Add microdroid specific sepolicy
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/system/public/adbd.te b/microdroid/sepolicy/system/public/adbd.te
new file mode 100644
index 0000000..5056b35
--- /dev/null
+++ b/microdroid/sepolicy/system/public/adbd.te
@@ -0,0 +1,13 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain;
+type adbd_exec, exec_type, file_type, system_file_type;
+
+# Only init is allowed to enter the adbd domain via exec()
+neverallow { domain -init } adbd:process transition;
+neverallow * adbd:process dyntransition;
+
+# Access /data/local/tests.
+allow adbd shell_test_data_file:dir create_dir_perms;
+allow adbd shell_test_data_file:file create_file_perms;
+allow adbd shell_test_data_file:lnk_file create_file_perms;
diff --git a/microdroid/sepolicy/system/public/aidl_lazy_test_server.te b/microdroid/sepolicy/system/public/aidl_lazy_test_server.te
new file mode 100644
index 0000000..626d008
--- /dev/null
+++ b/microdroid/sepolicy/system/public/aidl_lazy_test_server.te
@@ -0,0 +1,9 @@
+type aidl_lazy_test_server, domain;
+type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+ binder_use(aidl_lazy_test_server)
+ binder_call(aidl_lazy_test_server, binderservicedomain)
+
+ add_service(aidl_lazy_test_server, aidl_lazy_test_service)
+')
diff --git a/microdroid/sepolicy/system/public/apexd.te b/microdroid/sepolicy/system/public/apexd.te
new file mode 100644
index 0000000..53bc569
--- /dev/null
+++ b/microdroid/sepolicy/system/public/apexd.te
@@ -0,0 +1,11 @@
+# apexd -- manager for APEX packages
+type apexd, domain;
+type apexd_exec, exec_type, file_type, system_file_type;
+
+binder_use(apexd)
+add_service(apexd, apex_service)
+
+neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+
+neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/microdroid/sepolicy/system/public/app.te b/microdroid/sepolicy/system/public/app.te
new file mode 100644
index 0000000..ae8d7fd
--- /dev/null
+++ b/microdroid/sepolicy/system/public/app.te
@@ -0,0 +1,597 @@
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+type appdomain_tmpfs, file_type;
+
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# For AppFuse.
+allow appdomain vold:fd use;
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
+allow appdomain system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
+allow { appdomain -ephemeral_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write map };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write map };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read map };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read map };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Allow apps to send information to statsd socket.
+unix_socket_send(appdomain, statsdw, statsd)
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -system_app
+ -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+ auditallow {
+ appdomain
+ -ephemeral_app
+ -isolated_app
+ -platform_app
+ -priv_app
+ -shell
+ -su
+ -system_app
+ -untrusted_app_all
+ } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read map };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write map };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
+
+# Block device access.
+neverallow appdomain dev_type:blk_file { read write };
+
+# Access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+ video_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc } nfc_device:chr_file
+ { read write };
+neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
+ { read write };
+neverallow appdomain tee_device:chr_file { read write };
+
+# Privileged netlink socket interfaces.
+neverallow { appdomain -network_stack }
+ domain:{
+ netlink_tcpdiag_socket
+ netlink_nflog_socket
+ netlink_xfrm_socket
+ netlink_audit_socket
+ netlink_dnrt_socket
+ } *;
+
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow appdomain socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow appdomain adbd_socket:sock_file write;
+neverallow { appdomain -radio } rild_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow appdomain { domain -appdomain }:process ptrace;
+
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces. llkd is excluded, as it needs ptrace access to
+# inspect stack traces for live lock conditions.
+
+neverallow {
+ domain
+ -appdomain
+ -crash_dump
+ userdebug_or_eng(`-llkd')
+} appdomain:process ptrace;
+
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+# -perfetto is to allow shell (which is an appdomain) to kill perfetto
+# (see private/shell.te).
+neverallow appdomain { domain -appdomain -perfetto }:process
+ { sigkill sigstop signal };
+
+# Write to rootfs.
+neverallow appdomain rootfs:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow appdomain system_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow appdomain exec_type:file
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts. Define a different type for portions
+# that should be writable by apps.
+neverallow appdomain system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow appdomain drm_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell }
+ shell_data_file:dir_file_class_set
+ { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth }
+ bluetooth_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
+neverallow appdomain
+ keystore_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ systemkeys_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ dhcp_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# access tmp apk files
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+ { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
+
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+
+# Access to factory files.
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc }
+ sysfs:dir_file_class_set write;
+neverallow appdomain
+ proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow appdomain fs_type:filesystem ~getattr;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+ apk_data_file
+ cache_file
+ cache_recovery_file
+ dev_type
+ rootfs
+ system_file
+ tmpfs
+}:lnk_file no_w_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+ appdomain
+ -shell # bugreport
+} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+ appdomain
+ -bluetooth
+ -system_app
+} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+
+# Apps cannot access proc_uid_time_in_state
+neverallow appdomain proc_uid_time_in_state:file *;
+
+# Apps cannot access proc_uid_concurrent_active_time
+neverallow appdomain proc_uid_concurrent_active_time:file *;
+
+# Apps cannot access proc_uid_concurrent_policy_time
+neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
+# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
+# perform UID lookups.
+neverallow { appdomain -shell } proc_net_tcp_udp:file *;
+
+# Apps cannot access bootstrap files. The bootstrap files are only for
+# extremely early processes (like init, etc.) which are started before
+# the runtime APEX is activated and Bionic libs are provided from there.
+# If app process accesses (or even load/execute) the bootstrap files,
+# it might cause problems such as ODR violation, etc.
+neverallow appdomain system_bootstrap_lib_file:file
+ { open read write append execute execute_no_trans map };
+neverallow appdomain system_bootstrap_lib_file:dir
+ { open read getattr search };
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
diff --git a/microdroid/sepolicy/system/public/app_zygote.te b/microdroid/sepolicy/system/public/app_zygote.te
new file mode 100644
index 0000000..4c1ec96
--- /dev/null
+++ b/microdroid/sepolicy/system/public/app_zygote.te
@@ -0,0 +1,6 @@
+# app_zygote is an auxiliary zygote process that is used to spawn
+# isolated service processes for individual applications. It is
+# spawned from the regular zygote process as a "child zygote".
+
+type app_zygote, domain;
+type app_zygote_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/asan_extract.te b/microdroid/sepolicy/system/public/asan_extract.te
new file mode 100644
index 0000000..d8a1b73
--- /dev/null
+++ b/microdroid/sepolicy/system/public/asan_extract.te
@@ -0,0 +1,33 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+ type asan_extract, domain, coredomain;
+ type asan_extract_exec, exec_type, file_type, system_file_type;
+
+ # Allow asan_extract to execute itself using #!/system/bin/sh
+ allow asan_extract shell_exec:file rx_file_perms;
+
+ # We execute log, rm, gzip and tar.
+ allow asan_extract toolbox_exec:file rx_file_perms;
+ allow asan_extract system_file:file execute_no_trans;
+
+ # asan_extract deletes old /data/lib.
+ allow asan_extract system_file:dir { open read remove_name rmdir write };
+ allow asan_extract system_file:file unlink;
+
+ # asan_extract untars ASAN libraries into /data.
+ allow asan_extract system_data_file:dir create_dir_perms ;
+ allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+ # Relabel the libraries with restorecon.
+ allow asan_extract file_contexts_file:file r_file_perms;
+ allow asan_extract system_data_file:{ dir file } relabelfrom;
+ allow asan_extract system_file:dir { relabelto setattr };
+ allow asan_extract system_file:file relabelto;
+
+ # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+ allow asan_extract system_data_file:file execute;
+')
diff --git a/microdroid/sepolicy/system/public/atrace.te b/microdroid/sepolicy/system/public/atrace.te
new file mode 100644
index 0000000..7327f84
--- /dev/null
+++ b/microdroid/sepolicy/system/public/atrace.te
@@ -0,0 +1 @@
+type atrace, domain, coredomain;
diff --git a/microdroid/sepolicy/system/public/attributes b/microdroid/sepolicy/system/public/attributes
new file mode 100644
index 0000000..daef4bb
--- /dev/null
+++ b/microdroid/sepolicy/system/public/attributes
@@ -0,0 +1,394 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# in tools/checkfc.c
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute fs_type;
+
+# All types used for context= mounts.
+attribute contextmount_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+expandattribute data_file_type false;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+expandattribute core_data_file_type false;
+
+# All types used for app private data files in seapp_contexts.
+# Such types should not be applied to any other files.
+attribute app_data_file_type;
+expandattribute app_data_file_type false;
+
+# All types in /system
+attribute system_file_type;
+
+# All types in /vendor
+attribute vendor_file_type;
+
+# All types used for procfs files.
+attribute proc_type;
+expandattribute proc_type false;
+
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
+# All types used for sysfs files.
+attribute sysfs_type;
+
+# All types use for debugfs files.
+attribute debugfs_type;
+
+# All types used for tracefs files.
+attribute tracefs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+# On change, update CHECK_PC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute property_type;
+
+# All properties defined in core SELinux policy. Should not be
+# used by device specific properties
+attribute core_property_type;
+
+# All properties used to configure log filtering.
+attribute log_property_type;
+
+# All properties that are not specific to device but are added from
+# outside of AOSP. (e.g. OEM-specific properties)
+# These properties are not accessible from device-specific domains
+attribute extended_core_property_type;
+
+# Properties used for representing ownership. All properties should have one
+# of: system_property_type, product_property_type, or vendor_property_type.
+
+# All properties defined by /system.
+attribute system_property_type;
+expandattribute system_property_type false;
+
+# All /system-defined properties used only in /system.
+attribute system_internal_property_type;
+expandattribute system_internal_property_type false;
+
+# All /system-defined properties which can't be written outside /system.
+attribute system_restricted_property_type;
+expandattribute system_restricted_property_type false;
+
+# All /system-defined properties with no restrictions.
+attribute system_public_property_type;
+expandattribute system_public_property_type false;
+
+# All keystore2_key labels.
+attribute keystore2_key_type;
+
+# All properties defined by /product.
+# Currently there are no enforcements between /system and /product, so for now
+# /product attributes are just replaced to /system attributes.
+define(`product_property_type', `system_property_type')
+define(`product_internal_property_type', `system_internal_property_type')
+define(`product_restricted_property_type', `system_restricted_property_type')
+define(`product_public_property_type', `system_public_property_type')
+
+# All properties defined by /vendor.
+attribute vendor_property_type;
+expandattribute vendor_property_type false;
+
+# All /vendor-defined properties used only in /vendor.
+attribute vendor_internal_property_type;
+expandattribute vendor_internal_property_type false;
+
+# All /vendor-defined properties which can't be written outside /vendor.
+attribute vendor_restricted_property_type;
+expandattribute vendor_restricted_property_type false;
+
+# All /vendor-defined properties with no restrictions.
+attribute vendor_public_property_type;
+expandattribute vendor_public_property_type false;
+
+# All service_manager types created by system_server
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which should be available to all ephemeral apps
+attribute ephemeral_app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
+
+# services which are explicitly disallowed for untrusted apps to access
+attribute protected_service;
+
+# services which served by vendor and also using the copy of libbinder on
+# system (for instance via libbinder_ndk). services using a different copy
+# of libbinder currently need their own context manager (e.g.
+# vndservicemanager)
+attribute vendor_service;
+
+# All types used for services managed by servicemanager.
+# On change, update CHECK_SC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute service_manager_type;
+
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
+# All HwBinder services that untrusted apps can't directly access
+attribute protected_hwservice;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All third party apps (except isolated_app and ephemeral_app)
+attribute untrusted_app_all;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# update_engine related domains that need to apply an update and run
+# postinstall. This includes the background daemon and the sideload tool from
+# recovery for A/B devices.
+attribute update_engine_common;
+
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All vendor hwservice.
+attribute vendor_hwservice_type;
+
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+expandattribute coredomain_socket false;
+
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+expandattribute socket_between_core_and_vendor_violators false;
+
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+expandattribute vendor_executes_system_violators false;
+
+# All domains which violate the requirement of not sharing files by path
+# between between vendor and core domains.
+# TODO(b/34980020)
+attribute data_between_core_and_vendor_violators;
+expandattribute data_between_core_and_vendor_violators false;
+
+# All system domains which violate the requirement of not executing vendor
+# binaries/libraries.
+# TODO(b/62041836)
+attribute system_executes_vendor_violators;
+expandattribute system_executes_vendor_violators false;
+
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
+# All system domains which violate the requirement of not writing to
+# /mnt/vendor/*. Must not be used on devices launched with P or later.
+attribute system_writes_mnt_vendor_violators;
+expandattribute system_writes_mnt_vendor_violators false;
+
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice_violators;
+expandattribute untrusted_app_visible_hwservice_violators false;
+
+# halserver domains that are accessible to untrusted applications. These
+# domains are typically those hosting hwservices attributed by the
+# untrusted_app_visible_hwservice_violators.
+# WARNING: Use of this attribute should be avoided unless absolutely necessary.
+# It is a temporary allowance to aid the transition to treble and will be
+# removed in the future platform version, requiring all halserver domains that
+# are labeled with this attribute to be submitted to AOSP in order to maintain
+# their app-visibility.
+attribute untrusted_app_visible_halserver_violators;
+expandattribute untrusted_app_visible_halserver_violators false;
+
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+expandattribute pdx_endpoint_socket_type false;
+attribute pdx_channel_socket_type;
+expandattribute pdx_channel_socket_type false;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(bufferhub_client)
+
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
+expandattribute halclientdomain true;
+
+# Exempt for halserverdomain to access sockets. Only builds for automotive
+# device types are allowed to use this attribute (enforced by CTS).
+# Unlike phone, in a car many modules are external from Android perspective and
+# HALs should be able to communicate with those devices through sockets.
+attribute hal_automotive_socket_exemption;
+
+# HALs
+hal_attribute(allocator);
+hal_attribute(atrace);
+hal_attribute(audio);
+hal_attribute(audiocontrol);
+hal_attribute(authsecret);
+hal_attribute(bluetooth);
+hal_attribute(bootctl);
+hal_attribute(bufferhub);
+hal_attribute(broadcastradio);
+hal_attribute(camera);
+hal_attribute(can_bus);
+hal_attribute(can_controller);
+hal_attribute(cas);
+hal_attribute(codec2);
+hal_attribute(configstore);
+hal_attribute(confirmationui);
+hal_attribute(contexthub);
+hal_attribute(drm);
+hal_attribute(dumpstate);
+hal_attribute(evs);
+hal_attribute(face);
+hal_attribute(fingerprint);
+hal_attribute(gatekeeper);
+hal_attribute(gnss);
+hal_attribute(graphics_allocator);
+hal_attribute(graphics_composer);
+hal_attribute(health);
+hal_attribute(health_storage);
+hal_attribute(identity);
+hal_attribute(input_classifier);
+hal_attribute(ir);
+hal_attribute(keymaster);
+hal_attribute(keymint);
+hal_attribute(light);
+hal_attribute(lowpan);
+hal_attribute(memtrack);
+hal_attribute(neuralnetworks);
+hal_attribute(nfc);
+hal_attribute(oemlock);
+hal_attribute(omx);
+hal_attribute(power);
+hal_attribute(power_stats);
+hal_attribute(rebootescrow);
+hal_attribute(secure_element);
+hal_attribute(sensors);
+hal_attribute(telephony);
+hal_attribute(tetheroffload);
+hal_attribute(thermal);
+hal_attribute(tv_cec);
+hal_attribute(tv_input);
+hal_attribute(tv_tuner);
+hal_attribute(usb);
+hal_attribute(usb_gadget);
+hal_attribute(vehicle);
+hal_attribute(vibrator);
+hal_attribute(vr);
+hal_attribute(weaver);
+hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
+hal_attribute(wifi_supplicant);
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute automotive_display_service_server;
+attribute camera_service_server;
+attribute display_service_server;
+attribute scheduler_service_server;
+attribute sensor_service_server;
+attribute stats_service_server;
+attribute system_suspend_internal_server;
+attribute system_suspend_server;
+attribute wifi_keystore_service_server;
+
+# All types used for super partition block devices.
+attribute super_block_device_type;
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;
+expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
diff --git a/microdroid/sepolicy/system/public/audioserver.te b/microdroid/sepolicy/system/public/audioserver.te
new file mode 100644
index 0000000..a8a33cc
--- /dev/null
+++ b/microdroid/sepolicy/system/public/audioserver.te
@@ -0,0 +1,6 @@
+# audioserver - audio services daemon
+type audioserver, domain;
+type audioserver_tmpfs, file_type;
+
+# Allow audioserver to signal audio HAL processes and dump their stacks.
+allow audioserver hal_audio_server:process signal;
diff --git a/microdroid/sepolicy/system/public/blkid.te b/microdroid/sepolicy/system/public/blkid.te
new file mode 100644
index 0000000..dabe014
--- /dev/null
+++ b/microdroid/sepolicy/system/public/blkid.te
@@ -0,0 +1,2 @@
+# blkid called from vold
+type blkid, domain;
diff --git a/microdroid/sepolicy/system/public/blkid_untrusted.te b/microdroid/sepolicy/system/public/blkid_untrusted.te
new file mode 100644
index 0000000..4be4c0c
--- /dev/null
+++ b/microdroid/sepolicy/system/public/blkid_untrusted.te
@@ -0,0 +1,2 @@
+# blkid for untrusted block devices
+type blkid_untrusted, domain;
diff --git a/microdroid/sepolicy/system/public/bluetooth.te b/microdroid/sepolicy/system/public/bluetooth.te
new file mode 100644
index 0000000..9b3442a
--- /dev/null
+++ b/microdroid/sepolicy/system/public/bluetooth.te
@@ -0,0 +1,2 @@
+# bluetooth subsystem
+type bluetooth, domain;
diff --git a/microdroid/sepolicy/system/public/bootanim.te b/microdroid/sepolicy/system/public/bootanim.te
new file mode 100644
index 0000000..88fe173
--- /dev/null
+++ b/microdroid/sepolicy/system/public/bootanim.te
@@ -0,0 +1,43 @@
+# bootanimation oneshot service
+type bootanim, domain;
+type bootanim_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(bootanim, hal_configstore)
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+binder_call(bootanim, audioserver)
+
+hwbinder_use(bootanim)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
+
+# /oem access
+allow bootanim oemfs:dir search;
+allow bootanim oemfs:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
+
+allow bootanim audioserver_service:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
+allow bootanim surfaceflinger:unix_stream_socket { read write };
+
+# Allow access to ion memory allocation device
+allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow bootanim hal_graphics_allocator:fd use;
+
+# Fences
+allow bootanim hal_graphics_composer:fd use;
+
+# Read access to pseudo filesystems.
+allow bootanim proc_meminfo:file r_file_perms;
+
+# System file accesses.
+allow bootanim system_file:dir r_dir_perms;
diff --git a/microdroid/sepolicy/system/public/bootstat.te b/microdroid/sepolicy/system/public/bootstat.te
new file mode 100644
index 0000000..5079c28
--- /dev/null
+++ b/microdroid/sepolicy/system/public/bootstat.te
@@ -0,0 +1,32 @@
+# bootstat command
+type bootstat, domain;
+type bootstat_exec, system_file_type, exec_type, file_type;
+
+read_runtime_log_tags(bootstat)
+
+# Allow persistent storage in /data/misc/bootstat.
+allow bootstat bootstat_data_file:dir rw_dir_perms;
+allow bootstat bootstat_data_file:file create_file_perms;
+
+allow bootstat metadata_file:dir search;
+allow bootstat metadata_bootstat_file:dir rw_dir_perms;
+allow bootstat metadata_bootstat_file:file create_file_perms;
+
+# ToDo: TBI move access for the following to a system health HAL
+
+# Allow access to /sys/fs/pstore/ and syslog
+allow bootstat pstorefs:dir search;
+allow bootstat pstorefs:file r_file_perms;
+allow bootstat kernel:system syslog_read;
+
+# Allow access to reading the logs to read aspects of system health
+read_logd(bootstat)
+
+# Allow bootstat write to statsd.
+unix_socket_send(bootstat, statsdw, statsd)
+
+neverallow {
+ domain
+ -bootstat
+ -init
+} system_boot_reason_prop:property_service set;
diff --git a/microdroid/sepolicy/system/public/bufferhubd.te b/microdroid/sepolicy/system/public/bufferhubd.te
new file mode 100644
index 0000000..37edb5d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/bufferhubd.te
@@ -0,0 +1,25 @@
+# bufferhubd
+type bufferhubd, domain, mlstrustedsubject;
+type bufferhubd_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
+# TODO(b/112338294): remove these after migrate to Binder
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
+
+# Access the GPU.
+allow bufferhubd gpu_device:chr_file rw_file_perms;
+
+# Access /dev/ion
+allow bufferhubd ion_device:chr_file r_file_perms;
+
+# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
+# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
+# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
+# Thus, there is no need to use pdx_client macro.
+allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/microdroid/sepolicy/system/public/camera_service_server.te b/microdroid/sepolicy/system/public/camera_service_server.te
new file mode 100644
index 0000000..352e1b7
--- /dev/null
+++ b/microdroid/sepolicy/system/public/camera_service_server.te
@@ -0,0 +1 @@
+add_hwservice(camera_service_server, fwk_camera_hwservice)
diff --git a/microdroid/sepolicy/system/public/cameraserver.te b/microdroid/sepolicy/system/public/cameraserver.te
new file mode 100644
index 0000000..7a29240
--- /dev/null
+++ b/microdroid/sepolicy/system/public/cameraserver.te
@@ -0,0 +1,76 @@
+# cameraserver - camera daemon
+type cameraserver, domain;
+type cameraserver_exec, system_file_type, exec_type, file_type;
+type cameraserver_tmpfs, file_type;
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+hal_client_domain(cameraserver, hal_camera)
+
+hal_client_domain(cameraserver, hal_graphics_allocator)
+
+allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
+add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
+
+allow cameraserver activity_service:service_manager find;
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver package_native_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+allow cameraserver shell:fd use;
+allow cameraserver shell:unix_stream_socket { read write };
+allow cameraserver shell:fifo_file { read write };
+
+# Allow to talk with media codec
+allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
+hal_client_domain(cameraserver, hal_omx)
+hal_client_domain(cameraserver, hal_allocator)
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow cameraserver su:fd use;
+ allow cameraserver su:fifo_file { read write };
+ allow cameraserver su:unix_stream_socket { read write };
+')
diff --git a/microdroid/sepolicy/system/public/charger.te b/microdroid/sepolicy/system/public/charger.te
new file mode 100644
index 0000000..37359e3
--- /dev/null
+++ b/microdroid/sepolicy/system/public/charger.te
@@ -0,0 +1,40 @@
+type charger, domain;
+type charger_exec, system_file_type, exec_type, file_type;
+
+# Write to /dev/kmsg
+allow charger kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger, rootfs)
+r_dir_file(charger, cgroup)
+r_dir_file(charger, cgroup_v2)
+
+# Allow to read /sys/class/power_supply directory
+allow charger sysfs_type:dir r_dir_perms;
+
+allow charger self:global_capability_class_set { sys_tty_config };
+allow charger self:global_capability_class_set sys_boot;
+
+wakelock_use(charger)
+
+allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Read/write to /sys/power/state
+allow charger sysfs_power:file rw_file_perms;
+
+r_dir_file(charger, sysfs_batteryinfo)
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger pstorefs:dir r_dir_perms;
+allow charger pstorefs:file r_file_perms;
+
+allow charger graphics_device:dir r_dir_perms;
+allow charger graphics_device:chr_file rw_file_perms;
+allow charger input_device:dir r_dir_perms;
+allow charger input_device:chr_file r_file_perms;
+allow charger tty_device:chr_file rw_file_perms;
+allow charger proc_sysrq:file rw_file_perms;
+
+hal_client_domain(charger, hal_health)
diff --git a/microdroid/sepolicy/system/public/crash_dump.te b/microdroid/sepolicy/system/public/crash_dump.te
new file mode 100644
index 0000000..a6f0a94
--- /dev/null
+++ b/microdroid/sepolicy/system/public/crash_dump.te
@@ -0,0 +1,78 @@
+type crash_dump, domain;
+type crash_dump_exec, system_file_type, exec_type, file_type;
+
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+userdebug_or_eng(`
+ allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+
+ # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
+ allow crash_dump kmsg_debug_device:chr_file { open append };
+')
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow crash_dump dalvikcache_data_file:dir { search getattr };
+allow crash_dump dalvikcache_data_file:file r_file_perms;
+
+# Read APEX data directories.
+allow crash_dump apex_module_data_file:dir { getattr search };
+
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Talk to ActivityManager.
+unix_socket_connect(crash_dump, system_ndebug, system_server)
+
+# Append to ANR files.
+allow crash_dump anr_data_file:file { append getattr };
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+# crash_dump writes out logcat logs at the bottom of tombstones,
+# which is super useful in some cases.
+unix_socket_connect(crash_dump, logdr, logd)
+
+# Crash dump is not intended to access the following files. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+ core_data_file_type
+ vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
+dontaudit crash_dump property_type:file read;
+
+# Suppress denials for files in /proc that are passed
+# across exec().
+dontaudit crash_dump proc_type:file rw_file_perms;
+
+###
+### neverallow assertions
+###
+
+# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
+# Do not allow the execution of crash_dump without a domain transition.
+neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/microdroid/sepolicy/system/public/credstore.te b/microdroid/sepolicy/system/public/credstore.te
new file mode 100644
index 0000000..97d942d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/credstore.te
@@ -0,0 +1,19 @@
+type credstore, domain;
+type credstore_exec, system_file_type, exec_type, file_type;
+
+# credstore daemon
+binder_use(credstore)
+binder_service(credstore)
+binder_call(credstore, system_server)
+
+allow credstore credstore_data_file:dir create_dir_perms;
+allow credstore credstore_data_file:file create_file_perms;
+
+add_service(credstore, credstore_service)
+allow credstore sec_key_att_app_id_provider_service:service_manager find;
+allow credstore dropbox_service:service_manager find;
+allow credstore authorization_service:service_manager find;
+allow credstore keystore:keystore2 get_auth_token;
+
+r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/device.te b/microdroid/sepolicy/system/public/device.te
new file mode 100644
index 0000000..686f955
--- /dev/null
+++ b/microdroid/sepolicy/system/public/device.te
@@ -0,0 +1,123 @@
+# Device types
+type device, dev_type, fs_type;
+type ashmem_device, dev_type, mlstrustedobject;
+type ashmem_libcutils_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
+type keychord_device, dev_type;
+type loop_control_device, dev_type;
+type loop_device, dev_type;
+type pmsg_device, dev_type, mlstrustedobject;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type rtc_device, dev_type;
+type vd_device, dev_type;
+type vold_device, dev_type;
+type console_device, dev_type;
+type fscklogs, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
+type graphics_device, dev_type;
+type hw_random_device, dev_type;
+type input_device, dev_type;
+type port_device, dev_type;
+type lowpan_device, dev_type;
+type mtp_device, dev_type, mlstrustedobject;
+type nfc_device, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type kmsg_device, dev_type, mlstrustedobject;
+type kmsg_debug_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type, mlstrustedobject;
+type secure_element_device, dev_type;
+type sensors_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
+type tty_device, dev_type;
+type video_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
+type fuse_device, dev_type, mlstrustedobject;
+type iio_device, dev_type;
+type ion_device, dev_type, mlstrustedobject;
+type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type qtaguid_device, dev_type;
+type watchdog_device, dev_type;
+type uhid_device, dev_type, mlstrustedobject;
+type uio_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type usbaccessory_device, dev_type, mlstrustedobject;
+type usb_device, dev_type, mlstrustedobject;
+type usb_serial_device, dev_type;
+type gnss_device, dev_type;
+type properties_device, dev_type;
+type properties_serial, dev_type;
+type property_info, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;
+
+# Partition layout block device
+type root_block_device, dev_type;
+
+# factory reset protection block device
+type frp_block_device, dev_type;
+
+# System block device mounted on /system.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type system_block_device, dev_type;
+
+# Recovery block device.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type recovery_block_device, dev_type;
+
+# boot block device.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type boot_block_device, dev_type;
+
+# Userdata block device mounted on /data.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type userdata_block_device, dev_type;
+
+# Cache block device mounted on /cache.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type cache_block_device, dev_type;
+
+# Block device for any swap partition.
+type swap_block_device, dev_type;
+
+# Metadata block device used for encryption metadata.
+# Assign this type to the partition specified by the encryptable=
+# mount option in your fstab file in the entry for userdata.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type metadata_block_device, dev_type;
+
+# The 'misc' partition used by recovery and A/B.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type misc_block_device, dev_type;
+
+# 'super' partition to be used for logical partitioning.
+type super_block_device, super_block_device_type, dev_type;
+
+# sdcard devices; normally vold uses the vold_block_device label and creates a
+# separate device node. gsid, however, accesses the original devide node
+# created through uevents, so we use a separate label.
+type sdcard_block_device, dev_type;
+
+# Userdata device file for filesystem tunables
+type userdata_sysdev, dev_type;
diff --git a/microdroid/sepolicy/system/public/dhcp.te b/microdroid/sepolicy/system/public/dhcp.te
new file mode 100644
index 0000000..1d875ab
--- /dev/null
+++ b/microdroid/sepolicy/system/public/dhcp.te
@@ -0,0 +1,28 @@
+type dhcp, domain;
+type dhcp_exec, system_file_type, exec_type, file_type;
+
+net_domain(dhcp)
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms_no_ioctl;
+allow dhcp self:netlink_route_socket nlmsg_write;
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
+
+# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
+allow dhcp toolbox_exec:file rx_file_perms;
+
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net_type:file write;
+
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/microdroid/sepolicy/system/public/display_service_server.te b/microdroid/sepolicy/system/public/display_service_server.te
new file mode 100644
index 0000000..c5839fa
--- /dev/null
+++ b/microdroid/sepolicy/system/public/display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/microdroid/sepolicy/system/public/dnsmasq.te b/microdroid/sepolicy/system/public/dnsmasq.te
new file mode 100644
index 0000000..86f1eb1
--- /dev/null
+++ b/microdroid/sepolicy/system/public/dnsmasq.te
@@ -0,0 +1,28 @@
+# DNS, DHCP services
+type dnsmasq, domain;
+type dnsmasq_exec, system_file_type, exec_type, file_type;
+
+net_domain(dnsmasq)
+allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
+
+# TODO: Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
+
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
+
+allow dnsmasq dhcp_data_file:dir w_dir_perms;
+allow dnsmasq dhcp_data_file:file create_file_perms;
+
+# Inherit and use open files from netd.
+allow dnsmasq netd:fd use;
+allow dnsmasq netd:fifo_file { getattr read write };
+# TODO: Investigate whether these inherited sockets should be closed on exec.
+allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
+allow dnsmasq netd:netlink_nflog_socket { read write };
+allow dnsmasq netd:netlink_route_socket { read write };
+allow dnsmasq netd:unix_stream_socket { getattr read write };
+allow dnsmasq netd:unix_dgram_socket { read write };
+allow dnsmasq netd:udp_socket { read write };
+
+# sometimes a network device vanishes and we try to load module netdev-{devicename}
+dontaudit dnsmasq kernel:system module_request;
diff --git a/microdroid/sepolicy/system/public/domain.te b/microdroid/sepolicy/system/public/domain.te
new file mode 100644
index 0000000..d84abf1
--- /dev/null
+++ b/microdroid/sepolicy/system/public/domain.te
@@ -0,0 +1,1400 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net_type:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+userdebug_or_eng(`
+ allow domain su:fd use;
+ allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
+ allow domain su:unix_dgram_socket sendto;
+
+ allow { domain -init } su:binder { call transfer };
+
+ # Running something like "pm dump com.android.bluetooth" requires
+ # fifo writes
+ allow domain su:fifo_file { write getattr };
+
+ # allow "gdbserver --attach" to work for su.
+ allow domain su:process sigchld;
+
+ # Allow writing coredumps to /cores/*
+ allow domain coredump_file:file create_file_perms;
+ allow domain coredump_file:dir ra_dir_perms;
+')
+
+with_native_coverage(`
+ # Allow writing coverage information to /data/misc/trace
+ allow domain method_trace_data_file:dir create_dir_perms;
+ allow domain method_trace_data_file:file create_file_perms;
+')
+
+# Root fs.
+allow domain tmpfs:dir { getattr search };
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain dmabuf_heap_device:dir r_dir_perms;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+
+# /dev/ashmem is being deprecated by means of constraining and eventually
+# removing all "open" permissions. We preserve the other permissions.
+allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
+# This device is used by libcutils, which is accessible to everyone.
+allow domain ashmem_libcutils_device:chr_file rw_file_perms;
+
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
+
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+# Public readable properties
+get_prop(domain, aaudio_config_prop)
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_odm_prop)
+get_prop(domain, build_prop)
+get_prop(domain, build_vendor_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_secure_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, hal_instrumentation_prop)
+get_prop(domain, hw_timeout_multiplier_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, mediadrm_config_prop)
+get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, surfaceflinger_prop)
+get_prop(domain, telephony_status_prop)
+get_prop(domain, vendor_socket_hook_prop)
+get_prop(domain, vndk_prop)
+get_prop(domain, vold_status_prop)
+get_prop(domain, vts_config_prop)
+
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
+get_prop(domain, binder_cache_system_server_prop)
+get_prop(domain, binder_cache_telephony_server_prop)
+
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts_file:file r_file_perms;
+
+allow domain init:key search;
+allow domain vold:key search;
+
+# logd access
+write_logd(domain)
+
+# Directory/link file access for path resolution.
+allow domain {
+ system_file
+ system_lib_file
+ system_seccomp_policy_file
+ system_security_cacerts_file
+}:dir r_dir_perms;
+allow domain system_file:lnk_file { getattr read };
+
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
+
+allow domain system_event_log_tags_file:file r_file_perms;
+
+allow { appdomain coredomain } system_file:file { execute read open getattr map };
+
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+ allow domain system_file:file { execute read open getattr map };
+ allow domain vendor_file_type:dir { search getattr };
+ allow domain vendor_file_type:file { execute read open getattr map };
+ allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow {
+ domain
+ -coredomain # access is explicitly granted to individual coredomains
+} same_process_hal_file:file { execute read open getattr map };
+
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr map };
+
+full_treble_only(`
+ # Allow all domains to be able to follow /system/vendor and/or
+ # /vendor/odm symlinks.
+ allow domain vendor_file_type:lnk_file { getattr open read };
+
+ # This is required to be able to search & read /vendor/lib64
+ # in order to lookup vendor libraries. The execute permission
+ # for coredomains is granted *only* for same process HALs
+ allow domain vendor_file:dir { getattr search };
+
+ # Allow reading and executing out of /vendor to all vendor domains
+ allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+ allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+ allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
+# timezone related information.
+# This directory is considered to be a VNDK-stable
+allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
+allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+r_dir_file(domain, sysfs_usb);
+
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
+# files under /data.
+not_full_treble(`
+ allow domain system_data_file:dir getattr;
+')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
+allow domain system_data_root_file:dir { search getattr } ;
+allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# /dev/cpu_variant:.*
+allow domain dev_cpu_variant:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to an allowlist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this allowlist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default allowlist for unix sockets.
+allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+ ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# All domains must clearly enumerate what ioctls they use
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets). We start off with a safe set.
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
+
+# If a domain has ioctl access to tun_device, it must clearly enumerate the
+# ioctls used. Safe defaults are listed below.
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
+
+# Allow a process to make a determination whether a file descriptor
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this allowlist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
+allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
+# Support sqlite F2FS specific optimizations
+# ioctl permission on the specific file type is still required
+# TODO: consider only compiling these rules if we know the
+# /data partition is F2FS
+allowxperm domain { file_type sdcard_type }:file ioctl {
+ F2FS_IOC_ABORT_VOLATILE_WRITE
+ F2FS_IOC_COMMIT_ATOMIC_WRITE
+ F2FS_IOC_GET_FEATURES
+ F2FS_IOC_GET_PIN_FILE
+ F2FS_IOC_SET_PIN_FILE
+ F2FS_IOC_START_ATOMIC_WRITE
+};
+
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
+
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
+# Under ASAN, /system/asan.options needs to be globally accessible.
+with_asan(`allow domain system_asan_options_file:file r_file_perms;')
+
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir { getattr search };
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# All ioctls on file-like objects (except chr_file and blk_file) and
+# sockets must be restricted to an allowlist.
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
+
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
+# Do not allow any domain other than init to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
+
+# Limit device node creation to these allowed domains.
+neverallow {
+ domain
+ -kernel
+ -init
+ -ueventd
+ -vold
+} self:global_capability_class_set mknod;
+
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow * self:memprotect mmap_zero;
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow * self:global_capability2_class_set mac_override;
+
+# Disallow attempts to set contexts not defined in current policy
+# This helps guarantee that unknown or dangerous contents will not ever
+# be set.
+neverallow * self:global_capability2_class_set mac_admin;
+
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow * kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
+
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow * kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
+# Only the kernel hwrng thread should be able to read from the HW RNG.
+neverallow {
+ domain
+ -shell # For CTS, restricted to just getattr in shell.te
+ -ueventd # To create the /dev/hw_random file
+} hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+ domain
+ -shell # stat of /dev, getattr only
+ -ueventd
+} keychord_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
+
+# The dynamic linker always calls access(2) on the path. Don't generate SElinux
+# denials since the linker does not actually access the path in case the path
+# does not exist or isn't accessible for the process.
+dontaudit domain postinstall_mnt_dir:dir audit_access;
+
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+ domain
+ -shell # Shell user should not have any abilities outside of getattr
+ -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
+
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
+neverallow * vendor_init:binder *;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+neverallow domain device:chr_file { open read write };
+
+# Files from cache should never be executed
+neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+
+# The test files and executables MUST not be accessible to any domain
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
+neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+
+neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
+neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
+neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
+
+# Only the init property service should write to /data/property and /dev/__properties__
+neverallow { domain -init } property_data_file:dir no_w_dir_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
+
+# Nobody should be doing writes to /system & /vendor
+# These partitions are intended to be read-only and must never be
+# modified. Doing so would violate important Android security guarantees
+# and invalidate dm-verity signatures.
+neverallow {
+ domain
+ with_asan(`-asan_extract')
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+} {
+ system_file_type
+ vendor_file_type
+ exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+
+# Don't allow mounting on top of /system files or directories
+neverallow * exec_type:dir_file_class_set mounton;
+
+# Nothing should be writing to files in the rootfs.
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow * contextmount_type:dir_file_class_set
+ { create setattr relabelfrom relabelto append link rename };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
+
+# Do not allow service_manager add for default service labels.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
+neverallow * default_android_service:service_manager *;
+neverallow * default_android_vndservice:service_manager *;
+neverallow * default_android_hwservice:hwservice_manager *;
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
+# Require that domains explicitly label unknown properties, and do not allow
+# anyone but init to modify unknown properties.
+neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;
+
+compatible_property_only(`
+ neverallow { domain -init } mmc_prop:property_service set;
+ neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
+ neverallow { domain -init } exported_secure_prop:property_service set;
+ neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
+ neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
+')
+
+compatible_property_only(`
+ neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
+ neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
+')
+
+neverallow { domain -init } aac_drc_prop:property_service set;
+neverallow { domain -init } build_prop:property_service set;
+
+# Do not allow reading device's serial number from system properties except form
+# a few allowed domains.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -fastbootd
+ -hal_camera_server
+ -hal_cas_server
+ -hal_drm_server
+ userdebug_or_eng(`-incidentd')
+ -init
+ -mediadrmserver
+ -mediaserver
+ -recovery
+ -shell
+ -system_server
+ -vendor_init
+} serialno_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -init
+ -recovery
+ -system_server
+ -shell # Shell is further restricted in shell.te
+ -ueventd # Further restricted in ueventd.te
+} frp_block_device:blk_file no_rw_file_perms;
+
+# The metadata block device is set aside for device encryption and
+# verified boot metadata. It may be reset at will and should not
+# be used by other domains.
+neverallow {
+ domain
+ -init
+ -recovery
+ -vold
+ -e2fs
+ -fsck
+ -fastbootd
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
+
+# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
+neverallow {
+ domain
+ -fastbootd
+ userdebug_or_eng(`-fsck')
+ userdebug_or_eng(`-init')
+ -recovery
+ -update_engine
+} system_block_device:blk_file { write append };
+
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vendor_misc_writer
+ -vold
+ -recovery
+ -ueventd
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
+# The service managers are only allowed to access their own device node
+neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+
+# system services cant add vendor services
+neverallow {
+ coredomain
+} vendor_service:service_manager add;
+
+full_treble_only(`
+ # vendor services cant add system services
+ neverallow {
+ domain
+ -coredomain
+ } {
+ service_manager_type
+ -vendor_service
+ }:service_manager add;
+')
+
+full_treble_only(`
+ # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+ # services which can change any time framework/core is updated, breakage is likely.
+ #
+ # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ service_manager_type
+
+ -app_api_service
+ -vendor_service # must be @VintfStability to be used by an app
+ -ephemeral_app_api_service
+
+ -apc_service
+ -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+ -cameraserver_service
+ -drmserver_service
+ -credstore_service
+ -keystore_maintenance_service
+ -keystore_service
+ -mediadrmserver_service
+ -mediaextractor_service
+ -mediametrics_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -virtual_touchpad_service
+ -vpnprofilestore_service
+ -vr_hwc_service
+ -vr_manager_service
+ userdebug_or_eng(`-hal_face_service')
+ }:service_manager find;
+')
+
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+ # Most general rules first, more specific rules below.
+
+ # Core domains are not permitted to initiate communications to vendor domain sockets.
+ # We are not restricting the use of already established sockets because it is fine for a process
+ # to obtain an already established socket via some public/official/stable API and then exchange
+ # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+ # and thus does not break the core-vendor separation.
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ coredomain
+ -init
+ -adbd
+ }, {
+ domain
+ -coredomain
+ -socket_between_core_and_vendor_violators
+ });
+')
+
+ # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # appdomain restrictions below
+ -data_between_core_and_vendor_violators # b/70393317
+ -socket_between_core_and_vendor_violators
+ -vendor_init
+ } {
+ coredomain_socket
+ core_data_file_type
+ unlabeled # used only by core domains
+ }:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ coredomain_socket
+ unlabeled # used only by core domains
+ core_data_file_type
+ -app_data_file
+ -privapp_data_file
+ -pdx_endpoint_socket_type # used by VR layer
+ -pdx_channel_socket_type # used by VR layer
+ }:sock_file ~{ append getattr ioctl read write };
+')
+
+ # Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -socket_between_core_and_vendor_violators
+ } {
+ file_type
+ dev_type
+ -coredomain_socket
+ -core_data_file_type
+ -app_data_file_type
+ -unlabeled
+ }:sock_file ~{ append getattr ioctl read write };
+')
+
+# On TREBLE devices, vendor and system components are only allowed to share
+# files by passing open FDs over hwbinder. Ban all directory access and all file
+# accesses other than what can be applied to an open FD such as
+# ioctl/stat/read/write/append. This is enforced by segregating /data.
+# Vendor domains may directly access file in /data/vendor by path, but may only
+# access files outside of /data/vendor via an open FD passed over hwbinder.
+# Likewise, core domains may only directly access files outside /data/vendor by
+# path and files in /data/vendor by open FD.
+full_treble_only(`
+ # only coredomains may only access core_data_file_type, particularly not
+ # /data/vendor
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ -app_data_file_type
+ }:file_class_set ~{ append getattr ioctl read write map };
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ -app_data_file_type
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ }:dir *;
+
+')
+full_treble_only(`
+ # vendor domains may only access files in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -vendor_init
+ } {
+ core_data_file_type
+ # libc includes functions like mktime and localtime which attempt to access
+ # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
+ # These functions are considered vndk-stable and thus must be allowed for
+ # all processes.
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:file_class_set ~{ append getattr ioctl read write map };
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:file_class_set ~{ append getattr ioctl read write map };
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators
+ -vendor_init
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -system_data_root_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:dir *;
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
+ }:dir *;
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:dir ~search;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ } {
+ system_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ -vold # vold creates per-user storage for both system and vendor
+ -vold_prepare_subdirs
+ } {
+ vendor_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ } {
+ vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+ }:file_class_set ~{ append getattr ioctl read write map };
+')
+
+full_treble_only(`
+ # Non-vendor domains are not allowed to file execute shell
+ # from vendor
+ neverallow {
+ coredomain
+ -init
+ -shell
+ -ueventd
+ } vendor_shell_exec:file { execute execute_no_trans };
+')
+
+full_treble_only(`
+ # Do not allow vendor components to execute files from system
+ # except for the ones allowed here.
