Merge "Camera: sepolicy for external camera"
diff --git a/Android.bp b/Android.bp
index 9952a8f..1785342 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1 +1,4 @@
-subdirs = ["tests"]
+subdirs = [
+ "tests",
+ "build",
+]
diff --git a/Android.mk b/Android.mk
index 6756d40..0d4d67f 100644
--- a/Android.mk
+++ b/Android.mk
@@ -124,6 +124,13 @@
NEVERALLOW_ARG := -N
endif
+# BOARD_SEPOLICY_DIRS was used for vendor sepolicy customization before.
+# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS. BOARD_SEPOLICY_DIRS is
+# still allowed for backward compatibility, which will be merged into
+# BOARD_VENDOR_SEPOLICY_DIRS.
+ifdef BOARD_SEPOLICY_DIRS
+BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
+endif
platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
@@ -137,9 +144,9 @@
$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
endef
-# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
+# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_device_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
# Add a file containing only a newline in-between each policy configuration
# 'contexts' file. This will allow OEM policy configuration files without a
@@ -209,11 +216,13 @@
LOCAL_REQUIRED_MODULES += \
$(platform_mapping_file) \
26.0.cil \
- nonplat_sepolicy.cil \
+ plat_pub_versioned.cil \
+ vendor_sepolicy.cil \
plat_sepolicy.cil \
plat_and_mapping_sepolicy.cil.sha256 \
secilc \
plat_sepolicy_vers.txt \
+ vendor_service_contexts \
# Include precompiled policy, unless told otherwise
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -225,11 +234,12 @@
endif
LOCAL_REQUIRED_MODULES += \
- nonplat_file_contexts \
- nonplat_mac_permissions.xml \
- nonplat_property_contexts \
- nonplat_seapp_contexts \
- nonplat_hwservice_contexts \
+ build_sepolicy \
+ vendor_file_contexts \
+ vendor_mac_permissions.xml \
+ vendor_property_contexts \
+ vendor_seapp_contexts \
+ vendor_hwservice_contexts \
plat_file_contexts \
plat_mac_permissions.xml \
plat_property_contexts \
@@ -239,10 +249,6 @@
searchpolicy \
vndservice_contexts \
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_REQUIRED_MODULES += nonplat_service_contexts
-endif
-
ifneq ($(TARGET_BUILD_VARIANT), user)
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
@@ -483,7 +489,9 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_sepolicy.cil
+# plat_pub_versioned.cil - the exported platform policy associated with the version
+# that non-platform policy targets.
+LOCAL_MODULE := plat_pub_versioned.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -491,47 +499,62 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# nonplat_policy.conf - A combination of the non-platform private, vendor and
-# the exported platform policy associated with the version the non-platform
-# policy targets. This needs attributization and to be combined with the
-# platform-provided policy. Like plat_pub_policy.conf, this needs to make use
-# of the reqd_policy_mask files from private policy in order to use checkpolicy.
-nonplat_policy.conf := $(intermediates)/nonplat_policy.conf
-$(nonplat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(nonplat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
-$(nonplat_policy_raw): PRIVATE_POL_CONF := $(nonplat_policy.conf)
-$(nonplat_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
-$(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
- $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
-
$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(plat_pub_policy.cil)
$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
-$(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+ $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_mapping_cil)
@mkdir -p $(dir $@)
$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-built_nonplat_cil := $(LOCAL_BUILT_MODULE)
-nonplat_policy.conf :=
-nonplat_policy_raw :=
+built_plat_pub_vers_cil := $(LOCAL_BUILT_MODULE)
+
+#################################
+include $(CLEAR_VARS)
+
+# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
+# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+# policy and the platform public policy files in order to use checkpolicy.
+LOCAL_MODULE := vendor_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vendor_policy.conf := $(intermediates)/vendor_policy.conf
+$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
+ $(vendor_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \
+ $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
+ -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
+ -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \
+ -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
+
+built_vendor_cil := $(LOCAL_BUILT_MODULE)
+vendor_policy.conf :=
#################################
include $(CLEAR_VARS)
@@ -544,16 +567,20 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := \
-$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
+all_cil_files := \
+ $(built_plat_cil) \
+ $(built_mapping_cil) \
+ $(built_plat_pub_vers_cil) \
+ $(built_vendor_cil)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil) \
-$(built_sepolicy_neverallows)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
+all_cil_files :=
#################################
# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
@@ -586,7 +613,8 @@
all_cil_files := \
$(built_plat_cil) \
$(built_mapping_cil) \
- $(built_nonplat_cil)
+ $(built_plat_pub_vers_cil) \
+ $(built_vendor_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
@@ -630,7 +658,7 @@
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+ $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
@@ -716,7 +744,7 @@
@mkdir -p $(dir $@)
$(hide) m4 -s $^ > $@
-device_fc_files := $(call build_device_policy, file_contexts)
+device_fc_files := $(call build_vendor_policy, file_contexts)
device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl))
file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
@@ -727,7 +755,8 @@
file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
+$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \
+ $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@
@@ -808,7 +837,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_file_contexts
+LOCAL_MODULE := vendor_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -819,22 +848,22 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_fc_files := $(call build_device_policy, file_contexts)
-nonplat_fcfiles_with_nl := $(call add_nl, $(nonplat_fc_files), $(built_nl))
+vendor_fc_files := $(call build_vendor_policy, file_contexts)
+vendor_fcfiles_with_nl := $(call add_nl, $(vendor_fc_files), $(built_nl))
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(nonplat_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
-$(nonplat_fcfiles_with_nl) $(built_sepolicy)
+$(vendor_fcfiles_with_nl) $(built_sepolicy)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
-built_nonplat_fc := $(LOCAL_BUILT_MODULE)
-nonplat_fc_files :=
-nonplat_fcfiles_with_nl :=
+built_vendor_fc := $(LOCAL_BUILT_MODULE)
+vendor_fc_files :=
+vendor_fcfiles_with_nl :=
##################################
include $(CLEAR_VARS)
@@ -852,15 +881,15 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_file_contexts.recovery
-LOCAL_MODULE_STEM := nonplat_file_contexts
+LOCAL_MODULE := vendor_file_contexts.recovery
+LOCAL_MODULE_STEM := vendor_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_nonplat_fc)
+$(LOCAL_BUILT_MODULE): $(built_vendor_fc)
$(hide) cp -f $< $@
##################################
@@ -889,7 +918,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_seapp_contexts
+LOCAL_MODULE := vendor_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -900,19 +929,19 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
@mkdir -p $(dir $@)
$(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-built_nonplat_sc := $(LOCAL_BUILT_MODULE)
-nonplat_sc_files :=
+built_vendor_sc := $(LOCAL_BUILT_MODULE)
+vendor_sc_files :=
##################################
include $(CLEAR_VARS)
@@ -965,7 +994,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_property_contexts
+LOCAL_MODULE := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -977,24 +1006,24 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-nonplat_property_contexts.tmp := $(intermediates)/nonplat_property_contexts.tmp
-$(nonplat_property_contexts.tmp): PRIVATE_PC_FILES := $(nonplat_pcfiles)
-$(nonplat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_property_contexts.tmp): $(nonplat_pcfiles)
+vendor_property_contexts.tmp := $(intermediates)/vendor_property_contexts.tmp
+$(vendor_property_contexts.tmp): PRIVATE_PC_FILES := $(vendor_pcfiles)
