Merge "Add SE policy for tv_ad_service" into main
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index e542c3a..5cc9c70 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -388,7 +388,7 @@
cmd.Flag("--strict")
}
- out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
+ out := pathForModuleOut(ctx, ctx.ModuleName()+"_namespace_checked")
rule.Command().Text("cp -f").Input(input).Output(out)
rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
return out
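Review bot: The new output path `pathForModuleOut(ctx, ctx.ModuleName()+"_namespace_checked")` no longer contains anything derived from `input`, so every call made for the same module resolves to the same file. The enclosing function begins outside this hunk, so it is unclear whether it can run for more than one input per module; if it can, the `cp -f` rules would declare the same output twice. Either state the assumption with a comment such as `// one namespace-checked output per module; callers pass a single merged input`, or keep an input-derived component in the name, for example `ctx.ModuleName()+"_namespace_checked_"+input.Base()`.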
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 607df5d..e19df98 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -309,7 +309,7 @@
"logd": EXCEPTION_NO_FUZZER,
"looper_stats": EXCEPTION_NO_FUZZER,
"lpdump_service": EXCEPTION_NO_FUZZER,
- "mdns": []string{"mdns_service_fuzzer"},
+ "mdns": EXCEPTION_NO_FUZZER,
"media.aaudio": EXCEPTION_NO_FUZZER,
"media.audio_flinger": []string{"audioflinger_aidl_fuzzer"},
"media.audio_policy": []string{"audiopolicy_aidl_fuzzer"},
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 50d9de4..d9767ed 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -538,6 +538,8 @@
/vendor/framework/test vendor_framework_file
/system/vendor/framework vendor_framework_file
/system/vendor/framework/test vendor_framework_file
+/vendor/etc/avf/microdroid vendor_microdroid_file
+/vendor/etc/avf/microdroid/test vendor_microdroid_file
/vendor/apex vendor_apex_file
/vendor/apex/test vendor_apex_file
diff --git a/flagging/te_macros b/flagging/te_macros
index a81ec1b..3464502 100644
--- a/flagging/te_macros
+++ b/flagging/te_macros
@@ -1,9 +1,9 @@
####################################
# is_flag_enabled(flag, rules)
# SELinux rules which apply only if given feature is turned on
-define(`is_flag_enabled', `ifelse(target_flag_$1, `true', $2, )')
+define(`is_flag_enabled', `ifelse(target_flag_$1, `true', `$2')')
####################################
# is_flag_disabled(flag, rules)
# SELinux rules which apply only if given feature is turned off
-define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , $2)')
+define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
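Review bot: The header comments for `is_flag_enabled` and `is_flag_disabled` still describe only the arguments and do not say why `$2` is now wrapped in quotes. Without that, a later cleanup could remove the quoting again. Suggest one line under each header, such as `# $2 is quoted so that rules containing commas or macro calls reach ifelse as a single argument.`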
diff --git a/prebuilts/api/34.0/private/attributes b/prebuilts/api/34.0/private/attributes
index fe50b0d..77143a3 100644
--- a/prebuilts/api/34.0/private/attributes
+++ b/prebuilts/api/34.0/private/attributes
@@ -13,5 +13,4 @@
# All SDK sandbox domains
attribute sdk_sandbox_all;
-# The SDK sandbox domains for the current SDK level.
-attribute sdk_sandbox_current;
+
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_34.te b/prebuilts/api/34.0/private/sdk_sandbox_34.te
index bb15057..d45da88 100644
--- a/prebuilts/api/34.0/private/sdk_sandbox_34.te
+++ b/prebuilts/api/34.0/private/sdk_sandbox_34.te
@@ -3,7 +3,89 @@
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
net_domain(sdk_sandbox_34)
app_domain(sdk_sandbox_34)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_34 {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_audit.te b/prebuilts/api/34.0/private/sdk_sandbox_audit.te
deleted file mode 100644
index bb531ca..0000000
--- a/prebuilts/api/34.0/private/sdk_sandbox_audit.te
+++ /dev/null
@@ -1,34 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the audit sdk sandbox security policy for
-### the set of restrictions proposed for the next SDK level.
-###
-### The sdk_sandbox_audit domain has the same rules as the
-### sdk_sandbox_current domain and additional auditing rules
-### for the accesses we are considering forbidding in the upcoming
-### sdk_sandbox_next domain.
-type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
-
-net_domain(sdk_sandbox_audit)
-app_domain(sdk_sandbox_audit)
-
-# Auditallow rules for accesses that are currently allowed but we
-# might remove in the future.
-
-auditallow sdk_sandbox_audit {
- cameraserver_service
- ephemeral_app_api_service
- mediadrmserver_service
- radio_service
-}:service_manager find;
-
-auditallow sdk_sandbox_audit {
- property_type
- -system_property_type
-}:file rw_file_perms;
-
-auditallow sdk_sandbox_audit {
- property_type
- -system_property_type
-}:dir rw_dir_perms;
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_current.te b/prebuilts/api/34.0/private/sdk_sandbox_current.te
deleted file mode 100644
index 55e5bc1..0000000
--- a/prebuilts/api/34.0/private/sdk_sandbox_current.te
+++ /dev/null
@@ -1,87 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the security policy for the sdk sandbox processes
-### for the current SDK level.
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_current {
- activity_service
- activity_task_service
- appops_service
- audio_service
- audioserver_service
- batteryproperties_service
- batterystats_service
- cameraserver_service
- connectivity_service
- connmetrics_service
- deviceidle_service
- display_service
- dropbox_service
- ephemeral_app_api_service
- font_service
- game_service
- gpu_service
- graphicsstats_service
- hardware_properties_service
- hint_service
- imms_service
- input_method_service
- input_service
- IProxyService_service
- ipsec_service
- launcherapps_service
- legacy_permission_service
- light_service
- locale_service
- media_communication_service
- mediadrmserver_service
- mediaextractor_service
- mediametrics_service
- media_projection_service
- media_router_service
- mediaserver_service
- media_session_service
- memtrackproxy_service
- midi_service
- netpolicy_service
- netstats_service
- network_management_service
- notification_service
- package_service
- permission_checker_service
- permission_service
- permissionmgr_service
- platform_compat_service
- power_service
- procstats_service
- radio_service
- registry_service
- restrictions_service
- rttmanager_service
- search_service
- selection_toolbar_service
- sensor_privacy_service
- sensorservice_service
- servicediscovery_service
- settings_service
- speech_recognition_service
- statusbar_service
- storagestats_service
- surfaceflinger_service
- telecom_service
- tethering_service
- textclassification_service
- textservices_service
- texttospeech_service
- thermal_service
- translation_service
- tv_iapp_service
- tv_input_service
- uimode_service
- vcn_management_service
- webviewupdate_service
-}:service_manager find;
-
diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts
index 8f3cae9..4454bd7 100644
--- a/prebuilts/api/34.0/private/seapp_contexts
+++ b/prebuilts/api/34.0/private/seapp_contexts
@@ -13,7 +13,6 @@
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# isSdkSandboxNext (boolean)
-# isSdkSandboxAudit (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -49,19 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
-# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
-# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
-# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
-# as the current dessert release, with additional auditing rules for the accesses
-# we are considering forbidding in the upcoming release.
-#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
#
-# isSdkSandboxAudit=true means sdk sandbox processes will get
-# sdk_sandbox_audit sepolicy applied to them.
-# An unspecified isSdkSandboxAudit defaults to false.
-#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -182,7 +171,6 @@
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
-user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index a9d4ae3..03887d8 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -18,6 +18,7 @@
ot_daemon_service
remote_auth_service
security_state_service
+ setupwizard_mode_prop
sysfs_sync_on_suspend
tv_ad_service
threadnetwork_service
@@ -28,4 +29,5 @@
binderfs_logs_stats
drm_forcel3_prop
proc_percpu_pagelist_high_fraction
+ vendor_microdroid_file
))
diff --git a/private/coredomain.te b/private/coredomain.te
index f9b47df..dfb08b1 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -15,6 +15,7 @@
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
diff --git a/private/crosvm.te b/private/crosvm.te
index afcaa3d..ed89b87 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,7 +27,7 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file).
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
@@ -39,6 +39,7 @@
apex_compos_data_file
apex_virt_data_file
shell_data_file
+ vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -126,6 +127,7 @@
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
+ -vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
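Review bot: `-vendor_microdroid_file` is added beneath the comment "These types are not required for crosvm, but the access is granted to globally in domain.te", but the previous hunk in this file adds `vendor_microdroid_file` to crosvm's own `{ getattr read ioctl lock }` allow set. The exemption is therefore needed by crosvm itself, not inherited from a global grant. Move the entry above that comment with its own line, e.g. `# microdroid vendor image, read by crosvm through passed file descriptors`, so the exclusion list stays auditable. The rule this list belongs to begins outside the hunk.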
diff --git a/private/domain.te b/private/domain.te
index 0861fa5..2f107dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -610,6 +610,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
+ -vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
diff --git a/private/file_contexts b/private/file_contexts
index b7f1a34..32092da 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -412,6 +412,7 @@
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
diff --git a/private/property.te b/private/property.te
index e1b42a0..9eed4de 100644
--- a/private/property.te
+++ b/private/property.te
@@ -605,6 +605,12 @@
neverallow {
domain
-init
+ -vendor_init
+} setupwizard_mode_prop:property_service set;
+
+neverallow {
+ domain
+ -init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
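Review bot: The added `neverallow` for `setupwizard_mode_prop` exempts `vendor_init`, while the adjacent `setupwizard_prop` rule remains init-only, and nothing here records why the two differ. A one-line comment above the new block, such as `# setupwizard_mode_prop is a system_vendor_config_prop: only init and vendor_init may set it.`, would stop the blocks from being merged or "harmonised" later. This matches the `system_vendor_config_prop(setupwizard_mode_prop)` declaration added in public/property.te by the same change.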
diff --git a/private/property_contexts b/private/property_contexts
index 56ccb40..6d1c2f6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -338,6 +338,10 @@
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
+# OEMs can set this prop at build time to configure how many seconds to delay
+# merge after installing a Virtual AB OTA. The default behavior is to start
+# merge immediately.
+ro.virtual_ab.merge_delay_seconds u:object_r:virtual_ab_prop:s0 exact int
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -1430,6 +1434,8 @@
ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+ro.vulkan.apex u:object_r:graphics_config_prop:s0 exact string
+
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
@@ -1480,6 +1486,8 @@
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.mode u:object_r:setupwizard_mode_prop:s0 exact string
+
setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 74701df..9a76f69 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -56,6 +56,12 @@
# as the current dessert release, with additional auditing rules for the accesses
# we are considering forbidding in the upcoming release.
#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
# An unspecified isSdkSandboxNext defaults to false.
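Review bot: The six added comment lines appear to repeat the paragraph directly above them, whose last two lines are still visible as context ("as the current dessert release, with additional auditing rules ..."). The file would then describe sdk_sandbox_next and sdk_sandbox_audit twice in a row. The next hunk does the same with the `isSdkSandboxAudit=true` paragraph, which is also already present as context. This looks like a merge artifact; drop both added copies so each selector is documented once.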
@@ -64,6 +70,10 @@
# sdk_sandbox_audit sepolicy applied to them.
# An unspecified isSdkSandboxAudit defaults to false.
#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
diff --git a/private/shell.te b/private/shell.te
index aa6bef8..e410862 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d6f0e19..871d3f2 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -94,6 +94,9 @@
allow virtualizationmanager shell_data_file:file open;
')
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
diff --git a/public/file.te b/public/file.te
index 091c557..142e167 100644
--- a/public/file.te
+++ b/public/file.te
@@ -255,6 +255,8 @@
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+type vendor_microdroid_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
diff --git a/public/property.te b/public/property.te
index 1a5b105..44b0aef 100644
--- a/public/property.te
+++ b/public/property.te
@@ -197,6 +197,7 @@
system_vendor_config_prop(dck_prop)
system_vendor_config_prop(tuner_config_prop)
system_vendor_config_prop(usb_uvc_enabled_prop)
+system_vendor_config_prop(setupwizard_mode_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 3c51b67..ab01745 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -59,10 +59,11 @@
Matcher = Is | Glob | Regex
@dataclass
-class AllowRead:
- """Rule checking if scontext can read the entity"""
+class AllowPerm:
+ """Rule checking if scontext has 'perm' to the entity"""
tclass: str
scontext: set[str]
+ perm: str
@dataclass
@@ -71,7 +72,12 @@
pass
-Rule = AllowRead | ResolveType
+Rule = AllowPerm | ResolveType
+
+
+# Helper for 'read'
+def AllowRead(tclass, scontext):
+ return AllowPerm(tclass, scontext, 'read')
def match_path(path: str, matcher: Matcher) -> bool:
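Review bot: `AllowRead` is now a plain function but keeps a class-style name and has no annotations or docstring, unlike the dataclasses it sits beside. A reader of the rule table cannot tell that it is a factory rather than a `Rule` variant. Suggest `def AllowRead(tclass: str, scontext: set[str]) -> AllowPerm:` with the docstring `"""Shorthand for AllowPerm(tclass, scontext, 'read')."""` in place of the `# Helper for 'read'` comment.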
@@ -89,17 +95,17 @@
"""Returns error message if scontext can't read the target"""
errors = []
match rule:
- case AllowRead(tclass, scontext):
+ case AllowPerm(tclass, scontext, perm):
# Test every source in scontext(set)
for s in scontext:
te_rules = list(pol.QueryTERule(scontext={s},
tcontext={tcontext},
tclass={tclass},
- perms={'read'}))
+ perms={perm}))
if len(te_rules) > 0:
continue # no errors
- errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+ errors.append(f"Error: {path}: {s} can't {perm}. (tcontext={tcontext})")
case ResolveType():
if tcontext not in pol.GetAllTypes(False):
errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
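Review bot: The docstring left as context, `"""Returns error message if scontext can't read the target"""`, is stale now that the `AllowPerm` case queries an arbitrary `perm` and reports `can't {perm}`. Update it to `"""Returns error messages if the rule does not hold for the target"""` so it covers both the permission check and the `ResolveType` case. The function's signature is outside this hunk.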
@@ -122,7 +128,7 @@
(Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
# ./ and apex_manifest.pb
(Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
- (Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
+ (Is('./'), AllowPerm('dir', {'linkerconfig', 'apexd'}, 'search')),
# linker.config.pb
(Is('./etc/linker.config.pb'), AllowRead('file', {'linkerconfig'})),
]
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 6e719ed..3fee43d 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -96,7 +96,7 @@
self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
r'Error: .*linkerconfig.* can\'t read')
self.assert_error('./ u:object_r:apex_data_file:s0',
- r'Error: .*linkerconfig.* can\'t read')
+ r'Error: .*linkerconfig.* can\'t search')
def test_unknown_label(self):
self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 28613c9..1c393f1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -171,7 +171,7 @@
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.renderscript@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory\.token@1\.0\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.safe_union@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/libRSCpuRef\.so u:object_r:same_process_hal_file:s0