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_executes_system_violators
+ -vendor_init
+ } {
+ system_file_type
+ -system_lib_file
+ -system_linker_exec
+ -crash_dump_exec
+ -iorap_prefetcherd_exec
+ -iorap_inode2filename_exec
+ -netutils_wrapper_exec
+ userdebug_or_eng(`-tcpdump_exec')
+ }:file { entrypoint execute execute_no_trans };
+')
+
+full_treble_only(`
+ # Do not allow coredomain to access entrypoint for files other
+ # than system_file_type and postinstall_file
+ neverallow coredomain {
+ file_type
+ -system_file_type
+ -postinstall_file
+ }:file entrypoint;
+ # Do not allow domains other than coredomain to access entrypoint
+ # for anything but vendor_file_type and init_exec for vendor_init.
+ neverallow { domain -coredomain } {
+ file_type
+ -vendor_file_type
+ -init_exec
+ }:file entrypoint;
+')
+
+full_treble_only(`
+ # Do not allow system components to execute files from vendor
+ # except for the ones allowed here.
+ neverallow {
+ coredomain
+ -init
+ -shell
+ -system_executes_vendor_violators
+ -ueventd
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vndk_sp_file
+ -vendor_app_file
+ -vendor_public_framework_file
+ -vendor_public_lib_file
+ }:file execute;
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ -system_executes_vendor_violators
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ }:file execute_no_trans;
+')
+
+full_treble_only(`
+ # Do not allow vendor components access to /system files except for the
+ # ones allowed here.
+ neverallow {
+ domain
+ -appdomain
+ -coredomain
+ -vendor_executes_system_violators
+ # vendor_init needs access to init_exec for domain transition. vendor_init
+ # neverallows are covered in public/vendor_init.te
+ -vendor_init
+ } {
+ system_file_type
+ -crash_dump_exec
+ -file_contexts_file
+ -iorap_inode2filename_exec
+ -netutils_wrapper_exec
+ -property_contexts_file
+ -system_event_log_tags_file
+ -system_group_file
+ -system_lib_file
+ with_asan(`-system_asan_options_file')
+ -system_linker_exec
+ -system_linker_config_file
+ -system_passwd_file
+ -system_seccomp_policy_file
+ -system_security_cacerts_file
+ -system_zoneinfo_file
+ -task_profiles_api_file
+ -task_profiles_file
+ userdebug_or_eng(`-tcpdump_exec')
+ }:file *;
+')
+
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
+neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } webview_zygote:sock_file write;
+neverallow { domain -system_server } app_zygote:sock_file write;
+
+neverallow {
+ domain
+ -tombstoned
+ -crash_dump
+ -dumpstate
+ -incidentd
+ -system_server
+
+ # Processes that can't exec crash_dump
+ -hal_codec2_server
+ -hal_omx_server
+ -mediaextractor
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
+# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
+# the tombstoned intercept socket.
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+
+# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
+neverallow { domain -init -system_server } heapdump_data_file:file read;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow * *:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow * {
+ file_type
+ -apk_data_file
+ -app_data_file
+ -asec_public_file
+}:file execmod;
+
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow * self:process { execstack execheap };
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
+
+neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+ domain
+ -system_server
+ -system_app
+ -init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
+ -installd # for relabelfrom and unlink, check for this in explicit neverallow
+ -vold_prepare_subdirs # For unlink
+ with_asan(`-asan_extract')
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+# respect system_app sandboxes
+neverallow {
+ domain
+ -appdomain # finer-grained rules for appdomain are listed below
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+ -iorap_inode2filename
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ untrusted_app_all # finer-grained rules for appdomain are listed below
+ ephemeral_app
+ priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+ -runas
+ -zygote
+} shell:process { transition dyntransition };
+
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have
+# the appdomain attribute. simpleperf is excluded as a domain transitioned to
+# when running an app-scoped profiling session.
+neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
+ appdomain -shell -simpleperf userdebug_or_eng(`-su')
+}:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -appdomain
+ -installd
+} { app_data_file privapp_data_file }:lnk_file read;
+
+neverallow {
+ domain
+ -shell
+ userdebug_or_eng(`-uncrypt')
+ -installd
+} shell_data_file:lnk_file read;
+
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -init
+ -installd
+ -iorap_inode2filename
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir { open search };
+
+# Same as above for /data/local/tmp files. We allow shell files
+# to be passed around by file descriptor, but not directly opened.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -installd
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:file open;
+
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+ servicemanager
+ vndservicemanager
+ }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+ hwservicemanager
+ }:hwservice_manager list;
+
+# only service_manager_types can be added to service_manager
+# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
+
+# Prevent assigning non property types to properties
+# TODO - rework this: neverallow * ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow * domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
+
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+ domain
+ -installd
+ -profman
+} profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time. Runtime changes
+# to filesystem capabilities are not permitted.
+neverallow * self:global_capability_class_set setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
+
+# If an already existing file is opened with O_CREAT, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
+neverallow domain {
+ proc_type
+ sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+ dontaudit domain proc_type:dir add_name;
+ dontaudit domain sysfs_type:dir add_name;
+ dontaudit domain proc_type:file create;
+ dontaudit domain sysfs_type:file create;
+')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ -system_writes_mnt_vendor_violators
+} mnt_vendor_file:dir *;
+
+# Only apps are allowed access to vendor public libraries.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
+')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+ domain
+ -coredomain
+} mnt_product_file:dir *;
+
+# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
+full_treble_only(`
+ neverallow {
+ coredomain
+ -healthd
+ -shell
+ # Generate uevents for health info
+ -ueventd
+ # Recovery uses health HAL passthrough implementation.
+ -recovery
+ # Charger uses health HAL passthrough implementation.
+ -charger
+ # TODO(b/110891300): remove this exception
+ -incidentd
+ } sysfs_batteryinfo:file { open read };
+')
+
+neverallow {
+ domain
+ -hal_codec2_server
+ -hal_omx_server
+} hal_codec2_hwservice:hwservice_manager add;
+
+# Only apps targetting < Q are allowed to open /dev/ashmem directly.
+# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
+neverallow {
+ domain
+ -ephemeral_app # We don't distinguish ephemeral apps based on target API.
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
+
+neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/microdroid/sepolicy/system/public/drmserver.te b/microdroid/sepolicy/system/public/drmserver.te
new file mode 100644
index 0000000..eede0fc
--- /dev/null
+++ b/microdroid/sepolicy/system/public/drmserver.te
@@ -0,0 +1,65 @@
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, system_file_type, exec_type, file_type;
+
+typeattribute drmserver mlstrustedsubject;
+
+net_domain(drmserver)
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_call(drmserver, mediametrics)
+binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
+r_dir_file(drmserver, efs_file)
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket. Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+auditallow drmserver apk_data_file:dir { add_name write };
+allow drmserver drmserver_socket:sock_file create_file_perms;
+auditallow drmserver drmserver_socket:sock_file create;
+# Delete old socket file if present.
+allow drmserver apk_data_file:sock_file unlink;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)
+
+# Read resources from open apk files passed over Binder.
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow drmserver radio_data_file:file { read getattr map };
+
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
+# overlay package access
+allow drmserver vendor_overlay_file:file { read map };
+
+add_service(drmserver, drmserver_service)
+allow drmserver permission_service:service_manager find;
+allow drmserver mediametrics_service:service_manager find;
+
+selinux_check_access(drmserver)
+
+r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
+r_dir_file(drmserver, system_file)
diff --git a/microdroid/sepolicy/system/public/dumpstate.te b/microdroid/sepolicy/system/public/dumpstate.te
new file mode 100644
index 0000000..85a5796
--- /dev/null
+++ b/microdroid/sepolicy/system/public/dumpstate.te
@@ -0,0 +1,394 @@
+# dumpstate
+type dumpstate, domain, mlstrustedsubject;
+type dumpstate_exec, system_file_type, exec_type, file_type;
+
+net_domain(dumpstate)
+binder_use(dumpstate)
+wakelock_use(dumpstate)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+r_dir_file(dumpstate, domain)
+
+allow dumpstate self:global_capability_class_set {
+ # Send signals to processes
+ kill
+ # Run iptables
+ net_raw
+ net_admin
+};
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
+allow dumpstate toolbox_exec:file rx_file_perms;
+
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
+# Create and write into /data/anr/
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
+allow dumpstate anr_data_file:dir rw_dir_perms;
+allow dumpstate anr_data_file:file create_file_perms;
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file r_file_perms;
+
+# Allow dumpstate to append into apps' private files.
+allow dumpstate { privapp_data_file app_data_file }:file append;
+
+# Read dmesg
+allow dumpstate self:global_capability2_class_set syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Read /sys/fs/pstore/console-ramoops
+allow dumpstate pstorefs:dir r_dir_perms;
+allow dumpstate pstorefs:file r_file_perms;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server zygote }:process signal;
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.c
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ mediaswcodec
+ sdcardd
+ surfaceflinger
+ vold
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
+ hal_audio_server
+ hal_audiocontrol_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_codec2_server
+ hal_drm_server
+ hal_evs_server
+ hal_face_server
+ hal_fingerprint_server
+ hal_graphics_allocator_server
+ hal_graphics_composer_server
+ hal_health_server
+ hal_neuralnetworks_server
+ hal_omx_server
+ hal_power_server
+ hal_power_stats_server
+ hal_sensors_server
+ hal_thermal_server
+ hal_vehicle_server
+ hal_vr_server
+ system_suspend_server
+}:process signal;
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
+
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+ sysfs_devices_block
+ sysfs_dm
+ sysfs_loop
+ sysfs_usb
+ sysfs_zram
+}:file r_file_perms;
+
+# Other random bits of data we want to collect
+no_debugfs_restriction(`
+ allow dumpstate debugfs:file r_file_perms;
+ auditallow dumpstate debugfs:file r_file_perms;
+
+ allow dumpstate debugfs_mmc:file r_file_perms;
+')
+
+# df for
+allow dumpstate {
+ block_device
+ cache_file
+ metadata_file
+ rootfs
+ selinuxfs
+ storage_file
+ tmpfs
+}:dir { search getattr };
+allow dumpstate fuse_device:chr_file getattr;
+allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
+
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
+
+# Allow dumpstate to make binder calls to any binder service
+binder_call(dumpstate, binderservicedomain)
+binder_call(dumpstate, { appdomain netd wificond })
+
+dump_hal(hal_dumpstate)
+dump_hal(hal_wifi)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_light)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_thermal)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_identity)
+dump_hal(hal_face)
+dump_hal(hal_fingerprint)
+dump_hal(hal_gnss)
+
+# Vibrate the device after we are done collecting the bugreport
+hal_client_domain(dumpstate, hal_vibrator)
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:global_capability_class_set sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir create_dir_perms;
+allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+
+# For Bluetooth
+allow dumpstate bluetooth_data_file:dir search;
+allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
+allow dumpstate bluetooth_logs_data_file:file r_file_perms;
+
+# For Nfc
+allow dumpstate nfc_logs_data_file:dir r_dir_perms;
+allow dumpstate nfc_logs_data_file:file r_file_perms;
+
+# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
+allow dumpstate gpu_device:chr_file rw_file_perms;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
+read_runtime_log_tags(dumpstate)
+
+# Read files in /proc
+allow dumpstate {
+ proc_buddyinfo
+ proc_cmdline
+ proc_meminfo
+ proc_modules
+ proc_net_type
+ proc_pipe_conf
+ proc_pagetypeinfo
+ proc_qtaguid_ctrl
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file r_file_perms;
+
+# Read network state info files.
+allow dumpstate net_data_file:dir search;
+allow dumpstate net_data_file:file r_file_perms;
+
+# List sockets via ss.
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Access /data/tombstones.
+allow dumpstate tombstone_data_file:dir r_dir_perms;
+allow dumpstate tombstone_data_file:file r_file_perms;
+
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
+# Access /data/misc/recovery
+allow dumpstate recovery_data_file:dir r_dir_perms;
+allow dumpstate recovery_data_file:file r_file_perms;
+
+#Access /data/misc/update_engine_log
+allow dumpstate update_engine_log_data_file:dir r_dir_perms;
+allow dumpstate update_engine_log_data_file:file r_file_perms;
+
+# Access /data/misc/profiles/{cur,ref}/
+userdebug_or_eng(`
+ allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
+ allow dumpstate user_profile_data_file:file r_file_perms;
+')
+
+# Access /data/misc/logd
+allow dumpstate misc_logd_file:dir r_dir_perms;
+allow dumpstate misc_logd_file:file r_file_perms;
+
+# Access /data/misc/prereboot
+allow dumpstate prereboot_data_file:dir r_dir_perms;
+allow dumpstate prereboot_data_file:file r_file_perms;
+
+allow dumpstate app_fuse_file:dir r_dir_perms;
+allow dumpstate overlayfs_file:dir r_dir_perms;
+
+allow dumpstate {
+ service_manager_type
+ -apex_service
+ -dumpstate_service
+ -gatekeeper_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ -default_android_service
+}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ apex_service
+ dumpstate_service
+ gatekeeper_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
+# Most of these are neverallowed.
+dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
+
+allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;
+
+# Read any system properties
+get_prop(dumpstate, property_type)
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
+allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+add_service(dumpstate, dumpstate_service)
+
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+allow dumpstate proc_pressure_cpu:file r_file_perms;
+allow dumpstate proc_pressure_mem:file r_file_perms;
+allow dumpstate proc_pressure_io:file r_file_perms;
+
+# Allow dumpstate to run ps
+allow dumpstate proc_pid_max:file r_file_perms;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to talk to iorapd over binder.
+binder_call(dumpstate, iorapd)
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Allow dumpstate to run iotop
+allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Allow dumpstate to run ss
+allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+
+# Allow dumpstate to read linkerconfig directory
+allow dumpstate linkerconfig_file:dir { read open };
+
+# For when dumpstate runs df
+dontaudit dumpstate {
+ mnt_vendor_file
+ mirror_data_file
+ mnt_user_file
+}:dir search;
+dontaudit dumpstate {
+ apex_mnt_dir
+ linkerconfig_file
+ mirror_data_file
+ mnt_user_file
+}:dir getattr;
+
+# Allow dumpstate to talk to bufferhubd over binder
+binder_call(dumpstate, bufferhubd);
+
+# Allow dumpstate to talk to mediaswcodec over binder
+binder_call(dumpstate, mediaswcodec);
+
+# Allow dumpstate to talk to these stable AIDL services over binder
+binder_call(dumpstate, hal_rebootescrow_server)
+allow hal_rebootescrow_server dumpstate:fifo_file write;
+allow hal_rebootescrow_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_authsecret_server)
+allow hal_authsecret_server dumpstate:fifo_file write;
+allow hal_authsecret_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_keymint_server)
+allow hal_keymint_server dumpstate:fifo_file write;
+allow hal_keymint_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_memtrack_server)
+allow hal_memtrack_server dumpstate:fifo_file write;
+allow hal_memtrack_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_oemlock_server)
+allow hal_oemlock_server dumpstate:fifo_file write;
+allow hal_oemlock_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_weaver_server)
+allow hal_weaver_server dumpstate:fifo_file write;
+allow hal_weaver_server dumpstate:fd use;
+
+#Access /data/misc/snapshotctl_log
+allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
+allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+allow dumpstate binderfs_logs_proc:file r_file_perms;
+
+allow dumpstate apex_info_file:file getattr;
+
+###
+### neverallow rules
+###
+
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ -traceur_app
+ -dumpstate
+} dumpstate_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/e2fs.te b/microdroid/sepolicy/system/public/e2fs.te
new file mode 100644
index 0000000..fe8b2ba
--- /dev/null
+++ b/microdroid/sepolicy/system/public/e2fs.te
@@ -0,0 +1,32 @@
+type e2fs, domain, coredomain;
+type e2fs_exec, system_file_type, exec_type, file_type;
+
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
+allow e2fs block_device:dir search;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+allow e2fs dm_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+
+# Allow e2fs to format /dev/block/vd*
+allow e2fs vd_device:blk_file rw_file_perms;
+allowxperm e2fs vd_device:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+
+allow e2fs {
+ proc_filesystems
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+
+# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
+allow e2fs sysfs_fs_ext4_features:file r_file_perms;
+
+# access SELinux context files
+allow e2fs file_contexts_file:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/ephemeral_app.te b/microdroid/sepolicy/system/public/ephemeral_app.te
new file mode 100644
index 0000000..dc39a22
--- /dev/null
+++ b/microdroid/sepolicy/system/public/ephemeral_app.te
@@ -0,0 +1,14 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+type ephemeral_app, domain;
diff --git a/microdroid/sepolicy/system/public/fastbootd.te b/microdroid/sepolicy/system/public/fastbootd.te
new file mode 100644
index 0000000..e167a5e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/fastbootd.te
@@ -0,0 +1,118 @@
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type fastbootd, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+ # fastbootd can only use HALs in passthrough mode
+ passthrough_hal_client_domain(fastbootd, hal_bootctl)
+
+ # Access /dev/usb-ffs/fastbootd/ep0
+ allow fastbootd functionfs:dir search;
+ allow fastbootd functionfs:file rw_file_perms;
+
+ allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
+ # Log to serial
+ allow fastbootd kmsg_device:chr_file { open getattr write };
+
+ # battery info
+ allow fastbootd sysfs_batteryinfo:file r_file_perms;
+
+ allow fastbootd device:dir r_dir_perms;
+
+ # For dev/block/by-name dir
+ allow fastbootd block_device:dir r_dir_perms;
+
+ # Needed for DM_DEV_CREATE ioctl call
+ allow fastbootd self:capability sys_admin;
+
+ unix_socket_connect(fastbootd, recovery, recovery)
+
+ # Required for flashing
+ allow fastbootd dm_device:chr_file rw_file_perms;
+ allow fastbootd dm_device:blk_file rw_file_perms;
+
+ allow fastbootd cache_block_device:blk_file rw_file_perms;
+ allow fastbootd super_block_device_type:blk_file rw_file_perms;
+ allow fastbootd {
+ boot_block_device
+ metadata_block_device
+ system_block_device
+ userdata_block_device
+ }:blk_file { w_file_perms getattr ioctl };
+
+ # For disabling/wiping GSI, and for modifying/deleting files created via
+ # libfiemap.
+ allow fastbootd metadata_block_device:blk_file r_file_perms;
+ allow fastbootd {rootfs tmpfs}:dir mounton;
+ allow fastbootd metadata_file:dir { search getattr mounton };
+ allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file_type:file create_file_perms;
+
+ allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+ allowxperm fastbootd {
+ metadata_block_device
+ userdata_block_device
+ dm_device
+ cache_block_device
+ }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
+
+ allow fastbootd misc_block_device:blk_file rw_file_perms;
+
+ allow fastbootd proc_cmdline:file r_file_perms;
+ allow fastbootd rootfs:dir r_dir_perms;
+
+ # Needed to read fstab node from device tree.
+ allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+ allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
+
+ # Needed because libdm reads sysfs to validate when a dm path is ready.
+ r_dir_file(fastbootd, sysfs_dm)
+
+ # Needed for realpath() call to resolve symlinks.
+ allow fastbootd block_device:dir getattr;
+ userdebug_or_eng(`
+ # Refined manipulation of /mnt/scratch, without these perms resorts
+ # to deleting scratch partition when partition(s) are flashed.
+ allow fastbootd self:process setfscreate;
+ allow fastbootd cache_file:dir search;
+ allow fastbootd proc_filesystems:file { getattr open read };
+ allow fastbootd self:capability sys_rawio;
+ dontaudit fastbootd kernel:system module_request;
+ allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
+ allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+ allow fastbootd {
+ system_file_type
+ unlabeled
+ vendor_file_type
+ }:dir { remove_name rmdir search write };
+ allow fastbootd {
+ overlayfs_file
+ system_file_type
+ unlabeled
+ vendor_file_type
+ }:{ file lnk_file } unlink;
+ allow fastbootd tmpfs:dir rw_dir_perms;
+ # Fetch vendor_boot partition
+ allow fastbootd boot_block_device:blk_file r_file_perms;
+ ')
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ allow fastbootd gsi_metadata_file_type:dir search;
+ allow fastbootd ota_metadata_file:dir rw_dir_perms;
+ allow fastbootd ota_metadata_file:file create_file_perms;
+')
+
+###
+### neverallow rules
+###
+
+# Write permission is required to wipe userdata
+# until recovery supports vold.
+neverallow fastbootd {
+ data_file_type
+}:file { no_x_file_perms };
diff --git a/microdroid/sepolicy/system/public/file.te b/microdroid/sepolicy/system/public/file.te
new file mode 100644
index 0000000..20348b5
--- /dev/null
+++ b/microdroid/sepolicy/system/public/file.te
@@ -0,0 +1,600 @@
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type, proc_type;
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
+type proc_kpageflags, fs_type, proc_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, proc_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
+type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
+type proc_bluetooth_writable, fs_type, proc_type;
+type proc_abi, fs_type, proc_type;
+type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
+type proc_buddyinfo, fs_type, proc_type;
+type proc_cmdline, fs_type, proc_type;
+type proc_cpuinfo, fs_type, proc_type;
+type proc_dirty, fs_type, proc_type;
+type proc_diskstats, fs_type, proc_type;
+type proc_extra_free_kbytes, fs_type, proc_type;
+type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
+type proc_hostname, fs_type, proc_type;
+type proc_hung_task, fs_type, proc_type;
+type proc_interrupts, fs_type, proc_type;
+type proc_iomem, fs_type, proc_type;
+type proc_kallsyms, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
+type proc_kmsg, fs_type, proc_type;
+type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
+type proc_lowmemorykiller, fs_type, proc_type;
+type proc_max_map_count, fs_type, proc_type;
+type proc_meminfo, fs_type, proc_type;
+type proc_misc, fs_type, proc_type;
+type proc_modules, fs_type, proc_type;
+type proc_mounts, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
+type proc_page_cluster, fs_type, proc_type;
+type proc_pagetypeinfo, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+type proc_perf, fs_type, proc_type;
+type proc_pid_max, fs_type, proc_type;
+type proc_pipe_conf, fs_type, proc_type;
+type proc_pressure_cpu, fs_type, proc_type;
+type proc_pressure_io, fs_type, proc_type;
+type proc_pressure_mem, fs_type, proc_type;
+type proc_random, fs_type, proc_type;
+type proc_sched, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
+type proc_stat, fs_type, proc_type;
+type proc_swaps, fs_type, proc_type;
+type proc_sysrq, fs_type, proc_type;
+type proc_timer, fs_type, proc_type;
+type proc_tty_drivers, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
+type proc_uid_concurrent_active_time, fs_type, proc_type;
+type proc_uid_concurrent_policy_time, fs_type, proc_type;
+type proc_uid_cpupower, fs_type, proc_type;
+type proc_uptime, fs_type, proc_type;
+type proc_version, fs_type, proc_type;
+type proc_vmallocinfo, fs_type, proc_type;
+type proc_vmstat, fs_type, proc_type;
+type proc_zoneinfo, fs_type, proc_type;
+type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type cgroup_v2, fs_type;
+type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_android_usb, fs_type, sysfs_type;
+type sysfs_uio, sysfs_type, fs_type;
+type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devfreq_cur, fs_type, sysfs_type;
+type sysfs_devfreq_dir, fs_type, sysfs_type;
+type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_extcon, fs_type, sysfs_type;
+type sysfs_ion, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
+type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
+type sysfs_loop, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_suspend_stats, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
+type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_usb, fs_type, sysfs_type;
+type sysfs_wakeup, fs_type, sysfs_type;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type sysfs_fs_f2fs, sysfs_type, fs_type;
+type sysfs_fs_incfs_features, sysfs_type, fs_type;
+type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
+type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
+type configfs, fs_type;
+# /sys/devices/cs_etm
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
+# /sys/devices/system/cpu
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+# /sys/module/lowmemorykiller
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+# /sys/module/wlan/parameters/fwpath
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+type sysfs_uhid, fs_type, sysfs_type;
+type sysfs_thermal, sysfs_type, fs_type;
+
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type, mlstrustedobject;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
+type vfat, sdcard_type, fs_type, mlstrustedobject;
+type exfat, sdcard_type, fs_type, mlstrustedobject;
+type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type securityfs, fs_type;
+
+type pstorefs, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type oemfs, fs_type, contextmount_type;
+type usbfs, fs_type;
+type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
+
+# File types
+type unlabeled, file_type;
+
+# Default type for anything under /system.
+type system_file, system_file_type, file_type;
+# Default type for /system/asan.options
+type system_asan_options_file, system_file_type, file_type;
+# Type for /system/etc/event-log-tags (liblog implementation detail)
+type system_event_log_tags_file, system_file_type, file_type;
+# Default type for anything under /system/lib[64].
+type system_lib_file, system_file_type, file_type;
+# system libraries that are available only to bootstrap processes
+type system_bootstrap_lib_file, system_file_type, file_type;
+# Default type for the group file /system/etc/group.
+type system_group_file, system_file_type, file_type;
+# Default type for linker executable /system/bin/linker[64].
+type system_linker_exec, system_file_type, file_type;
+# Default type for linker config /system/etc/ld.config.*.
+type system_linker_config_file, system_file_type, file_type;
+# Default type for the passwd file /system/etc/passwd.
+type system_passwd_file, system_file_type, file_type;
+# Default type for linker config /system/etc/seccomp_policy/*.
+type system_seccomp_policy_file, system_file_type, file_type;
+# Default type for cacerts in /system/etc/security/cacerts/*.
+type system_security_cacerts_file, system_file_type, file_type;
+# Default type for /system/bin/tcpdump.
+type tcpdump_exec, system_file_type, exec_type, file_type;
+# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
+type system_zoneinfo_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/cgroups.json
+type cgroup_desc_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+type cgroup_desc_api_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles.json
+type task_profiles_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+type task_profiles_api_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;
+# Type for /system/apex/com.android.art
+type art_apex_dir, system_file_type, file_type;
+# /linkerconfig(/.*)?
+type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs and their lib/bin dependencies.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+# Type for all vendor public libraries. These libs should only be exposed to
+# apps. ABI stability of these libs is vendor's responsibility.
+type vendor_public_lib_file, vendor_file_type, file_type;
+# Type for all vendor public libraries for system. These libs should only be exposed to
+# system. ABI stability of these libs is vendor's responsibility.
+type vendor_public_framework_file, vendor_file_type, file_type;
+
+# Input configuration
+type vendor_keylayout_file, vendor_file_type, file_type;
+type vendor_keychars_file, vendor_file_type, file_type;
+type vendor_idc_file, vendor_file_type, file_type;
+
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
+type vold_metadata_file, file_type;
+# GSI files within /metadata
+type gsi_metadata_file, gsi_metadata_file_type, file_type;
+# DSU (GSI) files within /metadata that are globally readable.
+type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
+# system_server shares Weaver slot information in /metadata
+type password_slot_metadata_file, file_type;
+# APEX files within /metadata
+type apex_metadata_file, file_type;
+# libsnapshot files within /metadata
+type ota_metadata_file, file_type;
+# property files within /metadata/bootstat
+type metadata_bootstat_file, file_type;
+# userspace reboot files within /metadata/userspacereboot
+type userspace_reboot_metadata_file, file_type;
+# Staged install files within /metadata/staged-install
+type staged_install_file, file_type;
+# Metadata information within /metadata/watchdog
+type watchdog_metadata_file, file_type;
+
+# Type for /dev/cpu_variant:.*.
+type dev_cpu_variant, file_type;
+# Speedup access for trusted applications to the runtime event tags
+type runtime_event_log_tags_file, file_type;
+# Type for /system/bin/logcat.
+type logcat_exec, system_file_type, exec_type, file_type;
+# Speedup access to cgroup map file
+type cgroup_rc_file, file_type;
+# /cores for coredumps on userdebug / eng builds
+type coredump_file, file_type;
+# Type of /data itself
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type, core_data_file_type;
+# Type for /data/system/packages.list.
+# TODO(b/129332765): Narrow down permissions to this.
+# Find out users of system_data_file that should be granted only this.
+type packages_list_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
+# Unencrypted data
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
+# installd-create files in /data/misc/installd such as layout_version
+type install_data_file, file_type, data_file_type, core_data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type, core_data_file_type;
+# /data/adb - adb debugging files
+type adb_data_file, file_type, data_file_type, core_data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/vendor/tombstones/wifi - vendor wifi dumps
+type tombstone_wifi_data_file, file_type, data_file_type;
+# /data/apex - APEX data files
+type apex_data_file, file_type, data_file_type, core_data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/app-private - forward-locked apps
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota
+type ota_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota_package
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profiles
+type user_profile_root_file, file_type, data_file_type, core_data_file_type;
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/prereboot
+type prereboot_data_file, file_type, data_file_type, core_data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+# /data/property
+type property_data_file, file_type, data_file_type, core_data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/dropbox
+type dropbox_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/nativetest
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local/tests
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/preloads
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
+# /data/preloads/media
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+# /data/server_configurable_flags
+type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
+# /data/app-staging
+type staging_data_file, file_type, data_file_type, core_data_file_type;
+# /vendor/apex
+type vendor_apex_file, vendor_file_type, file_type;
+
+# Mount locations managed by vold
+type mnt_media_rw_file, file_type;
+type mnt_user_file, file_type;
+type mnt_pass_through_file, file_type;
+type mnt_expand_file, file_type;
+type mnt_sdcard_file, file_type;
+type storage_file, file_type;
+
+# Label for storage dirs which are just mount stubs
+type mnt_media_rw_stub_file, file_type;
+type storage_stub_file, file_type;
+
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
+
+# Mount point used for APEX images
+type apex_mnt_dir, file_type;
+
+# /apex/apex-info-list.xml created by apexd
+type apex_info_file, file_type;
+
+# /postinstall: Mount point used by update_engine to run postinstall.
+type postinstall_mnt_dir, file_type;
+# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
+type postinstall_file, file_type;
+# /postinstall/apex: Mount point used for APEX images within /postinstall.
+type postinstall_apex_mnt_dir, file_type;
+
+# /data_mirror: Contains mirror directory for storing all apps data.
+type mirror_data_file, file_type, core_data_file_type;
+
+# /data/misc subdirectories
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
+type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
+type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
+type appcompat_data_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type credstore_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
+type stats_data_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type iorapd_data_file, file_type, data_file_type, core_data_file_type;
+type tee_data_file, file_type, data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/trace for method traces on userdebug / eng builds
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type gsi_data_file, file_type, data_file_type, core_data_file_type;
+type radio_core_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+# /data/data subdirectories - priv-app sandboxes
+type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+# Default type for anything under /cache
+type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for /cache/overlay /mnt/scratch/overlay
+type overlayfs_file, file_type, data_file_type, core_data_file_type;
+# Type for /cache/backup_stage/* (fd interchange with apps)
+type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# type for anything under /cache/backup (local transport storage)
+type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for shortcut manager icon file.
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for user icon file.
+type icon_file, file_type, data_file_type, core_data_file_type;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type, core_data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type, core_data_file_type;
+# /data/backup and /data/secure/backup
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# device policy
+type bluetooth_efs_file, file_type;
+# Type for fingerprint template file
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
+# Type for _new_ fingerprint template file
+type fingerprint_vendor_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for face template file
+type face_vendor_data_file, file_type, data_file_type;
+# Type for iris template file
+type iris_vendor_data_file, file_type, data_file_type;
+
+# Socket types
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
+type recovery_socket, file_type, coredomain_socket;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type snapuserd_socket, file_type, coredomain_socket;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
+type uncrypt_socket, file_type, coredomain_socket;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
+type zygote_socket, file_type, coredomain_socket;
+type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
+# file_contexts files
+type file_contexts_file, system_file_type, file_type;
+
+# mac_permissions file
+type mac_perms_file, system_file_type, file_type;
+
+# property_contexts file
+type property_contexts_file, system_file_type, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, system_file_type, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, system_file_type, file_type;
+
+# service_contexts file
+type service_contexts_file, system_file_type, file_type;
+
+# keystore2_key_contexts_file
+type keystore2_key_contexts_file, system_file_type, file_type;
+
+# vendor service_contexts file
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
+# nonplat service_contexts file (only accessible on non full-treble devices)
+type nonplat_service_contexts_file, vendor_file_type, file_type;
+
+# hwservice_contexts file
+type hwservice_contexts_file, system_file_type, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
+# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
+allow proc_net proc:filesystem associate;
+
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
+# Deprecated in SDK version 28
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+# type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+# type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem associate;
diff --git a/microdroid/sepolicy/system/public/fingerprintd.te b/microdroid/sepolicy/system/public/fingerprintd.te
new file mode 100644
index 0000000..8cf2411
--- /dev/null
+++ b/microdroid/sepolicy/system/public/fingerprintd.te
@@ -0,0 +1,27 @@
+type fingerprintd, domain;
+type fingerprintd_exec, system_file_type, exec_type, file_type;
+
+binder_use(fingerprintd)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
+# need to find KeyStore and add self
+add_service(fingerprintd, fingerprintd_service)
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+allow fingerprintd keystore:keystore2 { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
+
+allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/flags_health_check.te b/microdroid/sepolicy/system/public/flags_health_check.te
new file mode 100644
index 0000000..25a7768
--- /dev/null
+++ b/microdroid/sepolicy/system/public/flags_health_check.te
@@ -0,0 +1,11 @@
+# The flags_health_check command run by init.
+type flags_health_check, domain, coredomain;
+type flags_health_check_exec, system_file_type, exec_type, file_type;
+
+allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
+allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
+
+# server_configurable_flags_data_file is used for storing whether server configurable flags which
+# have been reset during current booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
diff --git a/microdroid/sepolicy/system/public/fsck.te b/microdroid/sepolicy/system/public/fsck.te
new file mode 100644
index 0000000..7a9fbee
--- /dev/null
+++ b/microdroid/sepolicy/system/public/fsck.te
@@ -0,0 +1,68 @@
+# Any fsck program run by init
+type fsck, domain;
+type fsck_exec, system_file_type, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow fsck tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
+# Run fsck on certain block devices
+allow fsck block_device:dir search;
+allow fsck userdata_block_device:blk_file rw_file_perms;
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
+userdebug_or_eng(`
+allow fsck system_block_device:blk_file rw_file_perms;
+')
+
+# For the block devices where we have ioctl access,
+# allow at a minimum the following common fsck ioctls.
+allowxperm fsck dev_type:blk_file ioctl {
+ BLKDISCARDZEROES
+ BLKROGET
+};
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
+
+allow fsck {
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+allow fsck rootfs:dir r_dir_perms;
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+ boot_block_device
+ frp_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdebug_or_eng(`-system_block_device')
+ vold_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
+neverallow * fsck:process dyntransition;
+neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/public/fsck_untrusted.te b/microdroid/sepolicy/system/public/fsck_untrusted.te
new file mode 100644
index 0000000..8510c94
--- /dev/null
+++ b/microdroid/sepolicy/system/public/fsck_untrusted.te
@@ -0,0 +1,49 @@
+# Any fsck program run on untrusted block devices
+type fsck_untrusted, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+allow fsck_untrusted proc_mounts:file r_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow * fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/public/fwk_bufferhub.te b/microdroid/sepolicy/system/public/fwk_bufferhub.te
new file mode 100644
index 0000000..03486bd
--- /dev/null
+++ b/microdroid/sepolicy/system/public/fwk_bufferhub.te
@@ -0,0 +1,4 @@
+binder_call(hal_bufferhub_client, hal_bufferhub_server)
+binder_call(hal_bufferhub_server, hal_bufferhub_client)
+
+hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
diff --git a/microdroid/sepolicy/system/public/gatekeeperd.te b/microdroid/sepolicy/system/public/gatekeeperd.te
new file mode 100644
index 0000000..d48c5f8
--- /dev/null
+++ b/microdroid/sepolicy/system/public/gatekeeperd.te
@@ -0,0 +1,42 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, system_file_type, exec_type, file_type;
+
+# gatekeeperd
+binder_service(gatekeeperd)
+binder_use(gatekeeperd)
+
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hal_client_domain(gatekeeperd, hal_gatekeeper)
+###
+
+# need to find KeyStore and add self
+add_service(gatekeeperd, gatekeeper_service)
+
+# Need to add auth tokens to KeyStore
+use_keystore(gatekeeperd)
+allow gatekeeperd keystore:keystore_key { add_auth };
+allow gatekeeperd keystore:keystore2 { add_auth };
+allow gatekeeperd authorization_service:service_manager find;
+
+
+# For permissions checking
+allow gatekeeperd system_server:binder call;
+allow gatekeeperd permission_service:service_manager find;
+
+# for SID file access
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+
+# For hardware properties retrieval
+allow gatekeeperd hardware_properties_service:service_manager find;
+
+r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/global_macros b/microdroid/sepolicy/system/public/global_macros
new file mode 100644
index 0000000..2c87fde
--- /dev/null
+++ b/microdroid/sepolicy/system/public/global_macros
@@ -0,0 +1,51 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
+
+define(`devfile_class_set', `{ chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
+define(`dir_file_class_set', `{ dir file_class_set }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
+define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
+define(`w_file_perms', `{ open append write lock map }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
+define(`w_dir_perms', `{ open search write add_name remove_name lock }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/microdroid/sepolicy/system/public/gmscore_app.te b/microdroid/sepolicy/system/public/gmscore_app.te
new file mode 100644
index 0000000..b574bf3
--- /dev/null
+++ b/microdroid/sepolicy/system/public/gmscore_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+
+type gmscore_app, domain;
diff --git a/microdroid/sepolicy/system/public/gpuservice.te b/microdroid/sepolicy/system/public/gpuservice.te
new file mode 100644
index 0000000..c862d0b
--- /dev/null
+++ b/microdroid/sepolicy/system/public/gpuservice.te
@@ -0,0 +1,2 @@
+# gpuservice - server for gpu stats and other gpu related services
+type gpuservice, domain;
diff --git a/microdroid/sepolicy/system/public/hal_allocator.te b/microdroid/sepolicy/system/public/hal_allocator.te
new file mode 100644
index 0000000..6417b62
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_allocator.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_allocator_client, hal_allocator_server)
+
+hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
+allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
diff --git a/microdroid/sepolicy/system/public/hal_atrace.te b/microdroid/sepolicy/system/public/hal_atrace.te
new file mode 100644
index 0000000..51d9237
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_atrace.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_atrace_client, hal_atrace_server)
+
+hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_audio.te b/microdroid/sepolicy/system/public/hal_audio.te
new file mode 100644
index 0000000..d1970b9
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_audio.te
@@ -0,0 +1,39 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
+hal_attribute_service(hal_audio, hal_audio_service)
+
+allow hal_audio ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_audio, proc)
+r_dir_file(hal_audio, proc_asound)
+allow hal_audio_server audio_device:dir r_dir_perms;
+allow hal_audio_server audio_device:chr_file rw_file_perms;
+
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_audio shell:fd use;
+allow hal_audio shell:fifo_file write;
+allow hal_audio dumpstate:fd use;
+allow hal_audio dumpstate:fifo_file write;
+
+# Needed to allow sound trigger hal to access shared memory from apps.
+allow hal_audio_server appdomain:fd use;
+
+# allow hal audio to use vnbinder
+vndbinder_use(hal_audio)
+
+###
+### neverallow rules
+###
+
+# Should never execute any executable without a domain transition
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
+
+get_prop(hal_audio, audio_config_prop)
+get_prop(hal_audio, bluetooth_a2dp_offload_prop)
+get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/microdroid/sepolicy/system/public/hal_audiocontrol.te b/microdroid/sepolicy/system/public/hal_audiocontrol.te
new file mode 100644
index 0000000..6f45b0e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_audiocontrol.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
+binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
+
+hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
+hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
+
+binder_call(hal_audiocontrol_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_authsecret.te b/microdroid/sepolicy/system/public/hal_authsecret.te
new file mode 100644
index 0000000..bbcdb9a
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_authsecret.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_authsecret_client, hal_authsecret_server)
+
+hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
+hal_attribute_service(hal_authsecret, hal_authsecret_service)
+
+binder_call(hal_authsecret_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_bluetooth.te b/microdroid/sepolicy/system/public/hal_bluetooth.te
new file mode 100644
index 0000000..97177ba
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_bluetooth.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_bluetooth_client, hal_bluetooth_server)
+binder_call(hal_bluetooth_server, hal_bluetooth_client)
+
+hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+
+wakelock_use(hal_bluetooth);
+
+# The HAL toggles rfkill to power the chip off/on.
+allow hal_bluetooth self:global_capability_class_set net_admin;
+
+# bluetooth factory file accesses.
+r_dir_file(hal_bluetooth, bluetooth_efs_file)
+
+allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+r_dir_file(hal_bluetooth, sysfs_type)
+allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth self:global_capability2_class_set wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(hal_bluetooth, bluetooth_audio_hal_prop)
+set_prop(hal_bluetooth, bluetooth_prop)
+set_prop(hal_bluetooth, exported_bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_bootctl.te b/microdroid/sepolicy/system/public/hal_bootctl.te
new file mode 100644
index 0000000..a1f3d7f
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_bootctl.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
+
+hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
+allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_broadcastradio.te b/microdroid/sepolicy/system/public/hal_broadcastradio.te
new file mode 100644
index 0000000..84a2597
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_broadcastradio.te
@@ -0,0 +1,4 @@
+binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
+binder_call(hal_broadcastradio_server, hal_broadcastradio_client)
+
+hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_camera.te b/microdroid/sepolicy/system/public/hal_camera.te
new file mode 100644
index 0000000..45fad56
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_camera.te
@@ -0,0 +1,38 @@
+# HwBinder IPC from clients to server and callbacks
+binder_call(hal_camera_client, hal_camera_server)
+binder_call(hal_camera_server, hal_camera_client)
+
+hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
+
+allow hal_camera device:dir r_dir_perms;
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Both the client and the server need to use the graphics allocator
+allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
+
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
+allow hal_camera { appdomain -isolated_app }:fd use;
+allow hal_camera surfaceflinger:fd use;
+allow hal_camera hal_allocator_server:fd use;
+
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_camera shell:fd use;
+allow hal_camera shell:fifo_file write;
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only camera HAL may directly access the camera hardware
+neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/microdroid/sepolicy/system/public/hal_can.te b/microdroid/sepolicy/system/public/hal_can.te
new file mode 100644
index 0000000..959d1d9
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_can.te
@@ -0,0 +1,9 @@
+# CAN controller
+binder_call(hal_can_controller_client, hal_can_controller_server)
+binder_call(hal_can_controller_server, hal_can_controller_client)
+hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
+
+# CAN bus
+binder_call(hal_can_bus_client, hal_can_bus_server)
+binder_call(hal_can_bus_server, hal_can_bus_client)
+hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_cas.te b/microdroid/sepolicy/system/public/hal_cas.te
new file mode 100644
index 0000000..e699a6b
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_cas.te
@@ -0,0 +1,38 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_cas_client, hal_cas_server)
+binder_call(hal_cas_server, hal_cas_client)
+
+hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
+allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_cas_server, serialno_prop)
+
+# Read files already opened under /data
+allow hal_cas system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_cas, cgroup)
+allow hal_cas cgroup:dir { search write };
+allow hal_cas cgroup:file w_file_perms;
+
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_cas ion_device:chr_file rw_file_perms;
+allow hal_cas hal_graphics_allocator:fd use;
+
+allow hal_cas tee_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# hal_cas should never execute any executable without a
+# domain transition
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/hal_codec2.te b/microdroid/sepolicy/system/public/hal_codec2.te
new file mode 100644
index 0000000..a379bb3
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_codec2.te
@@ -0,0 +1,27 @@
+get_prop(hal_codec2_client, media_variant_prop)
+get_prop(hal_codec2_server, media_variant_prop)
+get_prop(hal_codec2_client, codec2_config_prop)
+get_prop(hal_codec2_server, codec2_config_prop)
+
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
diff --git a/microdroid/sepolicy/system/public/hal_configstore.te b/microdroid/sepolicy/system/public/hal_configstore.te
new file mode 100644
index 0000000..069da47
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_configstore.te
@@ -0,0 +1,69 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
+
+hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
+
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
+
+###
+### neverallow rules
+###
+
+# Should never execute an executable without a domain transition
+neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access. Disallow sockets except for
+# for unix stream/dgram sockets used for logging/debugging.