+$(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_property_contexts.tmp): $(vendor_pcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(HOST_OUT_EXECUTABLES)/property_info_checker
+$(LOCAL_BUILT_MODULE): $(vendor_property_contexts.tmp) $(HOST_OUT_EXECUTABLES)/property_info_checker
@mkdir -p $(dir $@)
$(hide) cp -f $< $@
$(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $@
-built_nonplat_pc := $(LOCAL_BUILT_MODULE)
-nonplat_pcfiles :=
-nonplat_property_contexts.tmp :=
+built_vendor_pc := $(LOCAL_BUILT_MODULE)
+vendor_pcfiles :=
+vendor_property_contexts.tmp :=
##################################
include $(CLEAR_VARS)
@@ -1012,15 +1041,15 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_property_contexts.recovery
-LOCAL_MODULE_STEM := nonplat_property_contexts
+LOCAL_MODULE := vendor_property_contexts.recovery
+LOCAL_MODULE_STEM := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_nonplat_pc)
+$(LOCAL_BUILT_MODULE): $(built_vendor_pc)
$(hide) cp -f $< $@
##################################
@@ -1062,31 +1091,31 @@
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_service_contexts
+LOCAL_MODULE := vendor_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-nonplat_service_contexts.tmp := $(intermediates)/nonplat_service_contexts.tmp
-$(nonplat_service_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_svcfiles)
-$(nonplat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_service_contexts.tmp): $(nonplat_svcfiles)
+vendor_service_contexts.tmp := $(intermediates)/vendor_service_contexts.tmp
+$(vendor_service_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_svcfiles)
+$(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_service_contexts.tmp): $(vendor_svcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(nonplat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
-built_nonplat_svc := $(LOCAL_BUILT_MODULE)
-nonplat_svcfiles :=
-nonplat_service_contexts.tmp :=
+built_vendor_svc := $(LOCAL_BUILT_MODULE)
+vendor_svcfiles :=
+vendor_service_contexts.tmp :=
endif
@@ -1125,7 +1154,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_hwservice_contexts
+LOCAL_MODULE := vendor_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -1136,23 +1165,24 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-nonplat_hwservice_contexts.tmp := $(intermediates)/nonplat_hwservice_contexts.tmp
-$(nonplat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_hwsvcfiles)
-$(nonplat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_hwservice_contexts.tmp): $(nonplat_hwsvcfiles)
+vendor_hwservice_contexts.tmp := $(intermediates)/vendor_hwservice_contexts.tmp
+$(vendor_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_hwsvcfiles)
+$(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(nonplat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
-nonplat_hwsvcfiles :=
-nonplat_hwservice_contexts.tmp :=
+vendor_hwsvcfiles :=
+vendor_hwservice_contexts.tmp :=
+
##################################
include $(CLEAR_VARS)
@@ -1168,7 +1198,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
@@ -1222,7 +1252,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_mac_permissions.xml
+LOCAL_MODULE := vendor_mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1230,22 +1260,22 @@
include $(BUILD_SYSTEM)/base_rules.mk
# Build keys.conf
-nonplat_mac_perms_keys.tmp := $(intermediates)/nonplat_keys.tmp
-$(nonplat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
+$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-all_nonplat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_nonplat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(nonplat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
-$(all_nonplat_mac_perms_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_vendor_mac_perms_files)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-nonplat_mac_perms_keys.tmp :=
-all_nonplat_mac_perms_files :=
+vendor_mac_perms_keys.tmp :=
+all_vendor_mac_perms_files :=
#################################
include $(CLEAR_VARS)
@@ -1255,15 +1285,16 @@
include $(BUILD_SYSTEM)/base_rules.mk
+all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
+
sepolicy_tests := $(intermediates)/sepolicy_tests
-$(sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
-$(sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
+$(sepolicy_tests): ALL_FC_ARGS := $(all_fc_args)
$(sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests \
-$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
+$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
- -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
+ $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
##################################
@@ -1368,9 +1399,11 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
+
treble_sepolicy_tests := $(intermediates)/treble_sepolicy_tests
-$(treble_sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
-$(treble_sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
+$(treble_sepolicy_tests): ALL_FC_ARGS := $(all_fc_args)
$(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
$(treble_sepolicy_tests): PRIVATE_SEPOLICY_OLD := $(built_26.0_plat_sepolicy)
$(treble_sepolicy_tests): PRIVATE_COMBINED_MAPPING := $(26.0_mapping.combined.cil)
@@ -1381,12 +1414,11 @@
$(treble_sepolicy_tests): PRIVATE_FAKE_TREBLE :=
endif
$(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy) $(built_plat_sepolicy) \
-$(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
+ $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
+ $(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
- -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) \
+ $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
$(PRIVATE_FAKE_TREBLE)
@@ -1409,23 +1441,24 @@
#################################
add_nl :=
-build_device_policy :=
+build_vendor_policy :=
build_policy :=
built_plat_fc :=
-built_nonplat_fc :=
+built_vendor_fc :=
built_nl :=
built_plat_cil :=
+built_plat_pub_vers_cil :=
built_mapping_cil :=
built_plat_pc :=
-built_nonplat_cil :=
-built_nonplat_pc :=
-built_nonplat_sc :=
+built_vendor_cil :=
+built_vendor_pc :=
+built_vendor_sc :=
built_plat_sc :=
built_precompiled_sepolicy :=
built_sepolicy :=
built_sepolicy_neverallows :=
built_plat_svc :=
-built_nonplat_svc :=
+built_vendor_svc :=
mapping_policy :=
my_target_arch :=
plat_pub_policy.cil :=
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 42d451c..3a302bb 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -74,3 +74,12 @@
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_service_contexts)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/ETC/nonplat_service_contexts_intermediates)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/NOTICE_FILES/src/vendor/etc/selinux/nonplat_service_contexts.txt)
+
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_sepolicy.cil)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_mac_permissions.xml)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
diff --git a/OWNERS b/OWNERS
index c15fa63..b346293 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,7 +1,7 @@
-nnk@google.com
-jeffv@google.com
-klyubin@google.com
dcashman@google.com
jbires@google.com
-sspatil@google.com
+jeffv@google.com
jgalenson@google.com
+nnk@google.com
+sspatil@google.com
+trong@google.com
diff --git a/build/Android.bp b/build/Android.bp
new file mode 100644
index 0000000..d3f1fc3
--- /dev/null
+++ b/build/Android.bp
@@ -0,0 +1,34 @@
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+python_binary_host {
+ name: "build_sepolicy",
+ srcs: [
+ "build_sepolicy.py",
+ "file_utils.py",
+ ],
+ required: [
+ "checkpolicy",
+ "secilc",
+ "version_policy",
+ ],
+ version: {
+ py2: {
+ enabled: true,
+ },
+ py3: {
+ enabled: false,
+ },
+ },
+}
diff --git a/build/build_sepolicy.py b/build/build_sepolicy.py
new file mode 100644
index 0000000..ff2ff07
--- /dev/null
+++ b/build/build_sepolicy.py
@@ -0,0 +1,140 @@
+# Copyright 2018 - The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Command-line tool to build SEPolicy files."""
+
+import argparse
+import os
+import subprocess
+import sys
+
+import file_utils
+
+
+# All supported commands in this module.
+# For each command, need to add two functions. Take 'build_cil' for example:
+# - setup_build_cil()
+# - Sets up command parsers and sets default function to do_build_cil().
+# - do_build_cil()
+_SUPPORTED_COMMANDS = ('build_cil',)
+
+
+def run_host_command(args, **kwargs):
+ """Runs a host command and prints output."""
+ if kwargs.get('shell'):
+ command_log = args
+ else:
+ command_log = ' '.join(args) # For args as a sequence.
