Merge "Fix zipfuse race condition"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 64e14e2..5555469 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -81,6 +81,7 @@
 		"android.hardware.security.sharedsecret.ISharedSecret/default":            []string{},
 		"android.hardware.sensors.ISensors/default":                               []string{},
 		"android.hardware.soundtrigger3.ISoundTriggerHw/default":                  []string{},
+		"android.hardware.thermal.IThermal/default":                               []string{},
 		"android.hardware.tv.input.ITvInput/default":                              []string{},
 		"android.hardware.tv.tuner.ITuner/default":                                []string{},
 		"android.hardware.usb.IUsb/default":                                       []string{},
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
index b117d0c..8ec131c 100644
--- a/microdroid/system/private/compos_key_helper.te
+++ b/microdroid/system/private/compos_key_helper.te
@@ -6,11 +6,10 @@
 # Block crash dumps to ensure the secrets are not leaked.
 typeattribute compos_key_helper no_crash_dump_domain;
 
-# Allow using DICE binder service
+# Allow use of vm_payload_binder_service
 binder_use(compos_key_helper);
-allow compos_key_helper dice_node_service:service_manager find;
-binder_call(compos_key_helper, dice_service);
-allow compos_key_helper dice_service:diced { get_attestation_chain derive };
+allow compos_key_helper vm_payload_binder_service:service_manager find;
+binder_call(compos_key_helper, microdroid_manager);
 
 # Communicate with compos via stdin/stdout pipes
 allow compos_key_helper compos:fd use;
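Review bot: With the `diced` class rule gone, nothing in policy limits which operations compos_key_helper can invoke once it holds `binder_call(compos_key_helper, microdroid_manager)`. The removed `allow compos_key_helper dice_service:diced { get_attestation_chain derive };` expressed that limit per operation. The same holds for the `microdroid_payload` rules added in microdroid_payload.te, which open the service to every payload domain. The comment should record where the check now lives, e.g. `# Allow use of vm_payload_binder_service; per-method access control is enforced by microdroid_manager, not by policy`. It is also worth confirming the service exposes nothing a payload should not reach, such as an equivalent of the `demote_self` operation that only microdroid_manager held before.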
diff --git a/microdroid/system/private/dice_service.te b/microdroid/system/private/dice_service.te
deleted file mode 100644
index 341108c..0000000
--- a/microdroid/system/private/dice_service.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type dice_service, domain, coredomain;
-type dice_service_exec, system_file_type, exec_type, file_type;
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute dice_service no_crash_dump_domain;
-
-# dice_service can be started by init.
-init_daemon_domain(dice_service)
-
-# dice_service hosts AIDL services.
-binder_use(dice_service)
-binder_service(dice_service)
-add_service(dice_service, dice_node_service)
-add_service(dice_service, dice_maintenance_service)
-
-# dice_service can check SELinux permissions.
-selinux_check_access(dice_service)
-
-# dice_service is using bootstrap bionic.
-use_bootstrap_libs(dice_service)
-
-# Read config from the device tree and open-dice driver.
-allow dice_service sysfs_dt_avf:file r_file_perms;
-allow dice_service open_dice_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index a81bdc1..8406e55 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -105,7 +105,6 @@
 /system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/dice-service.microdroid		u:object_r:dice_service_exec:s0
 /system/bin/servicemanager.microdroid	u:object_r:servicemanager_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index d9d533a..d26154a 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -8,10 +8,3 @@
 
 type microdroid_app, domain, coredomain, microdroid_payload;
 type microdroid_app_exec, exec_type, file_type, system_file_type;
-
-# Talk to binder services (for dice_service)
-binder_use(microdroid_app);
-
-allow microdroid_app dice_node_service:service_manager find;
-binder_call(microdroid_app, dice_service);
-allow microdroid_app dice_service:diced { get_attestation_chain derive };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 694f34e..d5b61dc 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -20,6 +20,12 @@
 # microdroid_manager can query AVF flags in the device tree
 allow microdroid_manager sysfs_dt_avf:file r_file_perms;
 
+# Read config from the open-dice driver.
+allow microdroid_manager open_dice_device:chr_file rw_file_perms;
+
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute microdroid_manager no_crash_dump_domain;
+
 # Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
 # requires sys_admin cap as well.
 allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
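Review bot: The comment on the new open_dice_device rule says "Read config", but the rule grants `rw_file_perms`. If microdroid_manager only reads from the driver, `allow microdroid_manager open_dice_device:chr_file r_file_perms;` would be the least-privilege form. If it does write to the device, the comment should say what for, e.g. `# Read DICE secrets from the open-dice driver; write access is needed to <purpose>`. The wording appears to be carried over from the deleted dice_service.te, which had the same mismatch.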
@@ -45,11 +51,11 @@
 # microdroid_manager is using bootstrap bionic
 use_bootstrap_libs(microdroid_manager)
 
-# microdroid_manager can talk to dice_service over binder
+# microdroid_manager hosts binder services.
 binder_use(microdroid_manager)
-binder_call(microdroid_manager, dice_service)
-allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
-allow microdroid_manager dice_service:diced { derive demote_self };
+
+# microdroid_manager can add virtual_machine_payload_service
+add_service(microdroid_manager, vm_payload_binder_service)
 
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 4ea187b..851a85a 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -47,3 +47,7 @@
 # Read and write files authfs-proxied files.
 allow microdroid_payload authfs_fuse:dir rw_dir_perms;
 allow microdroid_payload authfs_fuse:file create_file_perms;
+
+# Allow use of virtual_machine_payload_service.
+allow microdroid_payload vm_payload_binder_service:service_manager find;
+binder_call(microdroid_payload, microdroid_manager)
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 76bae22..2abd7e3 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,6 +1,5 @@
 adb                                       u:object_r:adb_service:s0
-android.security.dice.IDiceMaintenance    u:object_r:dice_maintenance_service:s0
-android.security.dice.IDiceNode           u:object_r:dice_node_service:s0
+virtual_machine_payload_service           u:object_r:vm_payload_binder_service:s0
 apexservice                               u:object_r:apex_service:s0
 authfs_service                            u:object_r:authfs_binder_service:s0
 manager                                   u:object_r:service_manager_service:s0
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index b4c49c8..dbdafaf 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -3,9 +3,7 @@
 type apex_service, service_manager_type;
 type authfs_binder_service, service_manager_type;
 type default_android_service, service_manager_type;
-type dice_maintenance_service,  service_manager_type;
-type dice_node_service,         service_manager_type;
-type hal_dice_service, service_manager_type;
+type vm_payload_binder_service, service_manager_type;
 type service_manager_service, service_manager_type;
 type system_linker;
 type vm_payload_key;
diff --git a/prebuilts/api/33.0/private/app_zygote.te b/prebuilts/api/33.0/private/app_zygote.te
index 8a62341..8aa288e 100644
--- a/prebuilts/api/33.0/private/app_zygote.te
+++ b/prebuilts/api/33.0/private/app_zygote.te
@@ -159,6 +159,7 @@
 neverallow app_zygote {
   domain
   -app_zygote
+  -prng_seeder
   userdebug_or_eng(`-su')
   userdebug_or_eng(`-heapprofd')
   userdebug_or_eng(`-traced_perf')
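Review bot: The `-prng_seeder` exemption is added to this neverallow with no explanation, whereas the matching exemption in private/domain.te carries `# Any process using libcrypto needs this`. The same applies to the bare `-prng_seeder` entries added in public/hal_configstore.te and public/vendor_init.te. A trailing comment such as `-prng_seeder # libcrypto connects to the PRNG seeder socket for seed data` would keep each exemption self-explanatory for later audits. The neverallow statement continues past the end of the hunk, so the permissions it restricts are not visible here.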
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index c1fc736..b5aa501 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -61,6 +61,7 @@
     persist_wm_debug_prop
     proc_watermark_boost_factor
     proc_watermark_scale_factor
+    prng_seeder
     remotelyprovisionedkeypool_service
     resources_manager_service
     rootdisk_sysdev
diff --git a/prebuilts/api/33.0/private/domain.te b/prebuilts/api/33.0/private/domain.te
index 2ef688c..bcb9d52 100644
--- a/prebuilts/api/33.0/private/domain.te
+++ b/prebuilts/api/33.0/private/domain.te
@@ -112,6 +112,9 @@
 # Allow all processes to check for the existence of the boringssl_self_test_marker files.
 allow domain boringssl_self_test_marker:dir search;
 
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
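Review bot: `unix_socket_connect(domain, prng_seeder, prng_seeder)` makes the daemon reachable from every domain, including the least trusted ones, so its safety rests on the daemon never acting on client-supplied data. The comment should record that contract rather than only the grant, e.g. `# Allow all processes to connect to PRNG seeder daemon. The daemon only writes entropy to the client and must not parse anything a client sends.` That matches the design described in the header of private/prng_seeder.te in this change.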
@@ -496,6 +499,7 @@
     -logd # Logging by writing to logd Unix domain socket is public API
     -netd # netdomain needs this
     -mdnsd # netdomain needs this
+    -prng_seeder # Any process using libcrypto needs this
     userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
     -init
     -tombstoned # linker to tombstoned
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index c4ee2aa..cf9ea02 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -115,3 +115,8 @@
 # /dev/selinux/test - used to verify that apex sepolicy is loaded and
 # property labeled.
 type sepolicy_test_file, file_type;
+
+# Filesystem entry for for PRNG seeder socket.  Processes require
+# write permission on this to connect, and needs to be mlstrustedobject
+# in to satisfy MLS constraints for trusted domains.
+type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
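Review bot: The comment on `prng_seeder_socket` has a doubled word and a dropped one ("entry for for", "in to satisfy"), which obscures the MLS rationale for marking a world-connectable socket `mlstrustedobject`. Suggested wording: `# Filesystem entry for PRNG seeder socket. Processes require write permission on this to connect, and it needs to be mlstrustedobject in order to satisfy MLS constraints for trusted domains.`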
diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
index e21c18c..65baa5d 100644
--- a/prebuilts/api/33.0/private/file_contexts
+++ b/prebuilts/api/33.0/private/file_contexts
@@ -149,6 +149,7 @@
 /dev/socket/pdx/system/vr/display/manager	u:object_r:pdx_display_manager_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display/screenshot	u:object_r:pdx_display_screenshot_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display/vsync	u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/prng_seeder	u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/recovery    u:object_r:recovery_socket:s0
@@ -220,6 +221,7 @@
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/system/bin/prng_seeder		u:object_r:prng_seeder_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
 /system/bin/canhalconfigurator  u:object_r:canhalconfigurator_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
diff --git a/prebuilts/api/33.0/private/init.te b/prebuilts/api/33.0/private/init.te
index 997a184..17e25f8 100644
--- a/prebuilts/api/33.0/private/init.te
+++ b/prebuilts/api/33.0/private/init.te
@@ -108,6 +108,9 @@
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
+
 # Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
 # attempt to write a non exisiting 'synthetic_events' file, when setting
 # up synthetic events. This is a no-op in tracefs.
diff --git a/prebuilts/api/33.0/private/prng_seeder.te b/prebuilts/api/33.0/private/prng_seeder.te
new file mode 100644
index 0000000..299e37b
--- /dev/null
+++ b/prebuilts/api/33.0/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random.  When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect.  No other IO is performed.
+typeattribute prng_seeder coredomain;
+
+# mlstrustedsubject required in order to allow connections from trusted app domains.
+typeattribute prng_seeder mlstrustedsubject;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
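Review bot: The header says the daemon writes a block of entropy and performs "No other IO", yet the socket rule grants `read` and `getattr` in addition to `write` and `accept`. If `read` is only needed for polling the listening socket, say so next to the rule, as the crosvm.te hunk in this change does, e.g. `# read, getattr: listener socket polling; accept: new connections; write: sending entropy`. If it is not needed, dropping it would let policy enforce the write-only design for a socket every domain can connect to. The `kmsg_debug_device` rule also has no comment (presumably logging).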
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index 8e1fcf7..de529f5 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -421,6 +421,7 @@
 # Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
+  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
   -shell # For CTS, restricted to just getattr in shell.te
   -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;
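Review bot: The context comment above this neverallow, "Only the kernel hwrng thread should be able to read from the HW RNG", is no longer accurate once `-prng_seeder` is exempted. It should be updated, e.g. `# Only the kernel hwrng thread and the PRNG seeder daemon should be able to read from the HW RNG.` The exemption also covers every permission on `hw_random_device:chr_file`, while private/prng_seeder.te grants only `{ read open }`. A companion rule such as `neverallow prng_seeder hw_random_device:chr_file ~{ read open };` could pin that, in the same spirit as the shell exemption being documented as limited to getattr.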
diff --git a/prebuilts/api/33.0/public/hal_configstore.te b/prebuilts/api/33.0/public/hal_configstore.te
index 069da47..23b04c9 100644
--- a/prebuilts/api/33.0/public/hal_configstore.te
+++ b/prebuilts/api/33.0/public/hal_configstore.te
@@ -31,6 +31,7 @@
   domain
   -hal_configstore_server
   -logd
+  -prng_seeder
   userdebug_or_eng(`-su')
   -tombstoned
   userdebug_or_eng(`-heapprofd')
diff --git a/prebuilts/api/33.0/public/prng_seeder.te b/prebuilts/api/33.0/public/prng_seeder.te
new file mode 100644
index 0000000..7438452
--- /dev/null
+++ b/prebuilts/api/33.0/public/prng_seeder.te
@@ -0,0 +1,2 @@
+# PRNG seeder daemon
+type prng_seeder, domain;
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index 57df54c..1e221ae 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -281,7 +281,8 @@
 ###
 
 # Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+neverallow_establish_socket_comms(vendor_init, {
+    domain -init -logd -prng_seeder -su -vendor_init });
 
 # The vendor_init domain is only entered via an exec based transition from the
 # init domain, never via setcon().
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 121daeb..39a4bdc 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -13,6 +13,7 @@
     devicelock_service
     hal_bootctl_service
     hal_remoteaccess_service
+    hal_thermal_service
     hal_tv_input_service
     healthconnect_service
     keystore_config_prop
diff --git a/private/crosvm.te b/private/crosvm.te
index f3fc9a8..034107f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -38,6 +38,12 @@
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;
 
+# Let crosvm access its control socket as created by VS.
+#   read, write, getattr: listener socket polling
+#   accept: listener socket accepting new connection
+# Note that the open permission is not given as the socket is passed by FD.
+allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr };
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 64b595d..a26726d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -27,6 +27,7 @@
 set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 set_prop(flags_health_check, device_config_memory_safety_native_prop)
+set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/keystore.te b/private/keystore.te
index 8e681b1..b69477c 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,9 @@
 # Allow keystore to check if the system is rkp only.
 get_prop(keystore, remote_prov_prop)
 
+# Allow keystore to check rkpd feature flags
+get_prop(keystore, device_config_remote_key_provisioning_native_prop)
+
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 
diff --git a/private/property.te b/private/property.te
index 61144be..cac04d3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -5,6 +5,7 @@
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_mglru_native_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_remote_key_provisioning_native_prop)
 system_internal_prop(device_config_statsd_native_prop)
 system_internal_prop(device_config_statsd_native_boot_prop)
 system_internal_prop(device_config_storage_native_boot_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 515c007..d1a4ecf 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -255,6 +255,7 @@
 persist.device_config.netd_native.                  u:object_r:device_config_netd_native_prop:s0
 persist.device_config.nnapi_native.                 u:object_r:device_config_nnapi_native_prop:s0
 persist.device_config.profcollect_native_boot.      u:object_r:device_config_profcollect_native_boot_prop:s0
+persist.device_config.remote_key_provisioning_native.  u:object_r:device_config_remote_key_provisioning_native_prop:s0
 persist.device_config.runtime_native.               u:object_r:device_config_runtime_native_prop:s0
 persist.device_config.runtime_native_boot.          u:object_r:device_config_runtime_native_boot_prop:s0
 persist.device_config.statsd_native.                u:object_r:device_config_statsd_native_prop:s0
diff --git a/private/rkpd.te b/private/rkpd.te
index d75638a..45e3e8d 100644
--- a/private/rkpd.te
+++ b/private/rkpd.te
@@ -12,4 +12,4 @@
 add_service(rkpd, rkpd_registrar_service)
 add_service(rkpd, rkpd_refresh_service)
 
-
+get_prop(rkpd, device_config_remote_key_provisioning_native_prop)
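Review bot: The new `get_prop(rkpd, device_config_remote_key_provisioning_native_prop)` has no comment, while the equivalent rule added to keystore.te in this change is documented. A line such as `# Allow rkpd to check its feature flags` above it would keep the two files consistent and make the reason for the property read clear.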
diff --git a/private/service_contexts b/private/service_contexts
index fe4e021..7d980f2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -66,6 +66,7 @@
 android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0
 android.hardware.sensors.ISensors/default                            u:object_r:hal_sensors_service:s0
 android.hardware.soundtrigger3.ISoundTriggerHw/default               u:object_r:hal_audio_service:s0
+android.hardware.thermal.IThermal/default                            u:object_r:hal_thermal_service:s0
 android.hardware.tv.tuner.ITuner/default                             u:object_r:hal_tv_tuner_service:s0
 android.hardware.tv.input.ITvInput/default                           u:object_r:hal_tv_input_service:s0
 android.hardware.usb.IUsb/default                                    u:object_r:hal_usb_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index eb1e46a..375158f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -755,6 +755,7 @@
 set_prop(system_server, device_config_vendor_system_native_boot_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
 set_prop(system_server, device_config_memory_safety_native_prop)
+set_prop(system_server, device_config_remote_key_provisioning_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
 
 # Allow query ART device config properties
@@ -1288,6 +1289,7 @@
   device_config_runtime_native_prop
   device_config_media_native_prop
   device_config_mglru_native_prop
+  device_config_remote_key_provisioning_native_prop
   device_config_storage_native_boot_prop
   device_config_surface_flinger_native_boot_prop
   device_config_sys_traced_prop
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 9ae5308..6e6b459 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -29,6 +29,9 @@
 allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
 
+# Let virtualizationservice manage crosvm control sockets.
+allow virtualizationservice virtualizationservice_data_file:sock_file create_file_perms;
+
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
 allow virtualizationservice adbd:fd use;
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index 2115da1..13fed00 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -3,3 +3,8 @@
 binder_call(hal_thermal_server, hal_thermal_client)
 
 hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
+hal_attribute_service(hal_thermal, hal_thermal_service)
+
+add_service(hal_thermal_server, hal_thermal_service)
+binder_call(hal_thermal_server, servicemanager)
+binder_call(hal_thermal_client, servicemanager)
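Review bot: `add_service(hal_thermal_server, hal_thermal_service)` looks redundant next to `hal_attribute_service(hal_thermal, hal_thermal_service)`. Assuming the usual te_macros definition, that macro already grants the server add and the client find on the service type. If so, the explicit line can be dropped, leaving the attribute macro and the two `binder_call(..., servicemanager)` lines. The new block also has no comment; something like `# AIDL thermal HAL service` above it would separate it from the HIDL `hal_attribute_hwservice` line.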
diff --git a/public/service.te b/public/service.te
index 25b0731..70ddf94 100644
--- a/public/service.te
+++ b/public/service.te
@@ -305,6 +305,7 @@
 type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
 type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
 type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
+type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
 type hal_usb_service, protected_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ceb1492..c214f4e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -92,6 +92,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example       u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service        u:object_r:hal_tv_cec_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service      u:object_r:hal_tv_input_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example  u:object_r:hal_tv_input_default_exec:s0