+neverallow hal_configstore_server domain:{
+ rawip_socket tcp_socket udp_socket
+ netlink_route_socket netlink_selinux_socket
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+neverallow hal_configstore_server {
+ domain
+ -hal_configstore_server
+ -logd
+ userdebug_or_eng(`-su')
+ -tombstoned
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+}:{ unix_dgram_socket unix_stream_socket } *;
+
+# Should never need access to anything on /data
+neverallow hal_configstore_server {
+ data_file_type
+ -anr_data_file # for crash dump collection
+ -tombstone_data_file # for crash dump collection
+ -zoneinfo_data_file # granted to domain
+ with_native_coverage(`-method_trace_data_file')
+}:{ file fifo_file sock_file } *;
+
+# Should never need sdcard access
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:dir ~getattr;
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:file *;
+
+# Do not permit access to service_manager and vndservice_manager
+neverallow hal_configstore_server *:service_manager *;
+
+# No privileged capabilities
+neverallow hal_configstore_server self:capability_class_set *;
+
+# No ptracing other processes
+neverallow hal_configstore_server *:process ptrace;
+
+# no relabeling
+neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
diff --git a/microdroid/sepolicy/system/public/hal_confirmationui.te b/microdroid/sepolicy/system/public/hal_confirmationui.te
new file mode 100644
index 0000000..5d2e4b7
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_confirmationui.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_contexthub.te b/microdroid/sepolicy/system/public/hal_contexthub.te
new file mode 100644
index 0000000..34acb38
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_contexthub.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_drm.te b/microdroid/sepolicy/system/public/hal_drm.te
new file mode 100644
index 0000000..bb1bd91
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_drm.te
@@ -0,0 +1,56 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
+
+hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# Read files already opened under /data
+allow hal_drm system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to hidl_memory allocation service
+allow hal_drm hal_allocator_server:fd use;
+
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
+allow hal_drm sysfs:file r_file_perms;
+
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+allow hal_drm_server { appdomain -isolated_app }:fd use;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/hal_dumpstate.te b/microdroid/sepolicy/system/public/hal_dumpstate.te
new file mode 100644
index 0000000..9f854e3
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_dumpstate.te
@@ -0,0 +1,12 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_dumpstate_client, hal_dumpstate_server)
+binder_call(hal_dumpstate_server, hal_dumpstate_client)
+
+set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
+
+hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
+
+# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
+allow hal_dumpstate shell_data_file:file write;
+# allow reading /proc/interrupts for all hal impls
+allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_evs.te b/microdroid/sepolicy/system/public/hal_evs.te
new file mode 100644
index 0000000..789333a
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_evs.te
@@ -0,0 +1,5 @@
+hwbinder_use(hal_evs_client)
+hwbinder_use(hal_evs_server)
+binder_call(hal_evs_client, hal_evs_server)
+binder_call(hal_evs_server, hal_evs_client)
+hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_face.te b/microdroid/sepolicy/system/public/hal_face.te
new file mode 100644
index 0000000..0134576
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_face.te
@@ -0,0 +1,15 @@
+# Allow HwBinder IPC from client to server, and vice versa for callbacks.
+binder_call(hal_face_client, hal_face_server)
+binder_call(hal_face_server, hal_face_client)
+
+hal_attribute_hwservice(hal_face, hal_face_hwservice)
+hal_attribute_service(hal_face, hal_face_service)
+
+binder_call(hal_face_server, servicemanager)
+
+# Allow access to the ion memory allocation device.
+allow hal_face ion_device:chr_file r_file_perms;
+
+# Allow read/write access to the face template directory.
+allow hal_face face_vendor_data_file:file create_file_perms;
+allow hal_face face_vendor_data_file:dir rw_dir_perms;
diff --git a/microdroid/sepolicy/system/public/hal_fingerprint.te b/microdroid/sepolicy/system/public/hal_fingerprint.te
new file mode 100644
index 0000000..444cfda
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_fingerprint.te
@@ -0,0 +1,20 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_fingerprint_client, hal_fingerprint_server)
+binder_call(hal_fingerprint_server, hal_fingerprint_client)
+
+hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
+hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
+
+binder_call(hal_fingerprint_server, servicemanager)
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
+allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+
+r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
+r_dir_file(hal_fingerprint, sysfs)
+
+
diff --git a/microdroid/sepolicy/system/public/hal_gatekeeper.te b/microdroid/sepolicy/system/public/hal_gatekeeper.te
new file mode 100644
index 0000000..b918f88
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_gatekeeper.te
@@ -0,0 +1,7 @@
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
+
+hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice)
+
+# TEE access.
+allow hal_gatekeeper tee_device:chr_file rw_file_perms;
+allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_gnss.te b/microdroid/sepolicy/system/public/hal_gnss.te
new file mode 100644
index 0000000..832bc8d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_gnss.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
+hal_attribute_service(hal_gnss, hal_gnss_service)
+binder_call(hal_gnss_server, servicemanager)
+binder_call(hal_gnss_client, servicemanager)
+
diff --git a/microdroid/sepolicy/system/public/hal_graphics_allocator.te b/microdroid/sepolicy/system/public/hal_graphics_allocator.te
new file mode 100644
index 0000000..3ec6b96
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_graphics_allocator.te
@@ -0,0 +1,14 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
+hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
+
+# GPU device access
+allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_graphics_composer.te b/microdroid/sepolicy/system/public/hal_graphics_composer.te
new file mode 100644
index 0000000..1c69c99
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_graphics_composer.te
@@ -0,0 +1,32 @@
+type hal_graphics_composer_server_tmpfs, file_type;
+attribute hal_graphics_composer_client_tmpfs;
+expandattribute hal_graphics_composer_client_tmpfs true;
+
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
+allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
+
+hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
+
+# Coordinate with hal_graphics_mapper
+allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_graphics_composer hal_graphics_allocator:fd use;
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:dir search;
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+
+# Fences
+allow hal_graphics_composer system_server:fd use;
+allow hal_graphics_composer bootanim:fd use;
+allow hal_graphics_composer appdomain:fd use;
+
+# allow self to set SCHED_FIFO
+allow hal_graphics_composer self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_health.te b/microdroid/sepolicy/system/public/hal_health.te
new file mode 100644
index 0000000..dc7d083
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_health.te
@@ -0,0 +1,27 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+hal_attribute_hwservice(hal_health, hal_health_hwservice)
+
+# Common rules for a health service.
+
+# Allow to listen to uevents for updates
+allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Allow to read /sys/class/power_supply directory
+allow hal_health_server sysfs:dir r_dir_perms;
+
+# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
+# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
+# HAL service.
+r_dir_file(hal_health_server, sysfs_batteryinfo)
+
+# Allow to wake up to send periodic events
+wakelock_use(hal_health_server)
+
+# Write to /dev/kmsg
+allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
+
+# Allow to use timerfd to wake itself up periodically to send health info.
+allow hal_health_server self:capability2 wake_alarm;
diff --git a/microdroid/sepolicy/system/public/hal_health_storage.te b/microdroid/sepolicy/system/public/hal_health_storage.te
new file mode 100644
index 0000000..4938a16
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_health_storage.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_storage_client, hal_health_storage_server)
+binder_call(hal_health_storage_server, hal_health_storage_client)
+
+binder_use(hal_health_storage_server)
+
+hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
+hal_attribute_service(hal_health_storage, hal_health_storage_service)
+
+# Allow ReadDefaultFstab().
+read_fstab(hal_health_storage_server)
diff --git a/microdroid/sepolicy/system/public/hal_identity.te b/microdroid/sepolicy/system/public/hal_identity.te
new file mode 100644
index 0000000..8d558ad
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_identity.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_identity_client, hal_identity_server)
+
+hal_attribute_service(hal_identity, hal_identity_service)
+
+binder_call(hal_identity_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_input_classifier.te b/microdroid/sepolicy/system/public/hal_input_classifier.te
new file mode 100644
index 0000000..70a4b7d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_input_classifier.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_classifier_client, hal_input_classifier_server)
+
+hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_ir.te b/microdroid/sepolicy/system/public/hal_ir.te
new file mode 100644
index 0000000..29555f7
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_ir.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_keymaster.te b/microdroid/sepolicy/system/public/hal_keymaster.te
new file mode 100644
index 0000000..3e164ad
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_keymaster.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
+
+hal_attribute_hwservice(hal_keymaster, hal_keymaster_hwservice)
+
+allow hal_keymaster tee_device:chr_file rw_file_perms;
+allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_keymint.te b/microdroid/sepolicy/system/public/hal_keymint.te
new file mode 100644
index 0000000..e56ab99
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_keymint.te
@@ -0,0 +1,5 @@
+binder_call(hal_keymint_client, hal_keymint_server)
+
+hal_attribute_service(hal_keymint, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
+binder_call(hal_keymint_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_light.te b/microdroid/sepolicy/system/public/hal_light.te
new file mode 100644
index 0000000..40829b6
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_light.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+hal_attribute_hwservice(hal_light, hal_light_hwservice)
+hal_attribute_service(hal_light, hal_light_service)
+
+binder_call(hal_light_server, servicemanager)
+binder_use(hal_light_client)
+
+allow hal_light_server dumpstate:fifo_file write;
+
+allow hal_light sysfs_leds:lnk_file read;
+allow hal_light sysfs_leds:file rw_file_perms;
+allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/microdroid/sepolicy/system/public/hal_lowpan.te b/microdroid/sepolicy/system/public/hal_lowpan.te
new file mode 100644
index 0000000..6fb95e9
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_lowpan.te
@@ -0,0 +1,20 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_lowpan_client, hal_lowpan_server)
+binder_call(hal_lowpan_server, hal_lowpan_client)
+
+
+# Allow hal_lowpan_client to be able to find the hal_lowpan_server
+hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice)
+
+# hal_lowpan domain can write/read to/from lowpan_prop
+set_prop(hal_lowpan_server, lowpan_prop)
+
+# Allow hal_lowpan_server to open lowpan_devices
+allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Only LoWPAN HAL may directly access LoWPAN hardware
+neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
diff --git a/microdroid/sepolicy/system/public/hal_memtrack.te b/microdroid/sepolicy/system/public/hal_memtrack.te
new file mode 100644
index 0000000..30a4480
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_memtrack.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
+
+hal_attribute_service(hal_memtrack, hal_memtrack_service)
+binder_call(hal_memtrack_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_neuralnetworks.te b/microdroid/sepolicy/system/public/hal_neuralnetworks.te
new file mode 100644
index 0000000..7497dec
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_neuralnetworks.te
@@ -0,0 +1,41 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
+binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
+
+hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
+allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_allocator:fd use;
+allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_graphics_allocator:fd use;
+
+# Allow NN HAL service to use a client-provided fd residing in /data/data/.
+allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
+allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
+
+# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
+allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
+
+# Allow NN HAL service to read a client-provided ION memory fd.
+allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
+
+# Allow NN HAL service to use a client-provided fd residing in /storage
+allow hal_neuralnetworks_server storage_file:file { getattr map read };
+
+# Allow NN HAL service to read a client-provided fd residing in /data/app/.
+allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
+
+# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
+# property to determine whether to deny NNAPI extensions use for apps
+# on product partition (apps in GSI are not allowed to use NNAPI extensions).
+get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+# This property is only expected to be found in /product/build.prop,
+# allow to be set only by init.
+neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
+
+# Define sepolicy for NN AIDL HAL service
+hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
+binder_call(hal_neuralnetworks_server, servicemanager)
+
+binder_use(hal_neuralnetworks_server)
+
+allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/microdroid/sepolicy/system/public/hal_neverallows.te b/microdroid/sepolicy/system/public/hal_neverallows.te
new file mode 100644
index 0000000..4117878
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_neverallows.te
@@ -0,0 +1,61 @@
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+ halserverdomain
+ -hal_bluetooth_server
+ -hal_can_controller_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
+# NOTE: HALs for automotive devices have an exemption from this rule because in
+# a car it is common to have external modules and HALs need to communicate to
+# those modules using network. Using this exemption for non-automotive builds
+# will result in CTS failure.
+neverallow {
+ halserverdomain
+ -hal_automotive_socket_exemption
+ -hal_can_controller_server
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+} domain:{ tcp_socket udp_socket rawip_socket } *;
+
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+# the platform.
+# 3) The platform cannot reason about defense in depth if there are
+# monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+ halserverdomain
+ -hal_dumpstate_server
+ -hal_telephony_server
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;
diff --git a/microdroid/sepolicy/system/public/hal_nfc.te b/microdroid/sepolicy/system/public/hal_nfc.te
new file mode 100644
index 0000000..7cef4a1
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_nfc.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_nfc_client, hal_nfc_server)
+binder_call(hal_nfc_server, hal_nfc_client)
+
+hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
+
+# Set NFC properties (used by bcm2079x HAL).
+set_prop(hal_nfc, nfc_prop)
+
+# NFC device access.
+allow hal_nfc nfc_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_oemlock.te b/microdroid/sepolicy/system/public/hal_oemlock.te
new file mode 100644
index 0000000..9f38fa5
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_oemlock.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_oemlock_client, hal_oemlock_server)
+
+hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
+hal_attribute_service(hal_oemlock, hal_oemlock_service)
+
+binder_call(hal_oemlock_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_omx.te b/microdroid/sepolicy/system/public/hal_omx.te
new file mode 100644
index 0000000..8e74383
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_omx.te
@@ -0,0 +1,49 @@
+# applies all permissions to hal_omx NOT hal_omx_server
+# since OMX must always be in its own process.
+
+binder_call(hal_omx_server, binderservicedomain)
+binder_call(hal_omx_server, { appdomain -isolated_app })
+
+# Allow hal_omx_server access to composer sync fences
+allow hal_omx_server hal_graphics_composer:fd use;
+
+allow hal_omx_server ion_device:chr_file rw_file_perms;
+allow hal_omx_server hal_camera:fd use;
+
+crash_dump_fallback(hal_omx_server)
+
+# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use pdx_client macro.
+allow hal_omx_server bufferhubd:fd use;
+
+hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
+
+allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
+
+get_prop(hal_omx_client, media_variant_prop)
+get_prop(hal_omx_server, media_variant_prop)
+
+binder_call(hal_omx_client, hal_omx_server)
+binder_call(hal_omx_server, hal_omx_client)
+
+###
+### neverallow rules
+###
+
+# hal_omx_server should never execute any executable without a
+# domain transition
+neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/hal_power.te b/microdroid/sepolicy/system/public/hal_power.te
new file mode 100644
index 0000000..aae32a0
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_power.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+hal_attribute_hwservice(hal_power, hal_power_hwservice)
+hal_attribute_service(hal_power, hal_power_service)
+
+binder_call(hal_power_server, servicemanager)
+binder_call(hal_power_client, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_power_stats.te b/microdroid/sepolicy/system/public/hal_power_stats.te
new file mode 100644
index 0000000..4076eff
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_power_stats.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_stats_client, hal_power_stats_server)
+binder_call(hal_power_stats_server, hal_power_stats_client)
+
+hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
+hal_attribute_service(hal_power_stats, hal_power_stats_service)
+
+binder_call(hal_power_stats_server, servicemanager)
+binder_call(hal_power_stats_client, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_rebootescrow.te b/microdroid/sepolicy/system/public/hal_rebootescrow.te
new file mode 100644
index 0000000..d16333b
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_rebootescrow.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
+
+hal_attribute_service(hal_rebootescrow, hal_rebootescrow_service)
+
+binder_use(hal_rebootescrow_server)
diff --git a/microdroid/sepolicy/system/public/hal_secure_element.te b/microdroid/sepolicy/system/public/hal_secure_element.te
new file mode 100644
index 0000000..3724d35
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_secure_element.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_sensors.te b/microdroid/sepolicy/system/public/hal_sensors.te
new file mode 100644
index 0000000..06e76f1
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_sensors.te
@@ -0,0 +1,14 @@
+# HwBinder IPC from client to server
+binder_call(hal_sensors_client, hal_sensors_server)
+
+hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
+
+# Allow sensor hals to access ashmem memory allocated by apps
+allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
+
+# allow to run with real-time scheduling policy
+allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/microdroid/sepolicy/system/public/hal_telephony.te b/microdroid/sepolicy/system/public/hal_telephony.te
new file mode 100644
index 0000000..f0cf075
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_telephony.te
@@ -0,0 +1,44 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
+
+allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
+
+allow hal_telephony_server self:netlink_route_socket nlmsg_write;
+allow hal_telephony_server kernel:system module_request;
+allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
+allow hal_telephony_server cgroup:dir create_dir_perms;
+allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
+allow hal_telephony_server radio_device:chr_file rw_file_perms;
+allow hal_telephony_server radio_device:blk_file r_file_perms;
+allow hal_telephony_server efs_file:dir create_dir_perms;
+allow hal_telephony_server efs_file:file create_file_perms;
+allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
+allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
+allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
+
+# property service
+get_prop(hal_telephony_server, telephony_config_prop)
+set_prop(hal_telephony_server, radio_control_prop)
+set_prop(hal_telephony_server, radio_prop)
+set_prop(hal_telephony_server, telephony_status_prop)
+
+allow hal_telephony_server tty_device:chr_file rw_file_perms;
+
+# Allow hal_telephony_server to create and use netlink sockets.
+allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access to wake locks
+wakelock_use(hal_telephony_server)
+
+r_dir_file(hal_telephony_server, proc_net_type)
+r_dir_file(hal_telephony_server, sysfs_type)
+
+# granting the ioctl permission for hal_telephony_server should be device specific
+allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
diff --git a/microdroid/sepolicy/system/public/hal_tetheroffload.te b/microdroid/sepolicy/system/public/hal_tetheroffload.te
new file mode 100644
index 0000000..cf51723
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_tetheroffload.te
@@ -0,0 +1,8 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
+binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/microdroid/sepolicy/system/public/hal_thermal.te b/microdroid/sepolicy/system/public/hal_thermal.te
new file mode 100644
index 0000000..2115da1
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_thermal.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_tv_cec.te b/microdroid/sepolicy/system/public/hal_tv_cec.te
new file mode 100644
index 0000000..6584904
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_tv_cec.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_cec_client, hal_tv_cec_server)
+binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+hal_attribute_hwservice(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_tv_input.te b/microdroid/sepolicy/system/public/hal_tv_input.te
new file mode 100644
index 0000000..5a5bdda
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_tv_input.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
+
+hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_tv_tuner.te b/microdroid/sepolicy/system/public/hal_tv_tuner.te
new file mode 100644
index 0000000..0da4ec7
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_tv_tuner.te
@@ -0,0 +1,4 @@
+binder_call(hal_tv_tuner_client, hal_tv_tuner_server)
+binder_call(hal_tv_tuner_server, hal_tv_tuner_client)
+
+hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_usb.te b/microdroid/sepolicy/system/public/hal_usb.te
new file mode 100644
index 0000000..38bc49a
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_usb.te
@@ -0,0 +1,18 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
+
+allow hal_usb self:netlink_kobject_uevent_socket create;
+allow hal_usb self:netlink_kobject_uevent_socket setopt;
+allow hal_usb self:netlink_kobject_uevent_socket getopt;
+allow hal_usb self:netlink_kobject_uevent_socket bind;
+allow hal_usb self:netlink_kobject_uevent_socket read;
+allow hal_usb sysfs:dir open;
+allow hal_usb sysfs:dir read;
+allow hal_usb sysfs:file read;
+allow hal_usb sysfs:file open;
+allow hal_usb sysfs:file write;
+allow hal_usb sysfs:file getattr;
+
diff --git a/microdroid/sepolicy/system/public/hal_usb_gadget.te b/microdroid/sepolicy/system/public/hal_usb_gadget.te
new file mode 100644
index 0000000..a474652
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_usb_gadget.te
@@ -0,0 +1,13 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
+binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
+
+hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
+
+# Configuring usb gadget functions
+allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
+allow hal_usb_gadget_server configfs:dir rw_dir_perms;
+allow hal_usb_gadget_server configfs:file create_file_perms;
+allow hal_usb_gadget_server functionfs:dir { read search };
+allow hal_usb_gadget_server functionfs:file read;
+
diff --git a/microdroid/sepolicy/system/public/hal_vehicle.te b/microdroid/sepolicy/system/public/hal_vehicle.te
new file mode 100644
index 0000000..6855d14
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_vehicle.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vehicle_client, hal_vehicle_server)
+binder_call(hal_vehicle_server, hal_vehicle_client)
+
+
+hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_vibrator.te b/microdroid/sepolicy/system/public/hal_vibrator.te
new file mode 100644
index 0000000..c902495
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_vibrator.te
@@ -0,0 +1,14 @@
+# HwBinder IPC client/server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+binder_call(hal_vibrator_server, hal_vibrator_client);
+
+hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
+hal_attribute_service(hal_vibrator, hal_vibrator_service)
+
+binder_call(hal_vibrator_server, servicemanager)
+
+allow hal_vibrator_server dumpstate:fifo_file write;
+
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
+allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/microdroid/sepolicy/system/public/hal_vr.te b/microdroid/sepolicy/system/public/hal_vr.te
new file mode 100644
index 0000000..e52c77f
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_vr.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
diff --git a/microdroid/sepolicy/system/public/hal_weaver.te b/microdroid/sepolicy/system/public/hal_weaver.te
new file mode 100644
index 0000000..2b34989
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_weaver.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_weaver_client, hal_weaver_server)
+
+hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
+hal_attribute_service(hal_weaver, hal_weaver_service)
+
+binder_call(hal_weaver_server, servicemanager)
diff --git a/microdroid/sepolicy/system/public/hal_wifi.te b/microdroid/sepolicy/system/public/hal_wifi.te
new file mode 100644
index 0000000..2e4fa78
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_wifi.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_client, hal_wifi_server)
+binder_call(hal_wifi_server, hal_wifi_client)
+
+hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
+
+r_dir_file(hal_wifi, proc_net_type)
+r_dir_file(hal_wifi, sysfs_type)
+
+set_prop(hal_wifi_server, wifi_hal_prop)
+set_prop(hal_wifi, wifi_prop)
+userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
+
+# allow hal wifi set interfaces up and down and get the factory MAC
+allow hal_wifi self:udp_socket create_socket_perms;
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+
+allow hal_wifi self:global_capability_class_set { net_admin net_raw };
+# allow hal_wifi to speak to nl80211 in the kernel
+allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
+# hal_wifi writes firmware paths to this file.
+allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
+# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
+allow hal_wifi proc_modules:file { getattr open read };
+# Allow hal_wifi to send dump info to dumpstate
+allow hal_wifi dumpstate:fifo_file write;
+
+# allow hal_wifi to write into /data/vendor/tombstones/wifi
+allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
+allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
diff --git a/microdroid/sepolicy/system/public/hal_wifi_hostapd.te b/microdroid/sepolicy/system/public/hal_wifi_hostapd.te
new file mode 100644
index 0000000..12d72b6
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_wifi_hostapd.te
@@ -0,0 +1,27 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;
diff --git a/microdroid/sepolicy/system/public/hal_wifi_supplicant.te b/microdroid/sepolicy/system/public/hal_wifi_supplicant.te
new file mode 100644
index 0000000..7361af1
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hal_wifi_supplicant.te
@@ -0,0 +1,38 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
+binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+
+hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
+
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(hal_wifi_supplicant, sysfs_type)
+r_dir_file(hal_wifi_supplicant, proc_net_type)
+
+allow hal_wifi_supplicant kernel:system module_request;
+allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
+allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
+allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:packet_socket create_socket_perms;
+allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+use_keystore(hal_wifi_supplicant)
+binder_use(hal_wifi_supplicant_server)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+ get_info
+ use
+};
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/microdroid/sepolicy/system/public/healthd.te b/microdroid/sepolicy/system/public/healthd.te
new file mode 100644
index 0000000..05acb84
--- /dev/null
+++ b/microdroid/sepolicy/system/public/healthd.te
@@ -0,0 +1,50 @@
+# healthd - battery/charger monitoring service daemon
+type healthd, domain;
+type healthd_exec, system_file_type, exec_type, file_type;
+
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+allow healthd sysfs_type:dir search;
+# Allow to read /sys/class/power_supply directory.
+allow healthd sysfs:dir r_dir_perms;
+r_dir_file(healthd, rootfs)
+r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
+
+allow healthd self:global_capability_class_set { sys_tty_config };
+allow healthd self:global_capability_class_set sys_boot;
+dontaudit healthd self:global_capability_class_set sys_resource;
+
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+wakelock_use(healthd)
+
+hal_client_domain(healthd, hal_health)
+
+# Read/write to /sys/power/state
+allow healthd sysfs_power:file rw_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow healthd sysfs_usb:file write;
+
+r_dir_file(healthd, sysfs_batteryinfo)
+
+###
+### healthd: charger mode
+###
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow healthd pstorefs:dir r_dir_perms;
+allow healthd pstorefs:file r_file_perms;
+
+allow healthd graphics_device:dir r_dir_perms;
+allow healthd graphics_device:chr_file rw_file_perms;
+allow healthd input_device:dir r_dir_perms;
+allow healthd input_device:chr_file r_file_perms;
+allow healthd tty_device:chr_file rw_file_perms;
+allow healthd ashmem_device:chr_file execute;
+allow healthd proc_sysrq:file rw_file_perms;
diff --git a/microdroid/sepolicy/system/public/heapprofd.te b/microdroid/sepolicy/system/public/heapprofd.te
new file mode 100644
index 0000000..7ceb23f
--- /dev/null
+++ b/microdroid/sepolicy/system/public/heapprofd.te
@@ -0,0 +1 @@
+type heapprofd, domain, coredomain;
diff --git a/microdroid/sepolicy/system/public/hwservice.te b/microdroid/sepolicy/system/public/hwservice.te
new file mode 100644
index 0000000..11b77f0
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hwservice.te
@@ -0,0 +1,101 @@
+# hwservice types. By default most of the HALs are protected_hwservice, which means
+# access from untrusted apps is prohibited.
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+
+# Following is the hwservices that are explicitly not marked with protected_hwservice.
+# These are directly accessible from untrusted apps.
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safer than ordinary hwservices which
+# are from vendor partition
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
+# - hal_drm_hwservice: versions > API 29 are designed specifically with
+# untrusted app access in mind.
+type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_cas_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_neuralnetworks_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+
+###
+### Neverallow rules
+###
+
+# hwservicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a
+# hwservice. Trigger a compile error if this occurs.
+neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
diff --git a/microdroid/sepolicy/system/public/hwservicemanager.te b/microdroid/sepolicy/system/public/hwservicemanager.te
new file mode 100644
index 0000000..7ec1872
--- /dev/null
+++ b/microdroid/sepolicy/system/public/hwservicemanager.te
@@ -0,0 +1,20 @@
+# hwservicemanager - the Binder context manager for HAL services
+type hwservicemanager, domain, mlstrustedsubject;
+type hwservicemanager_exec, system_file_type, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/microdroid/sepolicy/system/public/idmap.te b/microdroid/sepolicy/system/public/idmap.te
new file mode 100644
index 0000000..f41f573
--- /dev/null
+++ b/microdroid/sepolicy/system/public/idmap.te
@@ -0,0 +1,31 @@
+# idmap, when executed by installd
+type idmap, domain;
+type idmap_exec, system_file_type, exec_type, file_type;
+
+# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
+# Use open file to /data/resource-cache file inherited from installd.
+allow idmap installd:fd use;
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
+
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
+
+# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+binder_service(idmap)
+add_service(idmap, idmap_service)
diff --git a/microdroid/sepolicy/system/public/incident.te b/microdroid/sepolicy/system/public/incident.te
new file mode 100644
index 0000000..ce57bf6
--- /dev/null
+++ b/microdroid/sepolicy/system/public/incident.te
@@ -0,0 +1,8 @@
+# The incident command is used to call into the incidentd service to
+# take an incident report (binary, shared bugreport), download incident
+# reports that have already been taken, and monitor for new ones.
+# It doesn't do anything else.
+
+# incident
+type incident, domain;
+
diff --git a/microdroid/sepolicy/system/public/incident_helper.te b/microdroid/sepolicy/system/public/incident_helper.te
new file mode 100644
index 0000000..bca1018
--- /dev/null
+++ b/microdroid/sepolicy/system/public/incident_helper.te
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
diff --git a/microdroid/sepolicy/system/public/incidentd.te b/microdroid/sepolicy/system/public/incidentd.te
new file mode 100644
index 0000000..b03249c
--- /dev/null
+++ b/microdroid/sepolicy/system/public/incidentd.te
@@ -0,0 +1,3 @@
+# incidentd
+type incidentd, domain;
+
diff --git a/microdroid/sepolicy/system/public/init.te b/microdroid/sepolicy/system/public/init.te
new file mode 100644
index 0000000..ea5a979
--- /dev/null
+++ b/microdroid/sepolicy/system/public/init.te
@@ -0,0 +1,659 @@
+# init is its own domain.
+type init, domain, mlstrustedsubject;
+type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+#
+# init direct restorecon calls.
+#
+# /dev/kmsg
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { getattr write relabelto };
+# /dev/kmsg_debug
+userdebug_or_eng(`
+ allow init kmsg_debug_device:chr_file { open write relabelto };
+')
+
+# allow init to mount and unmount debugfs in debug builds
+userdebug_or_eng(`
+ allow init debugfs:dir mounton;
+')
+
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device dm_user_device }:dir relabelto;
+# allow init to establish connection and communicate with lmkd
+unix_socket_connect(init, lmkd, lmkd)
+# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
+allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+allow init {
+ metadata_block_device
+ misc_block_device
+ recovery_block_device
+ system_block_device
+ userdata_block_device
+}:{ blk_file lnk_file } relabelto;
+
+allow init super_block_device:lnk_file relabelto;
+
+# Create /mnt/sdcard -> /storage/self/primary symlink.
+allow init mnt_sdcard_file:lnk_file create;
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Create /dev/fscklogs files.
+allow init fscklogs:file create_file_perms;
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init {
+ rootfs
+ cache_file
+ cgroup
+ linkerconfig_file
+ storage_file
+ mnt_user_file
+ system_data_file
+ system_data_root_file
+ system_file
+ vendor_file
+ postinstall_mnt_dir
+ mirror_data_file
+}:dir mounton;
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
+# Bind-mount on /system/apex/com.android.art
+allow init art_apex_dir:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
+
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
+
+# /metadata
+allow init metadata_file:dir mounton;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set { dac_override dac_read_search };
+
+# Set system clock.
+allow init self:global_capability_class_set sys_time;
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init {
+ fs_type
+ enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+ userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -apex_info_file
+ -app_data_file
+ -exec_type
+ -gsi_data_file
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -runtime_event_log_tags_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -gsi_data_file
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -apex_mnt_dir
+ -app_data_file
+ -exec_type
+ -gsi_data_file
+ -iorapd_data_file
+ -credstore_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -privapp_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file_type
+ -vendor_file_type
+ -vold_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init cache_file:lnk_file r_file_perms;
+
+allow init {
+ file_type
+ -system_file_type
+ -vendor_file_type
+ -exec_type
+ -app_data_file
+ -privapp_data_file
+}:dir_file_class_set relabelto;
+
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow init debugfs_tracing:file w_file_perms;
+
+# Setup and control wifi event tracing (see wifi-events.rc)
+allow init debugfs_tracing_instances:dir create_dir_perms;
+allow init debugfs_tracing_instances:file w_file_perms;
+allow init debugfs_wifi_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow init {
+ fs_type
+ -contextmount_type
+ -keychord_device
+ -proc_type
+ -sdcard_type
+ -sysfs_type
+ -rootfs
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
+
+allow init {
+ binder_device
+ console_device
+ devpts
+ dm_device
+ hwbinder_device
+ input_device
+ kmsg_device
+ null_device
+ owntty_device
+ pmsg_device
+ ptmx_device
+ random_device
+ tty_device
+ zero_device
+}:chr_file { read open };
+
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
+
+userdebug_or_eng(`
+ # Overlayfs workdir write access check during mount to permit remount,rw
+ allow init overlayfs_file:dir { relabelfrom mounton write };
+ allow init overlayfs_file:file { append };
+ allow init system_block_device:blk_file { write };
+')
+
+allow init {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
+
+allow init {
+ proc_abi
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net_type
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory # /proc/sys/vm/overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_bootconfig
+ proc_kmsg
+ proc_net
+ proc_pagetypeinfo
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_sysrq
+ proc_qtaguid_ctrl
+ proc_vmallocinfo
+}:file setattr;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_dm_verity
+ sysfs_leds
+ sysfs_power
+ sysfs_fs_f2fs
+ sysfs_dm
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+ sysfs_fs_ext4_features
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_SET_FD
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
+};
+
+# Allow init to write to vibrator/trigger
+allow init sysfs_vibrator:file w_file_perms;
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+ sysfs_zram
+}:file setattr;
+
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates credstore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init credstore_data_file:dir { open create read getattr setattr search };
+allow init credstore_data_file:file { getattr };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
+
+# swapon() needs write access to swap device
+# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
+allow init swap_block_device:blk_file rw_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# keychord retrieval from /dev/input/ devices
+allow init input_device:dir r_dir_perms;
+allow init input_device:chr_file rw_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# Access dm-user for OTA boot
+allow init dm_user_device:chr_file rw_file_perms;
+
+# Access metadata block device for storing dm-verity state
+allow init metadata_block_device:blk_file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops to detect restarts caused
+# by dm-verity detecting corrupted blocks
+allow init pstorefs:dir search;
+allow init pstorefs:file r_file_perms;
+allow init kernel:system syslog_read;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to create /data/unencrypted
+allow init unencrypted_data_file:dir create_dir_perms;
+
+# Set encryption policy on dirs in /data
+allowxperm init { data_file_type unlabeled }:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+};
+
+# Raw writes to misc block device
+allow init misc_block_device:blk_file w_file_perms;
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
+
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+allow init metadata_bootstat_file:dir create_dir_perms;
+allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
+
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
+# init is using bootstrap bionic
+allow init system_bootstrap_lib_file:dir r_dir_perms;
+allow init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via an exec based transition from the
+# kernel domain, never via setcon().
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel } init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init { app_data_file privapp_data_file }:lnk_file read;
+
+# init should never execute a program without changing to another domain.
+neverallow init { file_type fs_type }:file execute_no_trans;
+
+# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
+# when init is executing other binaries. The use of LD_PRELOAD for init spawned
+# services is generally considered a no-no, as it injects libraries which the
+# binary was not expecting. This is especially problematic for APEXes. The use
+# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
+# code into a process which wasn't expecting that code, with potentially
+# unexpected side effects. (b/140789528)
+neverallow init *:process noatsecure;
+
+# init can never add binder services
+neverallow init service_manager_type:service_manager { add find };
+# init can never list binder services
+neverallow init servicemanager:service_manager list;
+
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow init shell_data_file:dir { write add_name remove_name };
+
+# Init should not access sysfs node that are not explicitly labeled.
+neverallow init sysfs:file { open read write };
+
+# No domain should be allowed to ptrace init.
+neverallow * init:process ptrace;
+
+# init owns the root of /data
+# TODO(b/140259336) We want to remove vendor_init
+# TODO(b/141108496) We want to remove toolbox
+neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
diff --git a/microdroid/sepolicy/system/public/inputflinger.te b/microdroid/sepolicy/system/public/inputflinger.te
new file mode 100644
index 0000000..b62c06d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/inputflinger.te
@@ -0,0 +1,16 @@
+# inputflinger
+type inputflinger, domain;
+type inputflinger_exec, system_file_type, exec_type, file_type;
+
+binder_use(inputflinger)
+binder_service(inputflinger)
+
+binder_call(inputflinger, system_server)
+
+wakelock_use(inputflinger)
+
+allow inputflinger input_device:dir r_dir_perms;
+allow inputflinger input_device:chr_file rw_file_perms;
+
+r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/installd.te b/microdroid/sepolicy/system/public/installd.te
new file mode 100644
index 0000000..eb13cfa
--- /dev/null
+++ b/microdroid/sepolicy/system/public/installd.te
@@ -0,0 +1,175 @@
+# installer daemon
+type installd, domain;
+type installd_exec, system_file_type, exec_type, file_type;
+typeattribute installd mlstrustedsubject;
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
+
+# Allow labeling of files under /data/app/com.example/oat/
+allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
+
+# Allow movement of APK files between volumes
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
+# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
+# TODO(b/120629632): this path is deprecated, remove when possible.
+allowxperm installd apk_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow installd asec_apk_file:file r_file_perms;
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd oemfs:dir r_dir_perms;
+allow installd oemfs:file r_file_perms;
+allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
+allow installd mnt_expand_file:dir { search getattr };
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+
+r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
+# Scan through JARs in /vendor/framework
+r_dir_file(installd, vendor_framework_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
+
+# Search /data/app-asec and stat files in it.
+allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;
+
+# Create /data/user and /data/user/0 if necessary.
+# Also required to initially create /data/data subdirectories
+# and lib symlinks before the setfilecon call. May want to
+# move symlink creation after setfilecon in installd.
+allow installd system_data_file:dir create_dir_perms;
+# Also, allow read for lnk_file so that we can process /data/user/0 links when
+# optimizing application code.
+allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+
+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
+# Upgrade /data/media for multi-user if necessary.
+allow installd media_rw_data_file:dir create_dir_perms;
+allow installd media_rw_data_file:file { getattr unlink };
+# restorecon new /data/media directory.
+allow installd system_data_file:dir relabelfrom;
+allow installd media_rw_data_file:dir relabelto;
+
+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
+allow installd sdcard_type:file { getattr unlink };
+
+# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
+allow installd mirror_data_file:dir { create_dir_perms mounton };
+
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
+# Create /data/misc/installd/layout_version.* file
+allow installd install_data_file:file create_file_perms;
+allow installd install_data_file:dir rw_dir_perms;
+
+# Create files under /data/dalvik-cache.
+allow installd dalvikcache_data_file:dir create_dir_perms;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_data_file:lnk_file getattr;
+
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
+# Upgrade from unlabeled userdata.
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
+
+# Upgrade from before system_app_data_file was used for system UID apps.
+# Just need enough to relabel it and to unlink removed package files.
+# Directory access covered by earlier rule above.
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
+
+# Manage /data/data subdirectories, including initially labeling them
+# upon creation via setfilecon or running restorecon_recursive,
+# setting owner/mode, creating symlinks within them, and deleting them
+# upon package uninstall.
+allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
+
+# Allow zygote to unmount mirror directories
+allow installd labeledfs:filesystem unmount;
+
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
+
+# Create and use pty created by android_fork_execvp().