+
+ try:
+ subprocess.check_call(args, **kwargs)
+ except subprocess.CalledProcessError as err:
+ sys.stderr.write(
+ 'build_sepolicy - failed to run command: {!r} (ret:{})\n'.format(
+ command_log, err.returncode))
+ sys.exit(err.returncode)
+
+
+def do_build_cil(args):
+ """Builds a sepolicy CIL (Common Intermediate Language) file.
+
+ This functions invokes some host utils (e.g., secilc, checkpolicy,
+ version_sepolicy) to generate a .cil file.
+
+ Args:
+ args: the parsed command arguments.
+ """
+ # Determines the raw CIL file name.
+ input_file_name = os.path.splitext(args.input_policy_conf)[0]
+ raw_cil_file = input_file_name + '_raw.cil'
+ # Builds the raw CIL.
+ file_utils.make_parent_dirs(raw_cil_file)
+ checkpolicy_cmd = [args.checkpolicy_env]
+ checkpolicy_cmd += [os.path.join(args.android_host_path, 'checkpolicy'),
+ '-C', '-M', '-c', args.policy_vers,
+ '-o', raw_cil_file, args.input_policy_conf]
+ # Using shell=True to setup args.checkpolicy_env variables.
+ run_host_command(' '.join(checkpolicy_cmd), shell=True)
+ file_utils.filter_out([args.reqd_mask], raw_cil_file)
+
+ # Builds the output CIL by versioning the above raw CIL.
+ output_file = args.output_cil
+ if output_file is None:
+ output_file = input_file_name + '.cil'
+ file_utils.make_parent_dirs(output_file)
+
+ run_host_command([os.path.join(args.android_host_path, 'version_policy'),
+ '-b', args.base_policy, '-t', raw_cil_file,
+ '-n', args.treble_sepolicy_vers, '-o', output_file])
+ if args.filter_out_files:
+ file_utils.filter_out(args.filter_out_files, output_file)
+
+ # Tests that the output file can be merged with the given CILs.
+ if args.dependent_cils:
+ merge_cmd = [os.path.join(args.android_host_path, 'secilc'),
+ '-m', '-M', 'true', '-G', '-N', '-c', args.policy_vers]
+ merge_cmd += args.dependent_cils # the give CILs to merge
+ merge_cmd += [output_file, '-o', '/dev/null', '-f', '/dev/null']
+ run_host_command(merge_cmd)
+
+
+def setup_build_cil(subparsers):
+ """Sets up command args for 'build_cil' command."""
+
+ # Required arguments.
+ parser = subparsers.add_parser('build_cil', help='build CIL files')
+ parser.add_argument('-i', '--input_policy_conf', required=True,
+ help='source policy.conf')
+ parser.add_argument('-m', '--reqd_mask', required=True,
+ help='the bare minimum policy.conf to use checkpolicy')
+ parser.add_argument('-b', '--base_policy', required=True,
+ help='base policy for versioning')
+ parser.add_argument('-t', '--treble_sepolicy_vers', required=True,
+ help='the version number to use for Treble-OTA')
+ parser.add_argument('-p', '--policy_vers', required=True,
+ help='SELinux policy version')
+
+ # Optional arguments.
+ parser.add_argument('-c', '--checkpolicy_env',
+ help='environment variables passed to checkpolicy')
+ parser.add_argument('-f', '--filter_out_files', nargs='+',
+ help='the pattern files to filter out the output cil')
+ parser.add_argument('-d', '--dependent_cils', nargs='+',
+ help=('check the output file can be merged with '
+ 'the dependent cil files'))
+ parser.add_argument('-o', '--output_cil', help='the output cil file')
+
+ # The function that performs the actual works.
+ parser.set_defaults(func=do_build_cil)
+
+
+def run(argv):
+ """Sets up command parser and execuates sub-command."""
+ parser = argparse.ArgumentParser()
+
+ # Adds top-level arguments.
+ parser.add_argument('-a', '--android_host_path', default='',
+ help='a path to host out executables')
+
+ # Adds subparsers for each COMMAND.
+ subparsers = parser.add_subparsers(title='COMMAND')
+ for command in _SUPPORTED_COMMANDS:
+ globals()['setup_' + command](subparsers)
+
+ args = parser.parse_args(argv[1:])
+ args.func(args)
+
+
+if __name__ == '__main__':
+ run(sys.argv)
diff --git a/build/file_utils.py b/build/file_utils.py
new file mode 100644
index 0000000..1559a9b
--- /dev/null
+++ b/build/file_utils.py
@@ -0,0 +1,49 @@
+# Copyright 2018 - The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""File-related utilities."""
+
+
+import os
+import shutil
+import tempfile
+
+
+def make_parent_dirs(file_path):
+ """Creates parent directories for the file_path."""
+ if os.path.exists(file_path):
+ return
+
+ parent_dir = os.path.dirname(file_path)
+ if parent_dir and not os.path.exists(parent_dir):
+ os.makedirs(parent_dir)
+
+
+def filter_out(pattern_files, input_file):
+ """"Removes lines in input_file that match any line in pattern_files."""
+
+ # Prepares patterns.
+ patterns = []
+ for f in pattern_files:
+ patterns.extend(open(f).readlines())
+
+ # Copy lines that are not in the pattern.
+ tmp_output = tempfile.NamedTemporaryFile()
+ with open(input_file, 'r') as in_file:
+ tmp_output.writelines(line for line in in_file.readlines()
+ if line not in patterns)
+ tmp_output.flush()
+
+ # Replaces the input_file.
+ shutil.copyfile(tmp_output.name, input_file)
diff --git a/private/adbd.te b/private/adbd.te
index 9dcfc81..77c0d73 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 05ef5ed..df14019 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -183,6 +183,7 @@
hal_bluetooth_hwservice
hal_bootctl_hwservice
hal_camera_hwservice
+ hal_confirmationui_hwservice
hal_contexthub_hwservice
hal_drm_hwservice
hal_dumpstate_hwservice
@@ -198,6 +199,7 @@
hal_nfc_hwservice
hal_oemlock_hwservice
hal_power_hwservice
+ hal_secure_element_hwservice
hal_sensors_hwservice
hal_telephony_hwservice
hal_thermal_hwservice
@@ -243,3 +245,6 @@
-untrusted_app_visible_halserver
}:binder { call transfer };
')
+
+# Untrusted apps are not allowed to find mediaextractor update service.
+neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
diff --git a/private/blank_screen.te b/private/blank_screen.te
new file mode 100644
index 0000000..43d273b
--- /dev/null
+++ b/private/blank_screen.te
@@ -0,0 +1,6 @@
+type blank_screen, domain, coredomain;
+type blank_screen_exec, exec_type, file_type;
+
+init_daemon_domain(blank_screen)
+
+hal_client_domain(blank_screen, hal_light)
diff --git a/private/bug_map b/private/bug_map
index 2b970dd..ce9ab81 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,11 +1,13 @@
-priv_app firstboot_prop file 63801215
-vold system_data_file file 62140539
-system_server vendor_framework_file dir 68826235
+bootanim unlabeled dir 68864350
crash_dump app_data_file dir 68319037
crash_dump bluetooth_data_file dir 68319037
+crash_dump resourcecache_data_file dir 68319037
crash_dump vendor_overlay_file dir 68319037
-statsd statsd capability 71537285
hal_graphics_allocator_default unlabeled dir 70180742
-surfaceflinger unlabeled dir 68864350
hal_graphics_composer_default unlabeled dir 68864350
-bootanim unlabeled dir 68864350
+priv_app sysfs dir 72749888
+surfaceflinger unlabeled dir 68864350
+system_server vendor_framework_file dir 68826235
+untrusted_app_27 system_data_file dir 72550646
+usbd usbd capability 72472544
+vold system_data_file file 62140539
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a587b4d..9dd2ee7 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -123,7 +123,10 @@
(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
(typeattributeset dalvik_prop_26_0 (dalvik_prop))
(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0 (debugfs))
+(typeattributeset debugfs_26_0
+ ( debugfs
+ debugfs_wakeup_sources
+ ))
(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
@@ -452,6 +455,7 @@
( proc
proc_abi
proc_asound
+ proc_buddyinfo
proc_cmdline
proc_dirty
proc_diskstats
@@ -462,6 +466,7 @@
proc_kmsg
proc_loadavg
proc_max_map_count
+ proc_min_free_order_shift
proc_mounts
proc_page_cluster
proc_pagetypeinfo
@@ -474,6 +479,7 @@
proc_uid_time_in_state
proc_uid_concurrent_active_time
proc_uid_concurrent_policy_time
+ proc_uid_cpupower
proc_uptime
proc_version
proc_vmallocinfo
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 95e617b..7769b65 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -5,6 +5,9 @@
(typeattributeset new_objects
( adbd_exec
bootloader_boot_reason_prop
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
bpfloader
bpfloader_exec
broadcastradio_service
@@ -34,11 +37,15 @@
fs_bpf
hal_broadcastradio_hwservice
hal_cas_hwservice
+ hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
+ hal_secure_element_hwservice
hal_tetheroffload_hwservice
hal_usb_gadget_hwservice
hal_wifi_offload_hwservice
+ incident_helper
+ incident_helper_exec
kmsg_debug_device
last_boot_reason_prop
mediaprovider_tmpfs
@@ -47,13 +54,21 @@
lowpan_device
lowpan_prop
lowpan_service
+ mediaextractor_update_service
mediaprovider_tmpfs
netd_stable_secret_prop
network_watchlist_data_file
network_watchlist_service
package_native_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
perfprofd_service
property_info
+ secure_element
+ secure_element_tmpfs
+ secure_element_service
slice_service
stats
stats_data_file
@@ -76,6 +91,7 @@
timezone_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
+ trace_data_file
traceur_app
traceur_app_tmpfs
traced
diff --git a/private/coredomain.te b/private/coredomain.te
index c8f2b1d..23224c3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -4,14 +4,12 @@
full_treble_only(`
neverallow {
coredomain
+
+ # for chowning
-init
- -vendor_init
# generic access to sysfs_type
-ueventd
-vold
- -priv_app
- -storaged
- -system_app
} sysfs_leds:file *;
')
diff --git a/private/domain.te b/private/domain.te
index 8a41097..46d3189 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -24,19 +24,15 @@
# /proc
neverallow {
coredomain
- -dumpstate
-vold
- -vendor_init
} proc:file no_rw_file_perms;
# /sys
neverallow {
coredomain
- -dumpstate
-init
-ueventd
-vold
- -vendor_init
} sysfs:file no_rw_file_perms;
# /dev
@@ -45,7 +41,6 @@
-fsck
-init
-ueventd
- -vendor_init
} device:{ blk_file file } no_rw_file_perms;
# debugfs
@@ -54,7 +49,6 @@
-dumpstate
-init
-system_server
- -vendor_init
} debugfs:file no_rw_file_perms;
# tracefs
@@ -67,14 +61,12 @@
userdebug_or_eng(`-traced_probes')
-shell
userdebug_or_eng(`-traceur_app')
- -vendor_init
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
neverallow {
coredomain
-init
- -vendor_init
} inotify:file no_rw_file_perms;
# pstorefs
@@ -91,7 +83,6 @@
-recovery_refresh
-shell
-system_server
- -vendor_init
} pstorefs:file no_rw_file_perms;
# configfs
@@ -99,7 +90,6 @@
coredomain
-init
-system_server
- -vendor_init
} configfs:file no_rw_file_perms;
# functionfs
@@ -108,13 +98,11 @@
-adbd
-init
-mediaprovider
- -vendor_init
}functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs
neverallow {
coredomain
-init
- -vendor_init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 24a57de..0eafca6 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -27,5 +27,13 @@
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
+# Allow dumpstate to make binder calls to statsd
+binder_call(dumpstate, statsd)
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ statsd
+}:process signal;
diff --git a/private/e2fs.te b/private/e2fs.te
new file mode 100644
index 0000000..2c4c013
--- /dev/null
+++ b/private/e2fs.te
@@ -0,0 +1,3 @@
+allow e2fs devpts:chr_file { read write };
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
diff --git a/private/file.te b/private/file.te
index 5ff7768..0dcf254 100644
--- a/private/file.te
+++ b/private/file.te
@@ -9,3 +9,6 @@
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 8dfec78..3c24ce5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,6 +38,7 @@
/sdcard u:object_r:rootfs:s0
# SELinux policy files
+/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -45,14 +46,18 @@
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/vendor_service_contexts u:object_r:service_contexts_file:s0
/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
##########################
@@ -166,6 +171,7 @@
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
+/dev/v4l-touch[0-9]* u:object_r:input_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
@@ -179,6 +185,7 @@
#
/system(/.*)? u:object_r:system_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
@@ -206,6 +213,7 @@
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/incident_helper u:object_r:incident_helper_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
@@ -243,6 +251,7 @@
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
@@ -322,6 +331,11 @@
#############################
+# Product files
+#
+/(product|system/product)(/.*)? u:object_r:system_file:s0
+
+#############################
# Data files
#
# NOTE: When modifying existing label rules, changes may also need to
@@ -349,6 +363,7 @@
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/traces(/.*)? u:object_r:trace_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
@@ -382,6 +397,7 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
diff --git a/private/fsck.te b/private/fsck.te
index 3a36329..f8e09b6 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,5 @@
typeattribute fsck coredomain;
init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1fddb6e..8f0d489 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
@@ -65,6 +66,7 @@
genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -76,6 +78,7 @@
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
@@ -127,6 +130,7 @@
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 661e2ae..96233fc 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@
android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
@@ -32,10 +33,12 @@
android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
diff --git a/private/incident.te b/private/incident.te
index b910dde..2038816 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -23,3 +23,5 @@
binder_call(incident, incidentd)
allow incident incidentd:fifo_file write;
+# only allow incident being called by shell
+neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };
diff --git a/private/incident_helper.te b/private/incident_helper.te
new file mode 100644
index 0000000..e9bb511
--- /dev/null
+++ b/private/incident_helper.te
@@ -0,0 +1,13 @@
+typeattribute incident_helper coredomain;
+
+type incident_helper_exec, exec_type, file_type;
+
+# switch to incident_helper domain for incident_helper command
+domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
+
+# use pipe to transmit data from/to incidentd/incident_helper for parsing
+allow incident_helper { shell incident incidentd }:fd use;
+allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+
+# only allow incidentd and shell to call incident_helper
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/private/incidentd.te b/private/incidentd.te
index 5810d9a..a887a61 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -1,21 +1,16 @@
typeattribute incidentd coredomain;
+typeattribute incidentd mlstrustedsubject;
init_daemon_domain(incidentd)
type incidentd_exec, exec_type, file_type;
binder_use(incidentd)
wakelock_use(incidentd)
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
-
# Allow incidentd to scan through /proc/pid for all processes
r_dir_file(incidentd, domain)
-allow incidentd self:global_capability_class_set {
- # Send signals to processes
- kill
-};
+# Allow incidentd to kill incident_helper when timeout
+allow incidentd incident_helper:process sigkill;
# Allow executing files on system, such as:
# /system/bin/toolbox
@@ -24,6 +19,22 @@
allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file rx_file_perms;
+# section id 2001, allow reading /proc/pagetypeinfo
+allow incidentd proc_pagetypeinfo:file r_file_perms;
+
+# section id 2002, allow reading /d/wakeup_sources
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
+
+# section id 2003, allow executing top
+allow incidentd proc_meminfo:file { open read };
+
+# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
+allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+
+# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
+allow incidentd sysfs_batteryinfo:dir { search };
+allow incidentd sysfs_batteryinfo:file r_file_perms;
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
@@ -33,7 +44,7 @@
# Signal java processes to dump their stack and get the results
# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir rw_dir_perms;
+# TODO allow incidentd anr_data_file:dir create_dir_perms;
