Merge "Allow vold to check apex files"
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 1598afd..d2a8626 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -4,5 +4,6 @@
(/.*)? u:object_r:system_file:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index e47402f..a0e9ea0 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -4,5 +4,6 @@
(/.*)? u:object_r:system_file:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 5b21d41..e07bbf0 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -382,11 +382,13 @@
var apiFiles android.Paths
ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
- i, ok := c.(interface{ CurrentSyspropApiFile() android.Path })
+ i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
if !ok {
panic(fmt.Errorf("unknown dependency %q for %q", ctx.OtherModuleName(c), ctx.ModuleName()))
}
- apiFiles = append(apiFiles, i.CurrentSyspropApiFile())
+ if api := i.CurrentSyspropApiFile(); api.Valid() {
+ apiFiles = append(apiFiles, api.Path())
+ }
})
// check compatibility with sysprop_library
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
index 9620b75..71a72b4 100644
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@@ -625,6 +625,7 @@
/data/incremental(/.*)? u:object_r:apk_data_file:s0
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
#############################
# Expanded data files
diff --git a/private/apexd.te b/private/apexd.te
index 417504b..c3da0fe 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -12,6 +12,8 @@
allow apexd apex_metadata_file:file create_file_perms;
# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_art_data_file:file { create_file_perms relabelto };
allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
allow apexd apex_permission_data_file:file { create_file_perms relabelto };
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/app.te b/private/app.te
index dacea29..c635aed 100644
--- a/private/app.te
+++ b/private/app.te
@@ -62,3 +62,29 @@
# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)
+
+# Allow font file read by apps.
+allow appdomain font_data_file:file r_file_perms;
+allow appdomain font_data_file:dir r_dir_perms;
+
+# Read /data/misc/apexdata/com.android.art
+allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
+allow appdomain apex_art_data_file:file r_file_perms;
+
+# Sensitive app domains are not allowed to execute from /data
+# to prevent persistence attacks and ensure all code is executed
+# from read-only locations.
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 954f863..b2e5992 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,7 +4,7 @@
typeattribute bpfloader coredomain;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:dir { create search write add_name };
allow bpfloader fs_bpf:file { create setattr read };
# Allow bpfloader to create bpf maps and programs.
@@ -18,7 +18,7 @@
# TODO: get rid of init & vendor_init
neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
-neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow { domain -bpfloader } fs_bpf:dir { create write add_name };
neverallow domain fs_bpf:dir { reparent rename rmdir };
# TODO: get rid of init & vendor_init
diff --git a/private/bug_map b/private/bug_map
index a404de3..5b042ae 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -11,7 +11,6 @@
init shell_data_file lnk_file b/77873135
init shell_data_file sock_file b/77873135
init system_data_file chr_file b/77873135
-installd device file b/177187042
isolated_app privapp_data_file dir b/119596573
isolated_app app_data_file dir b/120394782
mediaextractor app_data_file file b/77923736
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 6c95364..a2ae272 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2000,7 +2000,7 @@
(typeattributeset surfaceflinger_service_30_0 (surfaceflinger_service))
(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
(typeattributeset swap_block_device_30_0 (swap_block_device))
-(typeattributeset sysfs_30_0 (sysfs))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 2f154cd..dc679d1 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,8 @@
ab_update_gki_prop
adbd_config_prop
apc_service
+ apex_art_data_file
+ apex_art_staging_data_file
apex_info_file
arm64_memtag_prop
authorization_service
@@ -24,29 +26,36 @@
dumpstate_tmpfs
framework_watchdog_config_prop
game_service
+ font_data_file
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
hal_authsecret_service
hal_audiocontrol_service
hal_face_service
hal_fingerprint_service
+ hal_health_storage_service
hal_memtrack_service
hal_oemlock_service
gnss_device
hal_dumpstate_config_prop
hal_gnss_service
hal_keymint_service
+ hal_neuralnetworks_service
hal_power_stats_service
+ hal_weaver_service
keystore_compat_hal_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
+ media_communication_service
mediatuner_exec
mediatuner_service
mediatuner
mediatranscoding_tmpfs
music_recognition_service
nfc_logs_data_file
+ odrefresh
+ odrefresh_exec
people_service
persist_vendor_debug_wifi_prop
power_debug_prop
@@ -58,13 +67,17 @@
profcollectd_exec
profcollectd_service
radio_core_data_file
+ reboot_readiness_service
+ resolver_service
search_ui_service
shell_test_data_file
smartspace_service
snapuserd
snapuserd_exec
snapuserd_socket
+ speech_recognition_service
sysfs_devices_cs_etm
+ sysfs_uhid
system_server_dumper_service
system_suspend_control_internal_service
task_profiles_api_file
diff --git a/private/coredomain.te b/private/coredomain.te
index 516b49c..4209ac7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -22,6 +22,7 @@
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)
# TODO(b/170590987): remove this after cleaning up default_prop
diff --git a/private/crash_dump.te b/private/crash_dump.te
index f130327..616f00c 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -47,3 +47,7 @@
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
+
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 50e43ad..27e4b0c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -32,6 +32,21 @@