+allow installd devpts:chr_file rw_file_perms;
+
+# execute toybox for app relocation
+allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+add_service(installd, installd_service)
+allow installd dumpstate:fifo_file { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
+
+# Allow installd to delete from /data/preloads when trimming data caches
+# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
+allow installd preloads_data_file:file { r_file_perms unlink };
+allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+# Allow installd to read /proc/filesystems
+allow installd proc_filesystems:file r_file_perms;
+
+#add for move app to sd card
+get_prop(installd, storage_config_prop)
+
+###
+### Neverallow rules
+###
+
+# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
+neverallow installd {
+ domain
+ -system_server
+ -servicemanager
+ userdebug_or_eng(`-su')
+}:binder call;
diff --git a/microdroid/sepolicy/system/public/ioctl_defines b/microdroid/sepolicy/system/public/ioctl_defines
new file mode 100644
index 0000000..5ac4d94
--- /dev/null
+++ b/microdroid/sepolicy/system/public/ioctl_defines
@@ -0,0 +1,2751 @@
+define(`ADD_NEW_DISK', `0x40140921')
+define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
+define(`AGPIOC_ACQUIRE', `0x00004101')
+define(`AGPIOC_ALLOCATE', `0xc0084106')
+define(`AGPIOC_BIND', `0x40084108')
+define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
+define(`AGPIOC_DEALLOCATE', `0x40044107')
+define(`AGPIOC_INFO', `0x80084100')
+define(`AGPIOC_PROTECT', `0x40084105')
+define(`AGPIOC_RELEASE', `0x00004102')
+define(`AGPIOC_RESERVE', `0x40084104')
+define(`AGPIOC_SETUP', `0x40084103')
+define(`AGPIOC_UNBIND', `0x40084109')
+define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
+define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
+define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
+define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
+define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
+define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
+define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
+define(`ANDROID_ALARM_SET_RTC', `0x40106105')
+define(`ANDROID_ALARM_WAIT', `0x00006101')
+define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
+define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
+define(`APM_IOC_STANDBY', `0x00004101')
+define(`APM_IOC_SUSPEND', `0x00004102')
+define(`ASHMEM_GET_NAME', `0x81007702')
+define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
+define(`ASHMEM_GET_PROT_MASK', `0x00007706')
+define(`ASHMEM_GET_SIZE', `0x00007704')
+define(`ASHMEM_PIN', `0x40087707')
+define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
+define(`ASHMEM_SET_NAME', `0x41007701')
+define(`ASHMEM_SET_PROT_MASK', `0x40087705')
+define(`ASHMEM_SET_SIZE', `0x40087703')
+define(`ASHMEM_UNPIN', `0x40087708')
+define(`ATM_ADDADDR', `0x40106188')
+define(`ATM_ADDLECSADDR', `0x4010618e')
+define(`ATM_ADDPARTY', `0x401061f4')
+define(`ATMARPD_CTRL', `0x000061e1')
+define(`ATMARP_ENCAP', `0x000061e5')
+define(`ATMARP_MKIP', `0x000061e2')
+define(`ATMARP_SETENTRY', `0x000061e3')
+define(`ATM_DELADDR', `0x40106189')
+define(`ATM_DELLECSADDR', `0x4010618f')
+define(`ATM_DROPPARTY', `0x400461f5')
+define(`ATM_GETADDR', `0x40106186')
+define(`ATM_GETCIRANGE', `0x4010618a')
+define(`ATM_GETESI', `0x40106185')
+define(`ATM_GETLECSADDR', `0x40106190')
+define(`ATM_GETLINKRATE', `0x40106181')
+define(`ATM_GETLOOP', `0x40106152')
+define(`ATM_GETNAMES', `0x40106183')
+define(`ATM_GETSTAT', `0x40106150')
+define(`ATM_GETSTATZ', `0x40106151')
+define(`ATM_GETTYPE', `0x40106184')
+define(`ATMLEC_CTRL', `0x000061d0')
+define(`ATMLEC_DATA', `0x000061d1')
+define(`ATMLEC_MCAST', `0x000061d2')
+define(`ATMMPC_CTRL', `0x000061d8')
+define(`ATMMPC_DATA', `0x000061d9')
+define(`ATM_NEWBACKENDIF', `0x400261f3')
+define(`ATM_QUERYLOOP', `0x40106154')
+define(`ATM_RSTADDR', `0x40106187')
+define(`ATM_SETBACKEND', `0x400261f2')
+define(`ATM_SETCIRANGE', `0x4010618b')
+define(`ATM_SETESI', `0x4010618c')
+define(`ATM_SETESIF', `0x4010618d')
+define(`ATM_SETLOOP', `0x40106153')
+define(`ATM_SETSC', `0x400461f1')
+define(`ATMSIGD_CTRL', `0x000061f0')
+define(`ATMTCP_CREATE', `0x0000618e')
+define(`ATMTCP_REMOVE', `0x0000618f')
+define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
+define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
+define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
+define(`AUDIO_CONTINUE', `0x00006f04')
+define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
+define(`AUDIO_GET_PTS', `0x80086f13')
+define(`AUDIO_GET_STATUS', `0x80206f0a')
+define(`AUDIO_PAUSE', `0x00006f03')
+define(`AUDIO_PLAY', `0x00006f02')
+define(`AUDIO_SELECT_SOURCE', `0x00006f05')
+define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
+define(`AUDIO_SET_AV_SYNC', `0x00006f07')
+define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
+define(`AUDIO_SET_EXT_ID', `0x00006f10')
+define(`AUDIO_SET_ID', `0x00006f0d')
+define(`AUDIO_SET_KARAOKE', `0x400c6f12')
+define(`AUDIO_SET_MIXER', `0x40086f0e')
+define(`AUDIO_SET_MUTE', `0x00006f06')
+define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
+define(`AUDIO_STOP', `0x00006f01')
+define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
+define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
+define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
+define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
+define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
+define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
+define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
+define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
+define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
+define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
+define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
+define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
+define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
+define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
+define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
+define(`AUTOFS_IOC_CATATONIC', `0x00009362')
+define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
+define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
+define(`AUTOFS_IOC_FAIL', `0x00009361')
+define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
+define(`AUTOFS_IOC_PROTOVER', `0x80049363')
+define(`AUTOFS_IOC_READY', `0x00009360')
+define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
+define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
+define(`BC_ACQUIRE', `0x40046305')
+define(`BC_ACQUIRE_DONE', `0x40106309')
+define(`BC_ACQUIRE_RESULT', `0x40046302')
+define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
+define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
+define(`BC_DEAD_BINDER_DONE', `0x40086310')
+define(`BC_DECREFS', `0x40046307')
+define(`BC_ENTER_LOOPER', `0x0000630c')
+define(`BC_EXIT_LOOPER', `0x0000630d')
+define(`BC_FREE_BUFFER', `0x40086303')
+define(`BC_INCREFS', `0x40046304')
+define(`BC_INCREFS_DONE', `0x40106308')
+define(`BC_REGISTER_LOOPER', `0x0000630b')
+define(`BC_RELEASE', `0x40046306')
+define(`BC_REPLY', `0x40406301')
+define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
+define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
+define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
+define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
+define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
+define(`BINDER_SET_MAX_THREADS', `0x40046205')
+define(`BINDER_THREAD_EXIT', `0x40046208')
+define(`BINDER_VERSION', `0xc0046209')
+define(`BINDER_WRITE_READ', `0xc0306201')
+define(`BLKALIGNOFF', `0x0000127a')
+define(`BLKBSZGET', `0x80081270')
+define(`BLKBSZSET', `0x40081271')
+define(`BLKDISCARD', `0x00001277')
+define(`BLKDISCARDZEROES', `0x0000127c')
+define(`BLKFLSBUF', `0x00001261')
+define(`BLKFRAGET', `0x00001265')
+define(`BLKFRASET', `0x00001264')
+define(`BLKGETSIZE', `0x00001260')
+define(`BLKGETSIZE64', `0x80081272')
+define(`BLKI2OGRSTRAT', `0x80043201')
+define(`BLKI2OGWSTRAT', `0x80043202')
+define(`BLKI2OSRSTRAT', `0x40043203')
+define(`BLKI2OSWSTRAT', `0x40043204')
+define(`BLKIOMIN', `0x00001278')
+define(`BLKIOOPT', `0x00001279')
+define(`BLKPBSZGET', `0x0000127b')
+define(`BLKPG', `0x00001269')
+define(`BLKRAGET', `0x00001263')
+define(`BLKRASET', `0x00001262')
+define(`BLKROGET', `0x0000125e')
+define(`BLKROSET', `0x0000125d')
+define(`BLKROTATIONAL', `0x0000127e')
+define(`BLKRRPART', `0x0000125f')
+define(`BLKSECDISCARD', `0x0000127d')
+define(`BLKSECTGET', `0x00001267')
+define(`BLKSECTSET', `0x00001266')
+define(`BLKSSZGET', `0x00001268')
+define(`BLKTRACESETUP', `0xc0481273')
+define(`BLKTRACESTART', `0x00001274')
+define(`BLKTRACESTOP', `0x00001275')
+define(`BLKTRACETEARDOWN', `0x00001276')
+define(`BLKZEROOUT', `0x0000127f')
+define(`BR2684_SETFILT', `0x401c6190')
+define(`BR_ACQUIRE', `0x80107208')
+define(`BR_ACQUIRE_RESULT', `0x80047204')
+define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
+define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
+define(`BR_DEAD_BINDER', `0x8008720f')
+define(`BR_DEAD_REPLY', `0x00007205')
+define(`BR_DECREFS', `0x8010720a')
+define(`BR_ERROR', `0x80047200')
+define(`BR_FAILED_REPLY', `0x00007211')
+define(`BR_FINISHED', `0x0000720e')
+define(`BR_INCREFS', `0x80107207')
+define(`BR_NOOP', `0x0000720c')
+define(`BR_OK', `0x00007201')
+define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
+define(`BR_RELEASE', `0x80107209')
+define(`BR_REPLY', `0x80407203')
+define(`BR_SPAWN_LOOPER', `0x0000720d')
+define(`BR_TRANSACTION', `0x80407202')
+define(`BR_TRANSACTION_COMPLETE', `0x00007206')
+define(`BT819_FIFO_RESET_HIGH', `0x00006201')
+define(`BT819_FIFO_RESET_LOW', `0x00006200')
+define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
+define(`BTRFS_IOC_BALANCE', `0x5000940c')
+define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
+define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
+define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
+define(`BTRFS_IOC_CLONE', `0x40049409')
+define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
+define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
+define(`BTRFS_IOC_DEFRAG', `0x50009402')
+define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
+define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
+define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
+define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
+define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
+define(`BTRFS_IOC_FS_INFO', `0x8400941f')
+define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
+define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
+define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
+define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
+define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
+define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
+define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
+define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
+define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
+define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
+define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
+define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
+define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
+define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
+define(`BTRFS_IOC_RESIZE', `0x50009403')
+define(`BTRFS_IOC_RM_DEV', `0x5000940b')
+define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
+define(`BTRFS_IOC_SCRUB', `0xc400941b')
+define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
+define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
+define(`BTRFS_IOC_SEND', `0x40489426')
+define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
+define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
+define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
+define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
+define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
+define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
+define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
+define(`BTRFS_IOC_START_SYNC', `0x80089418')
+define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
+define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
+define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
+define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
+define(`BTRFS_IOC_SYNC', `0x00009408')
+define(`BTRFS_IOC_TRANS_END', `0x00009407')
+define(`BTRFS_IOC_TRANS_START', `0x00009406')
+define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
+define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
+define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
+define(`CA_GET_CAP', `0x80106f81')
+define(`CA_GET_DESCR_INFO', `0x80086f83')
+define(`CA_GET_MSG', `0x810c6f84')
+define(`CA_GET_SLOT_INFO', `0x800c6f82')
+define(`CAPI_CLR_FLAGS', `0x80044325')
+define(`CAPI_GET_ERRCODE', `0x80024321')
+define(`CAPI_GET_FLAGS', `0x80044323')
+define(`CAPI_GET_MANUFACTURER', `0xc0044306')
+define(`CAPI_GET_PROFILE', `0xc0404309')
+define(`CAPI_GET_SERIAL', `0xc0044308')
+define(`CAPI_GET_VERSION', `0xc0104307')
+define(`CAPI_INSTALLED', `0x80024322')
+define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
+define(`CAPI_NCCI_GETUNIT', `0x80044327')
+define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
+define(`CAPI_REGISTER', `0x400c4301')
+define(`CAPI_SET_FLAGS', `0x80044324')
+define(`CA_RESET', `0x00006f80')
+define(`CA_SEND_MSG', `0x410c6f85')
+define(`CA_SET_DESCR', `0x40106f86')
+define(`CA_SET_PID', `0x40086f87')
+define(`CCISS_BIG_PASSTHRU', `0xc0604212')
+define(`CCISS_DEREGDISK', `0x0000420c')
+define(`CCISS_GETBUSTYPES', `0x80044207')
+define(`CCISS_GETDRIVVER', `0x80044209')
+define(`CCISS_GETFIRMVER', `0x80044208')
+define(`CCISS_GETHEARTBEAT', `0x80044206')
+define(`CCISS_GETINTINFO', `0x80084202')
+define(`CCISS_GETLUNINFO', `0x800c4211')
+define(`CCISS_GETNODENAME', `0x80104204')
+define(`CCISS_GETPCIINFO', `0x80084201')
+define(`CCISS_PASSTHRU', `0xc058420b')
+define(`CCISS_REGNEWD', `0x0000420e')
+define(`CCISS_REGNEWDISK', `0x4004420d')
+define(`CCISS_RESCANDISK', `0x00004210')
+define(`CCISS_REVALIDVOLS', `0x0000420a')
+define(`CCISS_SETINTINFO', `0x40084203')
+define(`CCISS_SETNODENAME', `0x40104205')
+define(`CDROMAUDIOBUFSIZ', `0x00005382')
+define(`CDROM_CHANGER_NSLOTS', `0x00005328')
+define(`CDROM_CLEAR_OPTIONS', `0x00005321')
+define(`CDROMCLOSETRAY', `0x00005319')
+define(`CDROM_DEBUG', `0x00005330')
+define(`CDROM_DISC_STATUS', `0x00005327')
+define(`CDROM_DRIVE_STATUS', `0x00005326')
+define(`CDROMEJECT', `0x00005309')
+define(`CDROMEJECT_SW', `0x0000530f')
+define(`CDROM_GET_CAPABILITY', `0x00005331')
+define(`CDROM_GET_MCN', `0x00005311')
+define(`CDROMGETSPINDOWN', `0x0000531d')
+define(`CDROM_LAST_WRITTEN', `0x00005395')
+define(`CDROM_LOCKDOOR', `0x00005329')
+define(`CDROM_MEDIA_CHANGED', `0x00005325')
+define(`CDROMMULTISESSION', `0x00005310')
+define(`CDROM_NEXT_WRITABLE', `0x00005394')
+define(`CDROMPAUSE', `0x00005301')
+define(`CDROMPLAYBLK', `0x00005317')
+define(`CDROMPLAYMSF', `0x00005303')
+define(`CDROMPLAYTRKIND', `0x00005304')
+define(`CDROMREADALL', `0x00005318')
+define(`CDROMREADAUDIO', `0x0000530e')
+define(`CDROMREADCOOKED', `0x00005315')
+define(`CDROMREADMODE1', `0x0000530d')
+define(`CDROMREADMODE2', `0x0000530c')
+define(`CDROMREADRAW', `0x00005314')
+define(`CDROMREADTOCENTRY', `0x00005306')
+define(`CDROMREADTOCHDR', `0x00005305')
+define(`CDROMRESET', `0x00005312')
+define(`CDROMRESUME', `0x00005302')
+define(`CDROMSEEK', `0x00005316')
+define(`CDROM_SELECT_DISC', `0x00005323')
+define(`CDROM_SELECT_SPEED', `0x00005322')
+define(`CDROM_SEND_PACKET', `0x00005393')
+define(`CDROM_SET_OPTIONS', `0x00005320')
+define(`CDROMSETSPINDOWN', `0x0000531e')
+define(`CDROMSTART', `0x00005308')
+define(`CDROMSTOP', `0x00005307')
+define(`CDROMSUBCHNL', `0x0000530b')
+define(`CDROMVOLCTRL', `0x0000530a')
+define(`CDROMVOLREAD', `0x00005313')
+define(`CHIOEXCHANGE', `0x401c6302')
+define(`CHIOGELEM', `0x406c6310')
+define(`CHIOGPARAMS', `0x80146306')
+define(`CHIOGPICKER', `0x80046304')
+define(`CHIOGSTATUS', `0x40106308')
+define(`CHIOGVPARAMS', `0x80706313')
+define(`CHIOINITELEM', `0x00006311')
+define(`CHIOMOVE', `0x40146301')
+define(`CHIOPOSITION', `0x400c6303')
+define(`CHIOSPICKER', `0x40046305')
+define(`CHIOSVOLTAG', `0x40306312')
+define(`CIOC_KERNEL_VERSION', `0xc008630a')
+define(`CLEAR_ARRAY', `0x00000920')
+define(`CM_IOCARDOFF', `0x00006304')
+define(`CM_IOCGATR', `0xc0086301')
+define(`CM_IOCGSTATUS', `0x80086300')
+define(`CM_IOCSPTS', `0x40086302')
+define(`CM_IOCSRDR', `0x00006303')
+define(`CM_IOSDBGLVL', `0x400863fa')
+define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
+define(`CXL_IOCTL_START_WORK', `0x4040ca00')
+define(`DM_DEV_CREATE', `0xc138fd03')
+define(`DM_DEV_REMOVE', `0xc138fd04')
+define(`DM_DEV_RENAME', `0xc138fd05')
+define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
+define(`DM_DEV_STATUS', `0xc138fd07')
+define(`DM_DEV_SUSPEND', `0xc138fd06')
+define(`DM_DEV_WAIT', `0xc138fd08')
+define(`DM_LIST_DEVICES', `0xc138fd02')
+define(`DM_LIST_VERSIONS', `0xc138fd0d')
+define(`DM_REMOVE_ALL', `0xc138fd01')
+define(`DM_TABLE_CLEAR', `0xc138fd0a')
+define(`DM_TABLE_DEPS', `0xc138fd0b')
+define(`DM_TABLE_LOAD', `0xc138fd09')
+define(`DM_TABLE_STATUS', `0xc138fd0c')
+define(`DM_TARGET_MSG', `0xc138fd0e')
+define(`DM_VERSION', `0xc138fd00')
+define(`DMX_ADD_PID', `0x40026f33')
+define(`DMX_GET_CAPS', `0x80086f30')
+define(`DMX_GET_PES_PIDS', `0x800a6f2f')
+define(`DMX_GET_STC', `0xc0106f32')
+define(`DMX_REMOVE_PID', `0x40026f34')
+define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
+define(`DMX_SET_FILTER', `0x403c6f2b')
+define(`DMX_SET_PES_FILTER', `0x40146f2c')
+define(`DMX_SET_SOURCE', `0x40046f31')
+define(`DMX_START', `0x00006f29')
+define(`DMX_STOP', `0x00006f2a')
+define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
+define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
+define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
+define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
+define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
+define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
+define(`DRM_IOCTL_AGP_BIND', `0x40106436')
+define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
+define(`DRM_IOCTL_AGP_FREE', `0x40206435')
+define(`DRM_IOCTL_AGP_INFO', `0x80386433')
+define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
+define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
+define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
+define(`DRM_IOCTL_BLOCK', `0xc0046412')
+define(`DRM_IOCTL_CONTROL', `0x40086414')
+define(`DRM_IOCTL_DMA', `0xc0406429')
+define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
+define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
+define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
+define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
+define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
+define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
+define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
+define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
+define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
+define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
+define(`DRM_IOCTL_FINISH', `0x4008642c')
+define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
+define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
+define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
+define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
+define(`DRM_IOCTL_GET_CAP', `0xc010640c')
+define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
+define(`DRM_IOCTL_GET_CTX', `0xc0086423')
+define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
+define(`DRM_IOCTL_GET_MAP', `0xc0286404')
+define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
+define(`DRM_IOCTL_GET_STATS', `0x80f86406')
+define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
+define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
+define(`DRM_IOCTL_I810_COPY', `0x40106447')
+define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
+define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
+define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
+define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
+define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
+define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
+define(`DRM_IOCTL_I810_INIT', `0x40406440')
+define(`DRM_IOCTL_I810_MC', `0x4020644c')
+define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
+define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
+define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
+define(`DRM_IOCTL_I810_SWAP', `0x00006446')
+define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
+define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
+define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
+define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
+define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
+define(`DRM_IOCTL_I915_FLIP', `0x00006442')
+define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
+define(`DRM_IOCTL_I915_FREE', `0x40086449')
+define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
+define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
+define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
+define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
+define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
+define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
+define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
+define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
+define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
+define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
+define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
+define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
+define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
+define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
+define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
+define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
+define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
+define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
+define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
+define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
+define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
+define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
+define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
+define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
+define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
+define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
+define(`DRM_IOCTL_I915_INIT', `0x40446440')
+define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
+define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
+define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
+define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
+define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
+define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
+define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
+define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
+define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
+define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
+define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
+define(`DRM_IOCTL_LOCK', `0x4008642a')
+define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
+define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
+define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
+define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
+define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
+define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
+define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
+define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
+define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
+define(`DRM_IOCTL_MGA_INIT', `0x40806440')
+define(`DRM_IOCTL_MGA_RESET', `0x00006442')
+define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
+define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
+define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
+define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
+define(`DRM_IOCTL_MOD_CTX', `0x40086422')
+define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
+define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
+define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
+define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
+define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
+define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
+define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
+define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
+define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
+define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
+define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
+define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
+define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
+define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
+define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
+define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
+define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
+define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
+define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
+define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
+define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
+define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
+define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
+define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
+define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
+define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
+define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
+define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
+define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
+define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
+define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
+define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
+define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
+define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
+define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
+define(`DRM_IOCTL_NEW_CTX', `0x40086425')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
+define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
+define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
+define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
+define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
+define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
+define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
+define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
+define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
+define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
+define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
+define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
+define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
+define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
+define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
+define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
+define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
+define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
+define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
+define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
+define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
+define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
+define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
+define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
+define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
+define(`DRM_IOCTL_R128_FLIP', `0x00006453')
+define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
+define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
+define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
+define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
+define(`DRM_IOCTL_R128_INIT', `0x40786440')
+define(`DRM_IOCTL_R128_RESET', `0x00006446')
+define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
+define(`DRM_IOCTL_R128_SWAP', `0x00006447')
+define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
+define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
+define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
+define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
+define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
+define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
+define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
+define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
+define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
+define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
+define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
+define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
+define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
+define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
+define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
+define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
+define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
+define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
+define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
+define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
+define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
+define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
+define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
+define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
+define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
+define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
+define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
+define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
+define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
+define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
+define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
+define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
+define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
+define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
+define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
+define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
+define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
+define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
+define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
+define(`DRM_IOCTL_RES_CTX', `0xc0106426')
+define(`DRM_IOCTL_RM_CTX', `0xc0086421')
+define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
+define(`DRM_IOCTL_RM_MAP', `0x4028641b')
+define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
+define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
+define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
+define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
+define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
+define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
+define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
+define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
+define(`DRM_IOCTL_SG_FREE', `0x40106439')
+define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
+define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
+define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
+define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
+define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
+define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
+define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
+define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
+define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
+define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
+define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
+define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
+define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
+define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
+define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
+define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
+define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
+define(`DRM_IOCTL_UNLOCK', `0x4008642b')
+define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
+define(`DRM_IOCTL_VERSION', `0xc0406400')
+define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
+define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
+define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
+define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
+define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
+define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
+define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
+define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
+define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
+define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
+define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
+define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
+define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
+define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
+define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
+define(`DVD_AUTH', `0x00005392')
+define(`DVD_READ_STRUCT', `0x00005390')
+define(`DVD_WRITE_STRUCT', `0x00005391')
+define(`ECCGETLAYOUT', `0x81484d11')
+define(`ECCGETSTATS', `0x80104d12')
+define(`ENI_MEMDUMP', `0x40106160')
+define(`ENI_SETMULT', `0x40106167')
+define(`EVIOCGEFFECTS', `0x80044584')
+define(`EVIOCGID', `0x80084502')
+define(`EVIOCGKEYCODE', `0x80084504')
+define(`EVIOCGKEYCODE_V2', `0x80284504')
+define(`EVIOCGRAB', `0x40044590')
+define(`EVIOCGREP', `0x80084503')
+define(`EVIOCGVERSION', `0x80044501')
+define(`EVIOCREVOKE', `0x40044591')
+define(`EVIOCRMFF', `0x40044581')
+define(`EVIOCSCLOCKID', `0x400445a0')
+define(`EVIOCSFF', `0x40304580')
+define(`EVIOCSKEYCODE', `0x40084504')
+define(`EVIOCSKEYCODE_V2', `0x40284504')
+define(`EVIOCSREP', `0x40084503')
+define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
+define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
+define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
+define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
+define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
+define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
+define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
+define(`F2FS_IOC_DEFRAGMENT', `0xf508')
+define(`F2FS_IOC_MOVE_RANGE', `0xf509')
+define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
+define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
+define(`F2FS_IOC_GET_FEATURES', `0xf50c')
+define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
+define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
+define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
+define(`F2FS_IOC_RESIZE_FS', `0xf510')
+define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
+define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
+define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
+define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
+define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
+define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
+define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
+define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
+define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
+define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
+define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
+define(`FBIGET_BRIGHTNESS', `0x80044603')
+define(`FBIGET_COLOR', `0x80044605')
+define(`FBIO_ALLOC', `0x00004613')
+define(`FBIOBLANK', `0x00004611')
+define(`FBIO_CURSOR', `0xc0684608')
+define(`FBIO_FREE', `0x00004614')
+define(`FBIOGETCMAP', `0x00004604')
+define(`FBIOGET_CON2FBMAP', `0x0000460f')
+define(`FBIOGET_CONTRAST', `0x80044601')
+define(`FBIO_GETCONTROL2', `0x80084689')
+define(`FBIOGET_DISPINFO', `0x00004618')
+define(`FBIOGET_FSCREENINFO', `0x00004602')
+define(`FBIOGET_GLYPH', `0x00004615')
+define(`FBIOGET_HWCINFO', `0x00004616')
+define(`FBIOGET_VBLANK', `0x80204612')
+define(`FBIOGET_VSCREENINFO', `0x00004600')
+define(`FBIOPAN_DISPLAY', `0x00004606')
+define(`FBIOPUTCMAP', `0x00004605')
+define(`FBIOPUT_CON2FBMAP', `0x00004610')
+define(`FBIOPUT_CONTRAST', `0x40044602')
+define(`FBIOPUT_MODEINFO', `0x00004617')
+define(`FBIOPUT_VSCREENINFO', `0x00004601')
+define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
+define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
+define(`FBIO_WAITEVENT', `0x00004688')
+define(`FBIO_WAITFORVSYNC', `0x40044620')
+define(`FBIPUT_BRIGHTNESS', `0x40044603')
+define(`FBIPUT_COLOR', `0x40044606')
+define(`FBIPUT_HSYNC', `0x40044609')
+define(`FBIPUT_VSYNC', `0x4004460a')
+define(`FDCLRPRM', `0x00000241')
+define(`FDDEFPRM', `0x40200243')
+define(`FDEJECT', `0x0000025a')
+define(`FDFLUSH', `0x0000024b')
+define(`FDFMTBEG', `0x00000247')
+define(`FDFMTEND', `0x00000249')
+define(`FDFMTTRK', `0x400c0248')
+define(`FDGETDRVPRM', `0x80800211')
+define(`FDGETDRVSTAT', `0x80500212')
+define(`FDGETDRVTYP', `0x8010020f')
+define(`FDGETFDCSTAT', `0x80280215')
+define(`FDGETMAXERRS', `0x8014020e')
+define(`FDGETPRM', `0x80200204')
+define(`FDMSGOFF', `0x00000246')
+define(`FDMSGON', `0x00000245')
+define(`FDPOLLDRVSTAT', `0x80500213')
+define(`FDRAWCMD', `0x00000258')
+define(`FDRESET', `0x00000254')
+define(`FDSETDRVPRM', `0x40800290')
+define(`FDSETEMSGTRESH', `0x0000024a')
+define(`FDSETMAXERRS', `0x4014024c')
+define(`FDSETPRM', `0x40200242')
+define(`FDTWADDLE', `0x00000259')
+define(`FDWERRORCLR', `0x00000256')
+define(`FDWERRORGET', `0x80280217')
+define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
+define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
+define(`FE_DISEQC_SEND_BURST', `0x00006f41')
+define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
+define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
+define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
+define(`FE_GET_EVENT', `0x80286f4e')
+define(`FE_GET_FRONTEND', `0x80246f4d')
+define(`FE_GET_INFO', `0x80a86f3d')
+define(`FE_GET_PROPERTY', `0x80106f53')
+define(`FE_READ_BER', `0x80046f46')
+define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
+define(`FE_READ_SNR', `0x80026f48')
+define(`FE_READ_STATUS', `0x80046f45')
+define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
+define(`FE_SET_FRONTEND', `0x40246f4c')
+define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
+define(`FE_SET_PROPERTY', `0x40106f52')
+define(`FE_SET_TONE', `0x00006f42')
+define(`FE_SET_VOLTAGE', `0x00006f43')
+define(`FIBMAP', `0x00000001')
+define(`FIFREEZE', `0xc0045877')
+define(`FIGETBSZ', `0x00000002')
+define(`FIOASYNC', `0x00005452')
+define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
+define(`FIOGETOWN', `0x00008903')
+define(`FIONBIO', `0x00005421')
+define(`FIONCLEX', ifelse(target_arch, mips, 0x00006602, 0x00005450))
+define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
+define(`FIOQSIZE', `0x00005460')
+define(`FIOSETOWN', `0x00008901')
+define(`FITHAW', `0xc0045878')
+define(`FITRIM', `0xc0185879')
+define(`FS_IOC32_GETFLAGS', `0x80046601')
+define(`FS_IOC32_GETVERSION', `0x80047601')
+define(`FS_IOC32_SETFLAGS', `0x40046602')
+define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
+define(`FS_IOC_ENABLE_VERITY', `0x6685')
+define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`FS_IOC_FSGETXATTR', `0x801c581f')
+define(`FS_IOC_FSSETXATTR', `0x401c5820')
+define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
+define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
+define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
+define(`FS_IOC_GETFLAGS', `0x80086601')
+define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
+define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
+define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
+define(`FS_IOC_SETFLAGS', `0x40086602')
+define(`FS_IOC_SETVERSION', `0x40087602')
+define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
+define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
+define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
+define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
+define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
+define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
+define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
+define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
+define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
+define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
+define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
+define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
+define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
+define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
+define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
+define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
+define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
+define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
+define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
+define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
+define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
+define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
+define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
+define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
+define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
+define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
+define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
+define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
+define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
+define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
+define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
+define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
+define(`GADGETFS_CLEAR_HALT', `0x00006703')
+define(`GADGETFS_FIFO_FLUSH', `0x00006702')
+define(`GADGETFS_FIFO_STATUS', `0x00006701')
+define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
+define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
+define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
+define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
+define(`GENWQE_GET_CARD_STATE', `0x8004a524')
+define(`GENWQE_PIN_MEM', `0xc020a528')
+define(`GENWQE_READ_REG16', `0x8010a522')
+define(`GENWQE_READ_REG32', `0x8010a520')
+define(`GENWQE_READ_REG64', `0x8010a51e')
+define(`GENWQE_SLU_READ', `0xc038a551')
+define(`GENWQE_SLU_UPDATE', `0xc038a550')
+define(`GENWQE_UNPIN_MEM', `0xc020a529')
+define(`GENWQE_WRITE_REG16', `0x4010a523')
+define(`GENWQE_WRITE_REG32', `0x4010a521')
+define(`GENWQE_WRITE_REG64', `0x4010a51f')
+define(`GET_ARRAY_INFO', `0x80480911')
+define(`GET_BITMAP_FILE', `0x90000915')
+define(`GET_DISK_INFO', `0x80140912')
+define(`GIGASET_BRKCHARS', `0x40064702')
+define(`GIGASET_CONFIG', `0xc0044701')
+define(`GIGASET_REDIR', `0xc0044700')
+define(`GIGASET_VERSION', `0xc0104703')
+define(`GIO_CMAP', `0x00004b70')
+define(`GIO_FONT', `0x00004b60')
+define(`GIO_FONTX', `0x00004b6b')
+define(`GIO_SCRNMAP', `0x00004b40')
+define(`GIO_UNIMAP', `0x00004b66')
+define(`GIO_UNISCRNMAP', `0x00004b69')
+define(`GSMIOC_DISABLE_NET', `0x00004703')
+define(`GSMIOC_ENABLE_NET', `0x40344702')
+define(`GSMIOC_GETCONF', `0x804c4700')
+define(`GSMIOC_SETCONF', `0x404c4701')
+define(`HCIBLOCKADDR', `0x400448e6')
+define(`HCIDEVDOWN', `0x400448ca')
+define(`HCIDEVRESET', `0x400448cb')
+define(`HCIDEVRESTAT', `0x400448cc')
+define(`HCIDEVUP', `0x400448c9')
+define(`HCIGETAUTHINFO', `0x800448d7')
+define(`HCIGETCONNINFO', `0x800448d5')
+define(`HCIGETCONNLIST', `0x800448d4')
+define(`HCIGETDEVINFO', `0x800448d3')
+define(`HCIGETDEVLIST', `0x800448d2')
+define(`HCIINQUIRY', `0x800448f0')
+define(`HCISETACLMTU', `0x400448e3')
+define(`HCISETAUTH', `0x400448de')
+define(`HCISETENCRYPT', `0x400448df')
+define(`HCISETLINKMODE', `0x400448e2')
+define(`HCISETLINKPOL', `0x400448e1')
+define(`HCISETPTYPE', `0x400448e0')
+define(`HCISETRAW', `0x400448dc')
+define(`HCISETSCAN', `0x400448dd')
+define(`HCISETSCOMTU', `0x400448e4')
+define(`HCIUNBLOCKADDR', `0x400448e7')
+define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
+define(`HDA_IOCTL_PVERSION', `0x80044810')
+define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
+define(`HDIO_DRIVE_CMD', `0x0000031f')
+define(`HDIO_DRIVE_RESET', `0x0000031c')
+define(`HDIO_DRIVE_TASK', `0x0000031e')
+define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
+define(`HDIO_GET_32BIT', `0x00000309')
+define(`HDIO_GET_ACOUSTIC', `0x0000030f')
+define(`HDIO_GET_ADDRESS', `0x00000310')
+define(`HDIO_GET_BUSSTATE', `0x0000031a')
+define(`HDIO_GET_DMA', `0x0000030b')
+define(`HDIO_GETGEO', `0x00000301')
+define(`HDIO_GET_IDENTITY', `0x0000030d')
+define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
+define(`HDIO_GET_MULTCOUNT', `0x00000304')
+define(`HDIO_GET_NICE', `0x0000030c')
+define(`HDIO_GET_NOWERR', `0x0000030a')
+define(`HDIO_GET_QDMA', `0x00000305')
+define(`HDIO_GET_UNMASKINTR', `0x00000302')
+define(`HDIO_GET_WCACHE', `0x0000030e')
+define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
+define(`HDIO_SCAN_HWIF', `0x00000328')
+define(`HDIO_SET_32BIT', `0x00000324')
+define(`HDIO_SET_ACOUSTIC', `0x0000032c')
+define(`HDIO_SET_ADDRESS', `0x0000032f')
+define(`HDIO_SET_BUSSTATE', `0x0000032d')
+define(`HDIO_SET_DMA', `0x00000326')
+define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
+define(`HDIO_SET_MULTCOUNT', `0x00000321')
+define(`HDIO_SET_NICE', `0x00000329')
+define(`HDIO_SET_NOWERR', `0x00000325')
+define(`HDIO_SET_PIO_MODE', `0x00000327')
+define(`HDIO_SET_QDMA', `0x0000032e')
+define(`HDIO_SET_UNMASKINTR', `0x00000322')
+define(`HDIO_SET_WCACHE', `0x0000032b')
+define(`HDIO_SET_XFER', `0x00000306')
+define(`HDIO_TRISTATE_HWIF', `0x0000031b')
+define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
+define(`HE_GET_REG', `0x40106160')
+define(`HIDIOCAPPLICATION', `0x00004802')
+define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
+define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
+define(`HIDIOCGDEVINFO', `0x801c4803')
+define(`HIDIOCGFIELDINFO', `0xc038480a')
+define(`HIDIOCGFLAG', `0x8004480e')
+define(`HIDIOCGRAWINFO', `0x80084803')
+define(`HIDIOCGRDESC', `0x90044802')
+define(`HIDIOCGRDESCSIZE', `0x80044801')
+define(`HIDIOCGREPORT', `0x400c4807')
+define(`HIDIOCGREPORTINFO', `0xc00c4809')
+define(`HIDIOCGSTRING', `0x81044804')
+define(`HIDIOCGUCODE', `0xc018480d')
+define(`HIDIOCGUSAGE', `0xc018480b')
+define(`HIDIOCGUSAGES', `0xd01c4813')
+define(`HIDIOCGVERSION', `0x80044801')
+define(`HIDIOCINITREPORT', `0x00004805')
+define(`HIDIOCSFLAG', `0x4004480f')
+define(`HIDIOCSREPORT', `0x400c4808')
+define(`HIDIOCSUSAGE', `0x4018480c')
+define(`HIDIOCSUSAGES', `0x501c4814')
+define(`HOT_ADD_DISK', `0x00000928')
+define(`HOT_GENERATE_ERROR', `0x0000092a')
+define(`HOT_REMOVE_DISK', `0x00000922')
+define(`HPET_DPI', `0x00006805')
+define(`HPET_EPI', `0x00006804')
+define(`HPET_IE_OFF', `0x00006802')
+define(`HPET_IE_ON', `0x00006801')
+define(`HPET_INFO', `0x80186803')
+define(`HPET_IRQFREQ', `0x40086806')
+define(`HSC_GET_RX', `0x400c6b14')
+define(`HSC_GET_TX', `0x40106b16')
+define(`HSC_RESET', `0x00006b10')
+define(`HSC_SEND_BREAK', `0x00006b12')
+define(`HSC_SET_PM', `0x00006b11')
+define(`HSC_SET_RX', `0x400c6b13')
+define(`HSC_SET_TX', `0x40106b15')
+define(`I2OEVTGET', `0x8068690b')
+define(`I2OEVTREG', `0x400c690a')
+define(`I2OGETIOPS', `0x80206900')
+define(`I2OHRTGET', `0xc0186901')
+define(`I2OHTML', `0xc0306909')
+define(`I2OLCTGET', `0xc0186902')
+define(`I2OPARMGET', `0xc0286904')
+define(`I2OPARMSET', `0xc0286903')
+define(`I2OPASSTHRU', `0x8010690c')
+define(`I2OPASSTHRU32', `0x8008690c')
+define(`I2OSWDEL', `0xc0306907')
+define(`I2OSWDL', `0xc0306905')
+define(`I2OSWUL', `0xc0306906')
+define(`I2OVALIDATE', `0x80046908')
+define(`I8K_BIOS_VERSION', `0x80046980')
+define(`I8K_FN_STATUS', `0x80086983')
+define(`I8K_GET_FAN', `0xc0086986')
+define(`I8K_GET_SPEED', `0xc0086985')
+define(`I8K_GET_TEMP', `0x80086984')
+define(`I8K_MACHINE_ID', `0x80046981')
+define(`I8K_POWER_STATUS', `0x80086982')
+define(`I8K_SET_FAN', `0xc0086987')
+define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
+define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
+define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
+define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
+define(`IDT77105_GETSTAT', `0x40106132')
+define(`IDT77105_GETSTATZ', `0x40106133')
+define(`IIOCDBGVAR', `0x0000497f')
+define(`IIOCDRVCTL', `0x00004980')
+define(`IIOCGETCPS', `0x00004915')
+define(`IIOCGETDVR', `0x00004916')
+define(`IIOCGETMAP', `0x00004911')
+define(`IIOCGETPRF', `0x0000490f')
+define(`IIOCGETSET', `0x00004908')
+define(`IIOCNETAIF', `0x00004901')
+define(`IIOCNETALN', `0x00004920')
+define(`IIOCNETANM', `0x00004905')
+define(`IIOCNETASL', `0x00004913')
+define(`IIOCNETDIF', `0x00004902')
+define(`IIOCNETDIL', `0x00004914')
+define(`IIOCNETDLN', `0x00004921')
+define(`IIOCNETDNM', `0x00004906')
+define(`IIOCNETDWRSET', `0x00004918')
+define(`IIOCNETGCF', `0x00004904')
+define(`IIOCNETGNM', `0x00004907')
+define(`IIOCNETGPN', `0x00004922')
+define(`IIOCNETHUP', `0x0000490b')
+define(`IIOCNETLCR', `0x00004917')
+define(`IIOCNETSCF', `0x00004903')
+define(`IIOCSETBRJ', `0x0000490d')
+define(`IIOCSETGST', `0x0000490c')
+define(`IIOCSETMAP', `0x00004912')
+define(`IIOCSETPRF', `0x00004910')
+define(`IIOCSETSET', `0x00004909')
+define(`IIOCSETVER', `0x0000490a')
+define(`IIOCSIGPRF', `0x0000490e')
+define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
+define(`IMADDTIMER', `0x80044940')
+define(`IMCLEAR_L2', `0x80044946')
+define(`IMCTRLREQ', `0x80044945')
+define(`IMDELTIMER', `0x80044941')
+define(`IMGETCOUNT', `0x80044943')
+define(`IMGETDEVINFO', `0x80044944')
+define(`IMGETVERSION', `0x80044942')
+define(`IMHOLD_L1', `0x80044948')
+define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
+define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
+define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
+define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
+define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
+define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
+define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
+define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
+define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
+define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
+define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
+define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
+define(`IOCTL_EVTCHN_RESET', `0x00004505')
+define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
+define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
+define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
+define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
+define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
+define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
+define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
+define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
+define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
+define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
+define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
+define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
+define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
+define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
+define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
+define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
+define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
+define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
+define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
+define(`IOCTL_VMCI_VERSION', `0x0000079f')
+define(`IOCTL_VMCI_VERSION2', `0x000007a7')
+define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
+define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
+define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
+define(`ION_IOC_ALLOC', `0xc0204900')
+define(`ION_IOC_CUSTOM', `0xc0104906')
+define(`ION_IOC_FREE', `0xc0044901')
+define(`ION_IOC_IMPORT', `0xc0084905')
+define(`ION_IOC_MAP', `0xc0084902')
+define(`ION_IOC_SHARE', `0xc0084904')
+define(`ION_IOC_SYNC', `0xc0084907')
+define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
+define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
+define(`ION_IOC_TEST_SET_FD', `0x000049f0')
+define(`IOW_GETINFO', `0x8028c003')
+define(`IOW_READ', `0x4008c002')
+define(`IOW_WRITE', `0x4008c001')
+define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
+define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
+define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
+define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
+define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
+define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
+define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
+define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
+define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
+define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
+define(`IPMICTL_SEND_COMMAND', `0x8028690d')
+define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
+define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
+define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
+define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
+define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
+define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