# TODO allow incidentd anr_data_file:file create_file_perms;
# Signal native processes to dump their stack.
@@ -52,7 +63,7 @@
}:process signal;
# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, binderservicedomain)
+binder_call(incidentd, system_server)
binder_call(incidentd, appdomain)
# Reading /proc/PID/maps of other processes
@@ -62,7 +73,7 @@
allow incidentd shell_exec:file rx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
-# TODO read_logd(incidentd)
+userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
@@ -88,7 +99,14 @@
###
# only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+neverallow {
+ domain
+ -incident
+ -incidentd
+ -statsd
+ -system_app
+ -system_server
+} incident_service:service_manager find;
# only incidentd and the other root services in limited circumstances
# can get to the files in /data/misc/incidents
diff --git a/private/keystore.te b/private/keystore.te
index a9647c6..7f71028 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -5,6 +5,15 @@
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
# Offer the Wifi Keystore HwBinder service
typeattribute keystore wifi_keystore_service_server;
add_hwservice(keystore, system_wifi_keystore_hwservice)
+
+# Allow to check whether security logging is enabled.
+get_prop(keystore, device_logging_prop)
diff --git a/private/nfc.te b/private/nfc.te
index 56446f4..5e85672 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -24,6 +24,7 @@
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
set_prop(nfc, nfc_prop);
diff --git a/private/perfetto.te b/private/perfetto.te
new file mode 100644
index 0000000..389fdf4
--- /dev/null
+++ b/private/perfetto.te
@@ -0,0 +1,60 @@
+# Perfetto command-line client. Can be used only from the domains that are
+# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# This command line client accesses the privileged socket of the traced
+# daemon.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, exec_type, file_type;
+
+tmpfs_domain(perfetto);
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow to access binder to pass the traces to Dropbox.
+binder_use(perfetto)
+binder_call(perfetto, system_server)
+allow perfetto dropbox_service:service_manager find;
+
+# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
+# print out on stdout/stderr.
+allow perfetto statsd:fd use;
+allow perfetto statsd:fifo_file { getattr read write };
+allow perfetto shell:fd use;
+allow perfetto shell:fifo_file { getattr read write };
+
+# Allow to communicate use, read and write over the adb connection.
+allow perfetto adbd:fd use;
+allow perfetto adbd:unix_stream_socket { read write };
+
+# allow adbd to reap perfetto
+allow perfetto adbd:process { sigchld };
+
+# Allow to access /dev/pts when launched in an adb shell.
+allow perfetto devpts:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### perfetto should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow perfetto self:process execmem;
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
diff --git a/private/priv_app.te b/private/priv_app.te
index dcf7572..565aa4a 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -140,6 +140,7 @@
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app wifi_prop:file read;
dontaudit priv_app net_dns_prop:file read;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 76f2998..6efd59f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -99,6 +99,7 @@
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
diff --git a/private/secure_element.te b/private/secure_element.te
new file mode 100644
index 0000000..57f512b
--- /dev/null
+++ b/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
diff --git a/private/service_contexts b/private/service_contexts
index c1ea51a..71d4845 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -88,6 +88,7 @@
media.player u:object_r:mediaserver_service:s0
media.metrics u:object_r:mediametrics_service:s0
media.extractor u:object_r:mediaextractor_service:s0
+media.extractor.update u:object_r:mediaextractor_update_service:s0
media.codec u:object_r:mediacodec_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
@@ -133,6 +134,7 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
+secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
serial u:object_r:serial_service:s0
diff --git a/private/shell.te b/private/shell.te
index ded9d1f..7a7ebf4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -38,3 +38,12 @@
unix_socket_connect(shell, traced_producer, traced)
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
+
+# Allow shell binaries to exec the perfetto cmdline util and have that
+# transition into its own domain, so that it behaves consistently to
+# when exec()-d by statsd.
+domain_auto_trans(shell, perfetto_exec, perfetto)
+
+# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
+allow shell perfetto_traces_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_data_file:file r_file_perms;
diff --git a/private/statsd.te b/private/statsd.te
index fee1881..a51a547 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -28,6 +28,7 @@
# Allow statsd to make binder calls to any binder service.
binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
binder_call(statsd, incidentd)
binder_call(statsd, statscompanion_service)
binder_call(statsd, system_server)
@@ -36,16 +37,23 @@
read_logd(statsd)
control_logd(statsd)
-# Allow to control Perfetto traced and consume its traces.
-unix_socket_connect(statsd, traced_consumer, traced)
+# Allow to exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. It allows statsd to capture traces and hand them
+# to Android dropbox.
+allow statsd perfetto_exec:file rx_file_perms;
+domain_auto_trans(statsd, perfetto_exec, perfetto)
# Grant statsd with permissions to register the services.
allow statsd {
- statscompanion_service
app_api_service
+ incident_service
+ statscompanion_service
system_api_service
}:service_manager find;
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
# Only statsd can publish the binder service.
add_service(statsd, stats_service)
@@ -53,6 +61,10 @@
allow statsd stats:fd use;
allow statsd stats:fifo_file write;
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
# Allow statsd to call back to stats with status updates.
binder_call(statsd, stats)
@@ -80,7 +92,7 @@
# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
+neverallow { domain -statsd -init -vold } stats_data_file:file *;
# Limited access to the directory itself.
-neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
+neverallow { domain -statsd -init -vold } stats_data_file:dir *;
diff --git a/private/su.te b/private/su.te
index 6e7fc37..16e47bb 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,6 +13,9 @@
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/system_server.te b/private/system_server.te
index 2054d99..6ba98f5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -135,6 +135,7 @@
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
+allow system_server debugfs_wakeup_sources:file r_file_perms;
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -238,6 +239,7 @@
mediaserver
mediametrics
sdcardd
+ statsd
surfaceflinger
# This list comes from HAL_INTERFACES_OF_INTEREST in
@@ -369,6 +371,11 @@
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
+# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# binder.
+allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto:fd use;
+
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@@ -717,6 +724,7 @@
}:file r_file_perms;
allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
r_dir_file(system_server, rootfs)
@@ -745,6 +753,11 @@
allow system_server user_profile_data_file:dir { search };
allow system_server user_profile_data_file:file { getattr open read };
+userdebug_or_eng(`
+ # Allow system server to notify mediaextractor of the plugin update.