# the framework.
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
+# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
+allow dex2oat apex_module_data_file:dir search;
+
+# Allow dex2oat to use file descriptors passed from odrefresh.
+allow dex2oat odrefresh:fd use;
+
+# Allow dex2oat to write to file descriptors from odrefresh for files
+# in the staging area.
+allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
+allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
+
+# Allow dex2oat to read artifacts from odrefresh.
+allow dex2oat apex_art_data_file:dir r_dir_perms;
+allow dex2oat apex_art_data_file:file r_file_perms;
+
##################
# A/B OTA Dexopt #
##################
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index b8b7b30..d5728d1 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -14,12 +14,21 @@
# processes.
tmpfs_domain(dexoptanalyzer)
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
+# Allow dexoptanalyzer to read files in the dalvik cache.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+# Allow dexoptanalyzer to read files in the ART APEX data directory.
+allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
+allow dexoptanalyzer apex_art_data_file:file r_file_perms;
+
+# Allow dexoptanalyzer to use file descriptors from odrefresh.
+allow dexoptanalyzer odrefresh:fd use;
+
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
diff --git a/private/domain.te b/private/domain.te
index e6b26f4..062a51e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -271,6 +271,40 @@
-otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
+# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
+# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
+neverallow {
+ domain
+ # art processes
+ -odrefresh
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ # art processes
+ -odrefresh
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:dir no_w_dir_perms;
+
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -appdomain
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
diff --git a/private/file.te b/private/file.te
index 1a53c33..87443ef 100644
--- a/private/file.te
+++ b/private/file.te
@@ -35,3 +35,12 @@
# /data/misc/profcollectd
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.art
+type apex_art_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.art/staging
+type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/font/files
+type font_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index d361fd7..89c67fc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -551,10 +551,12 @@
# to avoid restorecon conflicts
/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
+/data/fonts/files(/.*)? u:object_r:font_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
@@ -667,6 +669,7 @@
/data/incremental(/.*)? u:object_r:apk_data_file:s0
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
#############################
# Expanded data files
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 900b25b..ecde711 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -140,6 +140,7 @@
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
+genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
@@ -158,6 +159,7 @@
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 50039c2..d34830c 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -41,6 +41,7 @@
# executables/libraries/etc to do stack unwinding.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
diff --git a/private/incidentd.te b/private/incidentd.te
index 0731dec..eda55e3 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -136,6 +136,8 @@
allow incidentd system_file:file lock;
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd apex_module_data_file:dir r_dir_perms;
+dontaudit incidentd apex_art_data_file:dir r_dir_perms;
dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
index 96b7bc2..5acb262 100644
--- a/private/iorap_inode2filename.te
+++ b/private/iorap_inode2filename.te
@@ -1,6 +1,8 @@
typeattribute iorap_inode2filename coredomain;
# Grant access to open most of the files under /
+allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
+allow iorap_inode2filename apex_data_file:file { getattr };
allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
allow iorap_inode2filename dalvikcache_data_file:file { getattr };
allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index b2f6cea..5f4a943 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -24,6 +24,7 @@
allow mediatranscoding mediametrics_service:service_manager find;
allow mediatranscoding mediaextractor_service:service_manager find;
allow mediatranscoding package_native_service:service_manager find;
+allow mediatranscoding thermal_service:service_manager find;
allow mediatranscoding system_server:fd use;
allow mediatranscoding activity_service:service_manager find;
diff --git a/private/odrefresh.te b/private/odrefresh.te
new file mode 100644
index 0000000..c1ccc38
--- /dev/null
+++ b/private/odrefresh.te
@@ -0,0 +1,32 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+
+# Allow odrefresh to create files and directories for on device signing.