+define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
+define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
+define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
+define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
+define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
+define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
+define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
+define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
+define(`IXJCTL_AEC_START', `0x400471cb')
+define(`IXJCTL_AEC_STOP', `0x000071cc')
+define(`IXJCTL_CARDTYPE', `0x800471c1')
+define(`IXJCTL_CID', `0x800871d4')
+define(`IXJCTL_CIDCW', `0x400871d9')
+define(`IXJCTL_DAA_AGAIN', `0x400471d2')
+define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
+define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
+define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
+define(`IXJCTL_DSP_IDLE', `0x000071c5')
+define(`IXJCTL_DSP_RESET', `0x000071c0')
+define(`IXJCTL_DSP_TYPE', `0x800471c3')
+define(`IXJCTL_DSP_VERSION', `0x800471c4')
+define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
+define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
+define(`IXJCTL_FRAMES_READ', `0x800871e2')
+define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
+define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
+define(`IXJCTL_HZ', `0x400471e0')
+define(`IXJCTL_INIT_TONE', `0x400871c9')
+define(`IXJCTL_INTERCOM_START', `0x400471fd')
+define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
+define(`IXJCTL_MIXER', `0x400471cf')
+define(`IXJCTL_PLAY_CID', `0x000071d7')
+define(`IXJCTL_PORT', `0x400471d1')
+define(`IXJCTL_POTS_PSTN', `0x400471d5')
+define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
+define(`IXJCTL_RATE', `0x400471e1')
+define(`IXJCTL_READ_WAIT', `0x800871e4')
+define(`IXJCTL_SC_RXG', `0x400471ea')
+define(`IXJCTL_SC_TXG', `0x400471eb')
+define(`IXJCTL_SERIAL', `0x800471c2')
+define(`IXJCTL_SET_FILTER', `0x400871c7')
+define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
+define(`IXJCTL_SET_LED', `0x400471ce')
+define(`IXJCTL_SIGCTL', `0x400871e9')
+define(`IXJCTL_TESTRAM', `0x000071c6')
+define(`IXJCTL_TONE_CADENCE', `0x400871ca')
+define(`IXJCTL_VERSION', `0x800871da')
+define(`IXJCTL_VMWI', `0x800471d8')
+define(`IXJCTL_WRITE_WAIT', `0x800871e5')
+define(`JSIOCGAXES', `0x80016a11')
+define(`JSIOCGAXMAP', `0x80406a32')
+define(`JSIOCGBTNMAP', `0x84006a34')
+define(`JSIOCGBUTTONS', `0x80016a12')
+define(`JSIOCGCORR', `0x80246a22')
+define(`JSIOCGVERSION', `0x80046a01')
+define(`JSIOCSAXMAP', `0x40406a31')
+define(`JSIOCSBTNMAP', `0x44006a33')
+define(`JSIOCSCORR', `0x40246a21')
+define(`KCOV_DISABLE', `0x00006365')
+define(`KCOV_ENABLE', `0x00006364')
+define(`KCOV_INIT_TRACE', `0x80086301')
+define(`KDADDIO', `0x00004b34')
+define(`KDDELIO', `0x00004b35')
+define(`KDDISABIO', `0x00004b37')
+define(`KDENABIO', `0x00004b36')
+define(`KDFONTOP', `0x00004b72')
+define(`KDGETKEYCODE', `0x00004b4c')
+define(`KDGETLED', `0x00004b31')
+define(`KDGETMODE', `0x00004b3b')
+define(`KDGKBDIACR', `0x00004b4a')
+define(`KDGKBDIACRUC', `0x00004bfa')
+define(`KDGKBENT', `0x00004b46')
+define(`KDGKBLED', `0x00004b64')
+define(`KDGKBMETA', `0x00004b62')
+define(`KDGKBMODE', `0x00004b44')
+define(`KDGKBSENT', `0x00004b48')
+define(`KDGKBTYPE', `0x00004b33')
+define(`KDKBDREP', `0x00004b52')
+define(`KDMAPDISP', `0x00004b3c')
+define(`KDMKTONE', `0x00004b30')
+define(`KDSETKEYCODE', `0x00004b4d')
+define(`KDSETLED', `0x00004b32')
+define(`KDSETMODE', `0x00004b3a')
+define(`KDSIGACCEPT', `0x00004b4e')
+define(`KDSKBDIACR', `0x00004b4b')
+define(`KDSKBDIACRUC', `0x00004bfb')
+define(`KDSKBENT', `0x00004b47')
+define(`KDSKBLED', `0x00004b65')
+define(`KDSKBMETA', `0x00004b63')
+define(`KDSKBMODE', `0x00004b45')
+define(`KDSKBSENT', `0x00004b49')
+define(`KDUNMAPDISP', `0x00004b3d')
+define(`KIOCSOUND', `0x00004b2f')
+define(`KVM_ALLOCATE_RMA', `0x8008aea9')
+define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
+define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
+define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
+define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
+define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
+define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
+define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
+define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
+define(`KVM_CHECK_EXTENSION', `0x0000ae03')
+define(`KVM_CREATE_DEVICE', `0xc00caee0')
+define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
+define(`KVM_CREATE_PIT', `0x0000ae64')
+define(`KVM_CREATE_PIT2', `0x4040ae77')
+define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
+define(`KVM_CREATE_VCPU', `0x0000ae41')
+define(`KVM_CREATE_VM', `0x0000ae01')
+define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
+define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
+define(`KVM_DIRTY_TLB', `0x4010aeaa')
+define(`KVM_ENABLE_CAP', `0x4068aea3')
+define(`KVM_GET_API_VERSION', `0x0000ae00')
+define(`KVM_GET_CLOCK', `0x8030ae7c')
+define(`KVM_GET_CPUID2', `0xc008ae91')
+define(`KVM_GET_DEBUGREGS', `0x8080aea1')
+define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
+define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
+define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
+define(`KVM_GET_FPU', `0x81a0ae8c')
+define(`KVM_GET_IRQCHIP', `0xc208ae62')
+define(`KVM_GET_LAPIC', `0x8400ae8e')
+define(`KVM_GET_MP_STATE', `0x8004ae98')
+define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
+define(`KVM_GET_MSRS', `0xc008ae88')
+define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
+define(`KVM_GET_ONE_REG', `0x4010aeab')
+define(`KVM_GET_PIT', `0xc048ae65')
+define(`KVM_GET_PIT2', `0x8070ae9f')
+define(`KVM_GET_REG_LIST', `0xc008aeb0')
+define(`KVM_GET_REGS', `0x8090ae81')
+define(`KVM_GET_SREGS', `0x8138ae83')
+define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
+define(`KVM_GET_TSC_KHZ', `0x0000aea3')
+define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
+define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
+define(`KVM_GET_XCRS', `0x8188aea6')
+define(`KVM_GET_XSAVE', `0x9000aea4')
+define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
+define(`KVM_INTERRUPT', `0x4004ae86')
+define(`KVM_IOEVENTFD', `0x4040ae79')
+define(`KVM_IRQFD', `0x4020ae76')
+define(`KVM_IRQ_LINE', `0x4008ae61')
+define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
+define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
+define(`KVM_NMI', `0x0000ae9a')
+define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
+define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
+define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
+define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
+define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
+define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
+define(`KVM_REINJECT_CONTROL', `0x0000ae71')
+define(`KVM_RUN', `0x0000ae80')
+define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
+define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
+define(`KVM_S390_INTERRUPT', `0x4010ae94')
+define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
+define(`KVM_S390_STORE_STATUS', `0x4008ae95')
+define(`KVM_S390_UCAS_MAP', `0x4018ae50')
+define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
+define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
+define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
+define(`KVM_SET_CLOCK', `0x4030ae7b')
+define(`KVM_SET_CPUID', `0x4008ae8a')
+define(`KVM_SET_CPUID2', `0x4008ae90')
+define(`KVM_SET_DEBUGREGS', `0x4080aea2')
+define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
+define(`KVM_SET_FPU', `0x41a0ae8d')
+define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
+define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
+define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
+define(`KVM_SET_IRQCHIP', `0x8208ae63')
+define(`KVM_SET_LAPIC', `0x4400ae8f')
+define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
+define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
+define(`KVM_SET_MP_STATE', `0x4004ae99')
+define(`KVM_SET_MSRS', `0x4008ae89')
+define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
+define(`KVM_SET_ONE_REG', `0x4010aeac')
+define(`KVM_SET_PIT', `0x8048ae66')
+define(`KVM_SET_PIT2', `0x4070aea0')
+define(`KVM_SET_REGS', `0x4090ae82')
+define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
+define(`KVM_SET_SREGS', `0x4138ae84')
+define(`KVM_SET_TSC_KHZ', `0x0000aea2')
+define(`KVM_SET_TSS_ADDR', `0x0000ae47')
+define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
+define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
+define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
+define(`KVM_SET_XCRS', `0x4188aea7')
+define(`KVM_SET_XSAVE', `0x5000aea5')
+define(`KVM_SIGNAL_MSI', `0x4020aea5')
+define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
+define(`KVM_TRANSLATE', `0xc018ae85')
+define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
+define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
+define(`KVM_X86_SET_MCE', `0x4040ae9e')
+define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
+define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
+define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
+define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
+define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
+define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
+define(`KYRO_IOCTL_STRIDE', `0x00006b05')
+define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
+define(`LIRC_GET_FEATURES', `0x80046900')
+define(`LIRC_GET_LENGTH', `0x8004690f')
+define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
+define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
+define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
+define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
+define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
+define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
+define(`LIRC_GET_REC_CARRIER', `0x80046904')
+define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
+define(`LIRC_GET_REC_MODE', `0x80046902')
+define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
+define(`LIRC_GET_SEND_CARRIER', `0x80046903')
+define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
+define(`LIRC_GET_SEND_MODE', `0x80046901')
+define(`LIRC_NOTIFY_DECODE', `0x00006920')
+define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
+define(`LIRC_SET_REC_CARRIER', `0x40046914')
+define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
+define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
+define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
+define(`LIRC_SET_REC_FILTER', `0x4004691c')
+define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
+define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
+define(`LIRC_SET_REC_MODE', `0x40046912')
+define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
+define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
+define(`LIRC_SET_SEND_CARRIER', `0x40046913')
+define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
+define(`LIRC_SET_SEND_MODE', `0x40046911')
+define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
+define(`LIRC_SETUP_END', `0x00006922')
+define(`LIRC_SETUP_START', `0x00006921')
+define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
+define(`LOGGER_FLUSH_LOG', `0x0000ae04')
+define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
+define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
+define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
+define(`LOGGER_GET_VERSION', `0x0000ae05')
+define(`LOGGER_SET_VERSION', `0x0000ae06')
+define(`LOOP_CHANGE_FD', `0x00004c06')
+define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
+define(`LOOP_CTL_ADD', `0x00004c80')
+define(`LOOP_CTL_GET_FREE', `0x00004c82')
+define(`LOOP_CTL_REMOVE', `0x00004c81')
+define(`LOOP_GET_STATUS', `0x00004c03')
+define(`LOOP_GET_STATUS64', `0x00004c05')
+define(`LOOP_SET_BLOCK_SIZE', `0x00004c09')
+define(`LOOP_SET_CAPACITY', `0x00004c07')
+define(`LOOP_SET_DIRECT_IO', `0x00004c08')
+define(`LOOP_SET_FD', `0x00004c00')
+define(`LOOP_SET_STATUS', `0x00004c02')
+define(`LOOP_SET_STATUS64', `0x00004c04')
+define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
+define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
+define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
+define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
+define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
+define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
+define(`MBXFB_IOCG_ALPHA', `0x8018f401')
+define(`MBXFB_IOCS_ALPHA', `0x4018f402')
+define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
+define(`MBXFB_IOCS_REG', `0x400cf404')
+define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
+define(`MBXFB_IOCX_REG', `0xc00cf405')
+define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
+define(`MCE_GET_LOG_LEN', `0x80044d02')
+define(`MCE_GET_RECORD_LEN', `0x80044d01')
+define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
+define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
+define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
+define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
+define(`MEMERASE', `0x40084d02')
+define(`MEMERASE64', `0x40104d14')
+define(`MEMGETBADBLOCK', `0x40084d0b')
+define(`MEMGETINFO', `0x80204d01')
+define(`MEMGETOOBSEL', `0x80c84d0a')
+define(`MEMGETREGIONCOUNT', `0x80044d07')
+define(`MEMGETREGIONINFO', `0xc0104d08')
+define(`MEMISLOCKED', `0x80084d17')
+define(`MEMLOCK', `0x40084d05')
+define(`MEMREADOOB', `0xc0104d04')
+define(`MEMREADOOB64', `0xc0184d16')
+define(`MEMSETBADBLOCK', `0x40084d0c')
+define(`MEMUNLOCK', `0x40084d06')
+define(`MEMWRITE', `0xc0304d18')
+define(`MEMWRITEOOB', `0xc0104d03')
+define(`MEMWRITEOOB64', `0xc0184d15')
+define(`MEYEIOC_G_PARAMS', `0x800676c0')
+define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
+define(`MEYEIOC_S_PARAMS', `0x400676c1')
+define(`MEYEIOC_STILLCAPT', `0x000076c4')
+define(`MEYEIOC_STILLJCAPT', `0x800476c5')
+define(`MEYEIOC_SYNC', `0xc00476c3')
+define(`MFB_GET_ALPHA', `0x80014d00')
+define(`MFB_GET_AOID', `0x80084d04')
+define(`MFB_GET_GAMMA', `0x80014d01')
+define(`MFB_GET_PIXFMT', `0x80044d08')
+define(`MFB_SET_ALPHA', `0x40014d00')
+define(`MFB_SET_AOID', `0x40084d04')
+define(`MFB_SET_BRIGHTNESS', `0x40014d03')
+define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
+define(`MFB_SET_GAMMA', `0x40014d01')
+define(`MFB_SET_PIXFMT', `0x40044d08')
+define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
+define(`MGSL_IOCGGPIO', `0x80106d11')
+define(`MGSL_IOCGIF', `0x00006d0b')
+define(`MGSL_IOCGPARAMS', `0x80306d01')
+define(`MGSL_IOCGSTATS', `0x00006d07')
+define(`MGSL_IOCGTXIDLE', `0x00006d03')
+define(`MGSL_IOCGXCTRL', `0x00006d16')
+define(`MGSL_IOCGXSYNC', `0x00006d14')
+define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
+define(`MGSL_IOCRXENABLE', `0x00006d05')
+define(`MGSL_IOCSGPIO', `0x40106d10')
+define(`MGSL_IOCSIF', `0x00006d0a')
+define(`MGSL_IOCSPARAMS', `0x40306d00')
+define(`MGSL_IOCSTXIDLE', `0x00006d02')
+define(`MGSL_IOCSXCTRL', `0x00006d15')
+define(`MGSL_IOCSXSYNC', `0x00006d13')
+define(`MGSL_IOCTXABORT', `0x00006d06')
+define(`MGSL_IOCTXENABLE', `0x00006d04')
+define(`MGSL_IOCWAITEVENT', `0xc0046d08')
+define(`MGSL_IOCWAITGPIO', `0xc0106d12')
+define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
+define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
+define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
+define(`MMC_IOC_CMD', `0xc048b300')
+define(`MMTIMER_GETBITS', `0x00006d04')
+define(`MMTIMER_GETCOUNTER', `0x80086d09')
+define(`MMTIMER_GETFREQ', `0x80086d02')
+define(`MMTIMER_GETOFFSET', `0x00006d00')
+define(`MMTIMER_GETRES', `0x80086d01')
+define(`MMTIMER_MMAPAVAIL', `0x00006d06')
+define(`MSMFB_BLIT', `0x40046d02')
+define(`MSMFB_GRP_DISP', `0x40046d01')
+define(`MTDFILEMODE', `0x00004d13')
+define(`MTIOCGET', `0x80306d02')
+define(`MTIOCPOS', `0x80086d03')
+define(`MTIOCTOP', `0x40086d01')
+define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
+define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
+define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
+define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
+define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
+define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
+define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
+define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
+define(`MTRRIOC_SET_ENTRY', `0x40104d01')
+define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
+define(`NBD_CLEAR_QUE', `0x0000ab05')
+define(`NBD_CLEAR_SOCK', `0x0000ab04')
+define(`NBD_DISCONNECT', `0x0000ab08')
+define(`NBD_DO_IT', `0x0000ab03')
+define(`NBD_PRINT_DEBUG', `0x0000ab06')
+define(`NBD_SET_BLKSIZE', `0x0000ab01')
+define(`NBD_SET_FLAGS', `0x0000ab0a')
+define(`NBD_SET_SIZE', `0x0000ab02')
+define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
+define(`NBD_SET_SOCK', `0x0000ab00')
+define(`NBD_SET_TIMEOUT', `0x0000ab09')
+define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
+define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
+define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
+define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
+define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
+define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
+define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
+define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
+define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
+define(`NCP_IOC_GETROOT', `0x400c6e08')
+define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
+define(`NCP_IOC_NCPREQUEST', `0x80106e01')
+define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
+define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
+define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
+define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
+define(`NCP_IOC_SETROOT', `0x800c6e08')
+define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
+define(`NCP_IOC_SIGN_INIT', `0x80186e05')
+define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
+define(`NET_ADD_IF', `0xc0066f34')
+define(`NET_GET_IF', `0xc0066f36')
+define(`NET_REMOVE_IF', `0x00006f35')
+define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
+define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
+define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
+define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
+define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
+define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
+define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
+define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
+define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
+define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
+define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
+define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
+define(`NILFS_IOCTL_SYNC', `0x80086e8a')
+define(`NS_ADJBUFLEV', `0x00006163')
+define(`NS_GETPSTAT', `0xc0106161')
+define(`NS_SETBUFLEV', `0x40106162')
+define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
+define(`NVME_IOCTL_ID', `0x00004e40')
+define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
+define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
+define(`NVRAM_INIT', `0x00007040')
+define(`NVRAM_SETCKS', `0x00007041')
+define(`OLD_PHONE_RING_START', `0x00007187')
+define(`OMAPFB_CTRL_TEST', `0x40044f2e')
+define(`OMAPFB_GET_CAPS', `0x800c4f2a')
+define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
+define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
+define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
+define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
+define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
+define(`OMAPFB_LCD_TEST', `0x40044f2d')
+define(`OMAPFB_MEMORY_READ', `0x80184f3a')
+define(`OMAPFB_MIRROR', `0x40044f1f')
+define(`OMAPFB_QUERY_MEM', `0x40084f38')
+define(`OMAPFB_QUERY_PLANE', `0x40444f35')
+define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
+define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
+define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
+define(`OMAPFB_SETUP_MEM', `0x40084f37')
+define(`OMAPFB_SETUP_PLANE', `0x40444f34')
+define(`OMAPFB_SYNC_GFX', `0x00004f25')
+define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
+define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
+define(`OMAPFB_VSYNC', `0x00004f26')
+define(`OMAPFB_WAITFORGO', `0x00004f3c')
+define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
+define(`OSD_GET_CAPABILITY', `0x80106fa1')
+define(`OSD_SEND_CMD', `0x40206fa0')
+define(`OSIOCGNETADDR', `0x800489e1')
+define(`OSIOCSNETADDR', `0x400489e0')
+define(`OSS_GETVERSION', `0x80044d76')
+define(`OTPGETREGIONCOUNT', `0x40044d0e')
+define(`OTPGETREGIONINFO', `0x400c4d0f')
+define(`OTPLOCK', `0x800c4d10')
+define(`OTPSELECT', `0x80044d0d')
+define(`PACKET_CTRL_CMD', `0xc0185801')
+define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
+define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
+define(`PERF_EVENT_IOC_ID', `0x80082407')
+define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
+define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
+define(`PERF_EVENT_IOC_RESET', `0x00002403')
+define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
+define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
+define(`PHN_GET_REG', `0xc0087000')
+define(`PHN_GETREG', `0xc0087005')
+define(`PHN_GET_REGS', `0xc0087002')
+define(`PHN_GETREGS', `0xc0287007')
+define(`PHN_NOT_OH', `0x00007004')
+define(`PHN_SET_REG', `0x40087001')
+define(`PHN_SETREG', `0x40087006')
+define(`PHN_SET_REGS', `0x40087003')
+define(`PHN_SETREGS', `0x40287008')
+define(`PHONE_BUSY', `0x000071a1')
+define(`PHONE_CAPABILITIES', `0x00007180')
+define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
+define(`PHONE_CAPABILITIES_LIST', `0x80087181')
+define(`PHONE_CPT_STOP', `0x000071a4')
+define(`PHONE_DIALTONE', `0x000071a3')
+define(`PHONE_DTMF_OOB', `0x40047199')
+define(`PHONE_DTMF_READY', `0x80047196')
+define(`PHONE_EXCEPTION', `0x8004719a')
+define(`PHONE_FRAME', `0x4004718d')
+define(`PHONE_GET_DTMF', `0x80047197')
+define(`PHONE_GET_DTMF_ASCII', `0x80047198')
+define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
+define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
+define(`PHONE_GET_TONE_STATE', `0x000071a0')
+define(`PHONE_HOOKSTATE', `0x00007184')
+define(`PHONE_MAXRINGS', `0x40017185')
+define(`PHONE_PLAY_CODEC', `0x40047190')
+define(`PHONE_PLAY_DEPTH', `0x40047193')
+define(`PHONE_PLAY_LEVEL', `0x00007195')
+define(`PHONE_PLAY_START', `0x00007191')
+define(`PHONE_PLAY_STOP', `0x00007192')
+define(`PHONE_PLAY_TONE', `0x4001719b')
+define(`PHONE_PLAY_VOLUME', `0x40047194')
+define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
+define(`PHONE_PSTN_GET_STATE', `0x000071a5')
+define(`PHONE_PSTN_LINETEST', `0x000071a8')
+define(`PHONE_PSTN_SET_STATE', `0x400471a4')
+define(`PHONE_QUERY_CODEC', `0xc00871a7')
+define(`PHONE_REC_CODEC', `0x40047189')
+define(`PHONE_REC_DEPTH', `0x4004718c')
+define(`PHONE_REC_LEVEL', `0x0000718f')
+define(`PHONE_REC_START', `0x0000718a')
+define(`PHONE_REC_STOP', `0x0000718b')
+define(`PHONE_REC_VOLUME', `0x4004718e')
+define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
+define(`PHONE_RING', `0x00007183')
+define(`PHONE_RINGBACK', `0x000071a2')
+define(`PHONE_RING_CADENCE', `0x40027186')
+define(`PHONE_RING_START', `0x40087187')
+define(`PHONE_RING_STOP', `0x00007188')
+define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
+define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
+define(`PHONE_VAD', `0x400471a9')
+define(`PHONE_WINK', `0x400471aa')
+define(`PHONE_WINK_DURATION', `0x400471a6')
+define(`PIO_CMAP', `0x00004b71')
+define(`PIO_FONT', `0x00004b61')
+define(`PIO_FONTRESET', `0x00004b6d')
+define(`PIO_FONTX', `0x00004b6c')
+define(`PIO_SCRNMAP', `0x00004b41')
+define(`PIO_UNIMAP', `0x00004b67')
+define(`PIO_UNIMAPCLR', `0x00004b68')
+define(`PIO_UNISCRNMAP', `0x00004b6a')
+define(`PMU_IOC_CAN_SLEEP', `0x80084205')
+define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
+define(`PMU_IOC_GET_MODEL', `0x80084203')
+define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
+define(`PMU_IOC_HAS_ADB', `0x80084204')
+define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
+define(`PMU_IOC_SLEEP', `0x00004200')
+define(`PPCLAIM', `0x0000708b')
+define(`PPCLRIRQ', `0x80047093')
+define(`PPDATADIR', `0x40047090')
+define(`PPEXCL', `0x0000708f')
+define(`PPFCONTROL', `0x4002708e')
+define(`PPGETFLAGS', `0x8004709a')
+define(`PPGETMODE', `0x80047098')
+define(`PPGETMODES', `0x80047097')
+define(`PPGETPHASE', `0x80047099')
+define(`PPGETTIME', `0x80107095')
+define(`PPNEGOT', `0x40047091')
+define(`PPPIOCATTACH', `0x743d')
+define(`PPPIOCATTCHAN', `0x7438')
+define(`PPPIOCBUNDLE', `0x7481')
+define(`PPPIOCCONNECT', `0x743a')
+define(`PPPIOCDETACH', `0x743c')
+define(`PPPIOCDISCONN', `0x7439')
+define(`PPPIOCGASYNCMAP', `0x7458')
+define(`PPPIOCGCALLINFO', `0x7480')
+define(`PPPIOCGCHAN', `0x7437')
+define(`PPPIOCGCOMPRESSORS', `0x7486')
+define(`PPPIOCGDEBUG', `0x7441')
+define(`PPPIOCGFLAGS', `0x745a')
+define(`PPPIOCGIDLE', `0x743f')
+define(`PPPIOCGIFNAME', `0x7488')
+define(`PPPIOCGL2TPSTATS', `0x7436')
+define(`PPPIOCGMPFLAGS', `0x7482')
+define(`PPPIOCGMRU', `0x7453')
+define(`PPPIOCGNPMODE', `0x744c')
+define(`PPPIOCGRASYNCMAP', `0x7455')
+define(`PPPIOCGUNIT', `0x7456')
+define(`PPPIOCGXASYNCMAP', `0x7450')
+define(`PPPIOCNEWUNIT', `0x743e')
+define(`PPPIOCSACTIVE', `0x7446')
+define(`PPPIOCSASYNCMAP', `0x7457')
+define(`PPPIOCSCOMPRESS', `0x744d')
+define(`PPPIOCSCOMPRESSOR', `0x7487')
+define(`PPPIOCSDEBUG', `0x7440')
+define(`PPPIOCSFLAGS', `0x7459')
+define(`PPPIOCSMAXCID', `0x7451')
+define(`PPPIOCSMPFLAGS', `0x7483')
+define(`PPPIOCSMPMRU', `0x7485')
+define(`PPPIOCSMPMTU', `0x7484')
+define(`PPPIOCSMRRU', `0x743b')
+define(`PPPIOCSMRU', `0x7452')
+define(`PPPIOCSNPMODE', `0x744b')
+define(`PPPIOCSPASS', `0x7447')
+define(`PPPIOCSRASYNCMAP', `0x7454')
+define(`PPPIOCSXASYNCMAP', `0x744f')
+define(`PPPIOCXFERUNIT', `0x744e')
+define(`PPPOEIOCDFWD', `0x0000b101')
+define(`PPPOEIOCSFWD', `0x4008b100')
+define(`PPRCONTROL', `0x80017083')
+define(`PPRDATA', `0x80017085')
+define(`PPRELEASE', `0x0000708c')
+define(`PPRSTATUS', `0x80017081')
+define(`PPSETFLAGS', `0x4004709b')
+define(`PPSETMODE', `0x40047080')
+define(`PPSETPHASE', `0x40047094')
+define(`PPSETTIME', `0x40107096')
+define(`PPS_FETCH', `0xc00870a4')
+define(`PPS_GETCAP', `0x800870a3')
+define(`PPS_GETPARAMS', `0x800870a1')
+define(`PPS_KC_BIND', `0x400870a5')
+define(`PPS_SETPARAMS', `0x400870a2')
+define(`PPWCONTROL', `0x40017084')
+define(`PPWCTLONIRQ', `0x40017092')
+define(`PPWDATA', `0x40017086')
+define(`PPYIELD', `0x0000708d')
+define(`PROTECT_ARRAY', `0x00000927')
+define(`PTP_CLOCK_GETCAPS', `0x80503d01')
+define(`PTP_ENABLE_PPS', `0x40043d04')
+define(`PTP_EXTTS_REQUEST', `0x40103d02')
+define(`PTP_PEROUT_REQUEST', `0x40383d03')
+define(`PTP_PIN_GETFUNC', `0xc0603d06')
+define(`PTP_PIN_SETFUNC', `0x40603d07')
+define(`PTP_SYS_OFFSET', `0x43403d05')
+define(`RAID_AUTORUN', `0x00000914')
+define(`RAID_VERSION', `0x800c0910')
+define(`RAW_GETBIND', `0x0000ac01')
+define(`RAW_SETBIND', `0x0000ac00')
+define(`REISERFS_IOC_UNPACK', `0x4008cd01')
+define(`RESTART_ARRAY_RW', `0x00000934')
+define(`RFCOMMCREATEDEV', `0x400452c8')
+define(`RFCOMMGETDEVINFO', `0x800452d3')
+define(`RFCOMMGETDEVLIST', `0x800452d2')
+define(`RFCOMMRELEASEDEV', `0x400452c9')
+define(`RFCOMMSTEALDLC', `0x400452dc')
+define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
+define(`RNDADDENTROPY', `0x40085203')
+define(`RNDADDTOENTCNT', `0x40045201')
+define(`RNDCLEARPOOL', `0x00005206')
+define(`RNDGETENTCNT', `0x80045200')
+define(`RNDGETPOOL', `0x80085202')
+define(`RNDZAPENTCNT', `0x00005204')
+define(`ROCCATIOCGREPSIZE', `0x800448f1')
+define(`RTC_AIE_OFF', `0x00007002')
+define(`RTC_AIE_ON', `0x00007001')
+define(`RTC_ALM_READ', `0x80247008')
+define(`RTC_ALM_SET', `0x40247007')
+define(`RTC_EPOCH_READ', `0x8008700d')
+define(`RTC_EPOCH_SET', `0x4008700e')
+define(`RTC_IRQP_READ', `0x8008700b')
+define(`RTC_IRQP_SET', `0x4008700c')
+define(`RTC_PIE_OFF', `0x00007006')
+define(`RTC_PIE_ON', `0x00007005')
+define(`RTC_PLL_GET', `0x80207011')
+define(`RTC_PLL_SET', `0x40207012')
+define(`RTC_RD_TIME', `0x80247009')
+define(`RTC_SET_TIME', `0x4024700a')
+define(`RTC_UIE_OFF', `0x00007004')
+define(`RTC_UIE_ON', `0x00007003')
+define(`RTC_VL_CLR', `0x00007014')
+define(`RTC_VL_READ', `0x80047013')
+define(`RTC_WIE_OFF', `0x00007010')
+define(`RTC_WIE_ON', `0x0000700f')
+define(`RTC_WKALM_RD', `0x80287010')
+define(`RTC_WKALM_SET', `0x4028700f')
+define(`RUN_ARRAY', `0x400c0930')
+define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
+define(`SAA6588_CMD_CLOSE', `0x40045202')
+define(`SAA6588_CMD_POLL', `0x80045204')
+define(`SAA6588_CMD_READ', `0x80045203')
+define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
+define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
+define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
+define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
+define(`SCSI_IOCTL_GET_PCI', `0x00005387')
+define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
+define(`SET_ARRAY_INFO', `0x40480923')
+define(`SET_BITMAP_FILE', `0x4004092b')
+define(`SET_DISK_FAULTY', `0x00000929')
+define(`SET_DISK_INFO', `0x00000924')
+define(`SG_EMULATED_HOST', `0x00002203')
+define(`SG_GET_ACCESS_COUNT', `0x00002289')
+define(`SG_GET_COMMAND_Q', `0x00002270')
+define(`SG_GET_KEEP_ORPHAN', `0x00002288')
+define(`SG_GET_LOW_DMA', `0x0000227a')
+define(`SG_GET_NUM_WAITING', `0x0000227d')
+define(`SG_GET_PACK_ID', `0x0000227c')
+define(`SG_GET_REQUEST_TABLE', `0x00002286')
+define(`SG_GET_RESERVED_SIZE', `0x00002272')
+define(`SG_GET_SCSI_ID', `0x00002276')
+define(`SG_GET_SG_TABLESIZE', `0x0000227f')
+define(`SG_GET_TIMEOUT', `0x00002202')
+define(`SG_GET_TRANSFORM', `0x00002205')
+define(`SG_GET_VERSION_NUM', `0x00002282')
+define(`SG_IO', `0x00002285')
+define(`SG_NEXT_CMD_LEN', `0x00002283')
+define(`SG_SCSI_RESET', `0x00002284')
+define(`SG_SET_COMMAND_Q', `0x00002271')
+define(`SG_SET_DEBUG', `0x0000227e')
+define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
+define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
+define(`SG_SET_KEEP_ORPHAN', `0x00002287')
+define(`SG_SET_RESERVED_SIZE', `0x00002275')
+define(`SG_SET_TIMEOUT', `0x00002201')
+define(`SG_SET_TRANSFORM', `0x00002204')
+define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
+define(`SIOCADDDLCI', `0x00008980')
+define(`SIOCADDMULTI', `0x00008931')
+define(`SIOCADDRT', `0x0000890b')
+define(`SIOCATMARK', `0x00008905')
+define(`SIOCBONDCHANGEACTIVE', `0x00008995')
+define(`SIOCBONDENSLAVE', `0x00008990')
+define(`SIOCBONDINFOQUERY', `0x00008994')
+define(`SIOCBONDRELEASE', `0x00008991')
+define(`SIOCBONDSETHWADDR', `0x00008992')
+define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
+define(`SIOCBRADDBR', `0x000089a0')
+define(`SIOCBRADDIF', `0x000089a2')
+define(`SIOCBRDELBR', `0x000089a1')
+define(`SIOCBRDELIF', `0x000089a3')
+define(`SIOCDARP', `0x00008953')
+define(`SIOCDELDLCI', `0x00008981')
+define(`SIOCDELMULTI', `0x00008932')
+define(`SIOCDELRT', `0x0000890c')
+define(`SIOCDEVPRIVATE', `0x000089f0')
+define(`SIOCDEVPRIVATE_1', `0x000089f1')
+define(`SIOCDEVPRIVATE_2', `0x000089f2')
+define(`SIOCDEVPRIVATE_3', `0x000089f3')
+define(`SIOCDEVPRIVATE_4', `0x000089f4')
+define(`SIOCDEVPRIVATE_5', `0x000089f5')
+define(`SIOCDEVPRIVATE_6', `0x000089f6')
+define(`SIOCDEVPRIVATE_7', `0x000089f7')
+define(`SIOCDEVPRIVATE_8', `0x000089f8')
+define(`SIOCDEVPRIVATE_9', `0x000089f9')
+define(`SIOCDEVPRIVATE_A', `0x000089fa')
+define(`SIOCDEVPRIVATE_B', `0x000089fb')
+define(`SIOCDEVPRIVATE_C', `0x000089fc')
+define(`SIOCDEVPRIVATE_D', `0x000089fd')
+define(`SIOCDEVPRIVATE_E', `0x000089fe')
+define(`SIOCDEVPRIVLAST', `0x000089ff')
+define(`SIOCDIFADDR', `0x00008936')
+define(`SIOCDRARP', `0x00008960')
+define(`SIOCETHTOOL', `0x00008946')
+define(`SIOCGARP', `0x00008954')
+define(`SIOCGHWTSTAMP', `0x000089b1')
+define(`SIOCGIFADDR', `0x00008915')
+define(`SIOCGIFBR', `0x00008940')
+define(`SIOCGIFBRDADDR', `0x00008919')
+define(`SIOCGIFCONF', `0x00008912')
+define(`SIOCGIFCOUNT', `0x00008938')
+define(`SIOCGIFDSTADDR', `0x00008917')
+define(`SIOCGIFENCAP', `0x00008925')
+define(`SIOCGIFFLAGS', `0x00008913')
+define(`SIOCGIFHWADDR', `0x00008927')
+define(`SIOCGIFINDEX', `0x00008933')
+define(`SIOCGIFMAP', `0x00008970')
+define(`SIOCGIFMEM', `0x0000891f')
+define(`SIOCGIFMETRIC', `0x0000891d')
+define(`SIOCGIFMTU', `0x00008921')
+define(`SIOCGIFNAME', `0x00008910')
+define(`SIOCGIFNETMASK', `0x0000891b')
+define(`SIOCGIFPFLAGS', `0x00008935')
+define(`SIOCGIFSLAVE', `0x00008929')
+define(`SIOCGIFTXQLEN', `0x00008942')
+define(`SIOCGIFVLAN', `0x00008982')
+define(`SIOCGIWAP', `0x00008b15')
+define(`SIOCGIWAPLIST', `0x00008b17')
+define(`SIOCGIWAUTH', `0x00008b33')
+define(`SIOCGIWENCODE', `0x00008b2b')
+define(`SIOCGIWENCODEEXT', `0x00008b35')
+define(`SIOCGIWESSID', `0x00008b1b')
+define(`SIOCGIWFRAG', `0x00008b25')
+define(`SIOCGIWFREQ', `0x00008b05')
+define(`SIOCGIWGENIE', `0x00008b31')
+define(`SIOCGIWMODE', `0x00008b07')
+define(`SIOCGIWNAME', `0x00008b01')
+define(`SIOCGIWNICKN', `0x00008b1d')
+define(`SIOCGIWNWID', `0x00008b03')
+define(`SIOCGIWPOWER', `0x00008b2d')
+define(`SIOCGIWPRIV', `0x00008b0d')
+define(`SIOCGIWRANGE', `0x00008b0b')
+define(`SIOCGIWRATE', `0x00008b21')
+define(`SIOCGIWRETRY', `0x00008b29')
+define(`SIOCGIWRTS', `0x00008b23')
+define(`SIOCGIWSCAN', `0x00008b19')
+define(`SIOCGIWSENS', `0x00008b09')
+define(`SIOCGIWSPY', `0x00008b11')
+define(`SIOCGIWSTATS', `0x00008b0f')
+define(`SIOCGIWTHRSPY', `0x00008b13')
+define(`SIOCGIWTXPOW', `0x00008b27')
+define(`SIOCGMIIPHY', `0x00008947')
+define(`SIOCGMIIREG', `0x00008948')
+define(`SIOCGNETADDR', `0x800489e1')
+define(`SIOCGPGRP', `0x00008904')
+define(`SIOCGRARP', `0x00008961')
+define(`SIOCGSTAMP', `0x00008906')
+define(`SIOCGSTAMPNS', `0x00008907')
+define(`SIOCIWFIRST', `0x00008b00')
+define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
+define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
+define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
+define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
+define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
+define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
+define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
+define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
+define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
+define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
+define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
+define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
+define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
+define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
+define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
+define(`SIOCIWFIRSTPRIV', `0x00008be0')
+define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
+define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
+define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
+define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
+define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
+define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
+define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
+define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
+define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
+define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
+define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
+define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
+define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
+define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
+define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
+define(`SIOCIWLASTPRIV', `0x00008bff')
+define(`SIOCKILLADDR', `0x00008939')
+define(`SIOCMKCLIP', `0x000061e0')
+define(`SIOCOUTQNSD', `0x0000894b')
+define(`SIOCPROTOPRIVATE', `0x000089e0')
+define(`SIOCPROTOPRIVATE_1', `0x000089e1')
+define(`SIOCPROTOPRIVATE_2', `0x000089e2')
+define(`SIOCPROTOPRIVATE_3', `0x000089e3')
+define(`SIOCPROTOPRIVATE_4', `0x000089e4')
+define(`SIOCPROTOPRIVATE_5', `0x000089e5')
+define(`SIOCPROTOPRIVATE_6', `0x000089e6')
+define(`SIOCPROTOPRIVATE_7', `0x000089e7')
+define(`SIOCPROTOPRIVATE_8', `0x000089e8')
+define(`SIOCPROTOPRIVATE_9', `0x000089e9')
+define(`SIOCPROTOPRIVATE_A', `0x000089ea')
+define(`SIOCPROTOPRIVATE_B', `0x000089eb')
+define(`SIOCPROTOPRIVATE_C', `0x000089ec')
+define(`SIOCPROTOPRIVATE_D', `0x000089ed')
+define(`SIOCPROTOPRIVATE_E', `0x000089ee')
+define(`SIOCPROTOPRIVLAST', `0x000089ef')
+define(`SIOCRTMSG', `0x0000890d')
+define(`SIOCSARP', `0x00008955')
+define(`SIOCSHWTSTAMP', `0x000089b0')
+define(`SIOCSIFADDR', `0x00008916')
+define(`SIOCSIFATMTCP', `0x00006180')
+define(`SIOCSIFBR', `0x00008941')
+define(`SIOCSIFBRDADDR', `0x0000891a')
+define(`SIOCSIFDSTADDR', `0x00008918')
+define(`SIOCSIFENCAP', `0x00008926')
+define(`SIOCSIFFLAGS', `0x00008914')
+define(`SIOCSIFHWADDR', `0x00008924')
+define(`SIOCSIFHWBROADCAST', `0x00008937')
+define(`SIOCSIFLINK', `0x00008911')
+define(`SIOCSIFMAP', `0x00008971')
+define(`SIOCSIFMEM', `0x00008920')
+define(`SIOCSIFMETRIC', `0x0000891e')
+define(`SIOCSIFMTU', `0x00008922')
+define(`SIOCSIFNAME', `0x00008923')
+define(`SIOCSIFNETMASK', `0x0000891c')
+define(`SIOCSIFPFLAGS', `0x00008934')
+define(`SIOCSIFSLAVE', `0x00008930')
+define(`SIOCSIFTXQLEN', `0x00008943')
+define(`SIOCSIFVLAN', `0x00008983')
+define(`SIOCSIWAP', `0x00008b14')
+define(`SIOCSIWAUTH', `0x00008b32')
+define(`SIOCSIWCOMMIT', `0x00008b00')
+define(`SIOCSIWENCODE', `0x00008b2a')
+define(`SIOCSIWENCODEEXT', `0x00008b34')
+define(`SIOCSIWESSID', `0x00008b1a')
+define(`SIOCSIWFRAG', `0x00008b24')
+define(`SIOCSIWFREQ', `0x00008b04')
+define(`SIOCSIWGENIE', `0x00008b30')
+define(`SIOCSIWMLME', `0x00008b16')
+define(`SIOCSIWMODE', `0x00008b06')
+define(`SIOCSIWNICKN', `0x00008b1c')
+define(`SIOCSIWNWID', `0x00008b02')
+define(`SIOCSIWPMKSA', `0x00008b36')
+define(`SIOCSIWPOWER', `0x00008b2c')
+define(`SIOCSIWPRIV', `0x00008b0c')
+define(`SIOCSIWRANGE', `0x00008b0a')
+define(`SIOCSIWRATE', `0x00008b20')
+define(`SIOCSIWRETRY', `0x00008b28')
+define(`SIOCSIWRTS', `0x00008b22')
+define(`SIOCSIWSCAN', `0x00008b18')
+define(`SIOCSIWSENS', `0x00008b08')
+define(`SIOCSIWSPY', `0x00008b10')
+define(`SIOCSIWSTATS', `0x00008b0e')
+define(`SIOCSIWTHRSPY', `0x00008b12')
+define(`SIOCSIWTXPOW', `0x00008b26')
+define(`SIOCSMIIREG', `0x00008949')
+define(`SIOCSNETADDR', `0x400489e0')
+define(`SIOCSPGRP', `0x00008902')
+define(`SIOCSRARP', `0x00008962')
+define(`SIOCWANDEV', `0x0000894a')
+define(`SISFB_COMMAND', `0xc054f305')
+define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
+define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
+define(`SISFB_GET_INFO', `0x811cf301')
+define(`SISFB_GET_INFO_OLD', `0x80046ef8')
+define(`SISFB_GET_INFO_SIZE', `0x8004f300')
+define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
+define(`SISFB_GET_VBRSTATUS', `0x8004f302')
+define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
+define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
+define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
+define(`SISFB_SET_LOCK', `0x4004f306')
+define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
+define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
+define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
+define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
+define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
+define(`SNAPSHOT_FREE', `0x00003305')
+define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
+define(`SNAPSHOT_FREEZE', `0x00003301')
+define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
+define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
+define(`SNAPSHOT_POWER_OFF', `0x00003310')
+define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
+define(`SNAPSHOT_S2RAM', `0x0000330b')
+define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
+define(`SNAPSHOT_UNFREEZE', `0x00003302')
+define(`SNDCTL_COPR_HALT', `0xc0144307')
+define(`SNDCTL_COPR_LOAD', `0xcfb04301')
+define(`SNDCTL_COPR_RCODE', `0xc0144303')
+define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
+define(`SNDCTL_COPR_RDATA', `0xc0144302')
+define(`SNDCTL_COPR_RESET', `0x00004300')
+define(`SNDCTL_COPR_RUN', `0xc0144306')
+define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
+define(`SNDCTL_COPR_WCODE', `0x40144305')
+define(`SNDCTL_COPR_WDATA', `0x40144304')
+define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
+define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
+define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
+define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
+define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
+define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
+define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
+define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
+define(`SNDCTL_DSP_GETODELAY', `0x80045017')
+define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
+define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
+define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
+define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
+define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
+define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
+define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
+define(`SNDCTL_DSP_POST', `0x00005008')
+define(`SNDCTL_DSP_PROFILE', `0x40045017')
+define(`SNDCTL_DSP_RESET', `0x00005000')
+define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
+define(`SNDCTL_DSP_SETFMT', `0xc0045005')
+define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
+define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
+define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
+define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
+define(`SNDCTL_DSP_SPEED', `0xc0045002')
+define(`SNDCTL_DSP_STEREO', `0xc0045003')
+define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
+define(`SNDCTL_DSP_SYNC', `0x00005001')
+define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
+define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
+define(`SNDCTL_MIDI_INFO', `0xc074510c')
+define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
+define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
+define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
+define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
+define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
+define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
+define(`SNDCTL_SEQ_GETTIME', `0x80045113')
+define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
+define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
+define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
+define(`SNDCTL_SEQ_PANIC', `0x00005111')
+define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
+define(`SNDCTL_SEQ_RESET', `0x00005100')
+define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
+define(`SNDCTL_SEQ_SYNC', `0x00005101')
+define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
+define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
+define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
+define(`SNDCTL_SYNTH_ID', `0xc08c5114')
+define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
+define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
+define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
+define(`SNDCTL_TMR_CONTINUE', `0x00005404')
+define(`SNDCTL_TMR_METRONOME', `0x40045407')
+define(`SNDCTL_TMR_SELECT', `0x40045408')
+define(`SNDCTL_TMR_SOURCE', `0xc0045406')
+define(`SNDCTL_TMR_START', `0x00005402')
+define(`SNDCTL_TMR_STOP', `0x00005403')
+define(`SNDCTL_TMR_TEMPO', `0xc0045405')
+define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
+define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
+define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
+define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
+define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
+define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
+define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
+define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
+define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
+define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
+define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
+define(`SNDRV_COMPRESS_RESUME', `0x00004331')
+define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
+define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
+define(`SNDRV_COMPRESS_START', `0x00004332')
+define(`SNDRV_COMPRESS_STOP', `0x00004333')
+define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
+define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
+define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
+define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
+define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
+define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
+define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
+define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
+define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
+define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
+define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
+define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
+define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
+define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
+define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
+define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
+define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
+define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
+define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
+define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
+define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
+define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
+define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
+define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
+define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
+define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
+define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
+define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
+define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
+define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
+define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
+define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
+define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
+define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
+define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
+define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
+define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
+define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
+define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
+define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
+define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
+define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
+define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
+define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
+define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
+define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
+define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
+define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
+define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
+define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
+define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
+define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
+define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
+define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
+define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
+define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
+define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
+define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
+define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
+define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
+define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
+define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
+define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
+define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
+define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
+define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
+define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
+define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
+define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
+define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
+define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
+define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
+define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
+define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
+define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
+define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
+define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
+define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
+define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
+define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
+define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
+define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
+define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
+define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
+define(`SNDRV_PCM_IOCTL_START', `0x00004142')
+define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
+define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
+define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
+define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
+define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
+define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
+define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
+define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
+define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
+define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
+define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
+define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
+define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
+define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
+define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
+define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
+define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
+define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
+define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
+define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
+define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
+define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
+define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
+define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
+define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
+define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
+define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
+define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
+define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
+define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
+define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
+define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
+define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
+define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
+define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
+define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
+define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
+define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
+define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
+define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
+define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
+define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
+define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
+define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
+define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
+define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
+define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
+define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
+define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
+define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
+define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
+define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
+define(`SONET_CLRDIAG', `0xc0046113')
+define(`SONET_GETDIAG', `0x80046114')
+define(`SONET_GETFRAMING', `0x80046116')
+define(`SONET_GETFRSENSE', `0x80066117')
+define(`SONET_GETSTAT', `0x80246110')
+define(`SONET_GETSTATZ', `0x80246111')
+define(`SONET_SETDIAG', `0xc0046112')
+define(`SONET_SETFRAMING', `0x40046115')
+define(`SONYPI_IOCGBAT1CAP', `0x80027602')
+define(`SONYPI_IOCGBAT1REM', `0x80027603')
+define(`SONYPI_IOCGBAT2CAP', `0x80027604')
+define(`SONYPI_IOCGBAT2REM', `0x80027605')
+define(`SONYPI_IOCGBATFLAGS', `0x80017607')
+define(`SONYPI_IOCGBLUE', `0x80017608')
+define(`SONYPI_IOCGBRT', `0x80017600')
+define(`SONYPI_IOCGFAN', `0x8001760a')
+define(`SONYPI_IOCGTEMP', `0x8001760c')
+define(`SONYPI_IOCSBLUE', `0x40017609')
+define(`SONYPI_IOCSBRT', `0x40017600')
+define(`SONYPI_IOCSFAN', `0x4001760b')
+define(`SOUND_MIXER_3DSE', `0xc0044d68')
+define(`SOUND_MIXER_ACCESS', `0xc0804d66')
+define(`SOUND_MIXER_AGC', `0xc0044d67')