+ allow system_server mediaextractor_update_service:service_manager find;
+')
+
###
### Neverallow rules
###
@@ -813,4 +826,3 @@
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;
-
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 194a28f..539e8bc 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -2,6 +2,9 @@
userdebug_or_eng(`
app_domain(traceur_app);
- allow traceur_app debugfs_tracing:file r_file_perms;
+ allow traceur_app debugfs_tracing:file rw_file_perms;
+ allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+ allow traceur_app trace_data_file:file create_file_perms;
+ allow traceur_app trace_data_file:dir { add_name getattr search write };
allow traceur_app atrace_exec:file rx_file_perms;
')
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index a43f04c..5918f63 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -41,6 +41,15 @@
allow untrusted_app_all shell_data_file:file r_file_perms;
allow untrusted_app_all shell_data_file:dir r_dir_perms;
+# Allow traceur to pass file descriptors through a content provider to untrusted apps
+# for the purpose of sharing files through e.g. gmail
+allow untrusted_app_all trace_data_file:file { getattr read };
+
+# untrusted apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor
+neverallow untrusted_app_all trace_data_file:dir *;
+neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+
# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 5d97f72..50efc22 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -1,5 +1,3 @@
-typeattribute vendor_init coredomain;
-
# Creating files on sysfs is impossible so this isn't a threat
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
diff --git a/public/app.te b/public/app.te
index 582995a..3c29946 100644
--- a/public/app.te
+++ b/public/app.te
@@ -547,3 +547,6 @@
# Apps cannot access proc_uid_concurrent_policy_time
neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
diff --git a/public/attributes b/public/attributes
index 11ffd2e..77823cf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -32,6 +32,7 @@
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
+expandattribute core_data_file_type false;
# All types in /vendor
attribute vendor_file_type;
@@ -130,6 +131,7 @@
# All socket devices owned by core domain components
attribute coredomain_socket;
+expandattribute coredomain_socket false;
# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
@@ -209,6 +211,7 @@
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(configstore);
+hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(drm);
hal_attribute(cas);
@@ -228,6 +231,7 @@
hal_attribute(nfc);
hal_attribute(oemlock);
hal_attribute(power);
+hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
diff --git a/public/cameraserver.te b/public/cameraserver.te
index ebf0992..15a8244 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -53,6 +53,8 @@
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
allow cameraserver adbd:unix_stream_socket { read write };
+allow cameraserver shell:fd use;
+allow cameraserver shell:unix_stream_socket { read write };
# Allow shell commands from ADB for CTS testing/dumping
userdebug_or_eng(`
diff --git a/public/domain.te b/public/domain.te
index 76318ec..24514bf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -416,6 +416,7 @@
userdebug_or_eng(`-su')
-webview_zygote
-zygote
+ userdebug_or_eng(`-mediaextractor')
} {
file_type
-system_file
@@ -506,10 +507,12 @@
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } default_prop:property_service set;
+neverallow { domain -init -vendor_init } mmc_prop:property_service set;
compatible_property_only(`
+ neverallow { domain -init } default_prop:property_service set;
+ neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init -vendor_init } exported2_default_prop:property_service set;
neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
@@ -556,8 +559,14 @@
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
- { append link rename write open read ioctl lock };
+neverallow {
+ domain
+ -init
+ -recovery
+ -vold
+ -e2fs
+ -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
@@ -661,7 +670,6 @@
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
-full_treble_only(`
# Most general rules first, more specific rules below.
# Core domains are not permitted to initiate communications to vendor domain sockets.
@@ -669,6 +677,7 @@
# to obtain an already established socket via some public/official/stable API and then exchange
# data with its peer over that socket. The wire format in this scenario is dicatated by the API
# and thus does not break the core-vendor separation.
+full_treble_only(`
neverallow_establish_socket_comms({
coredomain
-init
@@ -678,7 +687,9 @@
-coredomain
-socket_between_core_and_vendor_violators
});
+')
# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
@@ -694,26 +705,34 @@
-incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
-tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
});
+')
# Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
-netdomain
-socket_between_core_and_vendor_violators
}, netd);
+')
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # appdomain restrictions below
+ -data_between_core_and_vendor_violators # b/70393317
-socket_between_core_and_vendor_violators
+ -vendor_init
} {
coredomain_socket
core_data_file_type
unlabeled # used only by core domains
}:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
neverallow {
appdomain
-coredomain
@@ -725,14 +744,15 @@
-pdx_endpoint_socket_type # used by VR layer
-pdx_channel_socket_type # used by VR layer
}:sock_file ~{ append getattr ioctl read write };
+')
# Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
neverallow {
coredomain
-init
-ueventd
-socket_between_core_and_vendor_violators
- -vendor_init
} {
file_type
dev_type
@@ -758,7 +778,6 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
- -vendor_init
} {
data_file_type
-core_data_file_type
@@ -768,7 +787,6 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
- -vendor_init
} {
data_file_type
-core_data_file_type
@@ -829,7 +847,6 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- -vendor_init
} vendor_app_file:dir { open read getattr search };
neverallow {
@@ -842,7 +859,6 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- -vendor_init
} vendor_app_file:{ file lnk_file } r_file_perms;
# Limit access to /vendor/overlay
@@ -854,7 +870,6 @@
-installd
-system_server
-zygote
- -vendor_init
} vendor_overlay_file:dir { getattr open read search };
neverallow {
@@ -865,7 +880,6 @@
-installd
-system_server
-zygote
- -vendor_init
} vendor_overlay_file:{ file lnk_file } r_file_perms;
# Non-vendor domains are not allowed to file execute shell
@@ -873,7 +887,6 @@
neverallow {
coredomain
-init
- -vendor_init
-shell
} vendor_shell_exec:file { execute execute_no_trans };
@@ -899,7 +912,6 @@
coredomain
-init
-system_executes_vendor_violators
- -vendor_init
} {
vendor_file_type
-same_process_hal_file
@@ -1031,7 +1043,6 @@
-system_server
-system_app
-init
- -vendor_init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
@@ -1209,6 +1220,31 @@
-ueventd
-crash_dump
-perfprofd
- -vendor_init
} vendor_file:file { create_file_perms x_file_perms };
')
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+neverallow {
+ domain
+ -dnsmasq
+ -dumpstate
+ -init
+ -installd
+ -install_recovery
+ -lmkd
+ -netd
+ -perfprofd
+ -postinstall_dexopt
+ -recovery
+ -sdcardd
+ -tee
+ -ueventd
+ -uncrypt
+ -vendor_init
+ -vold
+ -vold_prepare_subdirs
+ -zygote
+} self:capability dac_override;
+neverallow domain self:capability dac_read_search;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3a9701d..5f6e5f7 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -82,8 +82,14 @@
# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-# TODO: added to match above sysfs rule. Remove me?
-allow dumpstate sysfs_usb:file w_file_perms;
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+ sysfs_dm
+ sysfs_usb
+ sysfs_zram
+}:file r_file_perms;
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
@@ -113,8 +119,6 @@
hal_client_domain(dumpstate, hal_graphics_allocator)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
-# For passthrough mode:
-allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
# Reading /proc/PID/maps of other processes
allow dumpstate self:global_capability_class_set sys_ptrace;
@@ -153,15 +157,18 @@
# Read files in /proc
allow dumpstate {
+ proc_buddyinfo
proc_cmdline
proc_meminfo
+ proc_modules
proc_net
proc_pipe_conf
proc_pagetypeinfo
+ proc_qtaguid_stat
proc_version
proc_vmallocinfo
+ proc_vmstat
}:file r_file_perms;
-r_dir_file(dumpstate, proc)
# Read network state info files.
allow dumpstate net_data_file:dir search;
@@ -249,9 +256,6 @@
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;
-# read default labeled files in /sys
-r_dir_file(dumpstate, sysfs)
-
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
@@ -282,7 +286,3 @@
userdebug_or_eng(`-traceur_app')
-dumpstate
} dumpstate_service:service_manager find;
-
-# Dumpstate should not be writing to any generically labeled sysfs files.