+allow odrefresh apex_module_data_file:dir { getattr search };
+allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow odrefresh apex_art_data_file:file { open create write read getattr unlink };
+
+# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
+# sets up files here and passes file descriptors for dex2oat to write to.
+allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow odrefresh apex_art_staging_data_file:file create_file_perms;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Do not audit unused resources from parent processes (adb, shell, su).
+# These appear to be unnecessary for odrefresh.
+dontaudit odrefresh { adbd shell }:fd use;
+dontaudit odrefresh devpts:chr_file rw_file_perms;
+dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
+
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
diff --git a/private/priv_app.te b/private/priv_app.te
index dde8f09..9fd319f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -72,6 +72,8 @@
# in progress.
allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
+# Required to traverse the parent dir (/data/misc/perfetto-traces).
+allow priv_app perfetto_traces_data_file:dir { search };
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
@@ -150,9 +152,16 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# Access the IncFS list of features
+r_dir_file(priv_app, sysfs_fs_incfs_features)
+
# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, and fill missing blocks in the apk
-allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+# the Incremental File System, fill missing blocks and get the app status
+allowxperm priv_app apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+};
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
allow priv_app incremental_control_file:file { read getattr ioctl };
diff --git a/private/property_contexts b/private/property_contexts
index 55f1c1c..6b2b883 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -111,6 +111,7 @@
# adbd protoctl configuration property
service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
+service.adb.transport u:object_r:adbd_config_prop:s0 exact string
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
@@ -1055,6 +1056,8 @@
# zygote config property
zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
+ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+
# Enable Keystore 2.0.
# TODO remove this propertye when Keystore 2.0 migration is complete b/171563717
ro.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
diff --git a/private/service.te b/private/service.te
index f17fe86..821b740 100644
--- a/private/service.te
+++ b/private/service.te
@@ -4,6 +4,7 @@
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
+type resolver_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 0b027ed..c90d48e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,6 +3,7 @@
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
@@ -13,6 +14,7 @@
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
+android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -157,6 +159,7 @@
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
media.tuner u:object_r:mediatuner_service:s0
+media_communication u:object_r:media_communication_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
@@ -198,7 +201,9 @@
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
rcs u:object_r:radio_service:s0
+reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
+resolver u:object_r:resolver_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
@@ -223,6 +228,7 @@
sip u:object_r:radio_service:s0
slice u:object_r:slice_service:s0
smartspace u:object_r:smartspace_service:s0
+speech_recognition u:object_r:speech_recognition_service:s0
stats u:object_r:stats_service:s0
statscompanion u:object_r:statscompanion_service:s0
statsmanager u:object_r:statsmanager_service:s0
diff --git a/private/shell.te b/private/shell.te
index 73aac1d..e6038b1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -51,6 +51,9 @@
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
+# ... and /data/misc/perfetto-traces/bugreport/ .
+allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
allow shell perfetto_configs_data_file:dir rw_dir_perms;
diff --git a/private/su.te b/private/su.te
index 072e8db..587f449 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,6 +13,9 @@
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
+ # Put the odrefresh command into its domain.