+define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
+define(`SOUND_MIXER_INFO', `0x805c4d65')
+define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
+define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
+define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
+define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
+define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
+define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
+define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
+define(`SOUND_PCM_READ_BITS', `0x80045005')
+define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
+define(`SOUND_PCM_READ_FILTER', `0x80045007')
+define(`SOUND_PCM_READ_RATE', `0x80045002')
+define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
+define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
+define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
+define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
+define(`SPI_IOC_RD_MODE', `0x80016b01')
+define(`SPI_IOC_RD_MODE32', `0x80046b05')
+define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
+define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
+define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
+define(`SPI_IOC_WR_MODE', `0x40016b01')
+define(`SPI_IOC_WR_MODE32', `0x40046b05')
+define(`SPIOCSTYPE', `0x40087101')
+define(`SSTFB_GET_VGAPASS', `0x800446dd')
+define(`SSTFB_SET_VGAPASS', `0x400446dd')
+define(`STOP_ARRAY', `0x00000932')
+define(`STOP_ARRAY_RO', `0x00000933')
+define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
+define(`SW_SYNC_IOC_INC', `0x40045701')
+define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
+define(`SYNC_IOC_MERGE', `0xc0283e01')
+define(`SYNC_IOC_WAIT', `0x40043e00')
+define(`TCFLSH', `0x0000540b')
+define(`TCGETA', `0x00005405')
+define(`TCGETS2', `0x802c542a')
+define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
+define(`TCGETX', `0x00005432')
+define(`TCSBRK', `0x00005409')
+define(`TCSBRKP', `0x00005425')
+define(`TCSETA', `0x00005406')
+define(`TCSETAF', `0x00005408')
+define(`TCSETAW', `0x00005407')
+define(`TCSETS', `0x00005402')
+define(`TCSETS2', `0x402c542b')
+define(`TCSETSF', `0x00005404')
+define(`TCSETSF2', `0x402c542d')
+define(`TCSETSW', `0x00005403')
+define(`TCSETSW2', `0x402c542c')
+define(`TCSETX', `0x00005433')
+define(`TCSETXF', `0x00005434')
+define(`TCSETXW', `0x00005435')
+define(`TCXONC', `0x0000540a')
+define(`TFD_IOC_SET_TICKS', `0x40085400')
+define(`TIOCCBRK', `0x00005428')
+define(`TIOCCONS', `0x0000541d')
+define(`TIOCEXCL', `0x0000540c')
+define(`TIOCGDEV', `0x80045432')
+define(`TIOCGETD', `0x00005424')
+define(`TIOCGEXCL', `0x80045440')
+define(`TIOCGICOUNT', `0x0000545d')
+define(`TIOCGLCKTRMIOS', `0x00005456')
+define(`TIOCGPGRP', `0x0000540f')
+define(`TIOCGPKT', `0x80045438')
+define(`TIOCGPTLCK', `0x80045439')
+define(`TIOCGPTN', `0x80045430')
+define(`TIOCGRS485', `0x0000542e')
+define(`TIOCGSERIAL', `0x0000541e')
+define(`TIOCGSID', `0x00005429')
+define(`TIOCGSOFTCAR', `0x00005419')
+define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
+define(`TIOCLINUX', `0x0000541c')
+define(`TIOCMBIC', `0x00005417')
+define(`TIOCMBIS', `0x00005416')
+define(`TIOCMGET', `0x00005415')
+define(`TIOCMIWAIT', `0x0000545c')
+define(`TIOCMSET', `0x00005418')
+define(`TIOCNOTTY', `0x00005422')
+define(`TIOCNXCL', `0x0000540d')
+define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
+define(`TIOCPKT', `0x00005420')
+define(`TIOCSBRK', `0x00005427')
+define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
+define(`TIOCSERCONFIG', `0x00005453')
+define(`TIOCSERGETLSR', `0x00005459')
+define(`TIOCSERGETMULTI', `0x0000545a')
+define(`TIOCSERGSTRUCT', `0x00005458')
+define(`TIOCSERGWILD', `0x00005454')
+define(`TIOCSERSETMULTI', `0x0000545b')
+define(`TIOCSERSWILD', `0x00005455')
+define(`TIOCSETD', `0x00005423')
+define(`TIOCSIG', `0x40045436')
+define(`TIOCSLCKTRMIOS', `0x00005457')
+define(`TIOCSPGRP', `0x00005410')
+define(`TIOCSPTLCK', `0x40045431')
+define(`TIOCSRS485', `0x0000542f')
+define(`TIOCSSERIAL', `0x0000541f')
+define(`TIOCSSOFTCAR', `0x0000541a')
+define(`TIOCSTI', `0x00005412')
+define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
+define(`TIOCVHANGUP', `0x00005437')
+define(`TOSH_SMM', `0xc0047490')
+define(`TUNATTACHFILTER', `0x401054d5')
+define(`TUNDETACHFILTER', `0x401054d6')
+define(`TUNER_SET_CONFIG', `0x4010645c')
+define(`TUNGETFEATURES', `0x800454cf')
+define(`TUNGETFILTER', `0x801054db')
+define(`TUNGETIFF', `0x800454d2')
+define(`TUNGETSNDBUF', `0x800454d3')
+define(`TUNGETVNETHDRSZ', `0x800454d7')
+define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETDEBUG', `0x400454c9')
+define(`TUNSETGROUP', `0x400454ce')
+define(`TUNSETIFF', `0x400454ca')
+define(`TUNSETIFINDEX', `0x400454da')
+define(`TUNSETLINK', `0x400454cd')
+define(`TUNSETNOCSUM', `0x400454c8')
+define(`TUNSETOFFLOAD', `0x400454d0')
+define(`TUNSETOWNER', `0x400454cc')
+define(`TUNSETPERSIST', `0x400454cb')
+define(`TUNSETQUEUE', `0x400454d9')
+define(`TUNSETSNDBUF', `0x400454d4')
+define(`TUNSETTXFILTER', `0x400454d1')
+define(`TUNSETVNETHDRSZ', `0x400454d8')
+define(`TUNSETVNETLE', `0x400454dc')
+define(`UBI_IOCATT', `0x40186f40')
+define(`UBI_IOCDET', `0x40046f41')
+define(`UBI_IOCEBCH', `0x40044f02')
+define(`UBI_IOCEBER', `0x40044f01')
+define(`UBI_IOCEBISMAP', `0x80044f05')
+define(`UBI_IOCEBMAP', `0x40084f03')
+define(`UBI_IOCEBUNMAP', `0x40044f04')
+define(`UBI_IOCMKVOL', `0x40986f00')
+define(`UBI_IOCRMVOL', `0x40046f01')
+define(`UBI_IOCRNVOL', `0x51106f03')
+define(`UBI_IOCRSVOL', `0x400c6f02')
+define(`UBI_IOCSETVOLPROP', `0x40104f06')
+define(`UBI_IOCVOLCRBLK', `0x40804f07')
+define(`UBI_IOCVOLRMBLK', `0x00004f08')
+define(`UBI_IOCVOLUP', `0x40084f00')
+define(`UDF_GETEABLOCK', `0x80086c41')
+define(`UDF_GETEASIZE', `0x80046c40')
+define(`UDF_GETVOLIDENT', `0x80086c42')
+define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
+define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
+define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
+define(`UI_DEV_CREATE', `0x00005501')
+define(`UI_DEV_DESTROY', `0x00005502')
+define(`UI_END_FF_ERASE', `0x400c55cb')
+define(`UI_END_FF_UPLOAD', `0x406855c9')
+define(`UI_GET_VERSION', `0x8004552d')
+define(`UI_SET_ABSBIT', `0x40045567')
+define(`UI_SET_EVBIT', `0x40045564')
+define(`UI_SET_FFBIT', `0x4004556b')
+define(`UI_SET_KEYBIT', `0x40045565')
+define(`UI_SET_LEDBIT', `0x40045569')
+define(`UI_SET_MSCBIT', `0x40045568')
+define(`UI_SET_PHYS', `0x4008556c')
+define(`UI_SET_PROPBIT', `0x4004556e')
+define(`UI_SET_RELBIT', `0x40045566')
+define(`UI_SET_SNDBIT', `0x4004556a')
+define(`UI_SET_SWBIT', `0x4004556d')
+define(`UNPROTECT_ARRAY', `0x00000926')
+define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
+define(`USBDEVFS_BULK', `0xc0185502')
+define(`USBDEVFS_BULK32', `0xc0105502')
+define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
+define(`USBDEVFS_CLAIM_PORT', `0x80045518')
+define(`USBDEVFS_CLEAR_HALT', `0x80045515')
+define(`USBDEVFS_CONNECT', `0x00005517')
+define(`USBDEVFS_CONNECTINFO', `0x40085511')
+define(`USBDEVFS_CONTROL', `0xc0185500')
+define(`USBDEVFS_CONTROL32', `0xc0105500')
+define(`USBDEVFS_DISCARDURB', `0x0000550b')
+define(`USBDEVFS_DISCONNECT', `0x00005516')
+define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
+define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
+define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
+define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
+define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
+define(`USBDEVFS_GETDRIVER', `0x41045508')
+define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
+define(`USBDEVFS_IOCTL', `0xc0105512')
+define(`USBDEVFS_IOCTL32', `0xc00c5512')
+define(`USBDEVFS_REAPURB', `0x4008550c')
+define(`USBDEVFS_REAPURB32', `0x4004550c')
+define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
+define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
+define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
+define(`USBDEVFS_RELEASE_PORT', `0x80045519')
+define(`USBDEVFS_RESET', `0x00005514')
+define(`USBDEVFS_RESETEP', `0x80045503')
+define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
+define(`USBDEVFS_SETINTERFACE', `0x80085504')
+define(`USBDEVFS_SUBMITURB', `0x8038550a')
+define(`USBDEVFS_SUBMITURB32', `0x802a550a')
+define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
+define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
+define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
+define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
+define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
+define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
+define(`UVCIOC_CTRL_MAP', `0xc0607520')
+define(`UVCIOC_CTRL_QUERY', `0xc0107521')
+define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
+define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
+define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
+define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
+define(`VFIO_CHECK_EXTENSION', `0x00003b65')
+define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
+define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
+define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
+define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
+define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
+define(`VFIO_DEVICE_RESET', `0x00003b6f')
+define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
+define(`VFIO_EEH_PE_OP', `0x00003b79')
+define(`VFIO_GET_API_VERSION', `0x00003b64')
+define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
+define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
+define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
+define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
+define(`VFIO_IOMMU_DISABLE', `0x00003b74')
+define(`VFIO_IOMMU_ENABLE', `0x00003b73')
+define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
+define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
+define(`VFIO_SET_IOMMU', `0x00003b66')
+define(`VHOST_GET_FEATURES', `0x8008af00')
+define(`VHOST_GET_VRING_BASE', `0xc008af12')
+define(`VHOST_NET_SET_BACKEND', `0x4008af30')
+define(`VHOST_RESET_OWNER', `0x0000af02')
+define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
+define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
+define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
+define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
+define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
+define(`VHOST_SET_FEATURES', `0x4008af00')
+define(`VHOST_SET_LOG_BASE', `0x4008af04')
+define(`VHOST_SET_LOG_FD', `0x4004af07')
+define(`VHOST_SET_MEM_TABLE', `0x4008af03')
+define(`VHOST_SET_OWNER', `0x0000af01')
+define(`VHOST_SET_VRING_ADDR', `0x4028af11')
+define(`VHOST_SET_VRING_BASE', `0x4008af12')
+define(`VHOST_SET_VRING_CALL', `0x4008af21')
+define(`VHOST_SET_VRING_ERR', `0x4008af22')
+define(`VHOST_SET_VRING_KICK', `0x4008af20')
+define(`VHOST_SET_VRING_NUM', `0x4008af10')
+define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
+define(`VIDEO_COMMAND', `0xc0486f3b')
+define(`VIDEO_CONTINUE', `0x00006f18')
+define(`VIDEO_FAST_FORWARD', `0x00006f1f')
+define(`VIDEO_FREEZE', `0x00006f17')
+define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
+define(`VIDEO_GET_EVENT', `0x80206f1c')
+define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
+define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
+define(`VIDEO_GET_NAVI', `0x84046f34')
+define(`VIDEO_GET_PTS', `0x80086f39')
+define(`VIDEO_GET_SIZE', `0x800c6f37')
+define(`VIDEO_GET_STATUS', `0x80146f1b')
+define(`VIDEO_PLAY', `0x00006f16')
+define(`VIDEO_SELECT_SOURCE', `0x00006f19')
+define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
+define(`VIDEO_SET_BLANK', `0x00006f1a')
+define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
+define(`VIDEO_SET_FORMAT', `0x00006f25')
+define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
+define(`VIDEO_SET_ID', `0x00006f23')
+define(`VIDEO_SET_SPU', `0x40086f32')
+define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
+define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
+define(`VIDEO_SET_SYSTEM', `0x00006f26')
+define(`VIDEO_SLOWMOTION', `0x00006f20')
+define(`VIDEO_STILLPICTURE', `0x40106f1e')
+define(`VIDEO_STOP', `0x00006f15')
+define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
+define(`VIDIOC_CREATE_BUFS', `0xc100565c')
+define(`VIDIOC_CROPCAP', `0xc02c563a')
+define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
+define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
+define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
+define(`VIDIOC_DECODER_CMD', `0xc0485660')
+define(`VIDIOC_DQBUF', `0xc0585611')
+define(`VIDIOC_DQEVENT', `0x80885659')
+define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_ENCODER_CMD', `0xc028564d')
+define(`VIDIOC_ENUMAUDIO', `0xc0345641')
+define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
+define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_ENUM_FMT', `0xc0405602')
+define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
+define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
+define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
+define(`VIDIOC_ENUMINPUT', `0xc050561a')
+define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
+define(`VIDIOC_ENUMSTD', `0xc0485619')
+define(`VIDIOC_EXPBUF', `0xc0405610')
+define(`VIDIOC_G_AUDIO', `0x80345621')
+define(`VIDIOC_G_AUDOUT', `0x80345631')
+define(`VIDIOC_G_CROP', `0xc014563b')
+define(`VIDIOC_G_CTRL', `0xc008561b')
+define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_G_EDID', `0xc0285628')
+define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
+define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
+define(`VIDIOC_G_FBUF', `0x8030560a')
+define(`VIDIOC_G_FMT', `0xc0d05604')
+define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
+define(`VIDIOC_G_INPUT', `0x80045626')
+define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
+define(`VIDIOC_G_MODULATOR', `0xc0445636')
+define(`VIDIOC_G_OUTPUT', `0x8004562e')
+define(`VIDIOC_G_PARM', `0xc0cc5615')
+define(`VIDIOC_G_PRIORITY', `0x80045643')
+define(`VIDIOC_G_SELECTION', `0xc040565e')
+define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
+define(`VIDIOC_G_STD', `0x80085617')
+define(`VIDIOC_G_TUNER', `0xc054561d')
+define(`VIDIOC_INT_RESET', `0x40046466')
+define(`VIDIOC_LOG_STATUS', `0x00005646')
+define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
+define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
+define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
+define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
+define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
+define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
+define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
+define(`VIDIOC_OVERLAY', `0x4004560e')
+define(`VIDIOC_PREPARE_BUF', `0xc058565d')
+define(`VIDIOC_QBUF', `0xc058560f')
+define(`VIDIOC_QUERYBUF', `0xc0585609')
+define(`VIDIOC_QUERYCAP', `0x80685600')
+define(`VIDIOC_QUERYCTRL', `0xc0445624')
+define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
+define(`VIDIOC_QUERYMENU', `0xc02c5625')
+define(`VIDIOC_QUERYSTD', `0x8008563f')
+define(`VIDIOC_REQBUFS', `0xc0145608')
+define(`VIDIOC_RESERVED', `0x00005601')
+define(`VIDIOC_S_AUDIO', `0x40345622')
+define(`VIDIOC_S_AUDOUT', `0x40345632')
+define(`VIDIOC_S_CROP', `0x4014563c')
+define(`VIDIOC_S_CTRL', `0xc008561c')
+define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_S_EDID', `0xc0285629')
+define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
+define(`VIDIOC_S_FBUF', `0x4030560b')
+define(`VIDIOC_S_FMT', `0xc0d05605')
+define(`VIDIOC_S_FREQUENCY', `0x402c5639')
+define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
+define(`VIDIOC_S_INPUT', `0xc0045627')
+define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
+define(`VIDIOC_S_MODULATOR', `0x40445637')
+define(`VIDIOC_S_OUTPUT', `0xc004562f')
+define(`VIDIOC_S_PARM', `0xc0cc5616')
+define(`VIDIOC_S_PRIORITY', `0x40045644')
+define(`VIDIOC_S_SELECTION', `0xc040565f')
+define(`VIDIOC_S_STD', `0x40085618')
+define(`VIDIOC_STREAMOFF', `0x40045613')
+define(`VIDIOC_STREAMON', `0x40045612')
+define(`VIDIOC_S_TUNER', `0x4054561e')
+define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
+define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
+define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
+define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
+define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
+define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
+define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
+define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
+define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
+define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
+define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
+define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
+define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
+define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
+define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
+define(`VIDIOC_TRY_FMT', `0xc0d05640')
+define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
+define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
+define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
+define(`VT_ACTIVATE', `0x00005606')
+define(`VT_DISALLOCATE', `0x00005608')
+define(`VT_GETHIFONTMASK', `0x0000560d')
+define(`VT_GETMODE', `0x00005601')
+define(`VT_GETSTATE', `0x00005603')
+define(`VT_LOCKSWITCH', `0x0000560b')
+define(`VT_OPENQRY', `0x00005600')
+define(`VT_RELDISP', `0x00005605')
+define(`VT_RESIZE', `0x00005609')
+define(`VT_RESIZEX', `0x0000560a')
+define(`VT_SENDSIG', `0x00005604')
+define(`VT_SETACTIVATE', `0x0000560f')
+define(`VT_SETMODE', `0x00005602')
+define(`VT_UNLOCKSWITCH', `0x0000560c')
+define(`VT_WAITACTIVE', `0x00005607')
+define(`VT_WAITEVENT', `0x0000560e')
+define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
+define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
+define(`WDIOC_GETBOOTSTATUS', `0x80045702')
+define(`WDIOC_GETPRETIMEOUT', `0x80045709')
+define(`WDIOC_GETSTATUS', `0x80045701')
+define(`WDIOC_GETSUPPORT', `0x80285700')
+define(`WDIOC_GETTEMP', `0x80045703')
+define(`WDIOC_GETTIMELEFT', `0x8004570a')
+define(`WDIOC_GETTIMEOUT', `0x80045707')
+define(`WDIOC_KEEPALIVE', `0x80045705')
+define(`WDIOC_SETOPTIONS', `0x80045704')
+define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
+define(`WDIOC_SETTIMEOUT', `0xc0045706')
+define(`WRITE_RAID_INFO', `0x00000925')
+define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
+define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
+define(`ZATM_GETPOOL', `0x40106161')
+define(`ZATM_GETPOOLZ', `0x40106162')
+define(`ZATM_SETPOOL', `0x40106163')
diff --git a/microdroid/sepolicy/system/public/ioctl_macros b/microdroid/sepolicy/system/public/ioctl_macros
new file mode 100644
index 0000000..47a5157
--- /dev/null
+++ b/microdroid/sepolicy/system/public/ioctl_macros
@@ -0,0 +1,76 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# Socket ioctls for gathering information about the interface
+SIOCGSTAMP SIOCGSTAMPNS
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
+SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
+# Wireless extension ioctls. Primarily get functions.
+SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
+SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
+SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
+}')
+
+# socket ioctls never allowed to unprivileged apps
+define(`priv_sock_ioctls', `
+{
+# qualcomm rmnet ioctls
+WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
+# socket ioctls
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
+SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
+SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
+SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
+SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
+SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
+SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
+SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
+SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
+# device and protocol specific ioctls
+SIOCDEVPRIVATE-SIOCDEVPRIVLAST
+SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
+# Wireless extension ioctls
+SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
+SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
+SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
+SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
+SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
+# Dev private ioctl i.e. hardware specific ioctls
+SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
+}')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
+
+# commonly used TTY ioctls
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
+ TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
+}')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+}')
diff --git a/microdroid/sepolicy/system/public/iorap_inode2filename.te b/microdroid/sepolicy/system/public/iorap_inode2filename.te
new file mode 100644
index 0000000..6f119ee
--- /dev/null
+++ b/microdroid/sepolicy/system/public/iorap_inode2filename.te
@@ -0,0 +1,70 @@
+# iorap.inode2filename -> look up file paths from an inode
+type iorap_inode2filename, domain;
+type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
+type iorap_inode2filename_tmpfs, file_type;
+
+r_dir_file(iorap_inode2filename, rootfs)
+
+# Allow usage of pipes (child stdout -> parent pipe).
+allow iorap_inode2filename iorapd:fd use;
+allow iorap_inode2filename iorapd:fifo_file { read write getattr };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_inode2filename self:capability dac_read_search;
+
+typeattribute iorap_inode2filename mlstrustedsubject;
+
+# Grant access to open most of the files under /
+allow iorap_inode2filename apex_data_file:dir { getattr open read search };
+allow iorap_inode2filename apex_data_file:file { getattr };
+allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
+allow iorap_inode2filename apex_mnt_dir:file { getattr };
+allow iorap_inode2filename apk_data_file:dir { getattr open read search };
+allow iorap_inode2filename apk_data_file:file { getattr };
+allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
+allow iorap_inode2filename app_data_file_type:file { getattr };
+allow iorap_inode2filename backup_data_file:dir { getattr open read search };
+allow iorap_inode2filename backup_data_file:file { getattr };
+allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
+allow iorap_inode2filename bootchart_data_file:file { getattr };
+allow iorap_inode2filename metadata_file:dir { getattr open read search search };
+allow iorap_inode2filename metadata_file:file { getattr };
+allow iorap_inode2filename packages_list_file:dir { getattr open read search };
+allow iorap_inode2filename packages_list_file:file { getattr };
+allow iorap_inode2filename property_data_file:dir { getattr open read search };
+allow iorap_inode2filename property_data_file:file { getattr };
+allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
+allow iorap_inode2filename resourcecache_data_file:file { getattr };
+allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
+allow iorap_inode2filename ringtone_file:dir { getattr open read search };
+allow iorap_inode2filename ringtone_file:file { getattr };
+allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
+allow iorap_inode2filename same_process_hal_file:file { getattr };
+allow iorap_inode2filename sepolicy_file:file { getattr };
+allow iorap_inode2filename staging_data_file:dir { getattr open read search };
+allow iorap_inode2filename staging_data_file:file { getattr };
+allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
+allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
+allow iorap_inode2filename system_data_file:dir { getattr open read search };
+allow iorap_inode2filename system_data_file:file { getattr };
+allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
+allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
+allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
+allow iorap_inode2filename textclassifier_data_file:file { getattr };
+allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
+allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
+allow iorap_inode2filename user_profile_data_file:file { getattr };
+allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
+allow iorap_inode2filename unlabeled:file { getattr };
+allow iorap_inode2filename vendor_file:dir { getattr open read search };
+allow iorap_inode2filename vendor_file:file { getattr };
+allow iorap_inode2filename vendor_overlay_file:file { getattr };
+allow iorap_inode2filename zygote_exec:file { getattr };
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
+neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/iorap_prefetcherd.te b/microdroid/sepolicy/system/public/iorap_prefetcherd.te
new file mode 100644
index 0000000..4b218fb
--- /dev/null
+++ b/microdroid/sepolicy/system/public/iorap_prefetcherd.te
@@ -0,0 +1,55 @@
+# volume manager
+type iorap_prefetcherd, domain;
+type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
+type iorap_prefetcherd_tmpfs, file_type;
+
+r_dir_file(iorap_prefetcherd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
+
+# iorap_prefetcherd temporarily changes its priority when running benchmarks
+allow iorap_prefetcherd self:global_capability_class_set sys_nice;
+
+# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
+allow iorap_prefetcherd iorapd:fd use;
+allow iorap_prefetcherd iorapd:fifo_file { read write };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_prefetcherd self:capability dac_read_search;
+
+typeattribute iorap_prefetcherd mlstrustedsubject;
+
+# Grant logcat access
+allow iorap_prefetcherd logcat_exec:file { open read };
+
+# Grant access to open most of the files under /
+allow iorap_prefetcherd apk_data_file:dir { open read search };
+allow iorap_prefetcherd apk_data_file:file { open read };
+allow iorap_prefetcherd app_data_file:dir { open read search };
+allow iorap_prefetcherd app_data_file:file { open read };
+allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
+allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
+allow iorap_prefetcherd packages_list_file:dir { open read search };
+allow iorap_prefetcherd packages_list_file:file { open read };
+allow iorap_prefetcherd privapp_data_file:dir { open read search };
+allow iorap_prefetcherd privapp_data_file:file { open read };
+allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
+allow iorap_prefetcherd same_process_hal_file:file { open read };
+allow iorap_prefetcherd system_data_file:dir { open read search };
+allow iorap_prefetcherd system_data_file:file { open read };
+allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_root_file:dir { open read search };
+allow iorap_prefetcherd user_profile_data_file:dir { open read search };
+allow iorap_prefetcherd user_profile_data_file:file { open read };
+allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
+allow iorap_prefetcherd vendor_overlay_file:file { open read };
+# Note: Do not add any /vendor labels because they can be customized
+# by the vendor and we won't know about them beforehand.
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
+neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/iorapd.te b/microdroid/sepolicy/system/public/iorapd.te
new file mode 100644
index 0000000..b970699
--- /dev/null
+++ b/microdroid/sepolicy/system/public/iorapd.te
@@ -0,0 +1,97 @@
+# volume manager
+type iorapd, domain;
+type iorapd_exec, exec_type, file_type, system_file_type;
+type iorapd_tmpfs, file_type;
+
+r_dir_file(iorapd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorapd proc_drop_caches:file rw_file_perms;
+
+# Give iorapd a place where only iorapd can store files; everyone else is off limits
+allow iorapd iorapd_data_file:dir create_dir_perms;
+allow iorapd iorapd_data_file:file create_file_perms;
+
+# Allow iorapd to publish a binder service and make binder calls.
+binder_use(iorapd)
+add_service(iorapd, iorapd_service)
+
+# Allow iorapd to call into the system server so it can check permissions.
+binder_call(iorapd, system_server)
+allow iorapd permission_service:service_manager find;
+# IUserManager
+allow iorapd user_service:service_manager find;
+# IPackageManagerNative
+allow iorapd package_native_service:service_manager find;
+# Allow dumpstate (bugreport) to call into iorapd.
+allow iorapd dumpstate:fd use;
+allow iorapd dumpstate:fifo_file write;
+
+# talk to batteryservice
+binder_call(iorapd, healthd)
+
+# TODO: does each of the service_manager allow finds above need the binder_call?
+
+# iorapd temporarily changes its priority when running benchmarks
+allow iorapd self:global_capability_class_set sys_nice;
+
+# Allow to access Perfetto traced's privileged consumer socket to start/stop
+# tracing sessions and read trace data.
+unix_socket_connect(iorapd, traced_consumer, traced)
+
+# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
+allow iorapd system_file:file rx_file_perms;
+
+# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
+allow iorapd iorap_inode2filename:process signull;
+allow iorapd iorap_prefetcherd:process signull;
+
+# Allowing system_server to check for the existence and size of files under iorapd
+# dir without collecting any sensitive app data.
+# This is used to predict if iorapd is doing prefetching or not.
+allow system_server iorapd_data_file:dir { getattr open read search };
+allow system_server iorapd_data_file:file getattr;
+
+###
+### neverallow rules
+###
+
+neverallow {
+ domain
+ -iorapd
+} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -iorapd
+ -system_server
+} iorapd_data_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -iorapd
+} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vendor_init
+ -iorapd
+ -system_server
+} { iorapd_data_file }:notdevfile_class_set *;
+
+# Only system_server and shell (for dumpsys) can interact with iorapd over binder
+neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
+neverallow iorapd {
+ domain
+ -healthd
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow { domain -init } iorapd:process { transition dyntransition };
+neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/isolated_app.te b/microdroid/sepolicy/system/public/isolated_app.te
new file mode 100644
index 0000000..a907dac
--- /dev/null
+++ b/microdroid/sepolicy/system/public/isolated_app.te
@@ -0,0 +1,9 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+type isolated_app, domain;
diff --git a/microdroid/sepolicy/system/public/kernel.te b/microdroid/sepolicy/system/public/kernel.te
new file mode 100644
index 0000000..9aa40cc
--- /dev/null
+++ b/microdroid/sepolicy/system/public/kernel.te
@@ -0,0 +1,141 @@
+# Life begins with the kernel.
+type kernel, domain, mlstrustedsubject;
+
+allow kernel self:global_capability_class_set sys_nice;
+
+# Root fs.
+r_dir_file(kernel, rootfs)
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Mount usbfs.
+allow kernel usbfs:filesystem mount;
+allow kernel usbfs:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Write to /proc/1/oom_adj prior to switching to init domain.
+allow kernel self:global_capability_class_set sys_resource;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel sdcard_type:file { read write };
+
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
+allow kernel { app_data_file privapp_data_file }:file read;
+allow kernel asec_image_file:file read;
+
+# Allow mounting loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
+userdebug_or_eng(`
+ allow kernel update_engine_data_file:file { read write };
+ allow kernel nativetest_data_file:file { read write };
+')
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file { read write };
+
+# Allow the kernel to read APEX file descriptors and (staged) data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+allow kernel {
+ apex_data_file
+ staging_data_file
+ vendor_apex_file
+}:file read;
+
+# Allow the first-stage init (which is running in the kernel domain) to execute the
+# dynamic linker when it re-executes /init to switch into the second stage.
+# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
+# before the domain is switched to the target domain. So, we need to allow the kernel
+# domain (the source domain) to execute the dynamic linker (system_file type).
+# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
+# kernel older than 4.8.
+allow kernel system_file:file execute;
+# The label for the dynamic linker is rootfs in the recovery partition. This is because
+# the recovery partition which is rootfs does not support xattr and thus labeling can't be
+# done at build-time. All files are by default labeled as rootfs upon booting.
+recovery_only(`
+ allow kernel rootfs:file execute;
+')
+
+# required by VTS lidbm unit test
+allow kernel appdomain_tmpfs:file { read write };
+
+###
+### neverallow rules
+###
+
+# The initial task starts in the kernel domain (assigned via
+# initial_sid_contexts), but nothing ever transitions to it.
+neverallow * kernel:process { transition dyntransition };
+
+# The kernel domain is never entered via an exec, nor should it
+# ever execute a program outside the rootfs without changing to another domain.
+# If you encounter an execute_no_trans denial on the kernel domain, then
+# possible causes include:
+# - The program is a kernel usermodehelper. In this case, define a domain
+# for the program and domain_auto_trans() to it.
+# - You are running an exploit which switched to the init task credentials
+# and is then trying to exec a shell or other program. You lose!
+neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
+
+# Nobody should be ptracing kernel threads
+neverallow * kernel:process ptrace;
diff --git a/microdroid/sepolicy/system/public/keystore.te b/microdroid/sepolicy/system/public/keystore.te
new file mode 100644
index 0000000..155322c
--- /dev/null
+++ b/microdroid/sepolicy/system/public/keystore.te
@@ -0,0 +1,44 @@
+type keystore, domain, keystore2_key_type;
+type keystore_exec, system_file_type, exec_type, file_type;
+
+# keystore daemon
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+binder_call(keystore, system_server)
+binder_call(keystore, wificond)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
+allow keystore dropbox_service:service_manager find;
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
+add_service(keystore, keystore_maintenance_service)
+add_service(keystore, vpnprofilestore_service)
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
+
+###
+### Neverallow rules
+###
+### Protect ourself from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+
+# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
+neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
diff --git a/microdroid/sepolicy/system/public/keystore_keys.te b/microdroid/sepolicy/system/public/keystore_keys.te
new file mode 100644
index 0000000..3c35984
--- /dev/null
+++ b/microdroid/sepolicy/system/public/keystore_keys.te
@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;
diff --git a/microdroid/sepolicy/system/public/llkd.te b/microdroid/sepolicy/system/public/llkd.te
new file mode 100644
index 0000000..1faa429
--- /dev/null
+++ b/microdroid/sepolicy/system/public/llkd.te
@@ -0,0 +1,3 @@
+# llkd Live LocK Daemon
+type llkd, domain, mlstrustedsubject;
+type llkd_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/lmkd.te b/microdroid/sepolicy/system/public/lmkd.te
new file mode 100644
index 0000000..de6052d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/lmkd.te
@@ -0,0 +1,72 @@
+# lmkd low memory killer daemon
+type lmkd, domain, mlstrustedsubject;
+type lmkd_exec, system_file_type, exec_type, file_type;
+
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
+
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:global_capability_class_set ipc_lock;
+
+## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
+## TODO: maybe scope this down?
+r_dir_file(lmkd, domain)
+allow lmkd domain:file write;
+
+## Writes to /sys/module/lowmemorykiller/parameters/minfree
+r_dir_file(lmkd, sysfs_lowmemorykiller)
+allow lmkd sysfs_lowmemorykiller:file w_file_perms;
+
+# setsched and send kill signals to any registered process
+allow lmkd domain:process { setsched sigkill };
+# TODO: delete this line b/131761776
+allow lmkd kernel:process { setsched };
+
+# Clean up old cgroups
+allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
+
+# Allow to read memcg stats
+allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
+
+# Set self to SCHED_FIFO
+allow lmkd self:global_capability_class_set sys_nice;
+
+allow lmkd proc_zoneinfo:file r_file_perms;
+allow lmkd proc_vmstat:file r_file_perms;
+
+# live lock watchdog process allowed to look through /proc/
+allow lmkd domain:dir { search open read };
+allow lmkd domain:file { open read };
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow lmkd proc_sysrq:file rw_file_perms;
+
+# Read /proc/lowmemorykiller
+allow lmkd proc_lowmemorykiller:file r_file_perms;
+
+# Read /proc/meminfo
+allow lmkd proc_meminfo:file r_file_perms;
+
+# Read /proc/pressure/cpu and /proc/pressure/io
+allow lmkd proc_pressure_cpu:file r_file_perms;
+allow lmkd proc_pressure_io:file r_file_perms;
+
+# Read/Write /proc/pressure/memory
+allow lmkd proc_pressure_mem:file rw_file_perms;
+
+# Allow lmkd to connect during reinit.
+allow lmkd lmkd_socket:sock_file write;
+
+# Allow lmkd to write to statsd.
+unix_socket_send(lmkd, statsdw, statsd)
+
+### neverallow rules
+
+# never honor LD_PRELOAD
+neverallow * lmkd:process noatsecure;
+neverallow lmkd self:global_capability_class_set sys_ptrace;
diff --git a/microdroid/sepolicy/system/public/logd.te b/microdroid/sepolicy/system/public/logd.te
new file mode 100644
index 0000000..8187179
--- /dev/null
+++ b/microdroid/sepolicy/system/public/logd.te
@@ -0,0 +1,74 @@
+# android user-space log manager
+type logd, domain, mlstrustedsubject;
+type logd_exec, system_file_type, exec_type, file_type;
+
+# Read access to pseudo filesystems.
+r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kernel:system syslog_read;
+allow logd kmsg_device:chr_file { getattr w_file_perms };
+allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd packages_list_file:file r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+ # Access to /data/misc/logd/event-log-tags
+ allow logd misc_logd_file:dir r_dir_perms;
+ allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
+
+r_dir_file(logd, domain)
+
+allow logd kernel:system syslog_mod;
+
+control_logd(logd)
+read_runtime_log_tags(logd)
+
+allow runtime_event_log_tags_file tmpfs:filesystem associate;
+# Typically harmlessly blindly trying to access via liblog
+# event tag mapping while in the untrusted_app domain.
+# Access for that domain is controlled and gated via the
+# event log tag service (albeit at a performance penalty,
+# expected to be locally cached).
+dontaudit domain runtime_event_log_tags_file:file { map open read };
+
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
+
+# Only init is allowed to enter the logd domain via exec()
+neverallow { domain -init } logd:process transition;
+neverallow * logd:process dyntransition;
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -init
+ -logd
+} runtime_event_log_tags_file:file no_w_file_perms;
diff --git a/microdroid/sepolicy/system/public/logpersist.te b/microdroid/sepolicy/system/public/logpersist.te
new file mode 100644
index 0000000..c8e6af4
--- /dev/null
+++ b/microdroid/sepolicy/system/public/logpersist.te
@@ -0,0 +1,30 @@
+# android debug logging, logpersist domains
+type logpersist, domain;
+
+# logcatd is a shell script that execs logcat with various parameters.
+allow logpersist shell_exec:file rx_file_perms;
+allow logpersist logcat_exec:file rx_file_perms;
+
+###
+### Neverallow rules
+###
+### logpersist should NEVER do any of this
+
+# Block device access.
+neverallow logpersist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logpersist domain:process ptrace;
+
+# Write to files in /data/data or system files on /data except misc_logd_file
+neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init should be allowed to enter the logpersist domain via exec()
+# Following is a list of debug domains we know that transition to logpersist
+# neverallow_with_undefined_domains {
+# domain
+# -init # goldfish, logcatd, raft
+# -mmi # bat, mtp8996, msmcobalt
+# -system_app # Smith.apk
+# } logpersist:process transition;
+neverallow * logpersist:process dyntransition;
diff --git a/microdroid/sepolicy/system/public/mdnsd.te b/microdroid/sepolicy/system/public/mdnsd.te
new file mode 100644
index 0000000..ef7b065
--- /dev/null
+++ b/microdroid/sepolicy/system/public/mdnsd.te
@@ -0,0 +1,2 @@
+# mdns daemon
+type mdnsd, domain;
diff --git a/microdroid/sepolicy/system/public/mediadrmserver.te b/microdroid/sepolicy/system/public/mediadrmserver.te
new file mode 100644
index 0000000..a52295e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/mediadrmserver.te
@@ -0,0 +1,33 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+hal_client_domain(mediadrmserver, hal_drm)
+
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
+allow mediadrmserver processinfo_service:service_manager find;
+allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
+
+# TODO(b/80317992): remove
+binder_call(mediadrmserver, hal_omx_server)
+
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/mediaextractor.te b/microdroid/sepolicy/system/public/mediaextractor.te
new file mode 100644
index 0000000..06f7928
--- /dev/null
+++ b/microdroid/sepolicy/system/public/mediaextractor.te
@@ -0,0 +1,72 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain;
+type mediaextractor_exec, system_file_type, exec_type, file_type;
+type mediaextractor_tmpfs, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+add_service(mediaextractor, mediaextractor_service)
+allow mediaextractor mediametrics_service:service_manager find;
+allow mediaextractor hidl_token_hwservice:hwservice_manager find;
+
+allow mediaextractor system_server:fd use;
+
+hal_client_domain(mediaextractor, hal_cas)
+hal_client_domain(mediaextractor, hal_allocator)
+
+r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
+allow mediaextractor proc_meminfo:file r_file_perms;
+
+crash_dump_fallback(mediaextractor)
+
+# allow mediaextractor read permissions for file sources
+allow mediaextractor sdcard_type:file { getattr read };
+allow mediaextractor media_rw_data_file:file { getattr read };
+allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
+
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
+# overlay package access
+allow mediaextractor vendor_overlay_file:file { read map };
+
+# scan extractor library directory to dynamically load extractors
+allow mediaextractor system_file:dir { read open };
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+ data_file_type
+ -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+ userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+ with_native_coverage(`-method_trace_data_file')
+}:file open;
diff --git a/microdroid/sepolicy/system/public/mediametrics.te b/microdroid/sepolicy/system/public/mediametrics.te
new file mode 100644
index 0000000..468c0d0
--- /dev/null
+++ b/microdroid/sepolicy/system/public/mediametrics.te
@@ -0,0 +1,45 @@
+# mediametrics - daemon for collecting media.metrics data
+type mediametrics, domain;
+type mediametrics_exec, system_file_type, exec_type, file_type;
+
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+add_service(mediametrics, mediametrics_service)
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+# allows interactions with dumpsys to GMScore
+allow mediametrics { app_data_file privapp_data_file }:file write;
+
+# allow access to package manager for uid->apk mapping
+allow mediametrics package_native_service:service_manager find;
+
+# Allow metrics service to send information to statsd socket.
+unix_socket_send(mediametrics, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/microdroid/sepolicy/system/public/mediaprovider.te b/microdroid/sepolicy/system/public/mediaprovider.te
new file mode 100644
index 0000000..24170a5
--- /dev/null
+++ b/microdroid/sepolicy/system/public/mediaprovider.te
@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;
diff --git a/microdroid/sepolicy/system/public/mediaserver.te b/microdroid/sepolicy/system/public/mediaserver.te
new file mode 100644
index 0000000..ad460e1
--- /dev/null
+++ b/microdroid/sepolicy/system/public/mediaserver.te
@@ -0,0 +1,149 @@
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+type mediaserver_exec, system_file_type, exec_type, file_type;
+type mediaserver_tmpfs, file_type;
+
+typeattribute mediaserver mlstrustedsubject;
+
+net_domain(mediaserver)
+
+r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
+
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+ # ptrace to processes in the same domain for memory leak detection
+ allow mediaserver self:process ptrace;
+')
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver media_data_file:dir create_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
+allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
+allow mediaserver sdcard_type:file write;
+allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver video_device:dir r_dir_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+r_dir_file(mediaserver, media_rw_data_file)
+
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+add_service(mediaserver, mediaserver_service)
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
+allow mediaserver audio_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
+allow mediaserver media_session_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver permission_checker_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
+
+# for ModDrm/MediaPlayer
+allow mediaserver mediadrmserver_service:service_manager find;
+
+# For hybrid interfaces
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
+# /vendor apk access
+allow mediaserver vendor_app_file:file { read map getattr };
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
+
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
+allow mediaserver hal_camera:fd use;
+
+allow mediaserver system_server:fd use;
+
+# b/120491318 allow mediaserver to access void:fd
+allow mediaserver vold:fd use;
+
+# overlay package access
+allow mediaserver vendor_overlay_file:file { read getattr map };
+
+hal_client_domain(mediaserver, hal_allocator)
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/microdroid/sepolicy/system/public/mediaswcodec.te b/microdroid/sepolicy/system/public/mediaswcodec.te
new file mode 100644
index 0000000..5726842
--- /dev/null
+++ b/microdroid/sepolicy/system/public/mediaswcodec.te
@@ -0,0 +1,27 @@
+type mediaswcodec, domain;
+type mediaswcodec_exec, system_file_type, exec_type, file_type;
+
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
+
+hal_client_domain(mediaswcodec, hal_allocator)
+hal_client_domain(mediaswcodec, hal_graphics_allocator)
+
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
+allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/modprobe.te b/microdroid/sepolicy/system/public/modprobe.te
new file mode 100644
index 0000000..2c7d64b
--- /dev/null
+++ b/microdroid/sepolicy/system/public/modprobe.te
@@ -0,0 +1,10 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
+allow modprobe self:global_capability_class_set sys_module;
+allow modprobe kernel:key search;
+recovery_only(`
+ allow modprobe rootfs:system module_load;
+ allow modprobe rootfs:file r_file_perms;
+')
diff --git a/microdroid/sepolicy/system/public/mtp.te b/microdroid/sepolicy/system/public/mtp.te
new file mode 100644
index 0000000..add63c0
--- /dev/null
+++ b/microdroid/sepolicy/system/public/mtp.te
@@ -0,0 +1,11 @@
+# vpn tunneling protocol manager
+type mtp, domain;
+type mtp_exec, system_file_type, exec_type, file_type;
+
+net_domain(mtp)
+
+# pptp policy
+allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
+allow mtp self:global_capability_class_set net_raw;
+allow mtp ppp:process signal;
+allow mtp vpn_data_file:dir search;
diff --git a/microdroid/sepolicy/system/public/net.te b/microdroid/sepolicy/system/public/net.te
new file mode 100644
index 0000000..e90715e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/net.te
@@ -0,0 +1,39 @@
+## Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/microdroid/sepolicy/system/public/netd.te b/microdroid/sepolicy/system/public/netd.te
new file mode 100644
index 0000000..ff0bff6
--- /dev/null
+++ b/microdroid/sepolicy/system/public/netd.te
@@ -0,0 +1,176 @@
+# network manager
+type netd, domain, mlstrustedsubject;
+type netd_exec, system_file_type, exec_type, file_type;
+
+net_domain(netd)
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(netd, cgroup)
+
+allow netd system_server:fd use;
+
+allow netd self:global_capability_class_set { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for netd to operate.
+dontaudit netd self:global_capability_class_set fsetid;
+
+# Allow netd to open /dev/tun, set it up and pass it to clatd
+allow netd tun_device:chr_file rw_file_perms;
+allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow netd self:tun_socket create;
+
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
+allow netd devpts:chr_file rw_file_perms;
+
+# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
+# exist, suppress the denial.
+allow netd system_file:file lock;
+dontaudit netd system_file:dir write;
+
+# Allow netd to write to qtaguid ctrl file.
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file
+# after migration complete
+allow netd proc_qtaguid_ctrl:file rw_file_perms;
+# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
+allow netd qtaguid_device:chr_file r_file_perms;
+
+r_dir_file(netd, proc_net_type)
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net_type:file rw_file_perms;
+
+# Enables PppController and interface enumeration (among others)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
+# Allows setting interface MTU
+allow netd sysfs_net:file w_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
+r_dir_file(netd, cgroup_v2)
+
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write };
+
+# TODO: netd previously thought it needed these permissions to do WiFi related
+# work. However, after all the WiFi stuff is gone, we still need them.
+# Why?
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
+
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+allow netd self:global_capability_class_set fowner;
+
+# Needed to lock the iptables lock.
+allow netd system_file:file lock;
+
+# Allow netd to spawn dnsmasq in it's own domain
+allow netd dnsmasq:process signal;
+
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+add_service(netd, netd_service)
+add_service(netd, dnsresolver_service)
+allow netd dumpstate:fifo_file { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects netd events.
+allow netd netd_listener_service:service_manager find;
+
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{
+ icmp_socket
+ tcp_socket
+ udp_socket
+ rawip_socket
+ tun_socket
+} { read write getattr setattr getopt setopt };
+allow netd netdomain:fd use;
+
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
+
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} netd_service:service_manager find;
+
+# only system_server, dumpstate and network stack app may find dnsresolver service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} dnsresolver_service:service_manager find;
+
+# apps may not interact with netd over binder.
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow netd proc_net:dir no_w_dir_perms;
+dontaudit netd proc_net:dir write;
+
+neverallow netd sysfs_net:dir no_w_dir_perms;
+dontaudit netd sysfs_net:dir write;
+
+# Netd should not have SYS_ADMIN privs.
+neverallow netd self:capability sys_admin;
+dontaudit netd self:capability sys_admin;
+
+# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
+# (things it requires should be built directly into the kernel)
+dontaudit netd self:capability sys_module;
+
+dontaudit netd kernel:system module_request;
+
+dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/microdroid/sepolicy/system/public/netutils_wrapper.te b/microdroid/sepolicy/system/public/netutils_wrapper.te
new file mode 100644
index 0000000..27aa749
--- /dev/null
+++ b/microdroid/sepolicy/system/public/netutils_wrapper.te
@@ -0,0 +1,4 @@
+type netutils_wrapper, domain;
+type netutils_wrapper_exec, system_file_type, exec_type, file_type;
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/microdroid/sepolicy/system/public/network_stack.te b/microdroid/sepolicy/system/public/network_stack.te
new file mode 100644
index 0000000..feff664
--- /dev/null
+++ b/microdroid/sepolicy/system/public/network_stack.te
@@ -0,0 +1,2 @@
+# Network stack service app
+type network_stack, domain;
diff --git a/microdroid/sepolicy/system/public/neverallow_macros b/microdroid/sepolicy/system/public/neverallow_macros
new file mode 100644
index 0000000..59fa441
--- /dev/null
+++ b/microdroid/sepolicy/system/public/neverallow_macros
@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/microdroid/sepolicy/system/public/nfc.te b/microdroid/sepolicy/system/public/nfc.te
new file mode 100644
index 0000000..e3a03e7
--- /dev/null
+++ b/microdroid/sepolicy/system/public/nfc.te
@@ -0,0 +1,2 @@
+# nfc subsystem
+type nfc, domain;
diff --git a/microdroid/sepolicy/system/public/otapreopt_chroot.te b/microdroid/sepolicy/system/public/otapreopt_chroot.te
new file mode 100644
index 0000000..db8dd1a
--- /dev/null
+++ b/microdroid/sepolicy/system/public/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# otapreopt_chroot seclabel
+
+# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
+type otapreopt_chroot, domain;
diff --git a/microdroid/sepolicy/system/public/perfetto.te b/microdroid/sepolicy/system/public/perfetto.te
new file mode 100644
index 0000000..cec0e6f
--- /dev/null
+++ b/microdroid/sepolicy/system/public/perfetto.te
@@ -0,0 +1 @@
+type perfetto, domain, coredomain;
diff --git a/microdroid/sepolicy/system/public/performanced.te b/microdroid/sepolicy/system/public/performanced.te
new file mode 100644
index 0000000..d694fda
--- /dev/null
+++ b/microdroid/sepolicy/system/public/performanced.te
@@ -0,0 +1,31 @@
+# performanced
+type performanced, domain, mlstrustedsubject;
+type performanced_exec, system_file_type, exec_type, file_type;
+
+# Needed to check for app permissions.
