Add microdroid specific sepolicy
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step: for now it is a simple copy of system/sepolicy.
It will be stripped down in future work.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/vendor/file.te b/microdroid/sepolicy/vendor/file.te
new file mode 100644
index 0000000..0b1fd74
--- /dev/null
+++ b/microdroid/sepolicy/vendor/file.te
@@ -0,0 +1,2 @@
+type hostapd_data_file, file_type, data_file_type;
+type wpa_data_file, file_type, data_file_type;
diff --git a/microdroid/sepolicy/vendor/file_contexts b/microdroid/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..71b4fcd
--- /dev/null
+++ b/microdroid/sepolicy/vendor/file_contexts
@@ -0,0 +1,38 @@
+# TODO(jiyong): clean this up
+#############################
+# Vendor files
+#
+(/.*)? u:object_r:vendor_file:s0
+/bin/sh u:object_r:vendor_shell_exec:s0
+/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
+/bin/toolbox u:object_r:vendor_toolbox_exec:s0
+/etc(/.*)? u:object_r:vendor_configs_file:s0
+/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
+/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+
+/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+
+/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+/manifest\.xml u:object_r:vendor_configs_file:s0
+/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
+/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
+/app(/.*)? u:object_r:vendor_app_file:s0
+/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+
+# HAL location
+/lib(64)?/hw u:object_r:vendor_hal_file:s0
+
+/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
+
+/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+
+/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
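Review bot: The keymint service on the last line is the only HAL executable this file labels, yet the same commit declares an `_exec` type and calls `init_daemon_domain()` for every `hal_*_default` domain under vendor/. Unless another contexts file outside this view labels those binaries, they fall through to the `(/.*)?` catch-all as `vendor_file`, the domain transitions never fire, and the allow rules are unreachable policy that still has to be audited. I would replace the bare TODO at the top with one that states the criterion, e.g. `# TODO(jiyong): drop every entry and domain whose binary is not in the microdroid vendor image`.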
diff --git a/microdroid/sepolicy/vendor/hal_atrace_default.te b/microdroid/sepolicy/vendor/hal_atrace_default.te
new file mode 100644
index 0000000..55c9730
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_atrace_default.te
@@ -0,0 +1,14 @@
+type hal_atrace_default, domain;
+hal_server_domain(hal_atrace_default, hal_atrace)
+
+type hal_atrace_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_atrace_default)
+
+# Allow atrace HAL to access tracefs.
+allow hal_atrace_default debugfs_tracing:dir r_dir_perms;
+allow hal_atrace_default debugfs_tracing:file rw_file_perms;
+
+userdebug_or_eng(`
+ allow hal_atrace_default debugfs_tracing_debug:dir r_dir_perms;
+ allow hal_atrace_default debugfs_tracing_debug:file rw_file_perms;
+')
diff --git a/microdroid/sepolicy/vendor/hal_audio_default.te b/microdroid/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..82cbf8e
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,10 @@
+type hal_audio_default, domain;
+hal_server_domain(hal_audio_default, hal_audio)
+
+type hal_audio_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_audio_default)
+
+hal_client_domain(hal_audio_default, hal_allocator)
+
+# allow audioserver to call hal_audio dump with its own fd to retrieve status
+allow hal_audio_default audioserver:fifo_file write;
diff --git a/microdroid/sepolicy/vendor/hal_audiocontrol_default.te b/microdroid/sepolicy/vendor/hal_audiocontrol_default.te
new file mode 100644
index 0000000..d1940c9
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_audiocontrol_default.te
@@ -0,0 +1,7 @@
+# audiocontrol subsystem
+type hal_audiocontrol_default, domain;
+hal_server_domain(hal_audiocontrol_default, hal_audiocontrol)
+
+# may be started by init
+type hal_audiocontrol_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_audiocontrol_default)
diff --git a/microdroid/sepolicy/vendor/hal_authsecret_default.te b/microdroid/sepolicy/vendor/hal_authsecret_default.te
new file mode 100644
index 0000000..46f5291
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_authsecret_default.te
@@ -0,0 +1,5 @@
+type hal_authsecret_default, domain;
+hal_server_domain(hal_authsecret_default, hal_authsecret)
+
+type hal_authsecret_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_authsecret_default)
diff --git a/microdroid/sepolicy/vendor/hal_bluetooth_btlinux.te b/microdroid/sepolicy/vendor/hal_bluetooth_btlinux.te
new file mode 100644
index 0000000..22d9cf0
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_bluetooth_btlinux.te
@@ -0,0 +1,8 @@
+type hal_bluetooth_btlinux, domain;
+type hal_bluetooth_btlinux_exec, exec_type, file_type, vendor_file_type;
+
+hal_server_domain(hal_bluetooth_btlinux, hal_bluetooth)
+init_daemon_domain(hal_bluetooth_btlinux)
+
+allow hal_bluetooth_btlinux self:socket { create bind read write };
+allow hal_bluetooth_btlinux self:bluetooth_socket { create bind read write };
diff --git a/microdroid/sepolicy/vendor/hal_bluetooth_default.te b/microdroid/sepolicy/vendor/hal_bluetooth_default.te
new file mode 100644
index 0000000..01d60db
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_bluetooth_default.te
@@ -0,0 +1,5 @@
+type hal_bluetooth_default, domain;
+hal_server_domain(hal_bluetooth_default, hal_bluetooth)
+
+type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_bluetooth_default)
diff --git a/microdroid/sepolicy/vendor/hal_bootctl_default.te b/microdroid/sepolicy/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..2b94313
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_bootctl_default.te
@@ -0,0 +1,16 @@
+# Boot control subsystem
+type hal_bootctl_default, domain;
+hal_server_domain(hal_bootctl_default, hal_bootctl)
+
+type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_bootctl_default)
+
+# Needed for ReadDefaultFstab.
+allow hal_bootctl_default proc_cmdline:file r_file_perms;
+allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
+allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
+read_fstab(hal_bootctl_default)
+
+# Needed for reading/writing misc partition.
+allow hal_bootctl_default block_device:dir search;
+allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
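Review bot: `allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;` gives this domain raw read/write access to the misc partition, and nothing in this hunk shows that Microdroid exposes such a partition or runs a boot control HAL. The commit message says the copy will be stripped later, so this is one of the rules worth removing first rather than carrying along. Until then, a comment such as `# TODO(b/189165759): copied from system/sepolicy, not yet reviewed for microdroid` above the last two rules would mark the block-device access as unreviewed.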
diff --git a/microdroid/sepolicy/vendor/hal_broadcastradio_default.te b/microdroid/sepolicy/vendor/hal_broadcastradio_default.te
new file mode 100644
index 0000000..37f65f4
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_broadcastradio_default.te
@@ -0,0 +1,5 @@
+type hal_broadcastradio_default, domain;
+hal_server_domain(hal_broadcastradio_default, hal_broadcastradio)
+
+type hal_broadcastradio_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_broadcastradio_default)
diff --git a/microdroid/sepolicy/vendor/hal_camera_default.te b/microdroid/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..5bc4a61
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,11 @@
+type hal_camera_default, domain;
+hal_server_domain(hal_camera_default, hal_camera)
+
+type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_camera_default)
+
+allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+
+# For collecting bugreports.
+allow hal_camera_default dumpstate:fd use;
+allow hal_camera_default dumpstate:fifo_file write;
diff --git a/microdroid/sepolicy/vendor/hal_can_socketcan.te b/microdroid/sepolicy/vendor/hal_can_socketcan.te
new file mode 100644
index 0000000..7498788
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_can_socketcan.te
@@ -0,0 +1,38 @@
+type hal_can_socketcan, domain;
+hal_server_domain(hal_can_socketcan, hal_can_controller)
+hal_server_domain(hal_can_socketcan, hal_can_bus)
+
+type hal_can_socketcan_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_can_socketcan)
+
+# Managing SocketCAN interfaces
+allow hal_can_socketcan self:capability net_admin;
+allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
+
+# Calling if_nametoindex(3) to open CAN sockets
+allow hal_can_socketcan self:udp_socket { create ioctl };
+allowxperm hal_can_socketcan self:udp_socket ioctl {
+ SIOCGIFINDEX
+};
+
+# Communicating with SocketCAN interfaces and bringing them up/down
+allow hal_can_socketcan self:can_socket { bind create read write ioctl setopt };
+allowxperm hal_can_socketcan self:can_socket ioctl {
+ SIOCGIFFLAGS
+ SIOCSIFFLAGS
+};
+
+# Un-publishing ICanBus interfaces
+allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
+
+allow hal_can_socketcan sysfs:dir r_dir_perms;
+
+allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
+allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
+ TCGETS
+ TCSETSW
+ TIOCGSERIAL
+ TIOCSSERIAL
+ TIOCSETD
+ SIOCGIFNAME
+};
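Review bot: `allow hal_can_socketcan sysfs:dir r_dir_perms;` and the `usb_serial_device` block at the end of the file are the only rules here without a comment, and the second mixes tty ioctls with `SIOCGIFNAME`, which reads like a mistake unless you know the serial line-discipline path. I would add `# slcan: configure the USB serial tty, attach the line discipline and read back the interface name` above the `usb_serial_device` rules (wording to be confirmed by the HAL owner) and a one-line reason above the `sysfs:dir` rule, which applies to the generic `sysfs` label. With those in place it is easier to decide whether this domain, including its `net_admin` capability, belongs in a Microdroid policy at all.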
diff --git a/microdroid/sepolicy/vendor/hal_cas_default.te b/microdroid/sepolicy/vendor/hal_cas_default.te
new file mode 100644
index 0000000..cc1a2c8
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_cas_default.te
@@ -0,0 +1,10 @@
+type hal_cas_default, domain;
+hal_server_domain(hal_cas_default, hal_cas)
+
+type hal_cas_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_cas_default)
+
+# Allow CAS HAL's default implementation to use vendor-binder service
+vndbinder_use(hal_cas_default);
+
+allow hal_cas_default hal_allocator:fd use;
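Review bot: `vndbinder_use(hal_cas_default);` ends a macro call with `;`, while the other macro calls in this file (`hal_server_domain(...)`, `init_daemon_domain(...)`) have none. The same stray semicolon appears in hal_gatekeeper_default.te (`init_daemon_domain(hal_gatekeeper_default);`), in the `get_prop(...)` lines of hal_keymaster_default.te, hal_keymint_default.te and hal_rebootescrow_default.te, and in `wakelock_use(hal_sensors_default);`. As far as I can tell these macros already expand to complete statements, so the extra `;` is at best redundant. I would write `vndbinder_use(hal_cas_default)` here and drop the semicolon in the other files as well.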
diff --git a/microdroid/sepolicy/vendor/hal_configstore_default.te b/microdroid/sepolicy/vendor/hal_configstore_default.te
new file mode 100644
index 0000000..cc61a16
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_configstore_default.te
@@ -0,0 +1,5 @@
+type hal_configstore_default, domain;
+hal_server_domain(hal_configstore_default, hal_configstore)
+
+type hal_configstore_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_configstore_default)
diff --git a/microdroid/sepolicy/vendor/hal_confirmationui_default.te b/microdroid/sepolicy/vendor/hal_confirmationui_default.te
new file mode 100644
index 0000000..832c687
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_confirmationui_default.te
@@ -0,0 +1,5 @@
+type hal_confirmationui_default, domain;
+hal_server_domain(hal_confirmationui_default, hal_confirmationui)
+
+type hal_confirmationui_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_confirmationui_default)
diff --git a/microdroid/sepolicy/vendor/hal_contexthub_default.te b/microdroid/sepolicy/vendor/hal_contexthub_default.te
new file mode 100644
index 0000000..b29808d
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_contexthub_default.te
@@ -0,0 +1,5 @@
+type hal_contexthub_default, domain;
+hal_server_domain(hal_contexthub_default, hal_contexthub)
+
+type hal_contexthub_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_contexthub_default)
diff --git a/microdroid/sepolicy/vendor/hal_drm_default.te b/microdroid/sepolicy/vendor/hal_drm_default.te
new file mode 100644
index 0000000..e534762
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_drm_default.te
@@ -0,0 +1,8 @@
+type hal_drm_default, domain;
+hal_server_domain(hal_drm_default, hal_drm)
+
+type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_default)
+
+allow hal_drm_default hal_codec2_server:fd use;
+allow hal_drm_default hal_omx_server:fd use;
diff --git a/microdroid/sepolicy/vendor/hal_dumpstate_default.te b/microdroid/sepolicy/vendor/hal_dumpstate_default.te
new file mode 100644
index 0000000..6fbf40f
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_dumpstate_default.te
@@ -0,0 +1,5 @@
+type hal_dumpstate_default, domain;
+hal_server_domain(hal_dumpstate_default, hal_dumpstate)
+
+type hal_dumpstate_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dumpstate_default)
diff --git a/microdroid/sepolicy/vendor/hal_evs_default.te b/microdroid/sepolicy/vendor/hal_evs_default.te
new file mode 100644
index 0000000..57a0299
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_evs_default.te
@@ -0,0 +1,15 @@
+# evs_mock mock hardware driver service
+type hal_evs_default, domain;
+hal_server_domain(hal_evs_default, hal_evs)
+
+# allow init to launch processes in this context
+type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_evs_default)
+
+allow hal_evs_default hal_graphics_allocator_server:fd use;
+
+# allow to use surface flinger
+allow hal_evs_default automotive_display_service_server:fd use;
+
+# allow to use automotive display service
+allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
diff --git a/microdroid/sepolicy/vendor/hal_face_default.te b/microdroid/sepolicy/vendor/hal_face_default.te
new file mode 100644
index 0000000..891d1f4
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_face_default.te
@@ -0,0 +1,5 @@
+type hal_face_default, domain;
+hal_server_domain(hal_face_default, hal_face)
+
+type hal_face_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_face_default)
diff --git a/microdroid/sepolicy/vendor/hal_fingerprint_default.te b/microdroid/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..638b603
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,5 @@
+type hal_fingerprint_default, domain;
+hal_server_domain(hal_fingerprint_default, hal_fingerprint)
+
+type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_default)
diff --git a/microdroid/sepolicy/vendor/hal_gatekeeper_default.te b/microdroid/sepolicy/vendor/hal_gatekeeper_default.te
new file mode 100644
index 0000000..a3654cc
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_gatekeeper_default.te
@@ -0,0 +1,5 @@
+type hal_gatekeeper_default, domain;
+hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)
+
+type hal_gatekeeper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_gatekeeper_default);
diff --git a/microdroid/sepolicy/vendor/hal_gnss_default.te b/microdroid/sepolicy/vendor/hal_gnss_default.te
new file mode 100644
index 0000000..cea362f
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_gnss_default.te
@@ -0,0 +1,7 @@
+type hal_gnss_default, domain;
+hal_server_domain(hal_gnss_default, hal_gnss)
+
+type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_gnss_default)
+
+allow hal_gnss_default gnss_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/vendor/hal_graphics_allocator_default.te b/microdroid/sepolicy/vendor/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..a129ad4
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_graphics_allocator_default.te
@@ -0,0 +1,10 @@
+type hal_graphics_allocator_default, domain;
+type hal_graphics_allocator_default_tmpfs, file_type;
+hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
+
+type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_graphics_allocator_default)
+tmpfs_domain(hal_graphics_allocator_default)
+
+# b/70180742
+dontaudit hal_graphics_allocator_default unlabeled:dir search;
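Review bot: `dontaudit hal_graphics_allocator_default unlabeled:dir search;` suppresses denials on unlabeled directories, and its only justification is the bug reference `b/70180742`, which presumably comes from the policy this file was copied from. During bring-up of a new policy tree, accesses to unlabeled objects are exactly what should show up in the AVC log, so I would not carry the suppression over. The same applies to the `dontaudit` at the end of hal_graphics_composer_default.te. If the rule has to stay, a comment such as `# copied from system/sepolicy; re-check once microdroid labelling is final` would record why it is there.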
diff --git a/microdroid/sepolicy/vendor/hal_graphics_composer_default.te b/microdroid/sepolicy/vendor/hal_graphics_composer_default.te
new file mode 100644
index 0000000..7dcd2b2
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_graphics_composer_default.te
@@ -0,0 +1,10 @@
+type hal_graphics_composer_default, domain;
+hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
+
+type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_graphics_composer_default)
+type_transition hal_graphics_composer_default tmpfs:file hal_graphics_composer_server_tmpfs;
+allow hal_graphics_composer_default hal_graphics_composer_server_tmpfs:file { getattr map read write };
+
+# b/68864350
+dontaudit hal_graphics_composer_default unlabeled:dir search;
diff --git a/microdroid/sepolicy/vendor/hal_health_default.te b/microdroid/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..9b2b921
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1,6 @@
+# health info abstraction
+type hal_health_default, domain;
+hal_server_domain(hal_health_default, hal_health)
+
+type hal_health_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_health_default)
diff --git a/microdroid/sepolicy/vendor/hal_health_storage_default.te b/microdroid/sepolicy/vendor/hal_health_storage_default.te
new file mode 100644
index 0000000..37b3e24
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_health_storage_default.te
@@ -0,0 +1,6 @@
+type hal_health_storage_default, domain;
+hal_server_domain(hal_health_storage_default, hal_health_storage)
+
+type hal_health_storage_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_health_storage_default)
+
diff --git a/microdroid/sepolicy/vendor/hal_identity_default.te b/microdroid/sepolicy/vendor/hal_identity_default.te
new file mode 100644
index 0000000..7f84687
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_identity_default.te
@@ -0,0 +1,5 @@
+type hal_identity_default, domain;
+hal_server_domain(hal_identity_default, hal_identity)
+
+type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_identity_default)
diff --git a/microdroid/sepolicy/vendor/hal_input_classifier_default.te b/microdroid/sepolicy/vendor/hal_input_classifier_default.te
new file mode 100644
index 0000000..915cc78
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_input_classifier_default.te
@@ -0,0 +1,5 @@
+type hal_input_classifier_default, domain;
+hal_server_domain(hal_input_classifier_default, hal_input_classifier)
+
+type hal_input_classifier_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_input_classifier_default)
diff --git a/microdroid/sepolicy/vendor/hal_ir_default.te b/microdroid/sepolicy/vendor/hal_ir_default.te
new file mode 100644
index 0000000..943aab0
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_ir_default.te
@@ -0,0 +1,5 @@
+type hal_ir_default, domain;
+hal_server_domain(hal_ir_default, hal_ir)
+
+type hal_ir_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_ir_default)
diff --git a/microdroid/sepolicy/vendor/hal_keymaster_default.te b/microdroid/sepolicy/vendor/hal_keymaster_default.te
new file mode 100644
index 0000000..6f0d82a
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_keymaster_default.te
@@ -0,0 +1,7 @@
+type hal_keymaster_default, domain;
+hal_server_domain(hal_keymaster_default, hal_keymaster)
+
+type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymaster_default)
+
+get_prop(hal_keymaster_default, vendor_security_patch_level_prop);
diff --git a/microdroid/sepolicy/vendor/hal_keymint_default.te b/microdroid/sepolicy/vendor/hal_keymint_default.te
new file mode 100644
index 0000000..3b86a1b
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_keymint_default.te
@@ -0,0 +1,10 @@
+type hal_keymint_default, domain;
+hal_server_domain(hal_keymint_default, hal_keymint)
+
+type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymint_default)
+
+hal_attribute_service(hal_keymint, hal_secureclock_service)
+hal_attribute_service(hal_keymint, hal_sharedsecret_service)
+
+get_prop(hal_keymint_default, vendor_security_patch_level_prop);
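Review bot: The two `hal_attribute_service(hal_keymint, ...)` lines act on the `hal_keymint` attribute rather than on `hal_keymint_default`, so they change what every client and server of that HAL may do from a file that reads as one vendor domain's policy. This is the one HAL that vendor/file_contexts labels in this commit, so this file will be in effect and deserves to be unambiguous. I would move the two lines next to the policy for the `hal_keymint` attribute itself, or at least add `# applies to all hal_keymint clients and servers, not only this domain` above them.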
diff --git a/microdroid/sepolicy/vendor/hal_light_default.te b/microdroid/sepolicy/vendor/hal_light_default.te
new file mode 100644
index 0000000..c7fa9a1
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_light_default.te
@@ -0,0 +1,5 @@
+type hal_light_default, domain;
+hal_server_domain(hal_light_default, hal_light)
+
+type hal_light_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_light_default)
diff --git a/microdroid/sepolicy/vendor/hal_lowpan_default.te b/microdroid/sepolicy/vendor/hal_lowpan_default.te
new file mode 100644
index 0000000..a49bf24
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_lowpan_default.te
@@ -0,0 +1,5 @@
+type hal_lowpan_default, domain;
+type hal_lowpan_default_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_lowpan_default, hal_lowpan)
+init_daemon_domain(hal_lowpan_default)
diff --git a/microdroid/sepolicy/vendor/hal_memtrack_default.te b/microdroid/sepolicy/vendor/hal_memtrack_default.te
new file mode 100644
index 0000000..c547699
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_memtrack_default.te
@@ -0,0 +1,5 @@
+type hal_memtrack_default, domain;
+hal_server_domain(hal_memtrack_default, hal_memtrack)
+
+type hal_memtrack_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_memtrack_default)
diff --git a/microdroid/sepolicy/vendor/hal_nfc_default.te b/microdroid/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..c13baa7
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,5 @@
+type hal_nfc_default, domain;
+hal_server_domain(hal_nfc_default, hal_nfc)
+
+type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_nfc_default)
diff --git a/microdroid/sepolicy/vendor/hal_oemlock_default.te b/microdroid/sepolicy/vendor/hal_oemlock_default.te
new file mode 100644
index 0000000..8597f2c
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_oemlock_default.te
@@ -0,0 +1,5 @@
+type hal_oemlock_default, domain;
+hal_server_domain(hal_oemlock_default, hal_oemlock)
+
+type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_oemlock_default)
diff --git a/microdroid/sepolicy/vendor/hal_power_default.te b/microdroid/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..3be4f22
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1,5 @@
+type hal_power_default, domain;
+hal_server_domain(hal_power_default, hal_power)
+
+type hal_power_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_power_default)
diff --git a/microdroid/sepolicy/vendor/hal_power_stats_default.te b/microdroid/sepolicy/vendor/hal_power_stats_default.te
new file mode 100644
index 0000000..b7a2c02
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_power_stats_default.te
@@ -0,0 +1,5 @@
+type hal_power_stats_default, domain;
+hal_server_domain(hal_power_stats_default, hal_power_stats)
+
+type hal_power_stats_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_power_stats_default)
diff --git a/microdroid/sepolicy/vendor/hal_radio_config_default.te b/microdroid/sepolicy/vendor/hal_radio_config_default.te
new file mode 100644
index 0000000..ccbe5bf
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_radio_config_default.te
@@ -0,0 +1,6 @@
+type hal_radio_config_default, domain;
+hal_server_domain(hal_radio_config_default, hal_telephony)
+
+type hal_radio_config_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_config_default)
+
diff --git a/microdroid/sepolicy/vendor/hal_radio_default.te b/microdroid/sepolicy/vendor/hal_radio_default.te
new file mode 100644
index 0000000..82fd40e
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_radio_default.te
@@ -0,0 +1,6 @@
+type hal_radio_default, domain;
+hal_server_domain(hal_radio_default, hal_telephony)
+
+type hal_radio_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_default)
+
diff --git a/microdroid/sepolicy/vendor/hal_rebootescrow_default.te b/microdroid/sepolicy/vendor/hal_rebootescrow_default.te
new file mode 100644
index 0000000..2625693
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_rebootescrow_default.te
@@ -0,0 +1,10 @@
+type hal_rebootescrow_default, domain;
+hal_server_domain(hal_rebootescrow_default, hal_rebootescrow)
+get_prop(hal_rebootescrow_default, rebootescrow_hal_prop);
+
+type hal_rebootescrow_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_rebootescrow_default)
+
+type rebootescrow_device, dev_type;
+allow hal_rebootescrow_default rebootescrow_device:{ chr_file blk_file } rw_file_perms;
+allow hal_rebootescrow_default block_device:dir search;
diff --git a/microdroid/sepolicy/vendor/hal_secure_element_default.te b/microdroid/sepolicy/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000..b1a94a1
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_secure_element_default.te
@@ -0,0 +1,7 @@
+type hal_secure_element_default, domain;
+hal_server_domain(hal_secure_element_default, hal_secure_element)
+type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
+
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+
+init_daemon_domain(hal_secure_element_default)
diff --git a/microdroid/sepolicy/vendor/hal_sensors_default.te b/microdroid/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..8752364
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,23 @@
+type hal_sensors_default, domain;
+hal_server_domain(hal_sensors_default, hal_sensors)
+
+type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_sensors_default)
+
+allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
+
+allow hal_sensors_default input_device:dir r_dir_perms;
+allow hal_sensors_default input_device:chr_file r_file_perms;
+
+# Allow sensor hals to access and use gralloc memory allocated by
+# android.hardware.graphics.allocator
+allow hal_sensors_default hal_graphics_allocator_default:fd use;
+allow hal_sensors_default ion_device:chr_file r_file_perms;
+allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+# allow sensor hal to use lock for keeping system awake for wake up
+# events delivery.
+wakelock_use(hal_sensors_default);
+
+# allow sensor hal to use ashmem fd from system_server.
+allow hal_sensors_default system_server:fd use;
diff --git a/microdroid/sepolicy/vendor/hal_tetheroffload_default.te b/microdroid/sepolicy/vendor/hal_tetheroffload_default.te
new file mode 100644
index 0000000..03c542b
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_tetheroffload_default.te
@@ -0,0 +1,5 @@
+type hal_tetheroffload_default, domain;
+hal_server_domain(hal_tetheroffload_default, hal_tetheroffload)
+
+type hal_tetheroffload_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tetheroffload_default)
diff --git a/microdroid/sepolicy/vendor/hal_thermal_default.te b/microdroid/sepolicy/vendor/hal_thermal_default.te
new file mode 100644
index 0000000..73b2eff
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_thermal_default.te
@@ -0,0 +1,5 @@
+type hal_thermal_default, domain;
+hal_server_domain(hal_thermal_default, hal_thermal)
+
+type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;
+init_daemon_domain(hal_thermal_default)
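Review bot: `vendor_file_type` is listed twice in the declaration of `hal_thermal_default_exec`. As far as I know the duplicate does not change the compiled policy, but it differs from every sibling file in this commit and looks like a copy error. The line should read `type hal_thermal_default_exec, exec_type, vendor_file_type, file_type;`.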
diff --git a/microdroid/sepolicy/vendor/hal_tv_cec_default.te b/microdroid/sepolicy/vendor/hal_tv_cec_default.te
new file mode 100644
index 0000000..080e73b
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_tv_cec_default.te
@@ -0,0 +1,5 @@
+type hal_tv_cec_default, domain;
+hal_server_domain(hal_tv_cec_default, hal_tv_cec)
+
+type hal_tv_cec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_cec_default)
diff --git a/microdroid/sepolicy/vendor/hal_tv_input_default.te b/microdroid/sepolicy/vendor/hal_tv_input_default.te
new file mode 100644
index 0000000..12d9743
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_tv_input_default.te
@@ -0,0 +1,6 @@
+type hal_tv_input_default, domain;
+hal_server_domain(hal_tv_input_default, hal_tv_input)
+
+type hal_tv_input_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_input_default)
+
diff --git a/microdroid/sepolicy/vendor/hal_tv_tuner_default.te b/microdroid/sepolicy/vendor/hal_tv_tuner_default.te
new file mode 100644
index 0000000..639c7bd
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_tv_tuner_default.te
@@ -0,0 +1,10 @@
+type hal_tv_tuner_default, domain;
+hal_server_domain(hal_tv_tuner_default, hal_tv_tuner)
+
+type hal_tv_tuner_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_tuner_default)
+
+allow hal_tv_tuner_default ion_device:chr_file r_file_perms;
+
+# Access to /dev/dma_heap/system
+allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/vendor/hal_usb_default.te b/microdroid/sepolicy/vendor/hal_usb_default.te
new file mode 100644
index 0000000..5642a2a
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_usb_default.te
@@ -0,0 +1,5 @@
+type hal_usb_default, domain;
+hal_server_domain(hal_usb_default, hal_usb)
+
+type hal_usb_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_usb_default)
diff --git a/microdroid/sepolicy/vendor/hal_usb_gadget_default.te b/microdroid/sepolicy/vendor/hal_usb_gadget_default.te
new file mode 100644
index 0000000..f1486b9
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_usb_gadget_default.te
@@ -0,0 +1,5 @@
+type hal_usb_gadget_default, domain;
+hal_server_domain(hal_usb_gadget_default, hal_usb_gadget)
+
+type hal_usb_gadget_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_usb_gadget_default)
diff --git a/microdroid/sepolicy/vendor/hal_vehicle_default.te b/microdroid/sepolicy/vendor/hal_vehicle_default.te
new file mode 100644
index 0000000..56a47b7
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_vehicle_default.te
@@ -0,0 +1,10 @@
+# vehicle subsystem
+type hal_vehicle_default, domain;
+hal_server_domain(hal_vehicle_default, hal_vehicle)
+
+# may be started by init
+type hal_vehicle_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vehicle_default)
+
+# communication with CAN bus HAL
+hal_client_domain(hal_vehicle_default, hal_can_bus)
diff --git a/microdroid/sepolicy/vendor/hal_vibrator_default.te b/microdroid/sepolicy/vendor/hal_vibrator_default.te
new file mode 100644
index 0000000..6c10d8a
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_vibrator_default.te
@@ -0,0 +1,5 @@
+type hal_vibrator_default, domain;
+hal_server_domain(hal_vibrator_default, hal_vibrator)
+
+type hal_vibrator_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vibrator_default)
diff --git a/microdroid/sepolicy/vendor/hal_vr_default.te b/microdroid/sepolicy/vendor/hal_vr_default.te
new file mode 100644
index 0000000..6a60192
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_vr_default.te
@@ -0,0 +1,5 @@
+type hal_vr_default, domain;
+hal_server_domain(hal_vr_default, hal_vr)
+
+type hal_vr_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vr_default)
diff --git a/microdroid/sepolicy/vendor/hal_weaver_default.te b/microdroid/sepolicy/vendor/hal_weaver_default.te
new file mode 100644
index 0000000..0dd7679
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_weaver_default.te
@@ -0,0 +1,5 @@
+type hal_weaver_default, domain;
+hal_server_domain(hal_weaver_default, hal_weaver)
+
+type hal_weaver_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_weaver_default)
diff --git a/microdroid/sepolicy/vendor/hal_wifi_default.te b/microdroid/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..75a9842
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1,5 @@
+type hal_wifi_default, domain;
+hal_server_domain(hal_wifi_default, hal_wifi)
+
+type hal_wifi_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_default)
diff --git a/microdroid/sepolicy/vendor/hal_wifi_hostapd_default.te b/microdroid/sepolicy/vendor/hal_wifi_hostapd_default.te
new file mode 100644
index 0000000..1e0dcb8
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_wifi_hostapd_default.te
@@ -0,0 +1,12 @@
+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir create_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:sock_file create_file_perms;
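Review bot: The comment above the three `hostapd_data_file` rules has a typo: "it's" should be "its", i.e. `# Allow hostapd to access its data folder`. The parallel `wpa_data_file` rules in hal_wifi_supplicant_default.te have no comment at all. Adding `# Allow wpa_supplicant to access its data folder` there would keep the two files consistent.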
diff --git a/microdroid/sepolicy/vendor/hal_wifi_supplicant_default.te b/microdroid/sepolicy/vendor/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..b6b9e09
--- /dev/null
+++ b/microdroid/sepolicy/vendor/hal_wifi_supplicant_default.te
@@ -0,0 +1,32 @@
+# wpa supplicant or equivalent
+type hal_wifi_supplicant_default, domain;
+hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
+type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_supplicant_default)
+
+net_domain(hal_wifi_supplicant_default)
+# Create a socket for receiving info from wpa
+type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
+
+# Allow wpa_supplicant to configure nl80211
+allow hal_wifi_supplicant_default proc_net_type:file write;
+
+# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
+hwbinder_use(hal_wifi_supplicant_default)
+allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
+binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
+
+allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms;
+allow hal_wifi_supplicant_default wpa_data_file:sock_file create_file_perms;
+
+# Write to security logs for audit.
+get_prop(hal_wifi_supplicant_default, device_logging_prop)
+
+# Devices upgrading to P may grant this permission in device-specific
+# policy along with the data_between_core_and_vendor_violators
+# attribute needed for an exemption. However, devices that launch with
+# P should use /data/vendor/wifi, which is already granted in core
+# policy. This is dontaudited here to avoid conditional
+# device-specific behavior in wpa_supplicant.
+dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
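Review bot: The rule `allow hal_wifi_supplicant_default proc_net_type:file write;` grants write on every type carrying the `proc_net_type` attribute, but its comment speaks of nl80211, which is a netlink interface rather than a /proc file. Either narrow the target to the specific proc type wpa_supplicant actually writes, or correct the comment so the breadth is visible, e.g. `# Allow wpa_supplicant to write /proc/net entries (all proc_net_type labels; TODO narrow)`. The `type_transition` and the final `dontaudit` also reference `wifi_data_file` and `wpa_socket`, which are not declared in the vendor file.te added by this commit. Confirm they are defined elsewhere in the microdroid policy set.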
diff --git a/microdroid/sepolicy/vendor/keys.conf b/microdroid/sepolicy/vendor/keys.conf
new file mode 100644
index 0000000..71ad2c9
--- /dev/null
+++ b/microdroid/sepolicy/vendor/keys.conf
@@ -0,0 +1,19 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+# Some vendor apps are using platform key for signing.
+# This moves them to untrusted_app domain when the system partition is
+# switched to a Generic System Image (GSI), because the value of platform's
+# seinfo in /system/etc/selinux/plat_mac_permissions.xml has been changed.
+# Duplicating the device-specific platform seinfo into
+# /vendor/etc/selinux/vendor_mac_permissions.xml to make it self-contained
+# within the vendor partition.
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
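Review bot: `ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem` binds `@PLATFORM` to the dev certificate path for every build variant, and the `<signer signature="@PLATFORM">` stanza in mac_permissions.xml (the next file in this commit) maps that signer to the `platform` seinfo. If the variable still resolves to the AOSP development keys in a shipped image, anything signed with those widely available keys would receive `platform` seinfo, so confirm the microdroid build overrides it for release builds. It is also worth recording whether signature-based seinfo is used in Microdroid at all, e.g. `# TODO: drop keys.conf and mac_permissions.xml if microdroid assigns no seinfo by signature`.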
diff --git a/microdroid/sepolicy/vendor/mac_permissions.xml b/microdroid/sepolicy/vendor/mac_permissions.xml
new file mode 100644
index 0000000..2d6fab0
--- /dev/null
+++ b/microdroid/sepolicy/vendor/mac_permissions.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag. The signature can
+ either appear as a set of attached cert child tags or as an attribute.
+ * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+ * Each signer/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process as well as the apps data directory.
+ * seinfo assignments are made according to the following rules:
+ - Stanzas with package name refinements will be checked first.
+ - Stanzas w/o package name refinements will be checked second.
+ - The "default" seinfo label is automatically applied.
+
+ * valid stanzas can take one of the following forms:
+
+ // single cert protecting seinfo
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ // multiple certs protecting seinfo (all contained certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <seinfo value="platform" />
+ </signer>
+
+ // single cert protecting explicitly named app
+ <signer signature="@PLATFORM" >
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+
+ // multiple certs protecting explicitly named app (all certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+-->
+
+ <!-- Vendor dev key in AOSP -->
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+</policy>
diff --git a/microdroid/sepolicy/vendor/mediacodec.te b/microdroid/sepolicy/vendor/mediacodec.te
new file mode 100644
index 0000000..f78b58f
--- /dev/null
+++ b/microdroid/sepolicy/vendor/mediacodec.te
@@ -0,0 +1,38 @@
+type mediacodec, domain, mlstrustedsubject;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mediacodec)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
+hal_server_domain(mediacodec, hal_codec2)
+hal_server_domain(mediacodec, hal_omx)
+
+# mediacodec may use an input surface from a different Codec2 or OMX service
+hal_client_domain(mediacodec, hal_codec2)
+hal_client_domain(mediacodec, hal_omx)
+
+hal_client_domain(mediacodec, hal_allocator)
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec ion_device:chr_file rw_file_perms;
+allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir search;
+
+crash_dump_fallback(mediacodec)
+
+# get aac_drc_* properties
+get_prop(mediacodec, aac_drc_prop)
+
+# mediacodec should never execute any executable without a domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
diff --git a/microdroid/sepolicy/vendor/rild.te b/microdroid/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..fc84ef7
--- /dev/null
+++ b/microdroid/sepolicy/vendor/rild.te
@@ -0,0 +1,9 @@
+# rild - radio interface layer daemon
+type rild, domain;
+hal_server_domain(rild, hal_telephony)
+net_domain(rild)
+
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+type rild_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(rild)
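Review bot: The comment above `type rild_exec` runs two sentences together and is hard to parse: "type_transition must be private policy the domain_trans rules could stay public, but conceptually should go with this". Splitting it reads cleanly: `# The type_transition must live in private policy. The domain_trans rules could` / `# stay public, but conceptually belong with it.`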
diff --git a/microdroid/sepolicy/vendor/tee.te b/microdroid/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..4b2e6c7
--- /dev/null
+++ b/microdroid/sepolicy/vendor/tee.te
@@ -0,0 +1,17 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(tee)
+
+allow tee self:global_capability_class_set { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:file create_file_perms;
+allow tee self:netlink_socket create_socket_perms_no_ioctl;
+allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow tee ion_device:chr_file r_file_perms;
+r_dir_file(tee, sysfs_type)
+
+allow tee system_data_file:file { getattr read };
+allow tee system_data_file:lnk_file { getattr read };
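Review bot: `allow tee self:global_capability_class_set { dac_override };` has no justification, and `dac_override` lets the daemon bypass file permission checks on everything its SELinux rules reach. Add a why-comment naming the path that needs it, e.g. `# dac_override: needed for <path> owned by <uid>; TODO fix ownership and remove`, or drop the capability and fix ownership of the `tee_data_file` tree instead. The uncommented `system_data_file` read rules at the end of the file deserve the same treatment. The `tee` type itself is not declared in this file, so confirm it is declared elsewhere in the microdroid policy set.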
diff --git a/microdroid/sepolicy/vendor/vendor_install_recovery.te b/microdroid/sepolicy/vendor/vendor_install_recovery.te
new file mode 100644
index 0000000..ff63f75
--- /dev/null
+++ b/microdroid/sepolicy/vendor/vendor_install_recovery.te
@@ -0,0 +1,24 @@
+init_daemon_domain(vendor_install_recovery)
+
+# service vendor_flash_recovery in
+# bootable/recovery/applypatch/vendor_flash_recovery.rc
+type vendor_install_recovery, domain;
+type vendor_install_recovery_exec, vendor_file_type, exec_type, file_type;
+
+# /vendor/bin/install-recovery.sh is a shell script.
+# Needs to execute /vendor/bin/sh
+allow vendor_install_recovery vendor_shell_exec:file rx_file_perms;
+
+# Execute /vendor/bin/applypatch
+allow vendor_install_recovery vendor_file:file rx_file_perms;
+not_full_treble(`allow vendor_install_recovery vendor_file:file rx_file_perms;')
+
+allow vendor_install_recovery vendor_toolbox_exec:file rx_file_perms;
+
+# Update the recovery block device based off a diff of the boot block device
+allow vendor_install_recovery block_device:dir search;
+allow vendor_install_recovery boot_block_device:blk_file r_file_perms;
+allow vendor_install_recovery recovery_block_device:blk_file rw_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vendor_install_recovery proc_drop_caches:file w_file_perms;
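Review bot: The `not_full_treble(...)` line is redundant: it repeats `allow vendor_install_recovery vendor_file:file rx_file_perms;`, which the line directly above already grants unconditionally. If execution of generic `vendor_file` was meant to be limited to non-Treble devices, remove the unconditional rule. If /vendor/bin/applypatch must always be executable, remove the conditional one. In the second case a dedicated exec type for applypatch would stop this domain from executing every file that falls back to the `vendor_file` label, which matters given that it also holds `rw_file_perms` on `recovery_block_device`.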
diff --git a/microdroid/sepolicy/vendor/vendor_misc_writer.te b/microdroid/sepolicy/vendor/vendor_misc_writer.te
new file mode 100644
index 0000000..245749e
--- /dev/null
+++ b/microdroid/sepolicy/vendor/vendor_misc_writer.te
@@ -0,0 +1 @@
+init_daemon_domain(vendor_misc_writer)
diff --git a/microdroid/sepolicy/vendor/vendor_modprobe.te b/microdroid/sepolicy/vendor/vendor_modprobe.te
new file mode 100644
index 0000000..3f5918c
--- /dev/null
+++ b/microdroid/sepolicy/vendor/vendor_modprobe.te
@@ -0,0 +1,11 @@
+# For the use of /vendor/bin/modprobe from vendor init.rc fragments
+domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
+
+allow vendor_modprobe proc_modules:file r_file_perms;
+allow vendor_modprobe proc_cmdline:file r_file_perms;
+allow vendor_modprobe kmsg_device:chr_file w_file_perms;
+allow vendor_modprobe self:global_capability_class_set sys_module;
+allow vendor_modprobe kernel:key search;
+
+allow vendor_modprobe { vendor_file }:system module_load;
+r_dir_file(vendor_modprobe, { vendor_file })
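Review bot: `allow vendor_modprobe { vendor_file }:system module_load;` combined with `sys_module` lets this domain load a kernel module from any file labelled `vendor_file`. The file_contexts added in this commit makes `vendor_file` the catch-all label for the vendor tree (`(/.*)? u:object_r:vendor_file:s0`). A dedicated module type keeps the loadable set explicit, e.g. `allow vendor_modprobe vendor_kernel_modules:system module_load;`, assuming such a type is or can be defined in this policy set and the module directory is labelled with it. The `vendor_modprobe` type is not declared in this file, so confirm it exists in the microdroid policy.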
diff --git a/microdroid/sepolicy/vendor/vndservice_contexts b/microdroid/sepolicy/vendor/vndservice_contexts
new file mode 100644
index 0000000..068056f
--- /dev/null
+++ b/microdroid/sepolicy/vendor/vndservice_contexts
@@ -0,0 +1,2 @@
+manager u:object_r:service_manager_vndservice:s0
+* u:object_r:default_android_vndservice:s0
diff --git a/microdroid/sepolicy/vendor/vndservicemanager.te b/microdroid/sepolicy/vendor/vndservicemanager.te
new file mode 100644
index 0000000..497e027
--- /dev/null
+++ b/microdroid/sepolicy/vendor/vndservicemanager.te
@@ -0,0 +1,22 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Read vndservice_contexts
+allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+
+add_service(vndservicemanager, service_manager_vndservice)
+
+# Start lazy services
+set_prop(vndservicemanager, ctl_interface_start_prop)
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)
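Review bot: `init_daemon_domain(vndservicemanager);` ends with a semicolon, unlike the other macro invocations in this commit, such as `init_daemon_domain(rild)` and `add_service(...)` further down this file. The macro presumably expands to complete statements, so the trailing `;` is at best a stray token. Write `init_daemon_domain(vndservicemanager)` for consistency. The `vndservicemanager` type is also not declared in this file, so confirm it is declared elsewhere in the microdroid policy set.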