-# Create a specific label for the file type
-neverallow dumpstate sysfs:file no_w_file_perms;
diff --git a/public/file.te b/public/file.te
index d668746..932ecbf 100644
--- a/public/file.te
+++ b/public/file.te
@@ -8,6 +8,7 @@
type proc_security, fs_type;
type proc_drop_caches, fs_type;
type proc_overcommit_memory, fs_type;
+type proc_min_free_order_shift, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -16,6 +17,7 @@
type proc_bluetooth_writable, fs_type;
type proc_abi, fs_type;
type proc_asound, fs_type;
+type proc_buddyinfo, fs_type;
type proc_cmdline, fs_type;
type proc_cpuinfo, fs_type;
type proc_dirty, fs_type;
@@ -54,6 +56,7 @@
type proc_uid_time_in_state, fs_type;
type proc_uid_concurrent_active_time, fs_type;
type proc_uid_concurrent_policy_time, fs_type;
+type proc_uid_cpupower, fs_type;
type proc_uptime, fs_type;
type proc_version, fs_type;
type proc_vmallocinfo, fs_type;
@@ -108,9 +111,10 @@
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type pstorefs, fs_type;
@@ -244,6 +248,7 @@
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
@@ -312,7 +317,7 @@
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
@@ -322,7 +327,7 @@
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/public/fsck.te b/public/fsck.te
index 7cc7e8b..c5219d8 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -44,7 +44,6 @@
neverallow fsck {
boot_block_device
frp_block_device
- metadata_block_device
recovery_block_device
root_block_device
swap_block_device
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
new file mode 100644
index 0000000..228e864
--- /dev/null
+++ b/public/hal_confirmationui.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
+allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
new file mode 100644
index 0000000..e3046d1
--- /dev/null
+++ b/public/hal_secure_element.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
+allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 09e3068..436ec68 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -8,6 +8,7 @@
type hal_broadcastradio_hwservice, hwservice_manager_type;
type hal_camera_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_confirmationui_hwservice, hwservice_manager_type;
type hal_contexthub_hwservice, hwservice_manager_type;
type hal_drm_hwservice, hwservice_manager_type;
type hal_cas_hwservice, hwservice_manager_type;
@@ -30,6 +31,7 @@
type hal_omx_hwservice, hwservice_manager_type;
type hal_power_hwservice, hwservice_manager_type;
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type;
type hal_sensors_hwservice, hwservice_manager_type;
type hal_telephony_hwservice, hwservice_manager_type;
type hal_tetheroffload_hwservice, hwservice_manager_type;
diff --git a/public/idmap.te b/public/idmap.te
index 1c32f8f..3f336a3 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -6,6 +6,9 @@
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file { getattr read write };
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
diff --git a/public/incident_helper.te b/public/incident_helper.te
new file mode 100644
index 0000000..bca1018
--- /dev/null
+++ b/public/incident_helper.te
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
diff --git a/public/init.te b/public/init.te
index ddbe323..c3e36ea 100644
--- a/public/init.te
+++ b/public/init.te
@@ -287,6 +287,7 @@
proc_extra_free_kbytes
proc_net
proc_max_map_count
+ proc_min_free_order_shift
proc_overcommit_memory
proc_panic
proc_page_cluster
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index f8e8a6b..44387fd 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -34,6 +34,18 @@
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };
+# scan extractor library directory to dynamically load extractors
+allow mediaextractor system_file:dir { read open };
+
+userdebug_or_eng(`
+ # Allow extractor to add update service.
+ add_service(mediaextractor, mediaextractor_update_service)
+
+ # Allow extractor to load media extractor plugins from update apk.
+ allow mediaextractor apk_data_file:dir search;
+ allow mediaextractor apk_data_file:file { execute open };
+')
+
###
### neverallow rules
###
@@ -60,4 +72,5 @@
neverallow mediaextractor {
data_file_type
-zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+ userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
}:file open;
diff --git a/public/property.te b/public/property.te
index 0578ed6..f5ca4d8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -116,6 +116,7 @@
}:file no_rw_file_perms;
compatible_property_only(`
+# Prevent properties from being set
neverallow {
domain
-coredomain
@@ -129,23 +130,47 @@
exported_dumpstate_prop
exported_ffs_prop
exported_fingerprint_prop
- exported_radio_prop
exported_system_prop
exported_system_radio_prop
exported_vold_prop
exported2_config_prop
exported2_default_prop
- exported2_radio_prop
exported2_system_prop
exported2_vold_prop
exported3_default_prop
exported3_system_prop
- }:file no_w_file_perms;
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
neverallow {
domain
-coredomain
-appdomain
+ -hal_nfc
+ -vendor_init
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported2_radio_prop
+ radio_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
-vendor_init
} {
core_property_type
diff --git a/public/secure_element.te b/public/secure_element.te
new file mode 100644
index 0000000..4ce6714
--- /dev/null
+++ b/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/public/service.te b/public/service.te
index 44c3ef6..e13b6d5 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,12 +16,14 @@
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
+type mediaextractor_update_service, service_manager_type;
type mediacodec_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type perfprofd_service, service_manager_type;
type radio_service, service_manager_type;
+type secure_element_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 719036c..32ad770 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -25,6 +25,10 @@
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { search getattr write remove_name };
allow shell profman_dump_data_file:file { getattr unlink };
diff --git a/public/su.te b/public/su.te
index 88065f6..fd90ebe 100644
--- a/public/su.te
+++ b/public/su.te
@@ -62,6 +62,7 @@
typeattribute su hal_bootctl_client;
typeattribute su hal_camera_client;
typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
typeattribute su hal_contexthub_client;
typeattribute su hal_drm_client;
typeattribute su hal_cas_client;
@@ -80,6 +81,7 @@
typeattribute su hal_nfc_client;
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
+ typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index ab08c62..46826d4 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -17,5 +17,7 @@
-vr_hwc_service
}:service_manager find;
+ dontaudit traceur_app service_manager_type:service_manager find;
+ dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
dontaudit traceur_app domain:binder call;
')
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 01e30a8..c56b45c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -33,127 +33,47 @@
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
-}:dir { create search getattr open read setattr ioctl };
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -system_ndebug_socket
- -unlabeled
- -vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init {
- file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
-runtime_event_log_tags_file
- -exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
+ -core_data_file_type
+ -exec_type
-system_file
-vendor_file_type
- -exec_type
- -vold_data_file
- -keystore_data_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
@@ -218,6 +138,19 @@
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
+not_compatible_property(`
+ set_prop(vendor_init, {
+ property_type
+ -restorecon_prop
+ -netd_stable_secret_prop
+ -firstboot_prop
+ -pm_prop
+ -system_boot_reason_prop
+ -bootloader_boot_reason_prop
+ -last_boot_reason_prop
+ })
+')
+
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
diff --git a/public/vold.te b/public/vold.te
index f754db7..a490e06 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -11,7 +11,7 @@
r_dir_file(vold, proc_net)
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
+allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;
@@ -89,9 +89,6 @@
allow vold domain:process { signal sigkill };
allow vold self:global_capability_class_set { sys_ptrace kill };
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
allow vold kmsg_device:chr_file rw_file_perms;