+binder_use(performanced)
+binder_call(performanced, system_server)
+allow performanced permission_service:service_manager find;
+
+pdx_server(performanced, performance_client)
+
+# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
+
+# Access /proc to validate we're only affecting threads in the same thread group.
+# Performanced also shields unbound kernel threads. It scans every task in the
+# root cpu set, but only affects the kernel threads.
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
+dontaudit performanced domain:dir read;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+
+# These /proc accesses only show up in permissive mode but they
+# generate a lot of noise in the log.
+userdebug_or_eng(`
+ dontaudit performanced domain:dir open;
+ dontaudit performanced domain:file { open read getattr };
+')
+
+# Access /dev/cpuset/cpuset.cpus
+r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/microdroid/sepolicy/system/public/platform_app.te b/microdroid/sepolicy/system/public/platform_app.te
new file mode 100644
index 0000000..9b1faf0
--- /dev/null
+++ b/microdroid/sepolicy/system/public/platform_app.te
@@ -0,0 +1,5 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
diff --git a/microdroid/sepolicy/system/public/postinstall.te b/microdroid/sepolicy/system/public/postinstall.te
new file mode 100644
index 0000000..bcea2dc
--- /dev/null
+++ b/microdroid/sepolicy/system/public/postinstall.te
@@ -0,0 +1,45 @@
+# Domain where the postinstall program runs during the update.
+# Extend the permissions in this domain to allow this program to access other
+# files needed by the specific device on your device's sepolicy directory.
+type postinstall, domain;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
+
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+ allow postinstall rootfs:file rx_file_perms;
+')
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
+# Allow postinstall scripts to trigger f2fs garbage collection
+allow postinstall sysfs_fs_f2fs:file rw_file_perms;
+allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/microdroid/sepolicy/system/public/ppp.te b/microdroid/sepolicy/system/public/ppp.te
new file mode 100644
index 0000000..b736def
--- /dev/null
+++ b/microdroid/sepolicy/system/public/ppp.te
@@ -0,0 +1,23 @@
+# Point to Point Protocol daemon
+type ppp, domain;
+type ppp_device, dev_type;
+type ppp_exec, system_file_type, exec_type, file_type;
+
+net_domain(ppp)
+
+r_dir_file(ppp, proc_net_type)
+
+allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
+
+# ioctls needed for VPN.
+allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
+allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
+
+allow ppp mtp:unix_dgram_socket rw_socket_perms;
+allow ppp ppp_device:chr_file rw_file_perms;
+allow ppp self:global_capability_class_set net_admin;
+allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
+allow ppp vpn_data_file:dir w_dir_perms;
+allow ppp vpn_data_file:file create_file_perms;
+allow ppp mtp:fd use;
diff --git a/microdroid/sepolicy/system/public/priv_app.te b/microdroid/sepolicy/system/public/priv_app.te
new file mode 100644
index 0000000..0761fc3
--- /dev/null
+++ b/microdroid/sepolicy/system/public/priv_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+type priv_app, domain;
diff --git a/microdroid/sepolicy/system/public/profman.te b/microdroid/sepolicy/system/public/profman.te
new file mode 100644
index 0000000..c014d79
--- /dev/null
+++ b/microdroid/sepolicy/system/public/profman.te
@@ -0,0 +1,33 @@
+# profman
+type profman, domain;
+type profman_exec, system_file_type, exec_type, file_type;
+
+allow profman user_profile_data_file:file { getattr read write lock map };
+
+# Dumping profile info opens the application APK file for pretty printing.
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
+allow profman apk_data_file:dir { getattr read search };
+
+allow profman oemfs:file { read map };
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
+
+allow profman installd:fd use;
+
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
+allow profman { privapp_data_file app_data_file }:dir { getattr read search };
+
+# Allow query ART device config properties
+get_prop(profman, device_config_runtime_native_prop)
+get_prop(profman, device_config_runtime_native_boot_prop)
+
+###
+### neverallow rules
+###
+
+neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/microdroid/sepolicy/system/public/property.te b/microdroid/sepolicy/system/public/property.te
new file mode 100644
index 0000000..57146a4
--- /dev/null
+++ b/microdroid/sepolicy/system/public/property.te
@@ -0,0 +1,329 @@
+# Properties used only in /system
+#
+# DO NOT ADD system_internal_prop here.
+# Instead, add to private/property.te.
+# TODO(b/150331497): move these to private/property.te
+system_internal_prop(apexd_prop)
+system_internal_prop(bootloader_boot_reason_prop)
+system_internal_prop(device_config_activity_manager_native_boot_prop)
+system_internal_prop(device_config_boot_count_prop)
+system_internal_prop(device_config_input_native_boot_prop)
+system_internal_prop(device_config_media_native_prop)
+system_internal_prop(device_config_netd_native_prop)
+system_internal_prop(device_config_reset_performed_prop)
+system_internal_prop(firstboot_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_internal_prop(boottime_prop)
+ system_internal_prop(bpf_progs_loaded_prop)
+ system_internal_prop(charger_prop)
+ system_internal_prop(cold_boot_done_prop)
+ system_internal_prop(ctl_adbd_prop)
+ system_internal_prop(ctl_apexd_prop)
+ system_internal_prop(ctl_bootanim_prop)
+ system_internal_prop(ctl_bugreport_prop)
+ system_internal_prop(ctl_console_prop)
+ system_internal_prop(ctl_dumpstate_prop)
+ system_internal_prop(ctl_fuse_prop)
+ system_internal_prop(ctl_gsid_prop)
+ system_internal_prop(ctl_interface_restart_prop)
+ system_internal_prop(ctl_interface_stop_prop)
+ system_internal_prop(ctl_mdnsd_prop)
+ system_internal_prop(ctl_restart_prop)
+ system_internal_prop(ctl_rildaemon_prop)
+ system_internal_prop(ctl_sigstop_prop)
+ system_internal_prop(dynamic_system_prop)
+ system_internal_prop(heapprofd_enabled_prop)
+ system_internal_prop(llkd_prop)
+ system_internal_prop(lpdumpd_prop)
+ system_internal_prop(mmc_prop)
+ system_internal_prop(mock_ota_prop)
+ system_internal_prop(net_dns_prop)
+ system_internal_prop(overlay_prop)
+ system_internal_prop(persistent_properties_ready_prop)
+ system_internal_prop(safemode_prop)
+ system_internal_prop(system_lmk_prop)
+ system_internal_prop(system_trace_prop)
+ system_internal_prop(test_boot_reason_prop)
+ system_internal_prop(time_prop)
+ system_internal_prop(traced_enabled_prop)
+ system_internal_prop(traced_lazy_prop)
+')
+
+# Properties which can't be written outside system
+system_restricted_prop(aac_drc_prop)
+system_restricted_prop(arm64_memtag_prop)
+system_restricted_prop(binder_cache_bluetooth_server_prop)
+system_restricted_prop(binder_cache_system_server_prop)
+system_restricted_prop(binder_cache_telephony_server_prop)
+system_restricted_prop(boot_status_prop)
+system_restricted_prop(bootanim_system_prop)
+system_restricted_prop(bootloader_prop)
+system_restricted_prop(boottime_public_prop)
+system_restricted_prop(bq_config_prop)
+system_restricted_prop(build_bootimage_prop)
+system_restricted_prop(build_prop)
+system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(fingerprint_prop)
+system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(init_service_status_prop)
+system_restricted_prop(libc_debug_prop)
+system_restricted_prop(module_sdkextensions_prop)
+system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(power_debug_prop)
+system_restricted_prop(property_service_version_prop)
+system_restricted_prop(provisioned_prop)
+system_restricted_prop(restorecon_prop)
+system_restricted_prop(retaildemo_prop)
+system_restricted_prop(socket_hook_prop)
+system_restricted_prop(sqlite_log_prop)
+system_restricted_prop(surfaceflinger_display_prop)
+system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(ab_update_gki_prop)
+system_restricted_prop(usb_prop)
+system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vold_status_prop)
+system_restricted_prop(vts_status_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_restricted_prop(config_prop)
+ system_restricted_prop(cppreopt_prop)
+ system_restricted_prop(dalvik_prop)
+ system_restricted_prop(debuggerd_prop)
+ system_restricted_prop(device_logging_prop)
+ system_restricted_prop(dhcp_prop)
+ system_restricted_prop(dumpstate_prop)
+ system_restricted_prop(exported3_system_prop)
+ system_restricted_prop(exported_dumpstate_prop)
+ system_restricted_prop(exported_secure_prop)
+ system_restricted_prop(heapprofd_prop)
+ system_restricted_prop(net_radio_prop)
+ system_restricted_prop(pan_result_prop)
+ system_restricted_prop(persist_debug_prop)
+ system_restricted_prop(shell_prop)
+ system_restricted_prop(test_harness_prop)
+ system_restricted_prop(theme_prop)
+ system_restricted_prop(use_memfd_prop)
+ system_restricted_prop(vold_prop)
+')
+
+# Properties which can be written only by vendor_init
+system_vendor_config_prop(apexd_config_prop)
+system_vendor_config_prop(aaudio_config_prop)
+system_vendor_config_prop(apk_verity_prop)
+system_vendor_config_prop(audio_config_prop)
+system_vendor_config_prop(bootanim_config_prop)
+system_vendor_config_prop(build_config_prop)
+system_vendor_config_prop(build_odm_prop)
+system_vendor_config_prop(build_vendor_prop)
+system_vendor_config_prop(camera_calibration_prop)
+system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(camerax_extensions_prop)
+system_vendor_config_prop(charger_config_prop)
+system_vendor_config_prop(codec2_config_prop)
+system_vendor_config_prop(cpu_variant_prop)
+system_vendor_config_prop(dalvik_config_prop)
+system_vendor_config_prop(debugfs_restriction_prop)
+system_vendor_config_prop(drm_service_config_prop)
+system_vendor_config_prop(exported_camera_prop)
+system_vendor_config_prop(exported_config_prop)
+system_vendor_config_prop(exported_default_prop)
+system_vendor_config_prop(ffs_config_prop)
+system_vendor_config_prop(framework_watchdog_config_prop)
+system_vendor_config_prop(graphics_config_prop)
+system_vendor_config_prop(hdmi_config_prop)
+system_vendor_config_prop(hw_timeout_multiplier_prop)
+system_vendor_config_prop(incremental_prop)
+system_vendor_config_prop(keyguard_config_prop)
+system_vendor_config_prop(lmkd_config_prop)
+system_vendor_config_prop(media_config_prop)
+system_vendor_config_prop(media_variant_prop)
+system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(mm_events_config_prop)
+system_vendor_config_prop(oem_unlock_prop)
+system_vendor_config_prop(packagemanager_config_prop)
+system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(sendbug_config_prop)
+system_vendor_config_prop(soc_prop)
+system_vendor_config_prop(storage_config_prop)
+system_vendor_config_prop(storagemanager_config_prop)
+system_vendor_config_prop(surfaceflinger_prop)
+system_vendor_config_prop(suspend_prop)
+system_vendor_config_prop(systemsound_config_prop)
+system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(tombstone_config_prop)
+system_vendor_config_prop(usb_config_prop)
+system_vendor_config_prop(userspace_reboot_config_prop)
+system_vendor_config_prop(vehicle_hal_prop)
+system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vendor_socket_hook_prop)
+system_vendor_config_prop(virtual_ab_prop)
+system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(vts_config_prop)
+system_vendor_config_prop(vold_config_prop)
+system_vendor_config_prop(wifi_config_prop)
+system_vendor_config_prop(zram_config_prop)
+system_vendor_config_prop(zygote_config_prop)
+system_vendor_config_prop(dck_prop)
+
+# Properties with no restrictions
+system_public_prop(adbd_config_prop)
+system_public_prop(audio_prop)
+system_public_prop(bluetooth_a2dp_offload_prop)
+system_public_prop(bluetooth_audio_hal_prop)
+system_public_prop(bluetooth_prop)
+system_public_prop(ctl_default_prop)
+system_public_prop(ctl_interface_start_prop)
+system_public_prop(ctl_start_prop)
+system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_runtime_prop)
+system_public_prop(debug_prop)
+system_public_prop(dumpstate_options_prop)
+system_public_prop(exported_system_prop)
+system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_overlay_prop)
+system_public_prop(exported_pm_prop)
+system_public_prop(ffs_control_prop)
+system_public_prop(hal_dumpstate_config_prop)
+system_public_prop(sota_prop)
+system_public_prop(hwservicemanager_prop)
+system_public_prop(lmkd_prop)
+system_public_prop(logd_prop)
+system_public_prop(logpersistd_logging_prop)
+system_public_prop(log_prop)
+system_public_prop(log_tag_prop)
+system_public_prop(lowpan_prop)
+system_public_prop(nfc_prop)
+system_public_prop(ota_prop)
+system_public_prop(powerctl_prop)
+system_public_prop(qemu_hw_prop)
+system_public_prop(qemu_sf_lcd_density_prop)
+system_public_prop(radio_control_prop)
+system_public_prop(radio_prop)
+system_public_prop(serialno_prop)
+system_public_prop(surfaceflinger_color_prop)
+system_public_prop(system_prop)
+system_public_prop(telephony_status_prop)
+system_public_prop(usb_control_prop)
+system_public_prop(vold_post_fs_data_prop)
+system_public_prop(wifi_hal_prop)
+system_public_prop(wifi_log_prop)
+system_public_prop(wifi_prop)
+system_public_prop(zram_control_prop)
+
+# Properties which don't have entries on property_contexts
+system_internal_prop(default_prop)
+
+# Properties used in default HAL implementations
+vendor_internal_prop(rebootescrow_hal_prop)
+
+vendor_public_prop(persist_vendor_debug_wifi_prop)
+
+# Properties which are public for devices launching with Android O or earlier
+# This should not be used for any new properties.
+not_compatible_property(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_public_prop(boottime_prop)
+ system_public_prop(bpf_progs_loaded_prop)
+ system_public_prop(charger_prop)
+ system_public_prop(cold_boot_done_prop)
+ system_public_prop(ctl_adbd_prop)
+ system_public_prop(ctl_apexd_prop)
+ system_public_prop(ctl_bootanim_prop)
+ system_public_prop(ctl_bugreport_prop)
+ system_public_prop(ctl_console_prop)
+ system_public_prop(ctl_dumpstate_prop)
+ system_public_prop(ctl_fuse_prop)
+ system_public_prop(ctl_gsid_prop)
+ system_public_prop(ctl_interface_restart_prop)
+ system_public_prop(ctl_interface_stop_prop)
+ system_public_prop(ctl_mdnsd_prop)
+ system_public_prop(ctl_restart_prop)
+ system_public_prop(ctl_rildaemon_prop)
+ system_public_prop(ctl_sigstop_prop)
+ system_public_prop(dynamic_system_prop)
+ system_public_prop(heapprofd_enabled_prop)
+ system_public_prop(llkd_prop)
+ system_public_prop(lpdumpd_prop)
+ system_public_prop(mmc_prop)
+ system_public_prop(mock_ota_prop)
+ system_public_prop(net_dns_prop)
+ system_public_prop(overlay_prop)
+ system_public_prop(persistent_properties_ready_prop)
+ system_public_prop(safemode_prop)
+ system_public_prop(system_lmk_prop)
+ system_public_prop(system_trace_prop)
+ system_public_prop(test_boot_reason_prop)
+ system_public_prop(time_prop)
+ system_public_prop(traced_enabled_prop)
+ system_public_prop(traced_lazy_prop)
+
+ system_public_prop(config_prop)
+ system_public_prop(cppreopt_prop)
+ system_public_prop(dalvik_prop)
+ system_public_prop(debuggerd_prop)
+ system_public_prop(device_logging_prop)
+ system_public_prop(dhcp_prop)
+ system_public_prop(dumpstate_prop)
+ system_public_prop(exported3_system_prop)
+ system_public_prop(exported_dumpstate_prop)
+ system_public_prop(exported_secure_prop)
+ system_public_prop(heapprofd_prop)
+ system_public_prop(net_radio_prop)
+ system_public_prop(pan_result_prop)
+ system_public_prop(persist_debug_prop)
+ system_public_prop(shell_prop)
+ system_public_prop(test_harness_prop)
+ system_public_prop(theme_prop)
+ system_public_prop(use_memfd_prop)
+ system_public_prop(vold_prop)
+')
+
+not_compatible_property(`
+ vendor_public_prop(vendor_default_prop)
+')
+
+compatible_property_only(`
+ vendor_internal_prop(vendor_default_prop)
+')
+
+typeattribute log_prop log_property_type;
+typeattribute log_tag_prop log_property_type;
+typeattribute wifi_log_prop log_property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+typeattribute audio_prop core_property_type;
+typeattribute config_prop core_property_type;
+typeattribute cppreopt_prop core_property_type;
+typeattribute dalvik_prop core_property_type;
+typeattribute debuggerd_prop core_property_type;
+typeattribute debug_prop core_property_type;
+typeattribute dhcp_prop core_property_type;
+typeattribute dumpstate_prop core_property_type;
+typeattribute logd_prop core_property_type;
+typeattribute net_radio_prop core_property_type;
+typeattribute nfc_prop core_property_type;
+typeattribute ota_prop core_property_type;
+typeattribute pan_result_prop core_property_type;
+typeattribute persist_debug_prop core_property_type;
+typeattribute powerctl_prop core_property_type;
+typeattribute radio_prop core_property_type;
+typeattribute restorecon_prop core_property_type;
+typeattribute shell_prop core_property_type;
+typeattribute system_prop core_property_type;
+typeattribute usb_prop core_property_type;
+typeattribute vold_prop core_property_type;
+
diff --git a/microdroid/sepolicy/system/public/racoon.te b/microdroid/sepolicy/system/public/racoon.te
new file mode 100644
index 0000000..e4b299e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/racoon.te
@@ -0,0 +1,35 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, system_file_type, exec_type, file_type;
+
+typeattribute racoon mlstrustedsubject;
+
+net_domain(racoon)
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
+
+binder_use(racoon)
+
+allow racoon tun_device:chr_file r_file_perms;
+allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
+allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
+allow racoon kernel:system module_request;
+
+allow racoon self:key_socket create_socket_perms_no_ioctl;
+allow racoon self:tun_socket create_socket_perms_no_ioctl;
+allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+ get
+ sign
+ verify
+};
diff --git a/microdroid/sepolicy/system/public/radio.te b/microdroid/sepolicy/system/public/radio.te
new file mode 100644
index 0000000..e03b706
--- /dev/null
+++ b/microdroid/sepolicy/system/public/radio.te
@@ -0,0 +1,36 @@
+# phone subsystem
+type radio, domain, mlstrustedsubject;
+
+net_domain(radio)
+bluetooth_domain(radio)
+binder_service(radio)
+
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
+
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
+add_service(radio, radio_service)
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
+allow radio drmserver_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
+allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
+
+# Perform HwBinder IPC.
+hwbinder_use(radio)
+hal_client_domain(radio, hal_telephony)
+
+# Used by TelephonyManager
+allow radio proc_cmdline:file r_file_perms;
diff --git a/microdroid/sepolicy/system/public/recovery.te b/microdroid/sepolicy/system/public/recovery.te
new file mode 100644
index 0000000..3649888
--- /dev/null
+++ b/microdroid/sepolicy/system/public/recovery.te
@@ -0,0 +1,163 @@
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type recovery, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Allow recovery to perform an update as update_engine would do.
+ typeattribute recovery update_engine_common;
+ # Recovery can only use HALs in passthrough mode
+ passthrough_hal_client_domain(recovery, hal_bootctl)
+
+ allow recovery self:global_capability_class_set {
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ setuid
+ setgid
+ sys_admin
+ sys_tty_config
+ };
+
+ # Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
+ allow recovery rootfs:file execute_no_trans;
+ allow recovery system_file:file execute_no_trans;
+ allow recovery toolbox_exec:file rx_file_perms;
+
+ # Mount filesystems.
+ allow recovery rootfs:dir mounton;
+ allow recovery tmpfs:dir mounton;
+ allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
+ allow recovery unlabeled:filesystem ~relabelto;
+ allow recovery contextmount_type:filesystem relabelto;
+
+ # We may be asked to set an SELinux label for a type not known to the
+ # currently loaded policy. Allow it.
+ allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+ allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
+ # Get file contexts
+ allow recovery file_contexts_file:file r_file_perms;
+
+ # Write to /proc/sys/vm/drop_caches
+ allow recovery proc_drop_caches:file w_file_perms;
+
+ # Read /proc/swaps
+ allow recovery proc_swaps:file r_file_perms;
+
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
+ # Write to /sys/class/android_usb/android0/enable.
+ r_dir_file(recovery, sysfs_android_usb)
+ allow recovery sysfs_android_usb:file w_file_perms;
+
+ # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
+ allow recovery sysfs_devices_system_cpu:file w_file_perms;
+
+ allow recovery sysfs_batteryinfo:file r_file_perms;
+
+ # Read /sysfs/fs/ext4/features
+ r_dir_file(recovery, sysfs_fs_ext4_features)
+
+ # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
+ # control backlight brightness.
+ allow recovery sysfs_leds:dir r_dir_perms;
+ allow recovery sysfs_leds:file rw_file_perms;
+ allow recovery sysfs_leds:lnk_file read;
+
+ allow recovery kernel:system syslog_read;
+
+ # Access /dev/usb-ffs/adb/ep0
+ allow recovery functionfs:dir search;
+ allow recovery functionfs:file rw_file_perms;
+ allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
+
+ # Access to /sys/fs/selinux/policyvers for compatibility check
+ allow recovery selinuxfs:file r_file_perms;
+
+ # Required to e.g. wipe userdata/cache.
+ allow recovery device:dir r_dir_perms;
+ allow recovery block_device:dir r_dir_perms;
+ allow recovery dev_type:blk_file rw_file_perms;
+ allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
+
+ # GUI
+ allow recovery graphics_device:chr_file rw_file_perms;
+ allow recovery graphics_device:dir r_dir_perms;
+ allow recovery input_device:dir r_dir_perms;
+ allow recovery input_device:chr_file r_file_perms;
+ allow recovery tty_device:chr_file rw_file_perms;
+
+ # Create /tmp/recovery.log and execute /tmp/update_binary.
+ allow recovery tmpfs:file { create_file_perms x_file_perms };
+ allow recovery tmpfs:dir create_dir_perms;
+
+ # Manage files on /cache and /cache/recovery
+ allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+ allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+ # Read /sys/class/thermal/*/temp for thermal info.
+ r_dir_file(recovery, sysfs_thermal)
+
+ # Read files on /oem.
+ r_dir_file(recovery, oemfs);
+
+ # Use setfscreatecon() to label files for OTA updates.
+ allow recovery self:process setfscreate;
+
+ # Allow recovery to create a fuse filesystem, and read files from it.
+ allow recovery fuse_device:chr_file rw_file_perms;
+ allow recovery fuse:dir r_dir_perms;
+ allow recovery fuse:file r_file_perms;
+
+ wakelock_use(recovery)
+
+ # This line seems suspect, as it should not really need to
+ # set scheduling parameters for a kernel domain task.
+ allow recovery kernel:process setsched;
+
+ # These are needed to update dynamic partitions in recovery.
+ r_dir_file(recovery, sysfs_dm)
+ allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ allow recovery gsi_metadata_file_type:dir search;
+ allow recovery ota_metadata_file:dir rw_dir_perms;
+ allow recovery ota_metadata_file:file create_file_perms;
+
+ # Allow mounting /metadata for writing update states
+ allow recovery metadata_file:dir { getattr mounton };
+')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+ with_native_coverage(`-method_trace_data_file')
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+ with_native_coverage(`-method_trace_data_file')
+}:dir no_w_dir_perms;
diff --git a/microdroid/sepolicy/system/public/recovery_persist.te b/microdroid/sepolicy/system/public/recovery_persist.te
new file mode 100644
index 0000000..d4b4562
--- /dev/null
+++ b/microdroid/sepolicy/system/public/recovery_persist.te
@@ -0,0 +1,32 @@
+# android recovery persistent log manager
+type recovery_persist, domain;
+type recovery_persist_exec, system_file_type, exec_type, file_type;
+
+allow recovery_persist pstorefs:dir search;
+allow recovery_persist pstorefs:file r_file_perms;
+
+allow recovery_persist recovery_data_file:file create_file_perms;
+allow recovery_persist recovery_data_file:dir create_dir_perms;
+
+allow recovery_persist cache_file:dir search;
+allow recovery_persist cache_file:lnk_file read;
+allow recovery_persist cache_recovery_file:dir rw_dir_perms;
+allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
+
+###
+### Neverallow rules
+###
+### recovery_persist should NEVER do any of this
+
+# Block device access.
+neverallow recovery_persist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_persist domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_persist system_file:dir_file_class_set write;
+
+# Write to files in /data/data
+neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+
diff --git a/microdroid/sepolicy/system/public/recovery_refresh.te b/microdroid/sepolicy/system/public/recovery_refresh.te
new file mode 100644
index 0000000..d6870dc
--- /dev/null
+++ b/microdroid/sepolicy/system/public/recovery_refresh.te
@@ -0,0 +1,24 @@
+# android recovery refresh log manager
+type recovery_refresh, domain;
+type recovery_refresh_exec, system_file_type, exec_type, file_type;
+
+allow recovery_refresh pstorefs:dir search;
+allow recovery_refresh pstorefs:file r_file_perms;
+# NB: domain inherits write_logd which hands us write to pmsg_device
+
+###
+### Neverallow rules
+###
+### recovery_refresh should NEVER do any of this
+
+# Block device access.
+neverallow recovery_refresh dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_refresh domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_refresh system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
diff --git a/microdroid/sepolicy/system/public/roles b/microdroid/sepolicy/system/public/roles
new file mode 100644
index 0000000..ca92934
--- /dev/null
+++ b/microdroid/sepolicy/system/public/roles
@@ -0,0 +1 @@
+role r types domain;
diff --git a/microdroid/sepolicy/system/public/rs.te b/microdroid/sepolicy/system/public/rs.te
new file mode 100644
index 0000000..16b6e96
--- /dev/null
+++ b/microdroid/sepolicy/system/public/rs.te
@@ -0,0 +1,2 @@
+type rs, domain, coredomain;
+type rs_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/rss_hwm_reset.te b/microdroid/sepolicy/system/public/rss_hwm_reset.te
new file mode 100644
index 0000000..163e1ac
--- /dev/null
+++ b/microdroid/sepolicy/system/public/rss_hwm_reset.te
@@ -0,0 +1,2 @@
+# rss_hwm_reset resets RSS high-water mark counters for all procesess.
+type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
diff --git a/microdroid/sepolicy/system/public/runas.te b/microdroid/sepolicy/system/public/runas.te
new file mode 100644
index 0000000..356a019
--- /dev/null
+++ b/microdroid/sepolicy/system/public/runas.te
@@ -0,0 +1,43 @@
+type runas, domain, mlstrustedsubject;
+type runas_exec, system_file_type, exec_type, file_type;
+
+allow runas adbd:fd use;
+allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
+allow runas shell:fd use;
+allow runas shell:fifo_file { read write };
+allow runas shell:unix_stream_socket { read write };
+allow runas devpts:chr_file { read write ioctl };
+allow runas shell_data_file:file { read write };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
+allow runas packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow runas system_data_file:lnk_file read;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:global_capability_class_set { setuid setgid };
+
+# run-as switches to the app security context.
+selinux_check_context(runas) # validate context
+allow runas self:process setcurrent;
+allow runas non_system_app_set:process dyntransition; # setcon
+
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;
diff --git a/microdroid/sepolicy/system/public/runas_app.te b/microdroid/sepolicy/system/public/runas_app.te
new file mode 100644
index 0000000..cdaa799
--- /dev/null
+++ b/microdroid/sepolicy/system/public/runas_app.te
@@ -0,0 +1 @@
+type runas_app, domain;
diff --git a/microdroid/sepolicy/system/public/scheduler_service_server.te b/microdroid/sepolicy/system/public/scheduler_service_server.te
new file mode 100644
index 0000000..b3cede1
--- /dev/null
+++ b/microdroid/sepolicy/system/public/scheduler_service_server.te
@@ -0,0 +1 @@
+add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
diff --git a/microdroid/sepolicy/system/public/sdcardd.te b/microdroid/sepolicy/system/public/sdcardd.te
new file mode 100644
index 0000000..bb1c919
--- /dev/null
+++ b/microdroid/sepolicy/system/public/sdcardd.te
@@ -0,0 +1,46 @@
+type sdcardd, domain;
+type sdcardd_exec, system_file_type, exec_type, file_type;
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
+allow sdcardd sdcardfs:filesystem remount;
+allow sdcardd tmpfs:dir r_dir_perms;
+allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+allow sdcardd storage_file:dir search;
+allow sdcardd storage_stub_file:dir { search mounton };
+allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
+
+allow sdcardd sdcard_type:dir create_dir_perms;
+allow sdcardd sdcard_type:file create_file_perms;
+
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+allow sdcardd packages_list_file:file r_file_perms;
+
+# Read /data/misc/installd/layout_version
+allow sdcardd install_data_file:file r_file_perms;
+allow sdcardd install_data_file:dir search;
+
+# Allow stdin/out back to vold
+allow sdcardd vold:fd use;
+allow sdcardd vold:fifo_file { read write getattr };
+
+# Allow running on top of expanded storage
+allow sdcardd mnt_expand_file:dir search;
+
+# access /proc/filesystems
+allow sdcardd proc_filesystems:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
diff --git a/microdroid/sepolicy/system/public/secure_element.te b/microdroid/sepolicy/system/public/secure_element.te
new file mode 100644
index 0000000..4ce6714
--- /dev/null
+++ b/microdroid/sepolicy/system/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/microdroid/sepolicy/system/public/sensor_service_server.te b/microdroid/sepolicy/system/public/sensor_service_server.te
new file mode 100644
index 0000000..7c526a5
--- /dev/null
+++ b/microdroid/sepolicy/system/public/sensor_service_server.te
@@ -0,0 +1 @@
+add_hwservice(sensor_service_server, fwk_sensor_hwservice)
diff --git a/microdroid/sepolicy/system/public/service.te b/microdroid/sepolicy/system/public/service.te
new file mode 100644
index 0000000..74dc104
--- /dev/null
+++ b/microdroid/sepolicy/system/public/service.te
@@ -0,0 +1,278 @@
+type aidl_lazy_test_service, service_manager_type;
+type apc_service, service_manager_type;
+type apex_service, service_manager_type;
+type artd_service, service_manager_type;
+type audioserver_service, service_manager_type;
+type authorization_service, service_manager_type;
+type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type bluetooth_service, service_manager_type;
+type cameraserver_service, service_manager_type;
+type default_android_service, service_manager_type;
+type dnsresolver_service, service_manager_type;
+type drmserver_service, service_manager_type;
+type dumpstate_service, service_manager_type;
+type fingerprintd_service, service_manager_type;
+type gatekeeper_service, app_api_service, service_manager_type;
+type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type idmap_service, service_manager_type;
+type iorapd_service, service_manager_type;
+type incident_service, service_manager_type;
+type installd_service, service_manager_type;
+type credstore_service, app_api_service, service_manager_type;
+type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
+type keystore_service, service_manager_type;
+type lpdump_service, service_manager_type;
+type mediaserver_service, service_manager_type;
+type mediametrics_service, service_manager_type;
+type mediaextractor_service, service_manager_type;
+type mediadrmserver_service, service_manager_type;
+type mediatranscoding_service, app_api_service, service_manager_type;
+type netd_service, service_manager_type;
+type nfc_service, service_manager_type;
+type radio_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
+type secure_element_service, service_manager_type;
+type service_manager_service, service_manager_type;
+type storaged_service, service_manager_type;
+type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type system_app_service, service_manager_type;
+type system_suspend_control_internal_service, service_manager_type;
+type system_suspend_control_service, service_manager_type;
+type update_engine_service, service_manager_type;
+type update_engine_stable_service, service_manager_type;
+type virtualization_service, service_manager_type;
+type virtual_touchpad_service, service_manager_type;
+type vold_service, service_manager_type;
+type vpnprofilestore_service, service_manager_type;
+type vr_hwc_service, service_manager_type;
+type vrflinger_vsync_service, service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type adb_service, system_api_service, system_server_service, service_manager_type;
+type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type app_binding_service, system_server_service, service_manager_type;
+type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
+type app_integrity_service, system_api_service, system_server_service, service_manager_type;
+type app_prediction_service, app_api_service, system_server_service, service_manager_type;
+type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type auth_service, app_api_service, system_server_service, service_manager_type;
+type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type battery_service, system_server_service, service_manager_type;
+type binder_calls_stats_service, system_server_service, service_manager_type;
+type blob_store_service, app_api_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type broadcastradio_service, system_server_service, service_manager_type;
+type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service, system_server_service, service_manager_type;
+type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
+type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
+# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
+type coverage_service, system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dataloader_manager_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
+type device_config_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type domain_verification_service, app_api_service, system_server_service, service_manager_type;
+type color_display_service, system_api_service, system_server_service, service_manager_type;
+type external_vibrator_service, system_server_service, service_manager_type;
+type file_integrity_service, app_api_service, system_server_service, service_manager_type;
+type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netd_listener_service, system_server_service, service_manager_type;
+type network_watchlist_service, system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
+type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lowpan_service, system_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type biometric_service, app_api_service, system_server_service, service_manager_type;
+type bugreport_service, app_api_service, system_server_service, service_manager_type;
+type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type face_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
+type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
+type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
+type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type incremental_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type iris_service, app_api_service, system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type location_time_zone_manager_service, system_server_service, service_manager_type;
+type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type looper_stats_service, system_server_service, service_manager_type;
+type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_stack_service, system_server_service, service_manager_type;
+type network_time_update_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type oem_lock_service, system_api_service, system_server_service, service_manager_type;
+type otadexopt_service, system_server_service, service_manager_type;
+type overlay_service, system_api_service, system_server_service, service_manager_type;
+type pac_proxy_service, system_server_service, service_manager_type;
+type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type people_service, app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
+type power_stats_service, app_api_service, system_server_service, service_manager_type;
+type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
+type recovery_service, system_server_service, service_manager_type;
+type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
+type runtime_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type search_ui_service, app_api_service, system_server_service, service_manager_type;
+type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
+type slice_service, app_api_service, system_server_service, service_manager_type;
+type smartspace_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type system_config_service, system_api_service, system_server_service, service_manager_type;
+type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
+type system_update_service, system_server_service, service_manager_type;
+type soundtrigger_middleware_service, system_server_service, service_manager_type;
+type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type testharness_service, system_server_service, service_manager_type;
+type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timedetector_service, app_api_service, system_server_service, service_manager_type;
+type timezone_service, system_server_service, service_manager_type;
+type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
+type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
+type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uwb_service, app_api_service, system_server_service, service_manager_type;
+type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vpn_management_service, app_api_service, system_server_service, service_manager_type;
+type vr_manager_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wifinl80211_service, service_manager_type;
+type wifiaware_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
+type inputflinger_service, system_api_service, system_server_service, service_manager_type;
+type wpantund_service, system_api_service, service_manager_type;
+type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type emergency_affordance_service, system_server_service, service_manager_type;
+
+###
+### HAL Services
+###
+
+type hal_audio_service, vendor_service, protected_service, service_manager_type;
+type hal_audiocontrol_service, vendor_service, service_manager_type;
+type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_face_service, vendor_service, protected_service, service_manager_type;
+type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
+type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
+type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_keymint_service, vendor_service, protected_service, service_manager_type;
+type hal_light_service, vendor_service, protected_service, service_manager_type;
+type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
+type hal_neuralnetworks_service, vendor_service, service_manager_type;
+type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
+type hal_power_service, vendor_service, protected_service, service_manager_type;
+type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
+type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
+type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
+type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
+type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+
+###
+### Neverallow rules
+###
+
+# servicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a service.
+# Trigger a compile error if this occurs.
+neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
diff --git a/microdroid/sepolicy/system/public/servicemanager.te b/microdroid/sepolicy/system/public/servicemanager.te
new file mode 100644
index 0000000..63fc227
--- /dev/null
+++ b/microdroid/sepolicy/system/public/servicemanager.te
@@ -0,0 +1,32 @@
+# servicemanager - the Binder context manager
+type servicemanager, domain, mlstrustedsubject;
+type servicemanager_exec, system_file_type, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -vendor_init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+
+add_service(servicemanager, service_manager_service)
+allow servicemanager dumpstate:fd use;
+allow servicemanager dumpstate:fifo_file write;
+
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
diff --git a/microdroid/sepolicy/system/public/sgdisk.te b/microdroid/sepolicy/system/public/sgdisk.te
new file mode 100644
index 0000000..e5a9152
--- /dev/null
+++ b/microdroid/sepolicy/system/public/sgdisk.te
@@ -0,0 +1,36 @@
+# sgdisk called from vold
+type sgdisk, domain;
+type sgdisk_exec, system_file_type, exec_type, file_type;
+
+# Allowed to read/write low-level partition tables
+allow sgdisk block_device:dir search;
+allow sgdisk vold_device:blk_file rw_file_perms;
+# HDIO_GETGEO needed to get the number of disk heads
+# on vold_device. How quaint.
+allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
+# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
+# is granted to all block device users in domain.te, so
+# no need to mention it here. sgdisk should not be
+# using the BLKGETSIZE ioctl as it is useless for devices over
+# 2T in size, but we allow it for now and hope that sgdisk
+# will fix their bug.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
+# Force a re-read of the partition table.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
+# Allow reading of the physical block size.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
+
+# Inherit and use pty created by android_fork_execvp()
+allow sgdisk devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow sgdisk vold:fd use;
+allow sgdisk vold:fifo_file { read write getattr };
+
+# Used to probe kernel to reload partition tables
+allow sgdisk self:global_capability_class_set sys_admin;
+
+# Only allow entry from vold
+neverallow { domain -vold } sgdisk:process transition;
+neverallow * sgdisk:process dyntransition;
+neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/microdroid/sepolicy/system/public/shared_relro.te b/microdroid/sepolicy/system/public/shared_relro.te
new file mode 100644
index 0000000..6dd5bd7
--- /dev/null
+++ b/microdroid/sepolicy/system/public/shared_relro.te
@@ -0,0 +1,2 @@
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
diff --git a/microdroid/sepolicy/system/public/shell.te b/microdroid/sepolicy/system/public/shell.te
new file mode 100644
index 0000000..29c07a4
--- /dev/null
+++ b/microdroid/sepolicy/system/public/shell.te
@@ -0,0 +1,229 @@
+# Domain for shell processes spawned by ADB or console service.
+type shell, domain, mlstrustedsubject;
+type shell_exec, system_file_type, exec_type, file_type;
+
+# Create and use network sockets.
+net_domain(shell)
+
+# logcat
+read_logd(shell)
+control_logd(shell)
+# logcat -L (directly, or via dumpstate)
+allow shell pstorefs:dir search;
+allow shell pstorefs:file r_file_perms;
+
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# read files in /data/anr
+allow shell anr_data_file:dir r_dir_perms;
+allow shell anr_data_file:file r_file_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+# Access /data/local/tests.
+allow shell shell_test_data_file:dir create_dir_perms;
+allow shell shell_test_data_file:file create_file_perms;
+allow shell shell_test_data_file:file rx_file_perms;
+allow shell shell_test_data_file:lnk_file create_file_perms;
+allow shell shell_test_data_file:sock_file create_file_perms;
+
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
+
+# Read/execute files in /data/nativetest
+userdebug_or_eng(`
+ allow shell nativetest_data_file:dir r_dir_perms;
+ allow shell nativetest_data_file:file rx_file_perms;
+')
+
+# adb bugreport
+unix_socket_connect(shell, dumpstate, dumpstate)
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+
+allow shell input_device:dir r_dir_perms;
+allow shell input_device:chr_file r_file_perms;
+
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell tzdatacheck_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+
+userdebug_or_eng(`
+ # "systrace --boot" support - allow boottrace service to run
+ allow shell boottrace_data_file:dir rw_dir_perms;
+ allow shell boottrace_data_file:file create_file_perms;
+')
+
+# allow shell access to services
+allow shell servicemanager:service_manager list;
+# don't allow shell to access GateKeeper service
+# TODO: why is this so broad? Tightening candidate? It needs at list:
+# - dumpstate_service (so it can receive dumpstate progress updates)
+allow shell {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -iorapd_service
+ -netd_service
+ -system_suspend_control_internal_service
+ -system_suspend_control_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ -default_android_service
+}:service_manager find;
+allow shell dumpstate:binder call;
+
+# allow shell to get information from hwservicemanager
+# for instance, listing hardware services with lshal
+hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
+r_dir_file(shell, proc_net_type)
+
+allow shell {
+ proc_asound
+ proc_filesystems
+ proc_interrupts
+ proc_loadavg # b/124024827
+ proc_meminfo
+ proc_modules
+ proc_pid_max
+ proc_slabinfo
+ proc_stat
+ proc_timer
+ proc_uptime
+ proc_version
+ proc_vmstat
+ proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;
+
+# Make sure strace works for the non-privileged shell user
+allow shell self:process ptrace;
+
+# allow shell to get battery info
+allow shell sysfs:dir r_dir_perms;
+allow shell sysfs_batteryinfo:dir r_dir_perms;
+allow shell sysfs_batteryinfo:file r_file_perms;
+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file rw_file_perms;
+
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
+# Allow shell to start up vendor shell
+allow shell vendor_shell_exec:file rx_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. Allow shell to
+# execute them.
+recovery_only(`
+ allow shell rootfs:file rx_file_perms;
+')
+
+###
+### Neverallow rules
+###
+
+# Do not allow shell to hard link to any files.
+# In particular, if shell hard links to app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure the shell user never has this
+# capability.
+neverallow shell file_type:file link;
+
+# Do not allow privileged socket ioctl commands
+neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+ fuse_device
+ hw_random_device
+ port_device
+}:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;
+
+# b/30861057: Shell access to existing input devices is an abuse
+# vector. The shell user can inject events that look like they
+# originate from the touchscreen etc.
+# Everyone should have already moved to UiAutomation#injectInputEvent
+# if they are running instrumentation tests (i.e. CTS), Monkey for
+# their stress tests, and the input command (adb shell input ...) for
+# injecting swipes and things.
+neverallow shell input_device:chr_file no_w_file_perms;
diff --git a/microdroid/sepolicy/system/public/simpleperf.te b/microdroid/sepolicy/system/public/simpleperf.te
new file mode 100644
index 0000000..218fee7
--- /dev/null
+++ b/microdroid/sepolicy/system/public/simpleperf.te
@@ -0,0 +1 @@
+type simpleperf, domain;
diff --git a/microdroid/sepolicy/system/public/simpleperf_app_runner.te b/microdroid/sepolicy/system/public/simpleperf_app_runner.te
new file mode 100644
index 0000000..2ed007e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/simpleperf_app_runner.te
@@ -0,0 +1,44 @@
+type simpleperf_app_runner, domain, mlstrustedsubject;
+type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+allow simpleperf_app_runner packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+# simpleperf_app_runner passes pipe fds.
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/microdroid/sepolicy/system/public/slideshow.te b/microdroid/sepolicy/system/public/slideshow.te
new file mode 100644
index 0000000..10fbbb8
--- /dev/null
+++ b/microdroid/sepolicy/system/public/slideshow.te
@@ -0,0 +1,14 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+allow slideshow kmsg_device:chr_file rw_file_perms;
+wakelock_use(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:global_capability_class_set sys_tty_config;
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
diff --git a/microdroid/sepolicy/system/public/stats_service_server.te b/microdroid/sepolicy/system/public/stats_service_server.te
new file mode 100644
index 0000000..ab8e58a
--- /dev/null
+++ b/microdroid/sepolicy/system/public/stats_service_server.te
@@ -0,0 +1,4 @@
+add_hwservice(stats_service_server, fwk_stats_hwservice)
+add_service(stats_service_server, fwk_stats_service)
+
+binder_use(stats_service_server)
diff --git a/microdroid/sepolicy/system/public/statsd.te b/microdroid/sepolicy/system/public/statsd.te
new file mode 100644
index 0000000..670f4c7
--- /dev/null
+++ b/microdroid/sepolicy/system/public/statsd.te
@@ -0,0 +1,86 @@
+type statsd, domain, mlstrustedsubject;
+
+type statsd_exec, system_file_type, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow statsd su:fifo_file read;
+')
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
+binder_call(statsd, incidentd)
+binder_call(statsd, system_server)
+
+# Allow statsd to interact with gpuservice
+allow statsd gpu_service:service_manager find;
+binder_call(statsd, gpuservice)
+
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
+# Allow statsd to interact with mediametrics
+allow statsd mediametrics_service:service_manager find;
+binder_call(statsd, mediametrics)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ app_api_service
+ incident_service
+ system_api_service
+}:service_manager find;
+
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
+hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_power_stats)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read write };
+
+unix_socket_send(statsd, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/microdroid/sepolicy/system/public/su.te b/microdroid/sepolicy/system/public/su.te
new file mode 100644
index 0000000..074ff2e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/su.te
@@ -0,0 +1,108 @@
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
+# File types must be defined for file_contexts.
