use(radio)
-hal_client_domain(radio, hal_telephony)
-
-# Used by TelephonyManager
-allow radio proc_cmdline:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/recovery.te b/microdroid/sepolicy/system/public/recovery.te
deleted file mode 100644
index 3649888..0000000
--- a/microdroid/sepolicy/system/public/recovery.te
+++ /dev/null
@@ -1,163 +0,0 @@
-# recovery console (used in recovery init.rc for /sbin/recovery)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type recovery, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
-  # Allow recovery to perform an update as update_engine would do.
-  typeattribute recovery update_engine_common;
-  # Recovery can only use HALs in passthrough mode
-  passthrough_hal_client_domain(recovery, hal_bootctl)
-
-  allow recovery self:global_capability_class_set {
-    chown
-    dac_override
-    dac_read_search
-    fowner
-    setuid
-    setgid
-    sys_admin
-    sys_tty_config
-  };
-
-  # Run helpers from / or /system without changing domain.
-  r_dir_file(recovery, rootfs)
-  allow recovery rootfs:file execute_no_trans;
-  allow recovery system_file:file execute_no_trans;
-  allow recovery toolbox_exec:file rx_file_perms;
-
-  # Mount filesystems.
-  allow recovery rootfs:dir mounton;
-  allow recovery tmpfs:dir mounton;
-  allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
-  allow recovery unlabeled:filesystem ~relabelto;
-  allow recovery contextmount_type:filesystem relabelto;
-
-  # We may be asked to set an SELinux label for a type not known to the
-  # currently loaded policy. Allow it.
-  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
-
-  # Get file contexts
-  allow recovery file_contexts_file:file r_file_perms;
-
-  # Write to /proc/sys/vm/drop_caches
-  allow recovery proc_drop_caches:file w_file_perms;
-
-  # Read /proc/swaps
-  allow recovery proc_swaps:file r_file_perms;
-
-  # Read kernel config through libvintf for OTA matching
-  allow recovery config_gz:file { open read getattr };
-
-  # Write to /sys/class/android_usb/android0/enable.
-  r_dir_file(recovery, sysfs_android_usb)
-  allow recovery sysfs_android_usb:file w_file_perms;
-
-  # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
-  allow recovery sysfs_devices_system_cpu:file w_file_perms;
-
-  allow recovery sysfs_batteryinfo:file r_file_perms;
-
-  # Read /sysfs/fs/ext4/features
-  r_dir_file(recovery, sysfs_fs_ext4_features)
-
-  # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
-  # control backlight brightness.
-  allow recovery sysfs_leds:dir r_dir_perms;
-  allow recovery sysfs_leds:file rw_file_perms;
-  allow recovery sysfs_leds:lnk_file read;
-
-  allow recovery kernel:system syslog_read;
-
-  # Access /dev/usb-ffs/adb/ep0
-  allow recovery functionfs:dir search;
-  allow recovery functionfs:file rw_file_perms;
-  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
-
-  # Access to /sys/fs/selinux/policyvers for compatibility check
-  allow recovery selinuxfs:file r_file_perms;
-
-  # Required to e.g. wipe userdata/cache.
-  allow recovery device:dir r_dir_perms;
-  allow recovery block_device:dir r_dir_perms;
-  allow recovery dev_type:blk_file rw_file_perms;
-  allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
-
-  # GUI
-  allow recovery graphics_device:chr_file rw_file_perms;
-  allow recovery graphics_device:dir r_dir_perms;
-  allow recovery input_device:dir r_dir_perms;
-  allow recovery input_device:chr_file r_file_perms;
-  allow recovery tty_device:chr_file rw_file_perms;
-
-  # Create /tmp/recovery.log and execute /tmp/update_binary.
-  allow recovery tmpfs:file { create_file_perms x_file_perms };
-  allow recovery tmpfs:dir create_dir_perms;
-
-  # Manage files on /cache and /cache/recovery
-  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
-  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
-
-  # Read /sys/class/thermal/*/temp for thermal info.
-  r_dir_file(recovery, sysfs_thermal)
-
-  # Read files on /oem.
-  r_dir_file(recovery, oemfs);
-
-  # Use setfscreatecon() to label files for OTA updates.
-  allow recovery self:process setfscreate;
-
-  # Allow recovery to create a fuse filesystem, and read files from it.
-  allow recovery fuse_device:chr_file rw_file_perms;
-  allow recovery fuse:dir r_dir_perms;
-  allow recovery fuse:file r_file_perms;
-
-  wakelock_use(recovery)
-
-  # This line seems suspect, as it should not really need to
-  # set scheduling parameters for a kernel domain task.
-  allow recovery kernel:process setsched;
-
-  # These are needed to update dynamic partitions in recovery.
-  r_dir_file(recovery, sysfs_dm)
-  allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
-  # Allow using libfiemap/gsid directly (no binder in recovery).
-  allow recovery gsi_metadata_file_type:dir search;
-  allow recovery ota_metadata_file:dir rw_dir_perms;
-  allow recovery ota_metadata_file:file create_file_perms;
-
-  # Allow mounting /metadata for writing update states
-  allow recovery metadata_file:dir { getattr mounton };
-')
-
-###
-### neverallow rules
-###
-
-# Recovery should never touch /data.
-#
-# In particular, if /data is encrypted, it is not accessible
-# to recovery anyway.
-#
-# For now, we only enforce write/execute restrictions, as domain.te
-# contains a number of read-only rules that apply to all
-# domains, including recovery.
-#
-# TODO: tighten this up further.
-neverallow recovery {
-   data_file_type
-   -cache_file
-   -cache_recovery_file
-  with_native_coverage(`-method_trace_data_file')
-}:file { no_w_file_perms no_x_file_perms };
-neverallow recovery {
-   data_file_type
-   -cache_file
-   -cache_recovery_file
-  with_native_coverage(`-method_trace_data_file')
-}:dir no_w_dir_perms;
diff --git a/microdroid/sepolicy/system/public/recovery_persist.te b/microdroid/sepolicy/system/public/recovery_persist.te
deleted file mode 100644
index d4b4562..0000000
--- a/microdroid/sepolicy/system/public/recovery_persist.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# android recovery persistent log manager
-type recovery_persist, domain;
-type recovery_persist_exec, system_file_type, exec_type, file_type;
-
-allow recovery_persist pstorefs:dir search;
-allow recovery_persist pstorefs:file r_file_perms;
-
-allow recovery_persist recovery_data_file:file create_file_perms;
-allow recovery_persist recovery_data_file:dir create_dir_perms;
-
-allow recovery_persist cache_file:dir search;
-allow recovery_persist cache_file:lnk_file read;
-allow recovery_persist cache_recovery_file:dir rw_dir_perms;
-allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
-
-###
-### Neverallow rules
-###
-### recovery_persist should NEVER do any of this
-
-# Block device access.
-neverallow recovery_persist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_persist domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
-
-# Write to files in /data/data
-neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
-
diff --git a/microdroid/sepolicy/system/public/recovery_refresh.te b/microdroid/sepolicy/system/public/recovery_refresh.te
deleted file mode 100644
index d6870dc..0000000
--- a/microdroid/sepolicy/system/public/recovery_refresh.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# android recovery refresh log manager
-type recovery_refresh, domain;
-type recovery_refresh_exec, system_file_type, exec_type, file_type;
-
-allow recovery_refresh pstorefs:dir search;
-allow recovery_refresh pstorefs:file r_file_perms;
-# NB: domain inherits write_logd which hands us write to pmsg_device
-
-###
-### Neverallow rules
-###
-### recovery_refresh should NEVER do any of this
-
-# Block device access.
-neverallow recovery_refresh dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_refresh domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
diff --git a/microdroid/sepolicy/system/public/rs.te b/microdroid/sepolicy/system/public/rs.te
deleted file mode 100644
index 16b6e96..0000000
--- a/microdroid/sepolicy/system/public/rs.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type rs, domain, coredomain;
-type rs_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/rss_hwm_reset.te b/microdroid/sepolicy/system/public/rss_hwm_reset.te
deleted file mode 100644
index 163e1ac..0000000
--- a/microdroid/sepolicy/system/public/rss_hwm_reset.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# rss_hwm_reset resets RSS high-water mark counters for all procesess.
-type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
diff --git a/microdroid/sepolicy/system/public/runas.te b/microdroid/sepolicy/system/public/runas.te
index 356a019..4d8a6b3 100644
--- a/microdroid/sepolicy/system/public/runas.te
+++ b/microdroid/sepolicy/system/public/runas.te
@@ -1,43 +1,2 @@
-type runas, domain, mlstrustedsubject;
-type runas_exec, system_file_type, exec_type, file_type;
-
-allow runas adbd:fd use;
-allow runas adbd:process sigchld;
-allow runas adbd:unix_stream_socket { read write };
-allow runas shell:fd use;
-allow runas shell:fifo_file { read write };
-allow runas shell:unix_stream_socket { read write };
-allow runas devpts:chr_file { read write ioctl };
-allow runas shell_data_file:file { read write };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-allow runas system_data_file:lnk_file getattr;
-allow runas packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow runas system_data_file:lnk_file read;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:global_capability_class_set { setuid setgid };
-
-# run-as switches to the app security context.
-selinux_check_context(runas) # validate context
-allow runas self:process setcurrent;
-allow runas non_system_app_set:process dyntransition; # setcon
-
-# runas/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow runas seapp_contexts_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:global_capability_class_set ~{ setuid setgid };
-neverallow runas self:global_capability2_class_set *;
+type runas, domain, mlstrustedsubject, coredomain;
+type runas_exec, file_type, exec_type, system_file_type;
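Review bot: The two neverallow guards at the end of the old file (`neverallow runas self:global_capability_class_set ~{ setuid setgid };` and `neverallow runas self:global_capability2_class_set *;`) are dropped together with the allow rules, so the new two-line file no longer constrains what a later allow rule may grant this domain. Since `runas` is kept as a `domain` carrying `mlstrustedsubject`, a compile-time guard is cheap and worth keeping; consider restoring those two neverallow lines after the type declarations. If run-as is not expected to execute in microdroid at all, a comment such as `# Type retained only for file_contexts; no rules are granted to runas in microdroid.` would explain why `mlstrustedsubject` remains on a domain with no allow rules.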
diff --git a/microdroid/sepolicy/system/public/runas_app.te b/microdroid/sepolicy/system/public/runas_app.te
deleted file mode 100644
index cdaa799..0000000
--- a/microdroid/sepolicy/system/public/runas_app.te
+++ /dev/null
@@ -1 +0,0 @@
-type runas_app, domain;
diff --git a/microdroid/sepolicy/system/public/scheduler_service_server.te b/microdroid/sepolicy/system/public/scheduler_service_server.te
deleted file mode 100644
index b3cede1..0000000
--- a/microdroid/sepolicy/system/public/scheduler_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
diff --git a/microdroid/sepolicy/system/public/sdcardd.te b/microdroid/sepolicy/system/public/sdcardd.te
deleted file mode 100644
index bb1c919..0000000
--- a/microdroid/sepolicy/system/public/sdcardd.te
+++ /dev/null
@@ -1,46 +0,0 @@
-type sdcardd, domain;
-type sdcardd_exec, system_file_type, exec_type, file_type;
-
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd cgroup_v2:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
-allow sdcardd sdcardfs:filesystem remount;
-allow sdcardd tmpfs:dir r_dir_perms;
-allow sdcardd mnt_media_rw_file:dir r_dir_perms;
-allow sdcardd storage_file:dir search;
-allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
-
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
-
-allow sdcardd media_rw_data_file:dir create_dir_perms;
-allow sdcardd media_rw_data_file:file create_file_perms;
-
-# Read /data/system/packages.list.
-allow sdcardd system_data_file:file r_file_perms;
-allow sdcardd packages_list_file:file r_file_perms;
-
-# Read /data/misc/installd/layout_version
-allow sdcardd install_data_file:file r_file_perms;
-allow sdcardd install_data_file:dir search;
-
-# Allow stdin/out back to vold
-allow sdcardd vold:fd use;
-allow sdcardd vold:fifo_file { read write getattr };
-
-# Allow running on top of expanded storage
-allow sdcardd mnt_expand_file:dir search;
-
-# access /proc/filesystems
-allow sdcardd proc_filesystems:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# The sdcard daemon should no longer be started from init
-neverallow init sdcardd_exec:file execute;
-neverallow init sdcardd:process { transition dyntransition };
diff --git a/microdroid/sepolicy/system/public/secure_element.te b/microdroid/sepolicy/system/public/secure_element.te
deleted file mode 100644
index 4ce6714..0000000
--- a/microdroid/sepolicy/system/public/secure_element.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# secure_element subsystem
-type secure_element, domain;
diff --git a/microdroid/sepolicy/system/public/sensor_service_server.te b/microdroid/sepolicy/system/public/sensor_service_server.te
deleted file mode 100644
index 7c526a5..0000000
--- a/microdroid/sepolicy/system/public/sensor_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(sensor_service_server, fwk_sensor_hwservice)
diff --git a/microdroid/sepolicy/system/public/service.te b/microdroid/sepolicy/system/public/service.te
deleted file mode 100644
index 365515a..0000000
--- a/microdroid/sepolicy/system/public/service.te
+++ /dev/null
@@ -1,278 +0,0 @@
-type aidl_lazy_test_service,    service_manager_type;
-type apc_service,               service_manager_type;
-type apex_service,              service_manager_type;
-type artd_service,              service_manager_type;
-type audioserver_service,       service_manager_type;
-type authorization_service,     service_manager_type;
-type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type bluetooth_service,         service_manager_type;
-type cameraserver_service,      service_manager_type;
-type default_android_service,   service_manager_type;
-type dnsresolver_service,       service_manager_type;
-type drmserver_service,         service_manager_type;
-type dumpstate_service,         service_manager_type;
-type fingerprintd_service,      service_manager_type;
-type gatekeeper_service,        app_api_service, service_manager_type;
-type gpu_service,               app_api_service, ephemeral_app_api_service, service_manager_type;
-type idmap_service,             service_manager_type;
-type iorapd_service,            service_manager_type;
-type incident_service,          service_manager_type;
-type installd_service,          service_manager_type;
-type credstore_service,         app_api_service, service_manager_type;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_service,          service_manager_type;
-type legacykeystore_service,    service_manager_type;
-type lpdump_service,            service_manager_type;
-type mediaserver_service,       service_manager_type;
-type mediametrics_service,      service_manager_type;
-type mediaextractor_service,    service_manager_type;
-type mediadrmserver_service,    service_manager_type;
-type mediatranscoding_service,  app_api_service, service_manager_type;
-type netd_service,              service_manager_type;
-type nfc_service,               service_manager_type;
-type radio_service,             service_manager_type;
-type remoteprovisioning_service,   service_manager_type;
-type secure_element_service,    service_manager_type;
-type service_manager_service,   service_manager_type;
-type storaged_service,          service_manager_type;
-type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
-type system_app_service,        service_manager_type;
-type system_suspend_control_internal_service, service_manager_type;
-type system_suspend_control_service, service_manager_type;
-type update_engine_service,     service_manager_type;
-type update_engine_stable_service, service_manager_type;
-type virtualization_service,    service_manager_type;
-type virtual_touchpad_service,  service_manager_type;
-type vold_service,              service_manager_type;
-type vr_hwc_service,            service_manager_type;
-type vrflinger_vsync_service,   service_manager_type;
-
-# system_server_services broken down
-type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type adb_service, system_api_service, system_server_service, service_manager_type;
-type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type app_binding_service, system_server_service, service_manager_type;
-type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
-type app_integrity_service, system_api_service, system_server_service, service_manager_type;
-type app_prediction_service, app_api_service, system_server_service, service_manager_type;
-type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type auth_service, app_api_service, system_server_service, service_manager_type;
-type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type battery_service, system_server_service, service_manager_type;
-type binder_calls_stats_service, system_server_service, service_manager_type;
-type blob_store_service, app_api_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
-type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
-type cameraproxy_service, system_server_service, service_manager_type;
-type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service,  system_server_service, service_manager_type;
-type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
-# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
-type coverage_service, system_server_service, service_manager_type;
-type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
-type dataloader_manager_service, system_server_service, service_manager_type;
-type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_config_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type domain_verification_service, app_api_service, system_server_service, service_manager_type;
-type color_display_service, system_api_service, system_server_service, service_manager_type;
-type external_vibrator_service, system_server_service, service_manager_type;
-type file_integrity_service, app_api_service, system_server_service, service_manager_type;
-type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netd_listener_service, system_server_service, service_manager_type;
-type network_watchlist_service, system_server_service, service_manager_type;
-type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lowpan_service, system_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type biometric_service, app_api_service, system_server_service, service_manager_type;
-type bugreport_service, app_api_service, system_server_service, service_manager_type;
-type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type face_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
-type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hardware_service, system_server_service, service_manager_type;
-type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
-type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type incremental_service, system_server_service, service_manager_type;
-type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type iris_service, app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_time_zone_manager_service, system_server_service, service_manager_type;
-type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type looper_stats_service, system_server_service, service_manager_type;
-type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_score_service, system_api_service, system_server_service, service_manager_type;
-type network_stack_service, system_server_service, service_manager_type;
-type network_time_update_service, system_server_service, service_manager_type;
-type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type oem_lock_service, system_api_service, system_server_service, service_manager_type;
-type otadexopt_service, system_server_service, service_manager_type;
-type overlay_service, system_api_service, system_server_service, service_manager_type;
-type pac_proxy_service, system_server_service, service_manager_type;
-type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type people_service, app_api_service, system_server_service, service_manager_type;
-type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
-type pinner_service, system_server_service, service_manager_type;
-type power_stats_service, app_api_service, system_server_service, service_manager_type;
-type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type processinfo_service, system_server_service, service_manager_type;
-type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
-type recovery_service, system_server_service, service_manager_type;
-type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type role_service, app_api_service, system_server_service, service_manager_type;
-type rollback_service, app_api_service, system_server_service, service_manager_type;
-type runtime_service, system_server_service, service_manager_type;
-type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type search_ui_service, app_api_service, system_server_service, service_manager_type;
-type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, system_server_service, service_manager_type;
-type slice_service, app_api_service, system_server_service, service_manager_type;
-type smartspace_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type system_config_service, system_api_service, system_server_service, service_manager_type;
-type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
-type system_update_service, system_server_service, service_manager_type;
-type soundtrigger_middleware_service, system_server_service, service_manager_type;
-type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type task_service, system_server_service, service_manager_type;
-type testharness_service, system_server_service, service_manager_type;
-type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timedetector_service, app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
-type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, system_server_service, service_manager_type;
-type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type uwb_service, app_api_service, system_server_service, service_manager_type;
-type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vpn_management_service, app_api_service, system_server_service, service_manager_type;
-type vr_manager_service, system_server_service, service_manager_type;
-type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type wifip2p_service, app_api_service, system_server_service, service_manager_type;
-type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wifinl80211_service, service_manager_type;
-type wifiaware_service, app_api_service, system_server_service, service_manager_type;
-type window_service, system_api_service, system_server_service, service_manager_type;
-type inputflinger_service, system_api_service, system_server_service, service_manager_type;
-type wpantund_service, system_api_service, service_manager_type;
-type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type emergency_affordance_service, system_server_service, service_manager_type;
-
-###
-### HAL Services
-###
-
-type hal_audio_service, vendor_service, protected_service, service_manager_type;
-type hal_audiocontrol_service, vendor_service, service_manager_type;
-type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_face_service, vendor_service, protected_service, service_manager_type;
-type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
-type hal_gnss_service, vendor_service, protected_service, service_manager_type;
-type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
-type hal_identity_service, vendor_service, protected_service, service_manager_type;
-type hal_keymint_service, vendor_service, protected_service, service_manager_type;
-type hal_light_service, vendor_service, protected_service, service_manager_type;
-type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
-type hal_neuralnetworks_service, vendor_service, service_manager_type;
-type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
-type hal_power_service, vendor_service, protected_service, service_manager_type;
-type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
-type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
-type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
-type hal_weaver_service, vendor_service, protected_service, service_manager_type;
-
-###
-### Neverallow rules
-###
-
-# servicemanager handles registering or looking up named services.
-# It does not make sense to register or lookup something which is not a service.
-# Trigger a compile error if this occurs.
-neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
diff --git a/microdroid/sepolicy/system/public/servicemanager.te b/microdroid/sepolicy/system/public/servicemanager.te
index 63fc227..41a1096 100644
--- a/microdroid/sepolicy/system/public/servicemanager.te
+++ b/microdroid/sepolicy/system/public/servicemanager.te
@@ -1,32 +1,2 @@
-# servicemanager - the Binder context manager
-type servicemanager, domain, mlstrustedsubject;
-type servicemanager_exec, system_file_type, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
-  domain
-  -init
-  -vendor_init
-  -hwservicemanager
-  -vndservicemanager
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
-
-# nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
-
-add_service(servicemanager, service_manager_service)
-allow servicemanager dumpstate:fd use;
-allow servicemanager dumpstate:fifo_file write;
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
+type servicemanager, domain;
+type servicemanager_exec, file_type, exec_type, system_file_type;
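Review bot: The new servicemanager.te is reduced to two bare type declarations and loses its header comment, so a reader no longer learns that this domain is the Binder context manager or where the `set_context_mgr`/`binder transfer` rules it used to carry now live (presumably the private policy, which is not visible here). Keep a one-line purpose comment above the type, e.g. `# servicemanager - the Binder context manager; its access rules are not in this public file`. The original type also carried `mlstrustedsubject`, which the new line drops; if MLS categories are still enforced in this build that is a behaviour change worth a comment, otherwise it is fine. The same loss of the purpose comment happens in the tombstoned.te hunk (`# debugger interface`) and the toolbox.te hunk (`# Any toolbox command run by init.`), which are reduced the same way.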
diff --git a/microdroid/sepolicy/system/public/sgdisk.te b/microdroid/sepolicy/system/public/sgdisk.te
deleted file mode 100644
index e5a9152..0000000
--- a/microdroid/sepolicy/system/public/sgdisk.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# sgdisk called from vold
-type sgdisk, domain;
-type sgdisk_exec, system_file_type, exec_type, file_type;
-
-# Allowed to read/write low-level partition tables
-allow sgdisk block_device:dir search;
-allow sgdisk vold_device:blk_file rw_file_perms;
-# HDIO_GETGEO needed to get the number of disk heads
-# on vold_device. How quaint.
-allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
-# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
-# is granted to all block device users in domain.te, so
-# no need to mention it here. sgdisk should not be
-# using the BLKGETSIZE ioctl as it is useless for devices over
-# 2T in size, but we allow it for now and hope that sgdisk
-# will fix their bug.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
-# Force a re-read of the partition table.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
-# Allow reading of the physical block size.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
-
-# Inherit and use pty created by android_fork_execvp()
-allow sgdisk devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow sgdisk vold:fd use;
-allow sgdisk vold:fifo_file { read write getattr };
-
-# Used to probe kernel to reload partition tables
-allow sgdisk self:global_capability_class_set sys_admin;
-
-# Only allow entry from vold
-neverallow { domain -vold } sgdisk:process transition;
-neverallow * sgdisk:process dyntransition;
-neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/public/shared_relro.te b/microdroid/sepolicy/system/public/shared_relro.te
deleted file mode 100644
index 6dd5bd7..0000000
--- a/microdroid/sepolicy/system/public/shared_relro.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain;
diff --git a/microdroid/sepolicy/system/public/shell.te b/microdroid/sepolicy/system/public/shell.te
index 29c07a4..c84e377 100644
--- a/microdroid/sepolicy/system/public/shell.te
+++ b/microdroid/sepolicy/system/public/shell.te
@@ -8,96 +8,24 @@
 # logcat
 read_logd(shell)
 control_logd(shell)
-# logcat -L (directly, or via dumpstate)
-allow shell pstorefs:dir search;
-allow shell pstorefs:file r_file_perms;
 
 # Root fs.
 allow shell rootfs:dir r_dir_perms;
 
-# read files in /data/anr
-allow shell anr_data_file:dir r_dir_perms;
-allow shell anr_data_file:file r_file_perms;
-
 # Access /data/local/tmp.
 allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
 
-# Access /data/local/tests.
-allow shell shell_test_data_file:dir create_dir_perms;
-allow shell shell_test_data_file:file create_file_perms;
-allow shell shell_test_data_file:file rx_file_perms;
-allow shell shell_test_data_file:lnk_file create_file_perms;
-allow shell shell_test_data_file:sock_file create_file_perms;
-
-# Read and delete from /data/local/traces.
-allow shell trace_data_file:file { r_file_perms unlink };
-allow shell trace_data_file:dir { r_dir_perms remove_name write };
-
-# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
-allow shell profman_dump_data_file:file { unlink r_file_perms };
-
-# Read/execute files in /data/nativetest
-userdebug_or_eng(`
-  allow shell nativetest_data_file:dir r_dir_perms;
-  allow shell nativetest_data_file:file rx_file_perms;
-')
-
-# adb bugreport
-unix_socket_connect(shell, dumpstate, dumpstate)
-
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
 
-allow shell input_device:dir r_dir_perms;
-allow shell input_device:chr_file r_file_perms;
-
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-
-r_dir_file(shell, apk_data_file)
-
-userdebug_or_eng(`
-  # "systrace --boot" support - allow boottrace service to run
-  allow shell boottrace_data_file:dir rw_dir_perms;
-  allow shell boottrace_data_file:file create_file_perms;
-')
-
-# allow shell access to services
-allow shell servicemanager:service_manager list;
-# don't allow shell to access GateKeeper service
-# TODO: why is this so broad? Tightening candidate? It needs at list:
-# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell {
-  service_manager_type
-  -apex_service
-  -dnsresolver_service
-  -gatekeeper_service
-  -incident_service
-  -installd_service
-  -iorapd_service
-  -netd_service
-  -system_suspend_control_internal_service
-  -system_suspend_control_service
-  -virtual_touchpad_service
-  -vold_service
-  -vr_hwc_service
-  -default_android_service
-}:service_manager find;
-allow shell dumpstate:binder call;
-
-# allow shell to get information from hwservicemanager
-# for instance, listing hardware services with lshal
-hwbinder_use(shell)
-allow shell hwservicemanager:hwservice_manager list;
 
 # allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
 r_dir_file(shell, proc_net_type)
@@ -125,7 +53,6 @@
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
 allow shell cgroup_desc_api_file:file r_file_perms;
-allow shell vendor_cgroup_desc_file:file r_file_perms;
 r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
@@ -144,86 +71,12 @@
 allow shell selinuxfs:dir r_dir_perms;
 allow shell selinuxfs:file r_file_perms;
 
-# enable shell domain to read/write files/dirs for bootchart data
-# User will creates the start and stop file via adb shell
-# and read other files created by init process under /data/bootchart
-allow shell bootchart_data_file:dir rw_dir_perms;
-allow shell bootchart_data_file:file create_file_perms;
-
-# Make sure strace works for the non-privileged shell user
-allow shell self:process ptrace;
-
-# allow shell to get battery info
-allow shell sysfs:dir r_dir_perms;
-allow shell sysfs_batteryinfo:dir r_dir_perms;
-allow shell sysfs_batteryinfo:file r_file_perms;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;
-
-#
-# filesystem test for insecure chr_file's is done
-# via a host side test
-#
-allow shell dev_type:dir r_dir_perms;
-allow shell dev_type:chr_file getattr;
-
 # /dev/fd is a symlink
 allow shell proc:lnk_file getattr;
 
-#
-# filesystem test for insucre blk_file's is done
-# via hostside test
-#
-allow shell dev_type:blk_file getattr;
-
 # read selinux policy files
 allow shell file_contexts_file:file r_file_perms;
 allow shell property_contexts_file:file r_file_perms;
 allow shell seapp_contexts_file:file r_file_perms;
 allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
-
-# Allow shell to start up vendor shell
-allow shell vendor_shell_exec:file rx_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. Allow shell to
-# execute them.
-recovery_only(`
-  allow shell rootfs:file rx_file_perms;
-')
-
-###
-### Neverallow rules
-###
-
-# Do not allow shell to hard link to any files.
-# In particular, if shell hard links to app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure the shell user never has this
-# capability.
-neverallow shell file_type:file link;
-
-# Do not allow privileged socket ioctl commands
-neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
-# limit shell access to sensitive char drivers to
-# only getattr required for host side test.
-neverallow shell {
-  fuse_device
-  hw_random_device
-  port_device
-}:chr_file ~getattr;
-
-# Limit shell to only getattr on blk devices for host side tests.
-neverallow shell dev_type:blk_file ~getattr;
-
-# b/30861057: Shell access to existing input devices is an abuse
-# vector. The shell user can inject events that look like they
-# originate from the touchscreen etc.
-# Everyone should have already moved to UiAutomation#injectInputEvent
-# if they are running instrumentation tests (i.e. CTS), Monkey for
-# their stress tests, and the input command (adb shell input ...) for
-# injecting swipes and things.
-neverallow shell input_device:chr_file no_w_file_perms;
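Review bot: The neverallow assertions at the end of this hunk are removed even though the types they reference mostly survive the cleanup: `neverallow shell file_type:file link;` and `neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;` only need `shell`, `file_type` and `domain`, all of which this change keeps, so the build no longer proves that shell cannot hard-link files or issue privileged socket ioctls. A neverallow over retained types costs nothing at runtime; keep at least those two lines (and `neverallow shell dev_type:blk_file ~getattr;` if `dev_type` is still declared, and the `priv_sock_ioctls` macro if ioctl_macros is kept). The same applies to the domain-entry assertions dropped from toolbox.te later in this change, `neverallow { domain -init } toolbox:process transition;` together with its `dyntransition` and `entrypoint` companions, whose referenced types (`domain`, `init`, `toolbox`, `toolbox_exec`, `file_type`, `fs_type`) all appear to remain. The shell.te file section begins before this hunk.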
diff --git a/microdroid/sepolicy/system/public/simpleperf.te b/microdroid/sepolicy/system/public/simpleperf.te
deleted file mode 100644
index 218fee7..0000000
--- a/microdroid/sepolicy/system/public/simpleperf.te
+++ /dev/null
@@ -1 +0,0 @@
-type simpleperf, domain;
diff --git a/microdroid/sepolicy/system/public/simpleperf_app_runner.te b/microdroid/sepolicy/system/public/simpleperf_app_runner.te
deleted file mode 100644
index 2ed007e..0000000
--- a/microdroid/sepolicy/system/public/simpleperf_app_runner.te
+++ /dev/null
@@ -1,44 +0,0 @@
-type simpleperf_app_runner, domain, mlstrustedsubject;
-type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
-
-# run simpleperf_app_runner in adb shell.
-allow simpleperf_app_runner adbd:fd use;
-allow simpleperf_app_runner shell:fd use;
-allow simpleperf_app_runner devpts:chr_file { read write ioctl };
-
-# simpleperf_app_runner reads package information.
-allow simpleperf_app_runner system_data_file:file r_file_perms;
-allow simpleperf_app_runner system_data_file:lnk_file getattr;
-allow simpleperf_app_runner packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow simpleperf_app_runner system_data_file:lnk_file read;
-
-# simpleperf_app_runner switches to the app UID/GID.
-allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
-
-# simpleperf_app_runner switches to the app security context.
-selinux_check_context(simpleperf_app_runner) # validate context
-allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
-
-# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
-
-# simpleperf_app_runner passes pipe fds.
-# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
-allow simpleperf_app_runner shell:fifo_file { read write };
-
-# simpleperf_app_runner checks shell data paths.
-# simpleperf_app_runner passes shell data fds.
-allow simpleperf_app_runner shell_data_file:dir { getattr search };
-allow simpleperf_app_runner shell_data_file:file { getattr write };
-
-###
-### neverallow rules
-###
-
-# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
-neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/microdroid/sepolicy/system/public/slideshow.te b/microdroid/sepolicy/system/public/slideshow.te
deleted file mode 100644
index 10fbbb8..0000000
--- a/microdroid/sepolicy/system/public/slideshow.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# slideshow seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type slideshow, domain;
-
-allow slideshow kmsg_device:chr_file rw_file_perms;
-wakelock_use(slideshow)
-allow slideshow device:dir r_dir_perms;
-allow slideshow self:global_capability_class_set sys_tty_config;
-allow slideshow graphics_device:dir r_dir_perms;
-allow slideshow graphics_device:chr_file rw_file_perms;
-allow slideshow input_device:dir r_dir_perms;
-allow slideshow input_device:chr_file r_file_perms;
-allow slideshow tty_device:chr_file rw_file_perms;
-
diff --git a/microdroid/sepolicy/system/public/stats_service_server.te b/microdroid/sepolicy/system/public/stats_service_server.te
deleted file mode 100644
index ab8e58a..0000000
--- a/microdroid/sepolicy/system/public/stats_service_server.te
+++ /dev/null
@@ -1,4 +0,0 @@
-add_hwservice(stats_service_server, fwk_stats_hwservice)
-add_service(stats_service_server, fwk_stats_service)
-
-binder_use(stats_service_server)
diff --git a/microdroid/sepolicy/system/public/statsd.te b/microdroid/sepolicy/system/public/statsd.te
index 670f4c7..5da3ec9 100644
--- a/microdroid/sepolicy/system/public/statsd.te
+++ b/microdroid/sepolicy/system/public/statsd.te
@@ -15,72 +15,17 @@
 allow statsd system_file:file execute_no_trans;
 allow statsd toolbox_exec:file rx_file_perms;
 
-userdebug_or_eng(`
-  allow statsd su:fifo_file read;
-')
-
-# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
-allow statsd stats_data_file:dir create_dir_perms;
-allow statsd stats_data_file:file create_file_perms;
-
-# Allow statsd to make binder calls to any binder service.
-binder_call(statsd, appdomain)
-binder_call(statsd, healthd)
-binder_call(statsd, incidentd)
-binder_call(statsd, system_server)
-
-# Allow statsd to interact with gpuservice
-allow statsd gpu_service:service_manager find;
-binder_call(statsd, gpuservice)
-
 # Allow statsd to interact with keystore to pull atoms
 allow statsd keystore_service:service_manager find;
 binder_call(statsd, keystore)
 
-# Allow statsd to interact with mediametrics
-allow statsd mediametrics_service:service_manager find;
-binder_call(statsd, mediametrics)
-
 # Allow logd access.
 read_logd(statsd)
 control_logd(statsd)
 
-# Grant statsd with permissions to register the services.
-allow statsd {
-  app_api_service
-  incident_service
-  system_api_service
-}:service_manager find;
-
-# Grant statsd to access health hal to access battery metrics.
-allow statsd hal_health_hwservice:hwservice_manager find;
-
-# Allow statsd to send dump info to dumpstate
-allow statsd dumpstate:fd use;
-allow statsd dumpstate:fifo_file { getattr write };
-
-# Allow access to with hardware layer and process stats.
-allow statsd proc_uid_cputime_showstat:file { getattr open read };
-hal_client_domain(statsd, hal_health)
-hal_client_domain(statsd, hal_power)
-hal_client_domain(statsd, hal_power_stats)
-hal_client_domain(statsd, hal_thermal)
-
 # Allow 'adb shell cmd' to upload configs and download output.
 allow statsd adbd:fd use;
 allow statsd adbd:unix_stream_socket { getattr read write };
 allow statsd shell:fifo_file { getattr read write };
 
 unix_socket_send(statsd, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# Only statsd and the other root services in limited circumstances.
-# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
-# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
-
-# Limited access to the directory itself.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/microdroid/sepolicy/system/public/su.te b/microdroid/sepolicy/system/public/su.te
index 074ff2e..a440c21 100644
--- a/microdroid/sepolicy/system/public/su.te
+++ b/microdroid/sepolicy/system/public/su.te
@@ -14,9 +14,6 @@
   # Add su to various domains
   net_domain(su)
 
-  # grant su access to vndbinder
-  vndbinder_use(su)
-
   dontaudit su self:capability_class_set *;
   dontaudit su self:capability2 *;
   dontaudit su kernel:security *;
@@ -43,66 +40,13 @@
   dontaudit su property_type:file *;
   dontaudit su service_manager_type:service_manager *;
   dontaudit su hwservice_manager_type:hwservice_manager *;
-  dontaudit su vndservice_manager_type:service_manager *;
   dontaudit su servicemanager:service_manager list;
   dontaudit su hwservicemanager:hwservice_manager list;
-  dontaudit su vndservicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
   dontaudit su keystore:keystore2 *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
-  dontaudit su postinstall_file:filesystem *;
   dontaudit su domain:bpf *;
   dontaudit su unlabeled:vsock_socket *;
   dontaudit su self:perf_event *;
-
-  # VTS tests run in the permissive su domain on debug builds, but the HALs
-  # being tested run in enforcing mode. Because hal_foo_server is enforcing
-  # su needs to be declared as hal_foo_client to grant hal_foo_server
-  # permission to interact with it.
-  typeattribute su halclientdomain;
-  typeattribute su hal_allocator_client;
-  typeattribute su hal_atrace_client;
-  typeattribute su hal_audio_client;
-  typeattribute su hal_authsecret_client;
-  typeattribute su hal_bluetooth_client;
-  typeattribute su hal_bootctl_client;
-  typeattribute su hal_camera_client;
-  typeattribute su hal_configstore_client;
-  typeattribute su hal_confirmationui_client;
-  typeattribute su hal_contexthub_client;
-  typeattribute su hal_drm_client;
-  typeattribute su hal_cas_client;
-  typeattribute su hal_dumpstate_client;
-  typeattribute su hal_fingerprint_client;
-  typeattribute su hal_gatekeeper_client;
-  typeattribute su hal_gnss_client;
-  typeattribute su hal_graphics_allocator_client;
-  typeattribute su hal_graphics_composer_client;
-  typeattribute su hal_health_client;
-  typeattribute su hal_input_classifier_client;
-  typeattribute su hal_ir_client;
-  typeattribute su hal_keymaster_client;
-  typeattribute su hal_light_client;
-  typeattribute su hal_memtrack_client;
-  typeattribute su hal_neuralnetworks_client;
-  typeattribute su hal_nfc_client;
-  typeattribute su hal_oemlock_client;
-  typeattribute su hal_power_client;
-  typeattribute su hal_rebootescrow_client;
-  typeattribute su hal_secure_element_client;
-  typeattribute su hal_sensors_client;
-  typeattribute su hal_telephony_client;
-  typeattribute su hal_tetheroffload_client;
-  typeattribute su hal_thermal_client;
-  typeattribute su hal_tv_cec_client;
-  typeattribute su hal_tv_input_client;
-  typeattribute su hal_tv_tuner_client;
-  typeattribute su hal_usb_client;
-  typeattribute su hal_vibrator_client;
-  typeattribute su hal_vr_client;
-  typeattribute su hal_weaver_client;
-  typeattribute su hal_wifi_client;
-  typeattribute su hal_wifi_hostapd_client;
-  typeattribute su hal_wifi_supplicant_client;
 ')
diff --git a/microdroid/sepolicy/system/public/surfaceflinger.te b/microdroid/sepolicy/system/public/surfaceflinger.te
deleted file mode 100644
index c1e4844..0000000
--- a/microdroid/sepolicy/system/public/surfaceflinger.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# surfaceflinger - display compositor service
-type surfaceflinger, domain;
-type surfaceflinger_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/system_app.te b/microdroid/sepolicy/system/public/system_app.te
deleted file mode 100644
index 023058e..0000000
--- a/microdroid/sepolicy/system/public/system_app.te
+++ /dev/null
@@ -1,7 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings.  These are not as privileged as the system
-### server.
-###
-
-type system_app, domain;
diff --git a/microdroid/sepolicy/system/public/system_server.te b/microdroid/sepolicy/system/public/system_server.te
deleted file mode 100644
index edefadf..0000000
--- a/microdroid/sepolicy/system/public/system_server.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system_server, domain;
-type system_server_tmpfs, file_type, mlstrustedobject;
-
-# Power controls for debugging/diagnostics
-get_prop(system_server, power_debug_prop)
-set_prop(system_server, power_debug_prop)
-
-neverallow {
-  domain
-  -init
-  -vendor_init
-  -system_server
-} power_debug_prop:property_service set;
diff --git a/microdroid/sepolicy/system/public/system_suspend_internal_server.te b/microdroid/sepolicy/system/public/system_suspend_internal_server.te
deleted file mode 100644
index 67bff77..0000000
--- a/microdroid/sepolicy/system/public/system_suspend_internal_server.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# To serve ISuspendControlServiceInternal.
-add_service(system_suspend_internal_server, system_suspend_control_internal_service)
-
-neverallow {
-    domain
-    -atrace # tracing
-    -dumpstate # bug reports
-    -system_suspend_internal_server # implements system_suspend_control_internal_service
-    -system_server # configures system_suspend via ISuspendControlServiceInternal
-    -traceur_app # tracing
-} system_suspend_control_internal_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/system_suspend_server.te b/microdroid/sepolicy/system/public/system_suspend_server.te
deleted file mode 100644
index 8e8310d..0000000
--- a/microdroid/sepolicy/system/public/system_suspend_server.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# Required to export a HIDL interface.
-hwbinder_use(system_suspend_server)
-get_prop(system_suspend_server, hwservicemanager_prop)
-
-# To serve ISystemSuspend.hal.
-add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/microdroid/sepolicy/system/public/te_macros b/microdroid/sepolicy/system/public/te_macros
index 7dc5062..9e73292 100644
--- a/microdroid/sepolicy/system/public/te_macros
+++ b/microdroid/sepolicy/system/public/te_macros
@@ -721,12 +721,7 @@
         domain
         -$1_client
         -$1_server
-        # some services are allowed to find all services
-        -atrace
-        -dumpstate
         -shell
-        -system_app
-        -traceur_app
     } $2:service_manager find;
   ')
 ')
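Review bot: The `-shell` exemption that survives in this neverallow is now unexplained, because the `# some services are allowed to find all services` comment was removed with the other exemptions, and the shell.te hunk in this same change deletes the broad `allow shell { service_manager_type ... }:service_manager find` rule that originally justified it. Unless shell still obtains `service_manager find` through a rule not visible here, drop the `-shell` line so the assertion also covers shell; if the policy then fails to compile, the error names the rule that still grants it. If the exemption has to stay, restore a one-line comment above it stating why shell is allowed to find every HAL service. The macro body this hunk edits begins outside the hunk.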
diff --git a/microdroid/sepolicy/system/public/tee.te b/microdroid/sepolicy/system/public/tee.te
deleted file mode 100644
index 0f9b32d..0000000
--- a/microdroid/sepolicy/system/public/tee.te
+++ /dev/null
@@ -1,11 +0,0 @@
-##
-# trusted execution environment (tee) daemon
-#
-type tee, domain;
-
-# Device(s) for communicating with the TEE
-type tee_device, dev_type;
-
-allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
-allow tee fingerprint_vendor_data_file:file create_file_perms;
-
diff --git a/microdroid/sepolicy/system/public/tombstoned.te b/microdroid/sepolicy/system/public/tombstoned.te
index ea2abbb..bd1626d 100644
--- a/microdroid/sepolicy/system/public/tombstoned.te
+++ b/microdroid/sepolicy/system/public/tombstoned.te
@@ -1,17 +1,2 @@
-# debugger interface
-type tombstoned, domain, mlstrustedsubject;
-type tombstoned_exec, system_file_type, exec_type, file_type;
-
-# Write to arbitrary pipes given to us.
-allow tombstoned domain:fd use;
-allow tombstoned domain:fifo_file write;
-
-allow tombstoned domain:dir r_dir_perms;
-allow tombstoned domain:file r_file_perms;
-allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file { create_file_perms link };
-
-# Changes for the new stack dumping mechanism. Each trace goes into a
-# separate file, and these files are managed by tombstoned.
-allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { append create getattr open link unlink };
+type tombstoned, domain;
+type tombstoned_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/toolbox.te b/microdroid/sepolicy/system/public/toolbox.te
index 4c2cc3e..0a6e649 100644
--- a/microdroid/sepolicy/system/public/toolbox.te
+++ b/microdroid/sepolicy/system/public/toolbox.te
@@ -1,38 +1,2 @@
-# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
-# Do NOT use this domain for toolbox when run by any other domain.
 type toolbox, domain;
-type toolbox_exec, system_file_type, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow toolbox tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow toolbox devpts:chr_file { read write getattr ioctl };
-
-# mkswap-specific.
-# Read/write block devices used for swap partitions.
-# Assign swap_block_device type any such partition in your
-# device/<vendor>/<product>/sepolicy/file_contexts file.
-allow toolbox block_device:dir search;
-allow toolbox swap_block_device:blk_file rw_file_perms;
-
-# Only allow entry from init via the toolbox binary.
-neverallow { domain -init } toolbox:process transition;
-neverallow * toolbox:process dyntransition;
-neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
-
-# rm -rf directories in /data
-allow toolbox system_data_root_file:dir { remove_name write };
-allow toolbox system_data_file:dir { rmdir rw_dir_perms };
-allow toolbox system_data_file:file { getattr unlink };
-
-# chattr +F and chattr +P /data/media in init
-allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
-allowxperm toolbox media_rw_data_file:dir ioctl {
-  FS_IOC_FSGETXATTR
-  FS_IOC_FSSETXATTR
-  FS_IOC_GETFLAGS
-  FS_IOC_SETFLAGS
-};
+type toolbox_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/sepolicy/system/public/traced.te b/microdroid/sepolicy/system/public/traced.te
deleted file mode 100644
index 922d46e..0000000
--- a/microdroid/sepolicy/system/public/traced.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type traced, domain, coredomain, mlstrustedsubject;
-type traced_tmpfs, file_type;
-
diff --git a/microdroid/sepolicy/system/public/traced_perf.te b/microdroid/sepolicy/system/public/traced_perf.te
deleted file mode 100644
index f9a0324..0000000
--- a/microdroid/sepolicy/system/public/traced_perf.te
+++ /dev/null
@@ -1 +0,0 @@
-type traced_perf, domain;
diff --git a/microdroid/sepolicy/system/public/traced_probes.te b/microdroid/sepolicy/system/public/traced_probes.te
deleted file mode 100644
index 3e587c8..0000000
--- a/microdroid/sepolicy/system/public/traced_probes.te
+++ /dev/null
@@ -1 +0,0 @@
-type traced_probes, domain, coredomain, mlstrustedsubject;
diff --git a/microdroid/sepolicy/system/public/traceur_app.te b/microdroid/sepolicy/system/public/traceur_app.te
deleted file mode 100644
index ce9b844..0000000
--- a/microdroid/sepolicy/system/public/traceur_app.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type traceur_app, domain;
-
-allow traceur_app servicemanager:service_manager list;
-allow traceur_app hwservicemanager:hwservice_manager list;
-
-allow traceur_app {
-  service_manager_type
-  -apex_service
-  -dnsresolver_service
-  -gatekeeper_service
-  -incident_service
-  -installd_service
-  -iorapd_service
-  -lpdump_service
-  -netd_service
-  -virtual_touchpad_service
-  -vold_service
-  -vr_hwc_service
-  -default_android_service
-}:service_manager find;
-
-# Allow traceur_app to use atrace HAL
-hal_client_domain(traceur_app, hal_atrace)
-
-dontaudit traceur_app service_manager_type:service_manager find;
-dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
-dontaudit traceur_app domain:binder call;
diff --git a/microdroid/sepolicy/system/public/type.te b/microdroid/sepolicy/system/public/type.te
new file mode 100644
index 0000000..c31509c
--- /dev/null
+++ b/microdroid/sepolicy/system/public/type.te
@@ -0,0 +1,23 @@
+# Miscellaneous types
+type adb_service, system_server_service, system_api_service, service_manager_type;
+type apex_service, service_manager_type;
+type authorization_service, service_manager_type;
+type credstore_service, app_api_service, service_manager_type;
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type default_android_service, service_manager_type;
+type hal_keymint_service, protected_service, vendor_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
+type keystore_service, service_manager_type;
+type legacykeystore_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
+type system_linker;
+type vm_payload_key;
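Review bot: `type system_linker;` and `type vm_payload_key;` are the only declarations in this new file with no attributes, and the `# Miscellaneous types` heading says nothing about what objects they label. A file labelled with a type that lacks `file_type`/`system_file_type` is excluded from every allow and neverallow written against those attributes, which is easy to miss later; add a comment per type naming what it labels and whether the missing attribute is deliberate, e.g. `# <object this labels>; intentionally carries no file_type attribute because <reason>`. The list is also not sorted (`hal_keymaster_hwservice` sits among the `hidl_*` entries), which will make future merges noisier than necessary.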
diff --git a/microdroid/sepolicy/system/public/tzdatacheck.te b/microdroid/sepolicy/system/public/tzdatacheck.te
deleted file mode 100644
index cf9b95d..0000000
--- a/microdroid/sepolicy/system/public/tzdatacheck.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, system_file_type, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/microdroid/sepolicy/system/public/ueventd.te b/microdroid/sepolicy/system/public/ueventd.te
index d5d4301..7bf7888 100644
--- a/microdroid/sepolicy/system/public/ueventd.te
+++ b/microdroid/sepolicy/system/public/ueventd.te
@@ -2,82 +2,3 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 type ueventd_tmpfs, file_type;
-
-# Write to /dev/kmsg.
-allow ueventd kmsg_device:chr_file rw_file_perms;
-
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
-allow ueventd device:file create_file_perms;
-
-r_dir_file(ueventd, rootfs)
-
-# ueventd needs write access to files in /sys to regenerate uevents
-allow ueventd sysfs_type:file w_file_perms;
-r_dir_file(ueventd, sysfs_type)
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { getattr create setattr unlink };
-allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
-
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
-# Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
-
-# Access for /apex/*/firmware
-allow ueventd apex_mnt_dir:dir r_dir_perms;
-
-# Get file contexts for new device nodes
-allow ueventd file_contexts_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
-allow ueventd proc_cmdline:file r_file_perms;
-allow ueventd proc_bootconfig:file r_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. ueventd has to execute
-# the dynamic linker and shared libraries.
-recovery_only(`
-  allow ueventd rootfs:file { r_file_perms execute };
-')
-
-# Suppress denials for ueventd to getattr /postinstall. This occurs when the
-# linker tries to resolve paths in ld.config.txt.
-dontaudit ueventd postinstall_mnt_dir:dir getattr;
-
-# ueventd loads modules in response to modalias events.
-allow ueventd self:global_capability_class_set sys_module;
-allow ueventd vendor_file:system module_load;
-allow ueventd kernel:key search;
-
-# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
-
-# Allow ueventd to run shell scripts from vendor
-allow ueventd vendor_shell_exec:file execute;
-
-#####
-##### neverallow rules
-#####
-
-# Restrict ueventd access on block devices to maintenence operations.
-neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-
-# Only relabelto as we would never want to relabelfrom port_device
-neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
-
-# Nobody should be able to ptrace ueventd
-neverallow * ueventd:process ptrace;
-
-# ueventd should never execute a program without changing to another domain.
-neverallow ueventd { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/sepolicy/system/public/uncrypt.te b/microdroid/sepolicy/system/public/uncrypt.te
deleted file mode 100644
index 3b04671..0000000
--- a/microdroid/sepolicy/system/public/uncrypt.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# uncrypt
-type uncrypt, domain, mlstrustedsubject;
-type uncrypt_exec, system_file_type, exec_type, file_type;
-
-allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
-
-userdebug_or_eng(`
-  # For debugging, allow /data/local/tmp access
-  r_dir_file(uncrypt, shell_data_file)
-')
-
-# Read /cache/recovery/command
-# Read /cache/recovery/uncrypt_file
-allow uncrypt cache_file:dir search;
-allow uncrypt cache_recovery_file:dir rw_dir_perms;
-allow uncrypt cache_recovery_file:file create_file_perms;
-
-# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
-allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file rw_file_perms;
-
-# Write to /dev/socket/uncrypt
-unix_socket_connect(uncrypt, uncrypt, uncrypt)
-
-# Raw writes to block device
-allow uncrypt self:global_capability_class_set sys_rawio;
-allow uncrypt misc_block_device:blk_file w_file_perms;
-allow uncrypt block_device:dir r_dir_perms;
-
-# Access userdata block device.
-allow uncrypt userdata_block_device:blk_file w_file_perms;
-
-r_dir_file(uncrypt, rootfs)
-
-# Access to bootconfig is needed when calling ReadDefaultFstab.
-allow uncrypt {
-  proc_bootconfig
-  proc_cmdline
-
-}:file r_file_perms;
-
-# Read files in /sys
-r_dir_file(uncrypt, sysfs_dt_firmware_android)
-
-# Allow ReadDefaultFstab().
-read_fstab(uncrypt)
diff --git a/microdroid/sepolicy/system/public/untrusted_app.te b/microdroid/sepolicy/system/public/untrusted_app.te
deleted file mode 100644
index 43fe19a..0000000
--- a/microdroid/sepolicy/system/public/untrusted_app.te
+++ /dev/null
@@ -1,30 +0,0 @@
-###
-### Untrusted apps.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory).  The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml.  In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key.  To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-# This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 30.
-type untrusted_app, domain;
-# This file defines the rules for untrusted apps running with
-# targetSdkVersion = 29.
-type untrusted_app_29, domain;
-# This file defines the rules for untrusted apps running with
-# 25 < targetSdkVersion <= 28.
-type untrusted_app_27, domain;
-# This file defines the rules for untrusted apps running with
-# targetSdkVersion <= 25.
-type untrusted_app_25, domain;
diff --git a/microdroid/sepolicy/system/public/update_engine.te b/microdroid/sepolicy/system/public/update_engine.te
deleted file mode 100644
index ab7090b..0000000
--- a/microdroid/sepolicy/system/public/update_engine.te
+++ /dev/null
@@ -1,78 +0,0 @@
-# Domain for update_engine daemon.
-type update_engine, domain, update_engine_common;
-type update_engine_exec, system_file_type, exec_type, file_type;
-
-net_domain(update_engine);
-
-# Following permissions are needed for update_engine.
-allow update_engine self:process { setsched };
-allow update_engine self:global_capability_class_set { fowner sys_admin };
-# Note: fsetid checks are triggered when creating a file in a directory with
-# the setgid bit set to determine if the file should inherit setgid. In this
-# case, setgid on the file is undesirable so we should just suppress the
-# denial.
-dontaudit update_engine self:global_capability_class_set fsetid;
-
-allow update_engine kmsg_device:chr_file { getattr w_file_perms };
-allow update_engine update_engine_exec:file rx_file_perms;
-wakelock_use(update_engine);
-
-# Ignore these denials.
-dontaudit update_engine kernel:process setsched;
-dontaudit update_engine self:global_capability_class_set sys_rawio;
-
-# Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir create_dir_perms;
-allow update_engine update_engine_data_file:file create_file_perms;
-
-# Allow using persistent storage in /data/misc/update_engine_log.
-allow update_engine update_engine_log_data_file:dir create_dir_perms;
-allow update_engine update_engine_log_data_file:file create_file_perms;
-
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
-# Register the service to perform Binder IPC.
-binder_use(update_engine)
-add_service(update_engine, update_engine_service)
-add_service(update_engine, update_engine_stable_service)
-
-# Allow update_engine to call the callback function provided by priv_app/GMS core.
-binder_call(update_engine, priv_app)
-# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
-  auditallow update_engine priv_app:binder { call transfer };
-  auditallow priv_app update_engine:binder transfer;
-  auditallow update_engine priv_app:fd use;
-')
-
-binder_call(update_engine, gmscore_app)
-
-# Allow update_engine to call the callback function provided by system_server.
-binder_call(update_engine, system_server)
-
-# Read OTA zip file at /data/ota_package/.
-allow update_engine ota_package_file:file r_file_perms;
-allow update_engine ota_package_file:dir r_dir_perms;
-
-# Use Boot Control HAL
-hal_client_domain(update_engine, hal_bootctl)
-
-# access /proc/misc
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
-
-# Allow ReadDefaultFstab().
-# update_engine tries to determine the parent path for all devices (e.g.
-# /dev/block/by-name) by reading the default fstab and looking for the misc
-# device.
-read_fstab(update_engine)
-
-# Allow to write to snapshotctl_log logs.
-# TODO(b/148818798) revert when parent bug is fixed.
-userdebug_or_eng(`
-allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
-allow update_engine snapshotctl_log_data_file:file create_file_perms;
-')
diff --git a/microdroid/sepolicy/system/public/update_engine_common.te b/microdroid/sepolicy/system/public/update_engine_common.te
deleted file mode 100644
index e8fd29e..0000000
--- a/microdroid/sepolicy/system/public/update_engine_common.te
+++ /dev/null
@@ -1,98 +0,0 @@
-# update_engine payload application permissions. These are shared between the
-# background daemon and the recovery tool to sideload an update.
-
-# Allow update_engine to reach block devices in /dev/block.
-allow update_engine_common block_device:dir search;
-
-# Allow read/write on system and boot partitions.
-allow update_engine_common boot_block_device:blk_file rw_file_perms;
-allow update_engine_common system_block_device:blk_file rw_file_perms;
-
-# Where ioctls are granted via standard allow rules to block devices,
-# automatically allow common ioctls that are generally needed by
-# update_engine.
-allowxperm update_engine_common dev_type:blk_file ioctl {
-  BLKDISCARD
-  BLKDISCARDZEROES
-  BLKROGET
-  BLKROSET
-  BLKSECDISCARD
-  BLKZEROOUT
-};
-
-# Allow to set recovery options in the BCB. Used to trigger factory reset when
-# the update to an older version (channel change) or incompatible version
-# requires it.
-allow update_engine_common misc_block_device:blk_file rw_file_perms;
-
-# read fstab
-allow update_engine_common rootfs:dir getattr;
-allow update_engine_common rootfs:file r_file_perms;
-
-# Allow update_engine_common to mount on the /postinstall directory and reset the
-# labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
-allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
-
-# Allow update_engine_common to read and execute postinstall_file.
-allow update_engine_common postinstall_file:file rx_file_perms;
-allow update_engine_common postinstall_file:lnk_file r_file_perms;
-allow update_engine_common postinstall_file:dir r_dir_perms;
-
-# install update.zip from cache
-r_dir_file(update_engine_common, cache_file)
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine_common shell_exec:file rx_file_perms;
-
-# Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/cmdline
-allow update_engine_common proc_cmdline:file r_file_perms;
-
-# Read files in /sys/firmware/devicetree/base/firmware/android/
-r_dir_file(update_engine_common, sysfs_dt_firmware_android)
-
-# Needed because libdm reads sysfs to validate when a dm path is ready.
-r_dir_file(update_engine_common, sysfs_dm)
-
-# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
-allow update_engine_common sysfs:dir r_dir_perms;
-allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
-
-# read / write on /dev/device-mapper to map / unmap devices
-allow update_engine_common dm_device:chr_file rw_file_perms;
-
-# apply / verify updates on devices mapped via device mapper
-allow update_engine_common dm_device:blk_file rw_file_perms;
-
-# read /dev/dm-user, so that we can inotify wait for control devices to be
-# asynchronously created by ueventd.
-allow update_engine dm_user_device:dir r_dir_perms;
-
-# read / write metadata on super device to resize partitions
-allow update_engine_common super_block_device_type:blk_file rw_file_perms;
-
-# ioctl on super device to get block device alignment and alignment offset
-allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
-# get physical block device to map logical partitions on device mapper
-allow update_engine_common block_device:dir r_dir_perms;
-
-# Allow update_engine_common to write to statsd socket.
-unix_socket_send(update_engine_common, statsdw, statsd)
-
-# Allow to read Virtual A/B feature flags.
-get_prop(update_engine_common, virtual_ab_prop)
-
-# Allow to read GKI related flags.
-get_prop(update_engine_common, ab_update_gki_prop)
-get_prop(update_engine_common, build_bootimage_prop)
-
-# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
-allow update_engine_common metadata_file:dir search;
-allow update_engine_common ota_metadata_file:dir rw_dir_perms;
-allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/microdroid/sepolicy/system/public/update_verifier.te b/microdroid/sepolicy/system/public/update_verifier.te
deleted file mode 100644
index 68b43f0..0000000
--- a/microdroid/sepolicy/system/public/update_verifier.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# update_verifier
-type update_verifier, domain;
-type update_verifier_exec, system_file_type, exec_type, file_type;
-
-# Allow update_verifier to reach block devices in /dev/block.
-allow update_verifier block_device:dir search;
-
-# Read care map in /data/ota_package/.
-allow update_verifier ota_package_file:dir r_dir_perms;
-allow update_verifier ota_package_file:file r_file_perms;
-
-# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
-allow update_verifier sysfs:dir r_dir_perms;
-
-# Read /sys/block/dm-X/dm/name (which is a symlink to
-# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
-# dm-X and system/vendor partitions.
-allow update_verifier sysfs_dm:dir r_dir_perms;
-allow update_verifier sysfs_dm:file r_file_perms;
-
-# Read all blocks in DM wrapped system partition.
-allow update_verifier dm_device:blk_file r_file_perms;
-
-# Write to kernel message.
-allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
-
-# Use Boot Control HAL
-hal_client_domain(update_verifier, hal_bootctl)
-
-# Access Checkpoint commands over binder
-allow update_verifier vold_service:service_manager find;
-binder_call(update_verifier, servicemanager)
-binder_call(update_verifier, vold)
diff --git a/microdroid/sepolicy/system/public/usbd.te b/microdroid/sepolicy/system/public/usbd.te
deleted file mode 100644
index 6f34954..0000000
--- a/microdroid/sepolicy/system/public/usbd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type usbd, domain;
-type usbd_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/userdata_sysdev.te b/microdroid/sepolicy/system/public/userdata_sysdev.te
deleted file mode 100644
index 9974f36..0000000
--- a/microdroid/sepolicy/system/public/userdata_sysdev.te
+++ /dev/null
@@ -1 +0,0 @@
-allow userdata_sysdev sysfs:filesystem associate;
diff --git a/microdroid/sepolicy/system/public/vdc.te b/microdroid/sepolicy/system/public/vdc.te
deleted file mode 100644
index e638e50..0000000
--- a/microdroid/sepolicy/system/public/vdc.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# vdc spawned from init for the following services:
-#  defaultcrypto
-#  encrypt
-#
-# We also transition into this domain from dumpstate, when
-# collecting bug reports.
-
-type vdc, domain;
-type vdc_exec, system_file_type, exec_type, file_type;
-
-# vdc can be invoked with logwrapper, so let it write to pty
-allow vdc devpts:chr_file rw_file_perms;
-
-# vdc writes directly to kmsg during the boot process
-allow vdc kmsg_device:chr_file { getattr w_file_perms };
-
-# vdc talks to vold over Binder
-binder_use(vdc)
-binder_call(vdc, vold)
-allow vdc vold_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/vendor_init.te b/microdroid/sepolicy/system/public/vendor_init.te
index b0e1da5..b66caa9 100644
--- a/microdroid/sepolicy/system/public/vendor_init.te
+++ b/microdroid/sepolicy/system/public/vendor_init.te
@@ -34,98 +34,51 @@
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 
-# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
-allow vendor_init unencrypted_data_file:dir search;
-allow vendor_init unencrypted_data_file:file r_file_perms;
-
-# Set encryption policy on dirs in /data
-allowxperm vendor_init data_file_type:dir ioctl {
-  FS_IOC_GET_ENCRYPTION_POLICY
-  FS_IOC_SET_ENCRYPTION_POLICY
-};
-
 allow vendor_init system_data_file:dir getattr;
 
 allow vendor_init {
   file_type
-  -core_data_file_type
   -exec_type
   -system_file_type
-  -mnt_product_file
-  -password_slot_metadata_file
-  -ota_metadata_file
   -unlabeled
   -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
-  -userspace_reboot_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
 
 allow vendor_init {
   file_type
-  -core_data_file_type
   -exec_type
-  -password_slot_metadata_file
-  -ota_metadata_file
   -runtime_event_log_tags_file
   -system_file_type
   -unlabeled
   -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
   -apex_info_file
-  -userspace_reboot_metadata_file
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
   file_type
-  -core_data_file_type
   -exec_type
-  -password_slot_metadata_file
-  -ota_metadata_file
   -system_file_type
   -unlabeled
   -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
-  -userspace_reboot_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
   -apex_mnt_dir
-  -core_data_file_type
   -exec_type
-  -password_slot_metadata_file
-  -ota_metadata_file
   -system_file_type
   -unlabeled
   -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
-  -userspace_reboot_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
-  -core_data_file_type
   -exec_type
-  -mnt_product_file
-  -password_slot_metadata_file
-  -ota_metadata_file
   -system_file_type
   -vendor_file_type
-  -vold_metadata_file
-  -gsi_metadata_file_type
-  -apex_metadata_file
-  -userspace_reboot_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;
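Review bot: Dropping `-core_data_file_type` from the five `allow vendor_init { file_type ... }` lists widens vendor_init's create/write/relabelfrom/relabelto access to every data type that still carries `file_type`; `system_data_file` is still referenced a few lines above (`allow vendor_init system_data_file:dir getattr;`), and if it keeps its AOSP attributes that explicit getattr becomes redundant because the broad dir rule now also grants it `write add_name remove_name relabelfrom`. If the `core_data_file_type` attribute was removed from the microdroid policy (which would explain why the exclusion no longer compiles), exclude the surviving data types by name instead, e.g. `-system_data_file` in each list; if the attribute still exists, re-add `-core_data_file_type`. The same question applies to the dropped `-apex_metadata_file` while `-apex_info_file` is kept: if that type survives in this policy, vendor_init can now write and relabel it. The comment introducing these rules starts before the hunk, so its "except /system files" wording should be checked against the new lists as well.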
@@ -137,9 +90,7 @@
 # chown/chmod on pseudo files.
 allow vendor_init {
   fs_type
-  -contextmount_type
-  -keychord_device
-  -sdcard_type
+  -fusefs_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
@@ -151,8 +102,7 @@
 
 allow vendor_init {
   fs_type
-  -contextmount_type
-  -sdcard_type
+  -fusefs_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
@@ -179,117 +129,22 @@
 
 r_dir_file(vendor_init, vendor_file_type)
 
-# Vendor init can read properties
-allow vendor_init serialno_prop:file { getattr open read map };
-
 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;
 
-# Raw writes to misc block device
-allow vendor_init misc_block_device:blk_file w_file_perms;
-
 # vendor_init is using bootstrap bionic
 allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
 allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
 
-# allow filesystem tuning
-allow vendor_init userdata_sysdev:file create_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
-# the dynamic linker and shared libraries.
-recovery_only(`
-  allow vendor_init rootfs:file { r_file_perms execute };
-')
-
-not_compatible_property(`
-    set_prop(vendor_init, {
-      property_type
-      -system_internal_property_type
-      -system_restricted_property_type
-    })
-')
-
 # Get file context
 allow vendor_init file_contexts_file:file r_file_perms;
 
 # Allow vendor_init to (re)set nice
 allow vendor_init self:capability sys_nice;
 
-set_prop(vendor_init, apk_verity_prop)
-set_prop(vendor_init, bluetooth_a2dp_offload_prop)
-set_prop(vendor_init, bluetooth_audio_hal_prop)
-set_prop(vendor_init, camerax_extensions_prop)
-set_prop(vendor_init, cpu_variant_prop)
-set_prop(vendor_init, dalvik_runtime_prop)
-set_prop(vendor_init, debug_prop)
-set_prop(vendor_init, exported_bluetooth_prop)
-set_prop(vendor_init, exported_camera_prop)
-set_prop(vendor_init, exported_config_prop)
-set_prop(vendor_init, exported_default_prop)
-set_prop(vendor_init, exported_overlay_prop)
-set_prop(vendor_init, exported_pm_prop)
-set_prop(vendor_init, ffs_control_prop)
-set_prop(vendor_init, hw_timeout_multiplier_prop)
-set_prop(vendor_init, incremental_prop)
-set_prop(vendor_init, lmkd_prop)
-set_prop(vendor_init, logd_prop)
-set_prop(vendor_init, log_tag_prop)
-set_prop(vendor_init, log_prop)
-set_prop(vendor_init, qemu_hw_prop)
-set_prop(vendor_init, radio_control_prop)
-set_prop(vendor_init, rebootescrow_hal_prop)
-set_prop(vendor_init, serialno_prop)
-set_prop(vendor_init, soc_prop)
-set_prop(vendor_init, surfaceflinger_color_prop)
-set_prop(vendor_init, usb_control_prop)
-set_prop(vendor_init, userspace_reboot_config_prop)
-set_prop(vendor_init, vehicle_hal_prop)
-set_prop(vendor_init, vendor_default_prop)
-set_prop(vendor_init, vendor_security_patch_level_prop)
-set_prop(vendor_init, vndk_prop)
-set_prop(vendor_init, virtual_ab_prop)
-set_prop(vendor_init, vold_post_fs_data_prop)
-set_prop(vendor_init, wifi_hal_prop)
-set_prop(vendor_init, wifi_log_prop)
-set_prop(vendor_init, zram_control_prop)
-
-get_prop(vendor_init, boot_status_prop)
-get_prop(vendor_init, exported3_system_prop)
-get_prop(vendor_init, ota_prop)
-get_prop(vendor_init, power_debug_prop)
-get_prop(vendor_init, provisioned_prop)
-get_prop(vendor_init, retaildemo_prop)
-get_prop(vendor_init, surfaceflinger_display_prop)
-get_prop(vendor_init, test_harness_prop)
-get_prop(vendor_init, theme_prop)
-set_prop(vendor_init, dck_prop)
-
-
-###
-### neverallow rules
-###
-
-# Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
-
-# The vendor_init domain is only entered via an exec based transition from the
-# init domain, never via setcon().
-neverallow domain vendor_init:process dyntransition;
-neverallow { domain -init } vendor_init:process transition;
-neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
-neverallow vendor_init shell_data_file:lnk_file read;
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow vendor_init shell_data_file:dir { write add_name remove_name };
-
-# init should never execute a program without changing to another domain.
-neverallow vendor_init { file_type fs_type }:file execute_no_trans;
-
-# Init never adds or uses services via service_manager.
-neverallow vendor_init service_manager_type:service_manager { add find };
-neverallow vendor_init servicemanager:service_manager list;
-
-# vendor_init should never be ptraced
-neverallow * vendor_init:process ptrace;
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+  dev_type
+  -kvm_device
+  -hw_random_device
+}:chr_file setattr;
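Review bot: The neverallow block removed at the end of this hunk is what makes vendor_init's "everything except system files" allow rules safe, and it costs nothing at runtime because neverallow is a compile-time assertion; after this change nothing fails the build if a later rule grants `execute_no_trans`, a `dyntransition` into vendor_init, or `ptrace` of it. Unless the microdroid private policy re-adds them (not visible here), keep at least `neverallow domain vendor_init:process dyntransition;`, `neverallow { domain -init } vendor_init:process transition;` and `neverallow vendor_init { file_type fs_type }:file execute_no_trans;`, all of which reference only names this file still uses. The new `dev_type:chr_file setattr` rule only explains `/dev/ttyHS0`; the carve-outs deserve a line such as `# kvm_device and hw_random_device keep their boot-time owner/mode; vendor_init must not chown/chmod them` if that is the intent, since a reader cannot otherwise tell why exactly those two are excluded.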
diff --git a/microdroid/sepolicy/system/public/vendor_misc_writer.te b/microdroid/sepolicy/system/public/vendor_misc_writer.te
deleted file mode 100644
index 3bc3a9f..0000000
--- a/microdroid/sepolicy/system/public/vendor_misc_writer.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# vendor_misc_writer
-type vendor_misc_writer, domain;
-type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
-
-# Raw writes to misc_block_device
-allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
-allow vendor_misc_writer block_device:dir r_dir_perms;
-
-# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
-# load DT fstab.
-dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
-dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
-dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
-
-# Allow ReadDefaultFstab().
-read_fstab(vendor_misc_writer)
diff --git a/microdroid/sepolicy/system/public/vendor_modprobe.te b/microdroid/sepolicy/system/public/vendor_modprobe.te
deleted file mode 100644
index 529c4aa..0000000
--- a/microdroid/sepolicy/system/public/vendor_modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_modprobe, domain;
diff --git a/microdroid/sepolicy/system/public/vendor_shell.te b/microdroid/sepolicy/system/public/vendor_shell.te
deleted file mode 100644
index 5d7cb31..0000000
--- a/microdroid/sepolicy/system/public/vendor_shell.te
+++ /dev/null
@@ -1,21 +0,0 @@
-type vendor_shell, domain;
-type vendor_shell_exec, exec_type, vendor_file_type, file_type;
-
-allow vendor_shell vendor_shell_exec:file rx_file_perms;
-allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
-
-# Use fd from shell when vendor_shell is started from shell
-allow vendor_shell shell:fd use;
-
-# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
-allow vendor_shell adbd:fd use;
-allow vendor_shell adbd:process sigchld;
-allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
-
-allow vendor_shell devpts:chr_file rw_file_perms;
-allow vendor_shell tty_device:chr_file rw_file_perms;
-allow vendor_shell console_device:chr_file rw_file_perms;
-allow vendor_shell input_device:dir r_dir_perms;
-allow vendor_shell input_device:chr_file rw_file_perms;
-
-userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/microdroid/sepolicy/system/public/vendor_toolbox.te b/microdroid/sepolicy/system/public/vendor_toolbox.te
deleted file mode 100644
index 63f938d..0000000
--- a/microdroid/sepolicy/system/public/vendor_toolbox.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# Toolbox installation for vendor binaries / scripts
-# Non-vendor processes are not allowed to execute the binary
-# and is always executed without transition.
-type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
-
-# Do not allow domains to transition to vendor toolbox
-# or read, execute the vendor_toolbox file.
-full_treble_only(`
-    # Do not allow non-vendor domains to transition
-    # to vendor toolbox except for the allowlisted domains.
-    neverallow {
-        coredomain
-        -init
-        -modprobe
-    } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
-')
diff --git a/microdroid/sepolicy/system/public/virtual_touchpad.te b/microdroid/sepolicy/system/public/virtual_touchpad.te
deleted file mode 100644
index 49c8704..0000000
--- a/microdroid/sepolicy/system/public/virtual_touchpad.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type virtual_touchpad, domain;
-type virtual_touchpad_exec, system_file_type, exec_type, file_type;
-
-binder_use(virtual_touchpad)
-binder_service(virtual_touchpad)
-add_service(virtual_touchpad, virtual_touchpad_service)
-
-# Needed to check app permissions.
-binder_call(virtual_touchpad, system_server)
-
-# Requires access to /dev/uinput to create and feed the virtual device.
-allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow virtual_touchpad permission_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/vndservice.te b/microdroid/sepolicy/system/public/vndservice.te
deleted file mode 100644
index efd9adf..0000000
--- a/microdroid/sepolicy/system/public/vndservice.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type service_manager_vndservice, vndservice_manager_type;
-type default_android_vndservice, vndservice_manager_type;
diff --git a/microdroid/sepolicy/system/public/vndservicemanager.te b/microdroid/sepolicy/system/public/vndservicemanager.te
deleted file mode 100644
index 6b9f73d..0000000
--- a/microdroid/sepolicy/system/public/vndservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager, domain;
diff --git a/microdroid/sepolicy/system/public/vold.te b/microdroid/sepolicy/system/public/vold.te
deleted file mode 100644
index 7796ba8..0000000
--- a/microdroid/sepolicy/system/public/vold.te
+++ /dev/null
@@ -1,361 +0,0 @@
-# volume manager
-type vold, domain;
-type vold_exec, exec_type, file_type, system_file_type;
-
-# Read already opened /cache files.
-allow vold cache_file:dir r_dir_perms;
-allow vold cache_file:file { getattr read };
-allow vold cache_file:lnk_file r_file_perms;
-
-r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
-# XXX Label sysfs files with a specific type?
-allow vold {
-  sysfs # writing to /sys/*/uevent during coldboot.
-  sysfs_devices_block
-  sysfs_dm
-  sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
-  sysfs_usb
-  sysfs_zram_uevent
-  sysfs_fs_f2fs
-}:file w_file_perms;
-
-r_dir_file(vold, rootfs)
-r_dir_file(vold, metadata_file)
-allow vold {
-  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
-  proc_bootconfig
-  proc_cmdline
-  proc_drop_caches
-  proc_filesystems
-  proc_meminfo
-  proc_mounts
-}:file r_file_perms;
-
-#Get file contexts
-allow vold file_contexts_file:file r_file_perms;
-
-# Allow us to jump into execution domains of above tools
-allow vold self:process setexec;
-
-# For formatting adoptable storage devices
-allow vold e2fs_exec:file rx_file_perms;
-
-# Run fstrim on mounted partitions
-# allowxperm still requires the ioctl permission for the individual type
-allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
-
-# Get/set file-based encryption policies on dirs in /data and adoptable storage,
-# and add/remove file-based encryption keys.
-allowxperm vold data_file_type:dir ioctl {
-  FS_IOC_GET_ENCRYPTION_POLICY
-  FS_IOC_SET_ENCRYPTION_POLICY
-  FS_IOC_ADD_ENCRYPTION_KEY
-  FS_IOC_REMOVE_ENCRYPTION_KEY
-};
-
-# Only vold and init should ever set file-based encryption policies.
-neverallowxperm {
-  domain
-  -vold
-  -init
-  -vendor_init
-} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
-
-# Only vold should ever add/remove file-based encryption keys.
-neverallowxperm {
-  domain
-  -vold
-} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
-
-# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
-# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
-# location of the file's blocks on the raw block device to erase.
-allowxperm vold {
-  vold_data_file
-  vold_metadata_file
-}:file ioctl {
-  F2FS_IOC_SEC_TRIM_FILE
-  FS_IOC_FIEMAP
-};
-
-typeattribute vold mlstrustedsubject;
-allow vold self:process setfscreate;
-allow vold system_file:file x_file_perms;
-not_full_treble(`allow vold vendor_file:file x_file_perms;')
-allow vold block_device:dir create_dir_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
-
-# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
-
-# Access to storage that backs emulated FUSE daemons for migration optimization
-allow vold media_rw_data_file:dir create_dir_perms;
-allow vold media_rw_data_file:file create_file_perms;
-# Allow mounting (lower filesystem) on parts of media for performance
-allow vold media_rw_data_file:dir mounton;
-
-# Allow setting extended attributes (for project quota IDs) on files and dirs
-# and to enable project ID inheritance through FS_IOC_SETFLAGS
-allowxperm vold media_rw_data_file:{ dir file } ioctl {
-  FS_IOC_FSGETXATTR
-  FS_IOC_FSSETXATTR
-  FS_IOC_GETFLAGS
-  FS_IOC_SETFLAGS
-};
-
-# Allow mounting of storage devices
-allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-
-# Manage per-user primary symlinks
-allow vold mnt_user_file:dir { create_dir_perms mounton };
-allow vold mnt_user_file:lnk_file create_file_perms;
-allow vold mnt_user_file:file create_file_perms;
-
-# Manage per-user pass_through primary symlinks
-allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
-allow vold mnt_pass_through_file:lnk_file create_file_perms;
-
-# Allow to create and mount expanded storage
-allow vold mnt_expand_file:dir { create_dir_perms mounton };
-allow vold apk_data_file:dir { create getattr setattr };
-allow vold shell_data_file:dir { create getattr setattr };
-
-# Allow to mount incremental file system on /data/incremental and create files
-allow vold apk_data_file:dir { mounton rw_dir_perms };
-# Allow to create and write files in /data/incremental
-allow vold apk_data_file:file { rw_file_perms unlink };
-# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
-allow vold apk_tmp_file:dir { mounton r_dir_perms };
-# Allow to read incremental control file and call selinux restorecon on it
-allow vold incremental_control_file:file { r_file_perms relabelto };
-
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow vold loop_control_device:chr_file rw_file_perms;
-allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
-allowxperm vold loop_device:blk_file ioctl {
-  LOOP_CLR_FD
-  LOOP_CTL_GET_FREE
-  LOOP_GET_STATUS64
-  LOOP_SET_FD
-  LOOP_SET_STATUS64
-};
-allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
-allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
-allow vold dm_device:chr_file rw_file_perms;
-allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:global_capability_class_set { sys_ptrace kill };
-
-allow vold kmsg_device:chr_file rw_file_perms;
-
-# Run fsck in the fsck domain.
-allow vold fsck_exec:file { r_file_perms execute };
-
-# Log fsck results
-allow vold fscklogs:dir rw_dir_perms;
-allow vold fscklogs:file create_file_perms;
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount remount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
-# Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold {
-    system_data_file
-    system_data_root_file
-}:dir { create rw_dir_perms mounton setattr rmdir };
-allow vold system_data_file:lnk_file getattr;
-
-# Vold create users in /data/vendor_{ce,de}/[0-9]+
-allow vold vendor_data_file:dir create_dir_perms;
-
-# for secdiscard
-allow vold system_data_file:file read;
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
-allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
-allow vold asec_public_file:file { relabelto setattr };
-# restorecon files in asec containers created on 4.2 or earlier.
-allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
-allow vold unlabeled:file { r_file_perms setattr relabelfrom };
-
-# Access to FUSE control filesystem to hard-abort FUSE mounts
-allow vold fusectlfs:file rw_file_perms;
-allow vold fusectlfs:dir rw_dir_perms;
-
-# Handle wake locks (used for device encryption)
-wakelock_use(vold)
-
-# Allow vold to publish a binder service and make binder calls.
-binder_use(vold)
-add_service(vold, vold_service)
-
-# Allow vold to call into the system server so it can check permissions.
-binder_call(vold, system_server)
-allow vold permission_service:service_manager find;
-
-# talk to batteryservice
-binder_call(vold, healthd)
-
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
-# talk to health storage HAL
-hal_client_domain(vold, hal_health_storage)
-
-# talk to bootloader HAL
-full_treble_only(`hal_client_domain(vold, hal_bootctl)')
-
-# Access userdata block device.
-allow vold userdata_block_device:blk_file rw_file_perms;
-allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
-
-# Access metadata block device used for encryption meta-data.
-allow vold metadata_block_device:blk_file rw_file_perms;
-allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
-
-# Allow vold to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file } create_file_perms;
-allow vold unencrypted_data_file:dir create_dir_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow vold proc_drop_caches:file w_file_perms;
-
-# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir create_dir_perms;
-allow vold vold_data_file:file create_file_perms;
-
-# And a similar place in the metadata partition
-allow vold vold_metadata_file:dir create_dir_perms;
-allow vold vold_metadata_file:file create_file_perms;
-
-# linux keyring configuration
-allow vold init:key { write search setattr };
-allow vold vold:key { write search setattr };
-
-# vold temporarily changes its priority when running benchmarks
-allow vold self:global_capability_class_set sys_nice;
-
-# vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:global_capability_class_set sys_chroot;
-allow vold storage_file:dir mounton;
-
-# For AppFuse.
-allow vold fuse_device:chr_file rw_file_perms;
-allow vold fuse:filesystem { relabelfrom };
-allow vold app_fusefs:filesystem { relabelfrom relabelto };
-allow vold app_fusefs:filesystem { mount unmount };
-allow vold app_fuse_file:dir rw_dir_perms;
-allow vold app_fuse_file:file { read write open getattr append };
-
-# MoveTask.cpp executes cp and rm
-allow vold toolbox_exec:file rx_file_perms;
-
-# Prepare profile dir for users.
-allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
-
-# Raw writes to misc block device
-allow vold misc_block_device:blk_file w_file_perms;
-
-# vold might need to search or mount /mnt/vendor/*
-allow vold mnt_vendor_file:dir search;
-
-dontaudit vold self:global_capability_class_set sys_resource;
-
-# Allow ReadDefaultFstab().
-read_fstab(vold)
-
-# vold might need to search loopback apex files
-allow vold vendor_apex_file:file r_file_perms;
-
-neverallow {
-    domain
-    -vold
-    -vold_prepare_subdirs
-} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
-
-neverallow {
-    domain
-    -init
-    -vold
-    -vold_prepare_subdirs
-} vold_data_file:dir *;
-
-neverallow {
-    domain
-    -init
-    -vold
-} vold_metadata_file:dir *;
-
-neverallow {
-    domain
-    -kernel
-    -vold
-    -vold_prepare_subdirs
-} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
-    domain
-    -init
-    -vold
-    -vold_prepare_subdirs
-} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
-    domain
-    -init
-    -kernel
-    -vold
-    -vold_prepare_subdirs
-} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
-
-neverallow { domain -vold -init } restorecon_prop:property_service set;
-
-neverallow vold {
-  domain
-  -hal_health_storage_server
-  -hal_keymaster_server
-  -system_suspend_server
-  -hal_bootctl_server
-  -healthd
-  -hwservicemanager
-  -iorapd_service
-  -keystore
-  -servicemanager
-  -system_server
-  userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow vold fsck_exec:file execute_no_trans;
-neverallow { domain -init } vold:process { transition dyntransition };
-neverallow vold *:process ptrace;
-neverallow vold *:rawip_socket *;
diff --git a/microdroid/sepolicy/system/public/vold_prepare_subdirs.te b/microdroid/sepolicy/system/public/vold_prepare_subdirs.te
deleted file mode 100644
index 3087fa8..0000000
--- a/microdroid/sepolicy/system/public/vold_prepare_subdirs.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# SELinux directory creation and labelling for vold-managed directories
-
-type vold_prepare_subdirs, domain;
-type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
-
-typeattribute vold_prepare_subdirs coredomain;
diff --git a/microdroid/sepolicy/system/public/vr_hwc.te b/microdroid/sepolicy/system/public/vr_hwc.te
deleted file mode 100644
index c146887..0000000
--- a/microdroid/sepolicy/system/public/vr_hwc.te
+++ /dev/null
@@ -1,33 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, system_file_type, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
-
-allow vr_hwc vrflinger_vsync_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/watchdogd.te b/microdroid/sepolicy/system/public/watchdogd.te
deleted file mode 100644
index 72e3685..0000000
--- a/microdroid/sepolicy/system/public/watchdogd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
-type watchdogd_exec, system_file_type, exec_type, file_type;
-
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/public/webview_zygote.te b/microdroid/sepolicy/system/public/webview_zygote.te
deleted file mode 100644
index ace3a01..0000000
--- a/microdroid/sepolicy/system/public/webview_zygote.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-type webview_zygote, domain;
-type webview_zygote_exec, exec_type, file_type;
-type webview_zygote_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/wificond.te b/microdroid/sepolicy/system/public/wificond.te
deleted file mode 100644
index 254fcbc..0000000
--- a/microdroid/sepolicy/system/public/wificond.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# wificond
-type wificond, domain;
-type wificond_exec, system_file_type, exec_type, file_type;
-
-binder_use(wificond)
-binder_call(wificond, system_server)
-binder_call(wificond, keystore)
-
-add_service(wificond, wifinl80211_service)
-
-# create sockets to set interfaces up and down
-allow wificond self:udp_socket create_socket_perms;
-# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
-allow wificond self:global_capability_class_set { net_admin net_raw };
-# allow wificond to speak to nl80211 in the kernel
-allow wificond self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-r_dir_file(wificond, proc_net_type)
-
-# allow wificond to check permission for dumping logs
-allow wificond permission_service:service_manager find;
-
-# dumpstate support
-allow wificond dumpstate:fd use;
-allow wificond dumpstate:fifo_file write;
-
-#### Offer the Wifi Keystore HwBinder service ###
-hwbinder_use(wificond)
-typeattribute wificond wifi_keystore_service_server;
-add_hwservice(wificond, system_wifi_keystore_hwservice)
-
-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
-# Allow keystore2 binder access to serve the HwBinder service.
-allow wificond wifi_key:keystore2_key {
-    get_info
-    use
-};
diff --git a/microdroid/sepolicy/system/public/wpantund.te b/microdroid/sepolicy/system/public/wpantund.te
deleted file mode 100644
index 8ddd693..0000000
--- a/microdroid/sepolicy/system/public/wpantund.te
+++ /dev/null
@@ -1,29 +0,0 @@
-type wpantund, domain;
-type wpantund_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(wpantund, hal_lowpan)
-net_domain(wpantund)
-
-binder_use(wpantund)
-binder_call(wpantund, system_server)
-
-# wpantund needs to be able to check in with the lowpan_service
-allow wpantund lowpan_service:service_manager find;
-
-# Allow wpantund to call any callbacks that have been registered with it.
-# Generally, only privileged apps are able to register callbacks with
-# wpantund, so we are limiting the scope for callbacks to only privileged
-# apps. We also add shell to allow the command-line utility `lowpanctl`
-# to work properly from `adb shell`.
-allow wpantund {priv_app shell}:binder call;
-
-# create sockets to set interfaces up and down, add multicast groups, etc.
-allow wpantund self:udp_socket create_socket_perms;
-
-# setting interface state up/down and changing MTU are privileged ioctls
-allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
-
-# Allow us to bring up a TUN network interface.
-allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:global_capability_class_set { net_admin net_raw };
-allow wpantund self:tun_socket create;
diff --git a/microdroid/sepolicy/system/public/zygote.te b/microdroid/sepolicy/system/public/zygote.te
deleted file mode 100644
index 071354e..0000000
--- a/microdroid/sepolicy/system/public/zygote.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# zygote
-type zygote, domain;
-type zygote_tmpfs, file_type;
-type zygote_exec, system_file_type, exec_type, file_type;