# Run fsck in the fsck domain.
diff --git a/public/wificond.te b/public/wificond.te
index 8eeb8c8..f4990b2 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -13,7 +13,7 @@
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
allow wificond self:global_capability_class_set { net_admin net_raw };
# allow wificond to speak to nl80211 in the kernel
allow wificond self:netlink_socket create_socket_perms_no_ioctl;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 275debb..ea9ba10 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -23,6 +23,10 @@
def TestVendorTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+def TestCoreDataTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor/",
+ "/data/vendor_ce/", "/data/vendor_de/"], "core_data_file_type")
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -40,7 +44,9 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = ["TestDataTypeViolators"]
+Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
+ "TestDebugfsTypeViolations", "TestVendorTypeViolations",
+ "TestCoreDataTypeViolations"]
if __name__ == '__main__':
usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
@@ -87,6 +93,8 @@
results += TestDebugfsTypeViolations(pol)
if options.test is None or "TestVendorTypeViolations" in options.test:
results += TestVendorTypeViolations(pol)
+ if options.test is None or "TestCoreDataTypeViolations" in options.test:
+ results += TestCoreDataTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 9f2526e..2f9e994 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -38,6 +38,7 @@
'postinstall_dexopt',
'recovery',
'system_server',
+ 'vendor_init',
}
coredomainWhitelist |= coreAppdomain
@@ -236,7 +237,7 @@
ret += "SELinux: The following types were found added to the policy "
ret += "without an entry into the compatibility mapping file(s) found "
ret += "in private/compat/" + compatMapping.apiLevel + "/"
- ret += compatMapping.apiLevel + "[.ignore].cil/n"
+ ret += compatMapping.apiLevel + "[.ignore].cil\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
diff --git a/tools/README b/tools/README
index 6035c03..5e340a0 100644
--- a/tools/README
+++ b/tools/README
@@ -3,6 +3,15 @@
available for help in auditing and analyzing policy. The tools are
described further below.
+build_policies.sh
+ A tool to build SELinux policy for multiple targets in parallel.
+ This is useful for quickly testing a new test or neverallow rule
+ on multiple targets.
+
+ Usage:
+ ./build_policies.sh ~/android/master ~/tmp/build_policies
+ ./build_policies.sh ~/android/master ~/tmp/build_policies sailfish-eng walleye-eng
+
checkfc
A utility for checking the validity of a file_contexts or a
property_contexts configuration file. Used as part of the policy
diff --git a/tools/build_policies.sh b/tools/build_policies.sh
new file mode 100755
index 0000000..77f0fc6
--- /dev/null
+++ b/tools/build_policies.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Ensure that GNU parallel is installed.
+# We use this to build multiple targets at the same time.
+if [[ -z $(command -v parallel) ]]; then
+ echo "Please install GNU Parallel."
+ exit
+fi
+
+if [[ $# -lt 2 ]]; then
+ echo "Usage: $0 <Android root directory> <output directory> [specific targets to build]"
+ exit
+fi
+
+android_root_dir=$1
+export out_dir=$2
+shift 2
+all_targets="$@"
+
+echo "Android tree: $android_root_dir"
+echo "Output directory: $out_dir"
+
+mkdir -p $out_dir
+
+cd $android_root_dir
+source build/envsetup.sh > /dev/null
+
+# Collect the list of targets by parsing the output of lunch.
+# TODO: This misses some targets.
+if [[ "$all_targets" = "" ]]; then
+ all_targets=`lunch 2>/dev/null <<< _ | grep "[0-9]" | sed 's/^.* //'`
+fi
+
+# Clean up targets by replacing eng with userdebug using non-aosp variants.
+declare -A targets_map
+for target in $all_targets; do
+ targets_map[$target]=$target
+done
+targets=""
+for target in $all_targets; do
+ clean_target=$(echo $target | sed 's/-eng/-userdebug/' | sed 's/aosp_//')
+ if [[ $clean_target != $target ]] && [[ ${targets_map[$clean_target]} == $clean_target ]]; then
+ echo "Ignoring $target in favor of $clean_target"
+ else
+ if [[ -z $targets ]]; then
+ targets=$target
+ else
+ targets="$targets $target"
+ fi
+ fi
+done
+
+# Calculate the number of targets to build at once.
+# This heuristic could probably be improved.
+cores=$(nproc --all)
+num_targets=$(echo "$targets" | sed 's/ /\n/g' | wc -l)
+parallel_jobs=$(expr $cores / 2)
+if [[ $num_targets -lt $parallel_jobs ]]; then
+ export mmma_jobs=$(expr $cores / $num_targets \* 2)
+else
+ export mmma_jobs=4
+fi
+
+echo "$num_targets target(s): $(echo $targets | paste -sd' ')"
+
+compile_target () {
+ target=$1
+ source build/envsetup.sh > /dev/null
+ lunch $target &> /dev/null
+ # Some targets can't lunch properly.
+ if [ $? -ne 0 ]; then
+ echo "$target cannot be lunched"
+ return 1
+ fi
+ my_out_file="$out_dir/log.$target"
+ rm -f $my_out_file
+ # Build the policy.
+ OUT_DIR=$out_dir/out.$target mmma -j$mmma_jobs system/sepolicy &>> $my_out_file
+ if [ $? -ne 0 ]; then
+ echo "$target failed to build"
+ return 2
+ fi
+ return 0
+}
+export -f compile_target
+
+parallel --no-notice -j $parallel_jobs --bar --joblog $out_dir/joblog compile_target ::: $targets
+
+echo "Failed to lunch: $(grep "\s1\s0\scompile_target" $out_dir/joblog | sed 's/^.* //' | sort | paste -sd' ')"
+echo "Failed to build: $(grep "\s2\s0\scompile_target" $out_dir/joblog | sed 's/^.* //' | sort | paste -sd' ')"
diff --git a/vendor/bug_map b/vendor/bug_map
index 708e32e..e69de29 100644
--- a/vendor/bug_map
+++ b/vendor/bug_map
@@ -1 +0,0 @@
-system_server vendor_framework_file dir 67860706
diff --git a/vendor/file.te b/vendor/file.te
index 3350b1e..6bebfb5 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,2 @@
# Socket types
-type hostapd_socket, file_type, data_file_type;
+type hostapd_socket, file_type, data_file_type, core_data_file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b4961d7..cdaf695 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,6 +9,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
@@ -26,9 +27,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
diff --git a/vendor/hal_confirmationui_default.te b/vendor/hal_confirmationui_default.te
new file mode 100644
index 0000000..832c687
--- /dev/null
+++ b/vendor/hal_confirmationui_default.te
@@ -0,0 +1,5 @@
+type hal_confirmationui_default, domain;
+hal_server_domain(hal_confirmationui_default, hal_confirmationui)
+
+type hal_confirmationui_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_confirmationui_default)
diff --git a/vendor/hal_radio_config_default.te b/vendor/hal_radio_config_default.te
new file mode 100644
index 0000000..ccbe5bf
--- /dev/null
+++ b/vendor/hal_radio_config_default.te
@@ -0,0 +1,6 @@
+type hal_radio_config_default, domain;
+hal_server_domain(hal_radio_config_default, hal_telephony)
+
+type hal_radio_config_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_config_default)
+
diff --git a/vendor/hal_secure_element_default.te b/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000..86fe0b9
--- /dev/null
+++ b/vendor/hal_secure_element_default.te
@@ -0,0 +1,5 @@
+type hal_secure_element_default, domain;
+hal_server_domain(hal_secure_element_default, hal_secure_element)
+type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_secure_element_default)