+type su_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # Domain used for su processes, as well as for adbd and adb shell
+ # after performing an adb root command. The domain definition is
+ # wrapped to ensure that it does not exist at all on -user builds.
+ typeattribute su mlstrustedsubject;
+
+ # Add su to various domains
+ net_domain(su)
+
+ # grant su access to vndbinder
+ vndbinder_use(su)
+
+ dontaudit su self:capability_class_set *;
+ dontaudit su self:capability2 *;
+ dontaudit su kernel:security *;
+ dontaudit su { kernel file_type }:system *;
+ dontaudit su self:memprotect *;
+ dontaudit su domain:{ process process2 } *;
+ dontaudit su domain:fd *;
+ dontaudit su domain:dir *;
+ dontaudit su domain:lnk_file *;
+ dontaudit su domain:{ fifo_file file } *;
+ dontaudit su domain:socket_class_set *;
+ dontaudit su domain:ipc_class_set *;
+ dontaudit su domain:key *;
+ dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+ dontaudit su node_type:node *;
+ dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+ dontaudit su netif_type:netif *;
+ dontaudit su port_type:socket_class_set *;
+ dontaudit su port_type:{ tcp_socket dccp_socket } *;
+ dontaudit su domain:peer *;
+ dontaudit su domain:binder *;
+ dontaudit su property_type:property_service *;
+ dontaudit su property_type:file *;
+ dontaudit su service_manager_type:service_manager *;
+ dontaudit su hwservice_manager_type:hwservice_manager *;
+ dontaudit su vndservice_manager_type:service_manager *;
+ dontaudit su servicemanager:service_manager list;
+ dontaudit su hwservicemanager:hwservice_manager list;
+ dontaudit su vndservicemanager:service_manager list;
+ dontaudit su keystore:keystore_key *;
+ dontaudit su keystore:keystore2 *;
+ dontaudit su domain:drmservice *;
+ dontaudit su unlabeled:filesystem *;
+ dontaudit su postinstall_file:filesystem *;
+ dontaudit su domain:bpf *;
+ dontaudit su unlabeled:vsock_socket *;
+ dontaudit su self:perf_event *;
+
+ # VTS tests run in the permissive su domain on debug builds, but the HALs
+ # being tested run in enforcing mode. Because hal_foo_server is enforcing
+ # su needs to be declared as hal_foo_client to grant hal_foo_server
+ # permission to interact with it.
+ typeattribute su halclientdomain;
+ typeattribute su hal_allocator_client;
+ typeattribute su hal_atrace_client;
+ typeattribute su hal_audio_client;
+ typeattribute su hal_authsecret_client;
+ typeattribute su hal_bluetooth_client;
+ typeattribute su hal_bootctl_client;
+ typeattribute su hal_camera_client;
+ typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
+ typeattribute su hal_contexthub_client;
+ typeattribute su hal_drm_client;
+ typeattribute su hal_cas_client;
+ typeattribute su hal_dumpstate_client;
+ typeattribute su hal_fingerprint_client;
+ typeattribute su hal_gatekeeper_client;
+ typeattribute su hal_gnss_client;
+ typeattribute su hal_graphics_allocator_client;
+ typeattribute su hal_graphics_composer_client;
+ typeattribute su hal_health_client;
+ typeattribute su hal_input_classifier_client;
+ typeattribute su hal_ir_client;
+ typeattribute su hal_keymaster_client;
+ typeattribute su hal_light_client;
+ typeattribute su hal_memtrack_client;
+ typeattribute su hal_neuralnetworks_client;
+ typeattribute su hal_nfc_client;
+ typeattribute su hal_oemlock_client;
+ typeattribute su hal_power_client;
+ typeattribute su hal_rebootescrow_client;
+ typeattribute su hal_secure_element_client;
+ typeattribute su hal_sensors_client;
+ typeattribute su hal_telephony_client;
+ typeattribute su hal_tetheroffload_client;
+ typeattribute su hal_thermal_client;
+ typeattribute su hal_tv_cec_client;
+ typeattribute su hal_tv_input_client;
+ typeattribute su hal_tv_tuner_client;
+ typeattribute su hal_usb_client;
+ typeattribute su hal_vibrator_client;
+ typeattribute su hal_vr_client;
+ typeattribute su hal_weaver_client;
+ typeattribute su hal_wifi_client;
+ typeattribute su hal_wifi_hostapd_client;
+ typeattribute su hal_wifi_supplicant_client;
+')
diff --git a/microdroid/sepolicy/system/public/surfaceflinger.te b/microdroid/sepolicy/system/public/surfaceflinger.te
new file mode 100644
index 0000000..c1e4844
--- /dev/null
+++ b/microdroid/sepolicy/system/public/surfaceflinger.te
@@ -0,0 +1,3 @@
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
+type surfaceflinger_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/system_app.te b/microdroid/sepolicy/system/public/system_app.te
new file mode 100644
index 0000000..023058e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/system_app.te
@@ -0,0 +1,7 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+type system_app, domain;
diff --git a/microdroid/sepolicy/system/public/system_server.te b/microdroid/sepolicy/system/public/system_server.te
new file mode 100644
index 0000000..edefadf
--- /dev/null
+++ b/microdroid/sepolicy/system/public/system_server.te
@@ -0,0 +1,17 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain;
+type system_server_tmpfs, file_type, mlstrustedobject;
+
+# Power controls for debugging/diagnostics
+get_prop(system_server, power_debug_prop)
+set_prop(system_server, power_debug_prop)
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -system_server
+} power_debug_prop:property_service set;
diff --git a/microdroid/sepolicy/system/public/system_suspend_internal_server.te b/microdroid/sepolicy/system/public/system_suspend_internal_server.te
new file mode 100644
index 0000000..67bff77
--- /dev/null
+++ b/microdroid/sepolicy/system/public/system_suspend_internal_server.te
@@ -0,0 +1,11 @@
+# To serve ISuspendControlServiceInternal.
+add_service(system_suspend_internal_server, system_suspend_control_internal_service)
+
+neverallow {
+ domain
+ -atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend_internal_server # implements system_suspend_control_internal_service
+ -system_server # configures system_suspend via ISuspendControlServiceInternal
+ -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/system_suspend_server.te b/microdroid/sepolicy/system/public/system_suspend_server.te
new file mode 100644
index 0000000..8e8310d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/system_suspend_server.te
@@ -0,0 +1,6 @@
+# Required to export a HIDL interface.
+hwbinder_use(system_suspend_server)
+get_prop(system_suspend_server, hwservicemanager_prop)
+
+# To serve ISystemSuspend.hal.
+add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/microdroid/sepolicy/system/public/te_macros b/microdroid/sepolicy/system/public/te_macros
new file mode 100644
index 0000000..8d15d47
--- /dev/null
+++ b/microdroid/sepolicy/system/public/te_macros
@@ -0,0 +1,993 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute map };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint open read execute getattr map };
+# New domain can send SIGCHLD to its caller.
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
+define(`tmpfs_domain', `
+type_transition $1 tmpfs:file $1_tmpfs;
+allow $1 $1_tmpfs:file { read write getattr map };
+')
+
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
+')
+
+#####################################
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+')
+
+####################################
+# userfaultfd_use(domain)
+# Allow domain to create/use userfaultfd.
+define(`userfaultfd_use', `
+# Set up a type_transition to "userfaultfd" named anonymous inode object.
+type $1_userfaultfd;
+type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
+# Allow domain to create/use userfaultfd anon_inode.
+allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Other domains may not use userfaultfd anon_inodes created by this domain.
+neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
+# This domain may not use userfaultfd anon_inodes created by other domains.
+neverallow $1 ~$1_userfaultfd:anon_inode *;
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label tmpfs objects for all apps.
+type_transition $1 tmpfs:file appdomain_tmpfs;
+userfaultfd_use($1)
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
+')
+
+#####################################
+# untrusted_app_domain(domain)
+# Allow a base set of permissions required for all untrusted apps.
+define(`untrusted_app_domain', `
+typeattribute $1 untrusted_app_all;
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+# hal_*_client and halclientdomain attributes are always expanded for
+# performance reasons. Neverallow rules targeting expanded attributes can not be
+# verified by CTS since these attributes are already expanded by that time.
+build_test_only(`
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
+')
+')
+
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+# type hal_foo_default, domain;
+# hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+# hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+')
+
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+# passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+get_prop($1, $2)
+')
+
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file { getattr open read map };
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
+# Allow servicemanager to send out callbacks
+allow servicemanager $1:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open map };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open map };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:global_capability2_class_set block_suspend;
+# system_suspend permissions
+binder_call($1, system_suspend_server)
+allow $1 system_suspend_hwservice:hwservice_manager find;
+# halclientdomain permissions
+hwbinder_use($1)
+get_prop($1, hwservicemanager_prop)
+allow $1 hidl_manager_hwservice:hwservice_manager find;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Recovery only
+# SELinux rules which apply only to recovery mode
+#
+define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+
+#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
+#####################################
+# Compatible property only
+# SELinux rules which apply only to devices with compatible property
+#
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
+ifelse(target_compatible_property, `cts',
+# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not compatible property
+# SELinux rules which apply only to devices without compatible property
+#
+define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# Build-time-only test
+# SELinux rules which are verified during build, but not as part of *TS testing.
+#
+define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+ allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
+# TODO: Figure out why write is needed.
+allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned:fd use;
+allow $1 tombstoned_crash_socket:sock_file write;
+allow $1 tombstone_data_file:file append;
+')
+
+#####################################
+# WITH_DEXPREOPT builds
+# SELinux rules which apply only when pre-opting.
+#
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
+')
+
+#####################################
+# read_logd(domain)
+# Ability to run logcat and read from android
+# log daemon via sockets
+define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# read_runtime_log_tags(domain)
+# ability to directly map the runtime event log tags
+define(`read_runtime_log_tags', `
+allow $1 runtime_event_log_tags_file:file r_file_perms;
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+ allow keystore $1:dir search;
+ allow keystore $1:file { read open };
+ allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
+ allow $1 keystore_service:service_manager find;
+ allow $1 vpnprofilestore_service:service_manager find;
+ binder_call($1, keystore)
+ binder_call(keystore, $1)
+')
+
+#####################################
+# use_credstore(domain)
+# Ability to use credstore.
+define(`use_credstore', `
+ allow credstore $1:dir search;
+ allow credstore $1:file { read open };
+ allow credstore $1:process getattr;
+ allow $1 credstore_service:service_manager find;
+ binder_call($1, credstore)
+ binder_call(credstore, $1)
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
+
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+ allow $1 $2:service_manager { add find };
+ neverallow { domain -$1 } $2:service_manager add;
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
+ neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
+###########################################
+# hal_attribute_hwservice(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_hwservice', `
+ allow $1_client $2:hwservice_manager find;
+ add_hwservice($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+ ')
+')
+
+###########################################
+# hal_attribute_service(attribute, service)
+# Ability for domain to get a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_service
+define(`hal_attribute_service', `
+ allow $1_client $2:service_manager find;
+ add_service($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow {
+ domain
+ -$1_client
+ -$1_server
+ # some services are allowed to find all services
+ -atrace
+ -dumpstate
+ -shell
+ -system_app
+ -traceur_app
+ } $2:service_manager find;
+ ')
+')
+
+###################################
+# can_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by central
+# heapprofd.
+define(`can_profile_heap', `
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # Allow daemon to use the passed fds.
+ allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
+
+ # To read and write from the received file descriptors.
+ # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+ # process they relate to.
+ # We need to write to /proc/$PID/page_idle to find idle allocations.
+ # The client only opens /proc/self/page_idle with RDWR, everything else
+ # with RDONLY.
+ # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+ # sys_ptrace.
+ allow heapprofd $1:file rw_file_perms;
+ # Allow searching the /proc/[pid] directory for cmdline.
+ allow heapprofd $1:dir r_dir_perms;
+')
+
+###################################
+# never_profile_heap(domain)
+# Opt out of heap profiling by heapprofd.
+define(`never_profile_heap', `
+ neverallow heapprofd $1:file read;
+ neverallow heapprofd $1:process signal;
+')
+
+###################################
+# can_profile_perf(domain)
+# Allow processes within the domain to be profiled, and have their stacks
+# sampled, by traced_perf.
+define(`can_profile_perf', `
+ # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
+ # reads /proc/[pid]/cmdline.
+ allow traced_perf $1:file r_file_perms;
+ allow traced_perf $1:dir r_dir_perms;
+
+ # Allow central daemon to send signal to request /proc/[pid]/maps and
+ # /proc/[pid]/mem fds from this process.
+ allow traced_perf $1:process signal;
+
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, traced_perf, traced_perf)
+ # Allow daemon to use the passed fds.
+ allow traced_perf $1:fd use;
+')
+
+###################################
+# never_profile_perf(domain)
+# Opt out of profiling by traced_perf.
+define(`never_profile_perf', `
+ neverallow traced_perf $1:file read;
+ neverallow traced_perf $1:process signal;
+')
+
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+# When applying this macro, you might need to also allow traced to use the
+# producer tmpfs domain, if the producer will be the one creating the shared
+# memory.
+define(`perfetto_producer', `
+ allow $1 traced:fd use;
+ allow $1 traced_tmpfs:file { read write getattr map };
+ unix_socket_connect($1, traced_producer, traced)
+
+ # Also allow the service to use the producer file descriptors. This is
+ # necessary when the producer is creating the shared memory, as it will be
+ # passed to the service as a file descriptor (obtained from memfd_create).
+ allow traced $1:fd use;
+')
+
+###########################################
+# dump_hal(hal_type)
+# Ability to dump the hal debug info
+#
+define(`dump_hal', `
+ hal_client_domain(dumpstate, $1);
+ allow $1_server dumpstate:fifo_file write;
+ allow $1_server dumpstate:fd use;
+')
+
+#####################################
+# treble_sysprop_neverallow(rules)
+# SELinux neverallow rules which enforces the accessibility of each property
+# outside the owner.
+#
+# For devices launching with R or later, exported properties must be explicitly marked as
+# "restricted" or "public", depending on the accessibility outside the owner.
+# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these rules only for devices launching with R or later.
+#
+# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
+#
+define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
+ifelse(target_treble_sysprop_neverallow, `cts',
+# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# enforce_sysprop_owner(rules)
+# SELinux neverallow rules which enforces the owner of each property.
+#
+# For devices launching with S or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these ules only for devices launching with S or later.
+#
+define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
+ifelse(target_enforce_sysprop_owner, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+###########################################
+# define_prop(name, owner, scope)
+# Define a property with given owner and scope
+#
+define(`define_prop', `
+ type $1, property_type, $2_property_type, $2_$3_property_type;
+')
+
+###########################################
+# system_internal_prop(name)
+# Define a /system-owned property used only in /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_internal_prop', `
+ define_prop($1, system, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# system_restricted_prop(name)
+# Define a /system-owned property which can't be written outside /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_restricted_prop', `
+ define_prop($1, system, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# system_public_prop(name)
+# Define a /system-owned property with no restrictions
+#
+define(`system_public_prop', `define_prop($1, system, public)')
+
+###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+ system_public_prop($1)
+ set_prop(vendor_init, $1)
+ neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
+# product_internal_prop(name)
+# Define a /product-owned property used only in /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_internal_prop', `
+ define_prop($1, product, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# product_restricted_prop(name)
+# Define a /product-owned property which can't be written outside /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_restricted_prop', `
+ define_prop($1, product, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# product_public_prop(name)
+# Define a /product-owned property with no restrictions
+#
+define(`product_public_prop', `define_prop($1, product, public)')
+
+###########################################
+# vendor_internal_prop(name)
+# Define a /vendor-owned property used only in /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_internal_prop', `
+ define_prop($1, vendor, internal)
+ treble_sysprop_neverallow(`
+# init and dumpstate are in coredomain, but should be able to read all props.
+ neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# vendor_restricted_prop(name)
+# Define a /vendor-owned property which can't be written outside /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_restricted_prop', `
+ define_prop($1, vendor, restricted)
+ treble_sysprop_neverallow(`
+# init is in coredomain, but should be able to write all props.
+ neverallow { coredomain -init } $1:property_service set;
+ ')
+')
+
+###########################################
+# vendor_public_prop(name)
+# Define a /vendor-owned property with no restrictions
+#
+define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+')
diff --git a/microdroid/sepolicy/system/public/tee.te b/microdroid/sepolicy/system/public/tee.te
new file mode 100644
index 0000000..0f9b32d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/tee.te
@@ -0,0 +1,11 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
+
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
+
diff --git a/microdroid/sepolicy/system/public/tombstoned.te b/microdroid/sepolicy/system/public/tombstoned.te
new file mode 100644
index 0000000..ea2abbb
--- /dev/null
+++ b/microdroid/sepolicy/system/public/tombstoned.te
@@ -0,0 +1,17 @@
+# debugger interface
+type tombstoned, domain, mlstrustedsubject;
+type tombstoned_exec, system_file_type, exec_type, file_type;
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { append create getattr open link unlink };
diff --git a/microdroid/sepolicy/system/public/toolbox.te b/microdroid/sepolicy/system/public/toolbox.te
new file mode 100644
index 0000000..4c2cc3e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/toolbox.te
@@ -0,0 +1,38 @@
+# Any toolbox command run by init.
+# At present, the only known usage is for running mkswap via fs_mgr.
+# Do NOT use this domain for toolbox when run by any other domain.
+type toolbox, domain;
+type toolbox_exec, system_file_type, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow toolbox tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow toolbox devpts:chr_file { read write getattr ioctl };
+
+# mkswap-specific.
+# Read/write block devices used for swap partitions.
+# Assign swap_block_device type any such partition in your
+# device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
+allow toolbox swap_block_device:blk_file rw_file_perms;
+
+# Only allow entry from init via the toolbox binary.
+neverallow { domain -init } toolbox:process transition;
+neverallow * toolbox:process dyntransition;
+neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_root_file:dir { remove_name write };
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
+
+# chattr +F and chattr +P /data/media in init
+allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
+allowxperm toolbox media_rw_data_file:dir ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
diff --git a/microdroid/sepolicy/system/public/traced.te b/microdroid/sepolicy/system/public/traced.te
new file mode 100644
index 0000000..922d46e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/traced.te
@@ -0,0 +1,3 @@
+type traced, domain, coredomain, mlstrustedsubject;
+type traced_tmpfs, file_type;
+
diff --git a/microdroid/sepolicy/system/public/traced_perf.te b/microdroid/sepolicy/system/public/traced_perf.te
new file mode 100644
index 0000000..f9a0324
--- /dev/null
+++ b/microdroid/sepolicy/system/public/traced_perf.te
@@ -0,0 +1 @@
+type traced_perf, domain;
diff --git a/microdroid/sepolicy/system/public/traced_probes.te b/microdroid/sepolicy/system/public/traced_probes.te
new file mode 100644
index 0000000..3e587c8
--- /dev/null
+++ b/microdroid/sepolicy/system/public/traced_probes.te
@@ -0,0 +1 @@
+type traced_probes, domain, coredomain, mlstrustedsubject;
diff --git a/microdroid/sepolicy/system/public/traceur_app.te b/microdroid/sepolicy/system/public/traceur_app.te
new file mode 100644
index 0000000..ce9b844
--- /dev/null
+++ b/microdroid/sepolicy/system/public/traceur_app.te
@@ -0,0 +1,27 @@
+type traceur_app, domain;
+
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
+
+allow traceur_app {
+ service_manager_type
+ -apex_service
+ -dnsresolver_service
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -iorapd_service
+ -lpdump_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ -default_android_service
+}:service_manager find;
+
+# Allow traceur_app to use atrace HAL
+hal_client_domain(traceur_app, hal_atrace)
+
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
diff --git a/microdroid/sepolicy/system/public/tzdatacheck.te b/microdroid/sepolicy/system/public/tzdatacheck.te
new file mode 100644
index 0000000..cf9b95d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/tzdatacheck.te
@@ -0,0 +1,18 @@
+# The tzdatacheck command run by init.
+type tzdatacheck, domain;
+type tzdatacheck_exec, system_file_type, exec_type, file_type;
+
+allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
+allow tzdatacheck zoneinfo_data_file:file unlink;
+
+# Below are strong assertion that only init, system_server and tzdatacheck
+# can modify the /data time zone rules directories. This is to make it very
+# clear that only these domains should modify the actual time zone rules data.
+# The tzdatacheck binary itself may be executed by shell for tests but it must
+# not be able to modify the real rules.
+# If other users / binaries could modify time zone rules on device this might
+# have negative implications for users (who may get incorrect local times)
+# or break assumptions made / invalidate data held by the components actually
+# responsible for updating time zone rules.
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/microdroid/sepolicy/system/public/ueventd.te b/microdroid/sepolicy/system/public/ueventd.te
new file mode 100644
index 0000000..d5d4301
--- /dev/null
+++ b/microdroid/sepolicy/system/public/ueventd.te
@@ -0,0 +1,83 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+type ueventd_tmpfs, file_type;
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
+
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. ueventd has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow ueventd rootfs:file { r_file_perms execute };
+')
+
+# Suppress denials for ueventd to getattr /postinstall. This occurs when the
+# linker tries to resolve paths in ld.config.txt.
+dontaudit ueventd postinstall_mnt_dir:dir getattr;
+
+# ueventd loads modules in response to modalias events.
+allow ueventd self:global_capability_class_set sys_module;
+allow ueventd vendor_file:system module_load;
+allow ueventd kernel:key search;
+
+# ueventd is using bootstrap bionic
+allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
+allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+
+# Allow ueventd to run shell scripts from vendor
+allow ueventd vendor_shell_exec:file execute;
+
+#####
+##### neverallow rules
+#####
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
+
+# Nobody should be able to ptrace ueventd
+neverallow * ueventd:process ptrace;
+
+# ueventd should never execute a program without changing to another domain.
+neverallow ueventd { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/sepolicy/system/public/uncrypt.te b/microdroid/sepolicy/system/public/uncrypt.te
new file mode 100644
index 0000000..3b04671
--- /dev/null
+++ b/microdroid/sepolicy/system/public/uncrypt.te
@@ -0,0 +1,46 @@
+# uncrypt
+type uncrypt, domain, mlstrustedsubject;
+type uncrypt_exec, system_file_type, exec_type, file_type;
+
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
+
+userdebug_or_eng(`
+ # For debugging, allow /data/local/tmp access
+ r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Raw writes to block device
+allow uncrypt self:global_capability_class_set sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
+
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+ proc_bootconfig
+ proc_cmdline
+
+}:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)
diff --git a/microdroid/sepolicy/system/public/untrusted_app.te b/microdroid/sepolicy/system/public/untrusted_app.te
new file mode 100644
index 0000000..43fe19a
--- /dev/null
+++ b/microdroid/sepolicy/system/public/untrusted_app.te
@@ -0,0 +1,30 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion >= 30.
+type untrusted_app, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion = 29.
+type untrusted_app_29, domain;
+# This file defines the rules for untrusted apps running with
+# 25 < targetSdkVersion <= 28.
+type untrusted_app_27, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion <= 25.
+type untrusted_app_25, domain;
diff --git a/microdroid/sepolicy/system/public/update_engine.te b/microdroid/sepolicy/system/public/update_engine.te
new file mode 100644
index 0000000..ab7090b
--- /dev/null
+++ b/microdroid/sepolicy/system/public/update_engine.te
@@ -0,0 +1,78 @@
+# Domain for update_engine daemon.
+type update_engine, domain, update_engine_common;
+type update_engine_exec, system_file_type, exec_type, file_type;
+
+net_domain(update_engine);
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:global_capability_class_set fsetid;
+
+allow update_engine kmsg_device:chr_file { getattr w_file_perms };
+allow update_engine update_engine_exec:file rx_file_perms;
+wakelock_use(update_engine);
+
+# Ignore these denials.
+dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:global_capability_class_set sys_rawio;
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir create_dir_perms;
+allow update_engine update_engine_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/misc/update_engine_log.
+allow update_engine update_engine_log_data_file:dir create_dir_perms;
+allow update_engine update_engine_log_data_file:file create_file_perms;
+
+# Don't allow kernel module loading, just silence the logs.
+dontaudit update_engine kernel:system module_request;
+
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+add_service(update_engine, update_engine_service)
+add_service(update_engine, update_engine_stable_service)
+
+# Allow update_engine to call the callback function provided by priv_app/GMS core.
+binder_call(update_engine, priv_app)
+# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow update_engine priv_app:binder { call transfer };
+ auditallow priv_app update_engine:binder transfer;
+ auditallow update_engine priv_app:fd use;
+')
+
+binder_call(update_engine, gmscore_app)
+
+# Allow update_engine to call the callback function provided by system_server.
+binder_call(update_engine, system_server)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
+
+# Allow ReadDefaultFstab().
+# update_engine tries to determine the parent path for all devices (e.g.
+# /dev/block/by-name) by reading the default fstab and looking for the misc
+# device.
+read_fstab(update_engine)
+
+# Allow to write to snapshotctl_log logs.
+# TODO(b/148818798) revert when parent bug is fixed.
+userdebug_or_eng(`
+allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
+allow update_engine snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/microdroid/sepolicy/system/public/update_engine_common.te b/microdroid/sepolicy/system/public/update_engine_common.te
new file mode 100644
index 0000000..e8fd29e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/update_engine_common.te
@@ -0,0 +1,98 @@
+# update_engine payload application permissions. These are shared between the
+# background daemon and the recovery tool to sideload an update.
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine_common block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine_common boot_block_device:blk_file rw_file_perms;
+allow update_engine_common system_block_device:blk_file rw_file_perms;
+
+# Where ioctls are granted via standard allow rules to block devices,
+# automatically allow common ioctls that are generally needed by
+# update_engine.
+allowxperm update_engine_common dev_type:blk_file ioctl {
+ BLKDISCARD
+ BLKDISCARDZEROES
+ BLKROGET
+ BLKROSET
+ BLKSECDISCARD
+ BLKZEROOUT
+};
+
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine_common misc_block_device:blk_file rw_file_perms;
+
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
+# Allow update_engine_common to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
+allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
+
+# Allow update_engine_common to read and execute postinstall_file.
+allow update_engine_common postinstall_file:file rx_file_perms;
+allow update_engine_common postinstall_file:lnk_file r_file_perms;
+allow update_engine_common postinstall_file:dir r_dir_perms;
+
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine_common shell_exec:file rx_file_perms;
+
+# Allow update_engine_common to suspend, resume and kill the postinstall program.
+allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/cmdline
+allow update_engine_common proc_cmdline:file r_file_perms;
+
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)
+
+# Needed because libdm reads sysfs to validate when a dm path is ready.
+r_dir_file(update_engine_common, sysfs_dm)
+
+# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
+allow update_engine_common sysfs:dir r_dir_perms;
+allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
+
+# read / write on /dev/device-mapper to map / unmap devices
+allow update_engine_common dm_device:chr_file rw_file_perms;
+
+# apply / verify updates on devices mapped via device mapper
+allow update_engine_common dm_device:blk_file rw_file_perms;
+
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+
+# read / write metadata on super device to resize partitions
+allow update_engine_common super_block_device_type:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;
+
+# Allow update_engine_common to write to statsd socket.
+unix_socket_send(update_engine_common, statsdw, statsd)
+
+# Allow to read Virtual A/B feature flags.
+get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read GKI related flags.
+get_prop(update_engine_common, ab_update_gki_prop)
+get_prop(update_engine_common, build_bootimage_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common metadata_file:dir search;
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/microdroid/sepolicy/system/public/update_verifier.te b/microdroid/sepolicy/system/public/update_verifier.te
new file mode 100644
index 0000000..68b43f0
--- /dev/null
+++ b/microdroid/sepolicy/system/public/update_verifier.te
@@ -0,0 +1,33 @@
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, system_file_type, exec_type, file_type;
+
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
+
+# Write to kernel message.
+allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
+
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
+
+# Access Checkpoint commands over binder
+allow update_verifier vold_service:service_manager find;
+binder_call(update_verifier, servicemanager)
+binder_call(update_verifier, vold)
diff --git a/microdroid/sepolicy/system/public/usbd.te b/microdroid/sepolicy/system/public/usbd.te
new file mode 100644
index 0000000..6f34954
--- /dev/null
+++ b/microdroid/sepolicy/system/public/usbd.te
@@ -0,0 +1,2 @@
+type usbd, domain;
+type usbd_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/sepolicy/system/public/userdata_sysdev.te b/microdroid/sepolicy/system/public/userdata_sysdev.te
new file mode 100644
index 0000000..9974f36
--- /dev/null
+++ b/microdroid/sepolicy/system/public/userdata_sysdev.te
@@ -0,0 +1 @@
+allow userdata_sysdev sysfs:filesystem associate;
diff --git a/microdroid/sepolicy/system/public/vdc.te b/microdroid/sepolicy/system/public/vdc.te
new file mode 100644
index 0000000..e638e50
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vdc.te
@@ -0,0 +1,20 @@
+# vdc spawned from init for the following services:
+# defaultcrypto
+# encrypt
+#
+# We also transition into this domain from dumpstate, when
+# collecting bug reports.
+
+type vdc, domain;
+type vdc_exec, system_file_type, exec_type, file_type;
+
+# vdc can be invoked with logwrapper, so let it write to pty
+allow vdc devpts:chr_file rw_file_perms;
+
+# vdc writes directly to kmsg during the boot process
+allow vdc kmsg_device:chr_file { getattr w_file_perms };
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/vendor_init.te b/microdroid/sepolicy/system/public/vendor_init.te
new file mode 100644
index 0000000..b0e1da5
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vendor_init.te
@@ -0,0 +1,295 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open getattr write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
+# Set encryption policy on dirs in /data
+allowxperm vendor_init data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+};
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file_type
+ -mnt_product_file
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -runtime_event_log_tags_file
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -apex_info_file
+ -userspace_reboot_metadata_file
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -apex_mnt_dir
+ -core_data_file_type
+ -exec_type
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -mnt_product_file
+ -password_slot_metadata_file
+ -ota_metadata_file
+ -system_file_type
+ -vendor_file_type
+ -vold_metadata_file
+ -gsi_metadata_file_type
+ -apex_metadata_file
+ -userspace_reboot_metadata_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -keychord_device
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr map };
+
+allow vendor_init tracefs_type:file { open read setattr map };
+
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read map };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
+# vendor_init is using bootstrap bionic
+allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
+allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
+# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow vendor_init rootfs:file { r_file_perms execute };
+')
+
+not_compatible_property(`
+ set_prop(vendor_init, {
+ property_type
+ -system_internal_property_type
+ -system_restricted_property_type
+ })
+')
+
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
+set_prop(vendor_init, apk_verity_prop)
+set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, camerax_extensions_prop)
+set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_runtime_prop)
+set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_camera_prop)
+set_prop(vendor_init, exported_config_prop)
+set_prop(vendor_init, exported_default_prop)
+set_prop(vendor_init, exported_overlay_prop)
+set_prop(vendor_init, exported_pm_prop)
+set_prop(vendor_init, ffs_control_prop)
+set_prop(vendor_init, hw_timeout_multiplier_prop)
+set_prop(vendor_init, incremental_prop)
+set_prop(vendor_init, lmkd_prop)
+set_prop(vendor_init, logd_prop)
+set_prop(vendor_init, log_tag_prop)
+set_prop(vendor_init, log_prop)
+set_prop(vendor_init, qemu_hw_prop)
+set_prop(vendor_init, radio_control_prop)
+set_prop(vendor_init, rebootescrow_hal_prop)
+set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, soc_prop)
+set_prop(vendor_init, surfaceflinger_color_prop)
+set_prop(vendor_init, usb_control_prop)
+set_prop(vendor_init, userspace_reboot_config_prop)
+set_prop(vendor_init, vehicle_hal_prop)
+set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
+set_prop(vendor_init, vndk_prop)
+set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, vold_post_fs_data_prop)
+set_prop(vendor_init, wifi_hal_prop)
+set_prop(vendor_init, wifi_log_prop)
+set_prop(vendor_init, zram_control_prop)
+
+get_prop(vendor_init, boot_status_prop)
+get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, ota_prop)
+get_prop(vendor_init, power_debug_prop)
+get_prop(vendor_init, provisioned_prop)
+get_prop(vendor_init, retaildemo_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
+get_prop(vendor_init, test_harness_prop)
+get_prop(vendor_init, theme_prop)
+set_prop(vendor_init, dck_prop)
+
+
+###
+### neverallow rules
+###
+
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
+# The vendor_init domain is only entered via an exec based transition from the
+# init domain, never via setcon().
+neverallow domain vendor_init:process dyntransition;
+neverallow { domain -init } vendor_init:process transition;
+neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
+neverallow vendor_init shell_data_file:lnk_file read;
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow vendor_init shell_data_file:dir { write add_name remove_name };
+
+# init should never execute a program without changing to another domain.
+neverallow vendor_init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow vendor_init service_manager_type:service_manager { add find };
+neverallow vendor_init servicemanager:service_manager list;
+
+# vendor_init should never be ptraced
+neverallow * vendor_init:process ptrace;
diff --git a/microdroid/sepolicy/system/public/vendor_misc_writer.te b/microdroid/sepolicy/system/public/vendor_misc_writer.te
new file mode 100644
index 0000000..3bc3a9f
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vendor_misc_writer.te
@@ -0,0 +1,16 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
+dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
+dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(vendor_misc_writer)
diff --git a/microdroid/sepolicy/system/public/vendor_modprobe.te b/microdroid/sepolicy/system/public/vendor_modprobe.te
new file mode 100644
index 0000000..529c4aa
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vendor_modprobe.te
@@ -0,0 +1 @@
+type vendor_modprobe, domain;
diff --git a/microdroid/sepolicy/system/public/vendor_shell.te b/microdroid/sepolicy/system/public/vendor_shell.te
new file mode 100644
index 0000000..5d7cb31
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vendor_shell.te
@@ -0,0 +1,21 @@
+type vendor_shell, domain;
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/microdroid/sepolicy/system/public/vendor_toolbox.te b/microdroid/sepolicy/system/public/vendor_toolbox.te
new file mode 100644
index 0000000..63f938d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vendor_toolbox.te
@@ -0,0 +1,16 @@
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+ # Do not allow non-vendor domains to transition
+ # to vendor toolbox except for the allowlisted domains.
+ neverallow {
+ coredomain
+ -init
+ -modprobe
+ } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
diff --git a/microdroid/sepolicy/system/public/virtual_touchpad.te b/microdroid/sepolicy/system/public/virtual_touchpad.te
new file mode 100644
index 0000000..49c8704
--- /dev/null
+++ b/microdroid/sepolicy/system/public/virtual_touchpad.te
@@ -0,0 +1,16 @@
+type virtual_touchpad, domain;
+type virtual_touchpad_exec, system_file_type, exec_type, file_type;
+
+binder_use(virtual_touchpad)
+binder_service(virtual_touchpad)
+add_service(virtual_touchpad, virtual_touchpad_service)
+
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
+# Requires access to /dev/uinput to create and feed the virtual device.
+allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/vndservice.te b/microdroid/sepolicy/system/public/vndservice.te
new file mode 100644
index 0000000..efd9adf
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vndservice.te
@@ -0,0 +1,2 @@
+type service_manager_vndservice, vndservice_manager_type;
+type default_android_vndservice, vndservice_manager_type;
diff --git a/microdroid/sepolicy/system/public/vndservicemanager.te b/microdroid/sepolicy/system/public/vndservicemanager.te
new file mode 100644
index 0000000..6b9f73d
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/microdroid/sepolicy/system/public/vold.te b/microdroid/sepolicy/system/public/vold.te
new file mode 100644
index 0000000..7796ba8
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vold.te
@@ -0,0 +1,361 @@
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type, system_file_type;
+
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
+# XXX Label sysfs files with a specific type?
+allow vold {
+ sysfs # writing to /sys/*/uevent during coldboot.
+ sysfs_devices_block
+ sysfs_dm
+ sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
+ sysfs_usb
+ sysfs_zram_uevent
+ sysfs_fs_f2fs
+}:file w_file_perms;
+
+r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
+allow vold {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_drop_caches
+ proc_filesystems
+ proc_meminfo
+ proc_mounts
+}:file r_file_perms;
+
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
+# Run fstrim on mounted partitions
+# allowxperm still requires the ioctl permission for the individual type
+allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
+
+# Get/set file-based encryption policies on dirs in /data and adoptable storage,
+# and add/remove file-based encryption keys.
+allowxperm vold data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+ FS_IOC_ADD_ENCRYPTION_KEY
+ FS_IOC_REMOVE_ENCRYPTION_KEY
+};
+
+# Only vold and init should ever set file-based encryption policies.
+neverallowxperm {
+ domain
+ -vold
+ -init
+ -vendor_init
+} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
+
+# Only vold should ever add/remove file-based encryption keys.
+neverallowxperm {
+ domain
+ -vold
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+
+# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
+# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
+# location of the file's blocks on the raw block device to erase.
+allowxperm vold {
+ vold_data_file
+ vold_metadata_file
+}:file ioctl {
+ F2FS_IOC_SEC_TRIM_FILE
+ FS_IOC_FIEMAP
+};
+
+typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
+allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
+allow vold block_device:dir create_dir_perms;
+allow vold device:dir write;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold sdcard_type:dir mounton; # TODO: deprecated in M
+allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
+allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
+allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+
+# Manage locations where storage is mounted
+allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+
+# Access to storage that backs emulated FUSE daemons for migration optimization
+allow vold media_rw_data_file:dir create_dir_perms;
+allow vold media_rw_data_file:file create_file_perms;
+# Allow mounting (lower filesystem) on parts of media for performance
+allow vold media_rw_data_file:dir mounton;
+
+# Allow setting extended attributes (for project quota IDs) on files and dirs
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
+allowxperm vold media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
+
+# Allow mounting of storage devices
+allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
+
+# Manage per-user primary symlinks
+allow vold mnt_user_file:dir { create_dir_perms mounton };
+allow vold mnt_user_file:lnk_file create_file_perms;
+allow vold mnt_user_file:file create_file_perms;
+
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
+# Allow to mount incremental file system on /data/incremental and create files
+allow vold apk_data_file:dir { mounton rw_dir_perms };
+# Allow to create and write files in /data/incremental
+allow vold apk_data_file:file { rw_file_perms unlink };
+# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
+allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
+
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vold loop_control_device:chr_file rw_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl {
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_GET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_STATUS64
+};
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
+allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
+
+allow vold kmsg_device:chr_file rw_file_perms;
+
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
+
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount remount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file rw_file_perms;
+
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold {
+ system_data_file
+ system_data_root_file
+}:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:lnk_file getattr;
+
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
+# for secdiscard
+allow vold system_data_file:file read;
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
+allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
+# Handle wake locks (used for device encryption)
+wakelock_use(vold)
+
+# Allow vold to publish a binder service and make binder calls.
+binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to batteryservice
+binder_call(vold, healthd)
+
+# talk to keymaster
+hal_client_domain(vold, hal_keymaster)
+
+# talk to health storage HAL
+hal_client_domain(vold, hal_health_storage)
+
+# talk to bootloader HAL
+full_treble_only(`hal_client_domain(vold, hal_bootctl)')
+
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;
+allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir create_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:global_capability_class_set sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:global_capability_class_set sys_chroot;
+allow vold storage_file:dir mounton;
+
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
+
+# MoveTask.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
+# Prepare profile dir for users.
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
+
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
+# vold might need to search or mount /mnt/vendor/*
+allow vold mnt_vendor_file:dir search;
+
+dontaudit vold self:global_capability_class_set sys_resource;
+
+# Allow ReadDefaultFstab().
+read_fstab(vold)
+
+# vold might need to search loopback apex files
+allow vold vendor_apex_file:file r_file_perms;
+
+neverallow {
+ domain
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
+neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold {
+ domain
+ -hal_health_storage_server
+ -hal_keymaster_server
+ -system_suspend_server
+ -hal_bootctl_server
+ -healthd
+ -hwservicemanager
+ -iorapd_service
+ -keystore
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
diff --git a/microdroid/sepolicy/system/public/vold_prepare_subdirs.te b/microdroid/sepolicy/system/public/vold_prepare_subdirs.te
new file mode 100644
index 0000000..3087fa8
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vold_prepare_subdirs.te
@@ -0,0 +1,6 @@
+# SELinux directory creation and labelling for vold-managed directories
+
+type vold_prepare_subdirs, domain;
+type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
+
+typeattribute vold_prepare_subdirs coredomain;
diff --git a/microdroid/sepolicy/system/public/vr_hwc.te b/microdroid/sepolicy/system/public/vr_hwc.te
new file mode 100644
index 0000000..c146887
--- /dev/null
+++ b/microdroid/sepolicy/system/public/vr_hwc.te
@@ -0,0 +1,33 @@
+type vr_hwc, domain;
+type vr_hwc_exec, system_file_type, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+pdx_client(vr_hwc, display_client)
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
+
+allow vr_hwc vrflinger_vsync_service:service_manager find;
diff --git a/microdroid/sepolicy/system/public/watchdogd.te b/microdroid/sepolicy/system/public/watchdogd.te
new file mode 100644
index 0000000..72e3685
--- /dev/null
+++ b/microdroid/sepolicy/system/public/watchdogd.te
@@ -0,0 +1,6 @@
+# watchdogd seclabel is specified in init.<board>.rc
+type watchdogd, domain;
+type watchdogd_exec, system_file_type, exec_type, file_type;
+
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/system/public/webview_zygote.te b/microdroid/sepolicy/system/public/webview_zygote.te
new file mode 100644
index 0000000..ace3a01
--- /dev/null
+++ b/microdroid/sepolicy/system/public/webview_zygote.te
@@ -0,0 +1,6 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+type webview_zygote, domain;
+type webview_zygote_exec, exec_type, file_type;
+type webview_zygote_tmpfs, file_type;
diff --git a/microdroid/sepolicy/system/public/wificond.te b/microdroid/sepolicy/system/public/wificond.te
new file mode 100644
index 0000000..254fcbc
--- /dev/null
+++ b/microdroid/sepolicy/system/public/wificond.te
@@ -0,0 +1,43 @@
+# wificond
+type wificond, domain;
+type wificond_exec, system_file_type, exec_type, file_type;
+
+binder_use(wificond)
+binder_call(wificond, system_server)
+binder_call(wificond, keystore)
+
+add_service(wificond, wifinl80211_service)
+
+# create sockets to set interfaces up and down
+allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+allow wificond self:global_capability_class_set { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
+allow wificond self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+r_dir_file(wificond, proc_net_type)
+
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
+# dumpstate support
+allow wificond dumpstate:fd use;
+allow wificond dumpstate:fifo_file write;
+
+#### Offer the Wifi Keystore HwBinder service ###
+hwbinder_use(wificond)
+typeattribute wificond wifi_keystore_service_server;
+add_hwservice(wificond, system_wifi_keystore_hwservice)
+
+# Allow keystore binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
+allow wificond keystore:keystore_key get;
+
+# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond wifi_key:keystore2_key {
+ get_info
+ use
+};
diff --git a/microdroid/sepolicy/system/public/wpantund.te b/microdroid/sepolicy/system/public/wpantund.te
new file mode 100644
index 0000000..8ddd693
--- /dev/null
+++ b/microdroid/sepolicy/system/public/wpantund.te
@@ -0,0 +1,29 @@
+type wpantund, domain;
+type wpantund_exec, system_file_type, exec_type, file_type;
+
+hal_client_domain(wpantund, hal_lowpan)
+net_domain(wpantund)
+
+binder_use(wpantund)
+binder_call(wpantund, system_server)
+
+# wpantund needs to be able to check in with the lowpan_service
+allow wpantund lowpan_service:service_manager find;
+
+# Allow wpantund to call any callbacks that have been registered with it.
+# Generally, only privileged apps are able to register callbacks with
+# wpantund, so we are limiting the scope for callbacks to only privileged
+# apps. We also add shell to allow the command-line utility `lowpanctl`
+# to work properly from `adb shell`.
+allow wpantund {priv_app shell}:binder call;
+
+# create sockets to set interfaces up and down, add multicast groups, etc.
+allow wpantund self:udp_socket create_socket_perms;
+
+# setting interface state up/down and changing MTU are privileged ioctls
+allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+# Allow us to bring up a TUN network interface.
+allow wpantund tun_device:chr_file rw_file_perms;
+allow wpantund self:global_capability_class_set { net_admin net_raw };
+allow wpantund self:tun_socket create;
diff --git a/microdroid/sepolicy/system/public/zygote.te b/microdroid/sepolicy/system/public/zygote.te
new file mode 100644
index 0000000..071354e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/zygote.te
@@ -0,0 +1,4 @@
+# zygote
+type zygote, domain;
+type zygote_tmpfs, file_type;
+type zygote_exec, system_file_type, exec_type, file_type;