Merge "Add rules for Lights AIDL HAL"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6248cab..5c8ad88 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -9,6 +9,7 @@
   untrusted_app
   untrusted_app_25
   untrusted_app_27
+  untrusted_app_29
   untrusted_app_all
 }')
 # Receive or send uevent messages.
@@ -111,6 +112,14 @@
   alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *;
 
+# Disallow sending RTM_GETLINK messages on netlink sockets.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+} domain:netlink_route_socket { nlmsg_readpriv };
+
 # Do not allow untrusted apps access to /cache
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
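Review bot: The new neverallow at the top of this hunk carries no rationale and no pointer to where the three exempted domains obtain the permission, so the `-untrusted_app_25/27/29` exclusions look arbitrary to a later reader. This same change references b/141455849 in public/net.te and grants `nlmsg_readpriv` to those domains in their private/*.te files, so I would extend the comment to `# b/141455849: disallow RTM_GETLINK (nlmsg_readpriv) on any netlink route socket; untrusted_app_25/27/29 keep it for app-compat (see private/untrusted_app_{25,27,29}.te).`. Because the target is `domain` rather than `self`, this assertion also covers route sockets labelled with other domains' types, which is deliberately stronger than the self-only allow in net.te and worth saying explicitly.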
diff --git a/private/atrace.te b/private/atrace.te
index 2545c8b..ad7d177 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -37,6 +37,7 @@
   -installd_service
   -vold_service
   -lpdump_service
+  -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
 
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
new file mode 100644
index 0000000..e397d10
--- /dev/null
+++ b/private/automotive_display_service.te
@@ -0,0 +1,20 @@
+# Display service for Automotive
+type automotive_display, domain, coredomain;
+type automotive_display_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(automotive_display)
+
+# Allow to use Binder IPC for SurfaceFlinger.
+binder_use(automotive_display)
+
+# Allow to use HwBinder IPC for HAL implementations.
+hwbinder_use(automotive_display)
+
+# Allow to read the target property.
+get_prop(automotive_display, hwservicemanager_prop)
+
+# Allow to find SurfaceFlinger.
+allow automotive_display surfaceflinger_service:service_manager find;
+
+# Allow client domain to do binder IPC to serverdomain.
+binder_call(automotive_display, surfaceflinger)
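Review bot: Two comments in the new file restate the macro instead of this domain's need: `# Allow to read the target property.` above `get_prop(automotive_display, hwservicemanager_prop)` and `# Allow client domain to do binder IPC to serverdomain.` above `binder_call(automotive_display, surfaceflinger)`. Name the actual property and peer, e.g. `# Read hwservicemanager_prop (presumably needed because this domain uses HwBinder).` and `# Binder calls to surfaceflinger.`. A one-line header stating which binary runs in this domain (`/system/bin/android.frameworks.automotive.display@1.0-service`, labelled in private/file_contexts) and which hwservice it registers would also help, since the file name says "service" while the domain name does not.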
diff --git a/private/automotive_display_service_server.te b/private/automotive_display_service_server.te
new file mode 100644
index 0000000..a916de8
--- /dev/null
+++ b/private/automotive_display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(automotive_display, fwk_automotive_display_hwservice)
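Review bot: `add_hwservice` is applied directly to the `automotive_display` domain here, while public/attributes in this same change declares a new `automotive_display_service_server` attribute that nothing in the diff assigns or uses. The neighbouring attributes (camera_service_server, display_service_server) exist so policy outside the core image can reference the server without depending on which core domain implements it; either register the hwservice on the attribute and add `typeattribute automotive_display automotive_display_service_server;` in private/automotive_display_service.te, or drop the unused attribute. If the attribute is consumed somewhere outside this diff, a comment next to its declaration saying so would settle it.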
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 322360d..38d980e 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -14,6 +14,8 @@
     app_integrity_service
     app_search_service
     auth_service
+    automotive_display
+    automotive_display_exec
     ashmem_libcutils_device
     blob_store_service
     binder_cache_system_server_prop
@@ -30,6 +32,7 @@
     device_config_sys_traced_prop
     exported_camera_prop
     file_integrity_service
+    fwk_automotive_display_hwservice
     gmscore_app
     hal_can_bus_hwservice
     hal_can_controller_hwservice
@@ -42,6 +45,7 @@
     incfs
     incremental_service
     incremental_root_file
+    init_perf_lsm_hooks_prop
     init_svc_debug_prop
     iorap_prefetcherd
     iorap_prefetcherd_data_file
@@ -71,6 +75,7 @@
     system_unsolzygote_socket
     tethering_service
     timezonedetector_service
+    untrusted_app_29
     usb_serial_device
     userspace_reboot_prop
     userspace_reboot_config_prop
diff --git a/private/file_contexts b/private/file_contexts
index c98909e..c7729d8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -343,6 +343,7 @@
 /system/bin/notify_traceur\.sh       u:object_r:notify_traceur_exec:s0
 /system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 /system/bin/aidl_lazy_test_server    u:object_r:aidl_lazy_test_server_exec:s0
+/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_exec:s0
 
 #############################
 # Vendor files
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 96b2760..238fd53 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -4,6 +4,7 @@
 android.frameworks.schedulerservice::ISchedulingPolicyService   u:object_r:fwk_scheduler_hwservice:s0
 android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_sensor_hwservice:s0
 android.frameworks.stats::IStats                                u:object_r:fwk_stats_hwservice:s0
+android.frameworks.automotive.display::ICarWindowService        u:object_r:fwk_automotive_display_hwservice:s0
 android.hardware.atrace::IAtraceDevice                          u:object_r:hal_atrace_hwservice:s0
 android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
 android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
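Review bot: The new `android.frameworks.automotive.display::ICarWindowService` entry is appended after the `stats` line, whereas the surrounding android.frameworks.* entries are kept in alphabetical order; `automotive` belongs ahead of `schedulerservice`. The same applies to `fwk_automotive_display_hwservice` in public/hwservice.te, which is inserted after `fwk_stats_hwservice` instead of in sorted position. Sorted insertion keeps future merges clean and makes a duplicate or missing mapping easier to spot.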
diff --git a/private/init.te b/private/init.te
index 116eff4..42ec0f3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -45,3 +45,18 @@
 set_prop(init, userspace_reboot_exported_prop)
 neverallow { domain -init } userspace_reboot_prop:property_service set;
 neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+# TODO(b/137092007): this can be removed once the platform stops supporting
+# kernels that precede the perf_event_open hooks (Android common kernels 4.4
+# and 4.9).
+allow init self:perf_event { open cpu };
+neverallow init self:perf_event { kernel tracepoint read write };
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Only init is allowed to set the sysprop indicating whether perf_event_open()
+# SELinux hooks were detected.
+set_prop(init, init_perf_lsm_hooks_prop)
+neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
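Review bot: The `dontaudit init self:perf_event { kernel tracepoint read write };` line has no comment of its own, and its pairing with the neverallow directly above is the non-obvious part of the probe: init deliberately attempts the denied perf_event operations, so the dontaudit is what keeps every boot from logging AVC denials that look like a real violation. One line such as `# The probe intentionally triggers these denials; suppress the audit noise.` would make that explicit. The TODO above only mentions removing the test; it should say that the neverallow and dontaudit go with it, since a neverallow left behind would block any future legitimate perf use by init.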
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 15c0f3f..49e9065 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -13,6 +13,10 @@
 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
 
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 allow isolated_app webviewupdate_service:service_manager find;
@@ -130,7 +134,7 @@
 # excluding unix_stream_socket and unix_dgram_socket.
 # Many of these are socket families which have never and will never
 # be compiled into the Android kernel.
-neverallow isolated_app self:{
+neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
   socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
   key_socket appletalk_socket netlink_route_socket
   netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
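Review bot: The neverallow rewritten at the start of this hunk now names `ephemeral_app`, `priv_app` and `untrusted_app_all` as targets, but its permission vector lies past the end of the hunk, so a reader cannot check that it is compatible with the new `allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };` earlier in this file. The two can only coexist if the neverallow is restricted to creation-style permissions, as the earlier comment "New socket creation is not permitted" implies; a `*` or read/write vector would fail the neverallow check at policy build time. I would update the preceding comment block (which also begins outside the hunk) to say the rule forbids creating these sockets for these peer types, not using ones inherited over IPC, so the intent survives the next edit.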
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index f82e05d..414b39f 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -4,7 +4,7 @@
 init_daemon_domain(linkerconfig)
 
 ## Read and write linkerconfig subdirectory.
-allow linkerconfig linkerconfig_file:dir rw_dir_perms;
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
 allow linkerconfig linkerconfig_file:file create_file_perms;
 
 # Allow linkerconfig to log to the kernel.
@@ -13,4 +13,7 @@
 # Allow linkerconfig to be invoked with logwrapper from init.
 allow linkerconfig devpts:chr_file { read write };
 
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
 neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
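Review bot: The comment `## Read and write linkerconfig subdirectory.` above the changed line in the first hunk no longer matches the grant: `create_dir_perms` adds directory creation, removal and rename on top of `rw_dir_perms`. Suggest `## Create, read and write the linkerconfig directory and its subdirectories.` so the wider permission is documented where it is granted. The new `apex_mnt_dir:dir r_dir_perms` line is read-only and its comment is fine as written.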
diff --git a/private/priv_app.te b/private/priv_app.te
index 6983840..c879c33 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -111,13 +111,6 @@
 allow priv_app preloads_media_file:file r_file_perms;
 allow priv_app preloads_media_file:dir r_dir_perms;
 
-# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
-allow priv_app selinuxfs:file r_file_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
-  auditallow priv_app selinuxfs:file r_file_perms;
-')
-
 read_runtime_log_tags(priv_app)
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
diff --git a/private/property_contexts b/private/property_contexts
index 625bf37..2db46a0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -23,6 +23,7 @@
 ro.hw.                  u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
 sys.init.userspace_reboot   u:object_r:userspace_reboot_prop:s0
+sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
 sys.cppreopt            u:object_r:cppreopt_prop:s0
 sys.linker.             u:object_r:linker_prop:s0
 sys.lpdumpd             u:object_r:lpdumpd_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 3838578..fed4325 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -163,7 +163,8 @@
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/private/system_app.te b/private/system_app.te
index ee18ab2..e5d7d18 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -93,6 +93,7 @@
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 # suppress denials for services system_app should not be accessing.
 dontaudit system_app {
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c15fa22..6e7a99c 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -1,20 +1,11 @@
 ###
 ### Untrusted apps.
 ###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory).  The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml.  In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key.  To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion >= 30.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
 ###
 
 typeattribute untrusted_app coredomain;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2091f2e..a1abc41 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -4,19 +4,8 @@
 ### This file defines the rules for untrusted apps running with
 ### targetSdkVersion <= 25.
 ###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory).  The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml.  In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key.  To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
 ###
 
 typeattribute untrusted_app_25 coredomain;
@@ -59,3 +48,6 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
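Review bot: The comment `# allow binding to netlink route sockets and sending RTM_GETLINK messages.` overstates what the line adds: `bind` on self:netlink_route_socket is already granted to every netdomain member by the unchanged allow in public/net.te (visible in that hunk), so the only new permission here is `nlmsg_readpriv`, assuming untrusted_app_25 is a netdomain member as untrusted_app_29 visibly is via `net_domain()`. I would make the comment explain the exception rather than the mechanics: `# b/141455849: apps targeting SDK <= 25 keep RTM_GETLINK (nlmsg_readpriv) for app-compat; newer app domains are denied it in private/app_neverallows.te.`. The same line and comment appear in private/untrusted_app_27.te and private/untrusted_app_29.te.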
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 03b3013..b7b6d72 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -4,20 +4,8 @@
 ### This file defines the rules for untrusted apps running with
 ### 25 < targetSdkVersion <= 28.
 ###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory).  The untrusted_app_27 domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml.  In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key.  To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
 ###
 
 typeattribute untrusted_app_27 coredomain;
@@ -48,3 +36,6 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
new file mode 100644
index 0000000..344ae89
--- /dev/null
+++ b/private/untrusted_app_29.te
@@ -0,0 +1,19 @@
+###
+### Untrusted_29.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion = 29.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_29 coredomain;
+
+app_domain(untrusted_app_29)
+untrusted_app_domain(untrusted_app_29)
+net_domain(untrusted_app_29)
+bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
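Review bot: The banner line `### Untrusted_29.` in the new file is not a sentence and differs from the sibling files, which open with `### Untrusted apps.`; `### Untrusted apps (targetSdkVersion = 29).` would match the file's own second paragraph. Otherwise the file mirrors untrusted_app_27.te (app_domain, untrusted_app_domain, net_domain, bluetooth_domain), which is what one expects from a compat split and is worth a one-line remark so a reader knows the omission of any further rules is deliberate.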
diff --git a/public/attributes b/public/attributes
index dcbe9c0..a3728cf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -353,6 +353,7 @@
 # from one core domain to another, without having to update the vendor image
 # which contains clients of this service.
 
+attribute automotive_display_service_server;
 attribute camera_service_server;
 attribute display_service_server;
 attribute scheduler_service_server;
diff --git a/public/domain.te b/public/domain.te
index 4dc218a..604df89 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -500,9 +500,9 @@
 # system_app_service rather than the generic type.
 # New service_types are defined in {,hw,vnd}service.te and new mappings
 # from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager add;
-neverallow * default_android_vndservice:service_manager { add find };
-neverallow * default_android_hwservice:hwservice_manager { add find };
+neverallow * default_android_service:service_manager *;
+neverallow * default_android_vndservice:service_manager *;
+neverallow * default_android_hwservice:hwservice_manager *;
 
 # Looking up the base class/interface of all HwBinder services is a bad idea.
 # hwservicemanager currently offer such lookups only to make it so that security
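Review bot: Widening the three neverallows from `add` / `{ add find }` to `*` is the reason several other hunks in this change add `-default_android_service` to their `{ ... }:service_manager find` allows (atrace, system_app, dumpstate, shell, traceur_app), yet the comment above the rules (starting before the hunk) still only explains why adding under the default label is forbidden. I would extend it with `# No domain may add, find or otherwise use a service that still carries the default label; any domain with a wildcard find rule must exclude default_android_service.`. Any domain outside this diff with a similar wildcard allow will now fail the neverallow check at policy build rather than at runtime, which is the intended safety net but deserves a sentence in the commit description.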
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 7342856..824be5d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -230,6 +230,7 @@
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 # suppress denials for services dumpstate should not be accessing.
 dontaudit dumpstate {
diff --git a/public/hwservice.te b/public/hwservice.te
index 5085ea5..3619a63 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -6,6 +6,7 @@
 type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
 type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
 type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
 type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 15cf7d5..b2a6fbf 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -804,6 +804,8 @@
 define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
 define(`FS_IOC_ENABLE_VERITY', `0x6685')
 define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`FS_IOC_FSGETXATTR', `0x801c581f')
+define(`FS_IOC_FSSETXATTR', `0x401c5820')
 define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
 define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
diff --git a/public/net.te b/public/net.te
index bdef072..100363a 100644
--- a/public/net.te
+++ b/public/net.te
@@ -19,9 +19,15 @@
 allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and initially grant
-# this permission to everything that previously had the nlmsg_read permission.
-allow netdomain self:netlink_route_socket nlmsg_readpriv;
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+  netdomain
+  -ephemeral_app
+  -mediaprovider
+  -untrusted_app_all
+} self:netlink_route_socket { nlmsg_readpriv };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
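Review bot: The new comment's `(e.g. untrusted_app_25-29)` is looser than the policy actually is: the exemptions are exactly untrusted_app_25, untrusted_app_27 and untrusted_app_29, granted in their private/*.te files, and the matching neverallow in private/app_neverallows.te excludes exactly those three. Suggest `# untrusted_app_25, _27 and _29 are granted nlmsg_readpriv in private/untrusted_app_{25,27,29}.te for app-compat; see the matching neverallow in private/app_neverallows.te.` so the two lists are tied together. `-ephemeral_app` and `-mediaprovider` are also excluded here and are not exempted from that neverallow (mediaprovider is visibly an all_untrusted_apps member), so the two rule sets appear consistent.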
diff --git a/public/property.te b/public/property.te
index 7a1e4dd..8142aa2 100644
--- a/public/property.te
+++ b/public/property.te
@@ -13,6 +13,7 @@
 system_internal_prop(device_config_sys_traced_prop)
 system_internal_prop(firstboot_prop)
 system_internal_prop(gsid_prop)
+system_internal_prop(init_perf_lsm_hooks_prop)
 system_internal_prop(init_svc_debug_prop)
 system_internal_prop(last_boot_reason_prop)
 system_internal_prop(netd_stable_secret_prop)
diff --git a/public/recovery.te b/public/recovery.te
index 1193354..3bac03d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -85,7 +85,7 @@
   allow recovery device:dir r_dir_perms;
   allow recovery block_device:dir r_dir_perms;
   allow recovery dev_type:blk_file rw_file_perms;
-  allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
+  allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
 
   # GUI
   allow recovery graphics_device:chr_file rw_file_perms;
diff --git a/public/shell.te b/public/shell.te
index 532d05f..0a97465 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -106,6 +106,9 @@
 get_prop(shell, last_boot_reason_prop)
 get_prop(shell, system_boot_reason_prop)
 
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
@@ -124,6 +127,7 @@
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 allow shell dumpstate:binder call;
 
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 5333015..7e2cc84 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -21,6 +21,7 @@
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 
 # Allow traceur_app to use atrace HAL
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 5289bf9..43fe19a 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -16,6 +16,15 @@
 ### seapp_contexts.
 ###
 
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion >= 30.
 type untrusted_app, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion = 29.
+type untrusted_app_29, domain;
+# This file defines the rules for untrusted apps running with
+# 25 < targetSdkVersion <= 28.
 type untrusted_app_27, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion <= 25.
 type untrusted_app_25, domain;
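Review bot: The four new comments each begin `# This file defines the rules for ...`, but public/untrusted_app.te only declares the types; the rules live in private/untrusted_app.te, private/untrusted_app_29.te and so on, and the private headers in this same change now point back here for the domain description. Phrase them as domain descriptions, e.g. `# Domain for untrusted apps with targetSdkVersion >= 30 (rules in private/untrusted_app.te).` and `# Domain for untrusted apps with targetSdkVersion = 29 (rules in private/untrusted_app_29.te).`, and likewise for the 27 and 25 types.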
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6a20bf2..609821f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -220,6 +220,7 @@
       -apexd_prop
       -gsid_prop
       -nnapi_ext_deny_product_prop
+      -init_perf_lsm_hooks_prop
       -init_svc_debug_prop
       -linker_prop
       -module_sdkextensions_prop
diff --git a/public/vold.te b/public/vold.te
index 9f4489d..c1509f1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -95,6 +95,12 @@
 # Allow mounting (lower filesystem) on parts of media for performance
 allow vold media_rw_data_file:dir mounton;
 
+# Allow setting extended attributes (for project quota IDs) on files and dirs
+allowxperm vold media_rw_data_file:{ dir file } ioctl {
+  FS_IOC_FSGETXATTR
+  FS_IOC_FSSETXATTR
+};
+
 # Allow mounting of storage devices
 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
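Review bot: The comment says the xperm is for project quota IDs, but `FS_IOC_FSSETXATTR` writes the whole `struct fsxattr`, including `fsx_xflags` (immutable, append-only and similar flags on filesystems that honour them), so vold is being granted more than the stated purpose. That is probably unavoidable at ioctl granularity, but the comment should say so: `# Allow get/set of fsxattr on files and dirs (used for project quota IDs; FSSETXATTR also covers the fsxattr flag bits)`. The xperm only takes effect alongside a base `allow vold media_rw_data_file:{ dir file } ioctl` grant, which is not in this hunk; worth confirming it exists.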