+ domain_auto_trans(su, odrefresh_exec, odrefresh)
+
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
diff --git a/private/system_server.te b/private/system_server.te
index 893ea11..6767cd1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -24,16 +24,31 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
-# To create files and get permission to fill blocks on Incremental File System
-allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
+# Access the IncFS list of features
+r_dir_file(system_server, sysfs_fs_incfs_features);
-# To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
+# To create files, get permission to fill blocks, and configure Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl {
+ INCFS_IOCTL_CREATE_FILE
+ INCFS_IOCTL_CREATE_MAPPED_FILE
+ INCFS_IOCTL_PERMIT_FILL
+ INCFS_IOCTL_GET_READ_TIMEOUTS
+ INCFS_IOCTL_SET_READ_TIMEOUTS
+};
+
+# To get signature of an APK installed on Incremental File System, and fill in data
+# blocks and get the filesystem state
+allowxperm system_server apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_FILLED_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+};
# For art.
-allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file r_file_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
@@ -260,6 +275,10 @@
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_supplicant)
+# The bootctl is a pass through HAL mode under recovery mode. So we skip the
+# permission for recovery in order not to give system server the access to
+# the low level block devices.
+not_recovery(`hal_client_domain(system_server, hal_bootctl)')
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
@@ -355,6 +374,8 @@
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
+allow system_server sysfs_uhid:dir r_dir_perms;
+allow system_server sysfs_uhid:file rw_file_perms;
# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };
@@ -1024,6 +1045,13 @@
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
get_prop(system_server, framework_watchdog_config_prop)
+
+# Font files are written by system server
+allow system_server font_data_file:file create_file_perms;
+allow system_server font_data_file:dir create_dir_perms;
+# Allow system process to setup fs-verity for font files
+allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+
###
### Neverallow rules
###
@@ -1181,6 +1209,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
+allow system_server surfaceflinger_exec:file r_file_perms;
+
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
@@ -1247,8 +1278,21 @@
-system_server
} wifi_config_prop:file no_rw_file_perms;
+# Only allow system server to write uhid sysfs files
+neverallow {
+ domain
+ -init
+ -system_server
+ -ueventd
+ -vendor_init
+} sysfs_uhid:file no_w_file_perms;
+
# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Only system server can write the font files.
+neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
+neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 55d86fb..e5760f0 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -28,6 +28,7 @@
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 9da4d94..d192bfd 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -48,6 +48,7 @@
allow traced_probes self:global_capability_class_set dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read search };
+allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
userdebug_or_eng(`
# search and getattr are granted via domain and coredomain, respectively.
@@ -104,6 +105,8 @@
# Disallows access to /data files.
neverallow traced_probes {
data_file_type
+ -apex_module_data_file
+ -apex_art_data_file
-apk_data_file
-dalvikcache_data_file
-system_data_file
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 9bea43c..b4e95b8 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -16,6 +16,7 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ apex_art_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
@@ -30,6 +31,8 @@
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ apex_art_data_file
+ apex_art_staging_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index bdad219..bfdad06 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -28,9 +28,10 @@
allow webview_zygote isolated_app:process dyntransition;
# For art.
-allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
+allow webview_zygote apex_module_data_file:dir search;
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;
diff --git a/private/zygote.te b/private/zygote.te
index 577ace8..23fed52 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -50,6 +50,13 @@
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute;
+# Allow zygote to find files in APEX data directories.
+allow zygote apex_module_data_file:dir search;
+
+# Allow zygote to find and map files created by on device signing.
+allow zygote apex_art_data_file:dir { getattr search };
+allow zygote apex_art_data_file:file { r_file_perms execute };
+
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
@@ -225,9 +232,12 @@
app_zygote
}:process dyntransition;
-# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+# Zygote should never execute anything from /data except for
+# /data/dalvik-cache files or files generated during on-device
+# signing under /data/misc/apexdata/com.android.art/.
neverallow zygote {
data_file_type
+ -apex_art_data_file # map PROT_EXEC
-dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;
diff --git a/public/app.te b/public/app.te
index f9c0d95..5eb20d8 100644
--- a/public/app.te
+++ b/public/app.te
@@ -546,23 +546,6 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Sensitive app domains are not allowed to execute from /data
-# to prevent persistence attacks and ensure all code is executed
-# from read-only locations.
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
# Applications should use the activity model for receiving events
neverallow {
appdomain
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 4c6d96c..2bb104a 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -28,6 +28,9 @@
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
+# Read APEX data directories.
+allow crash_dump apex_module_data_file:dir { getattr search };
+
# Read APK files.
r_dir_file(crash_dump, apk_data_file);
diff --git a/public/domain.te b/public/domain.te
index a530267..3f33b5b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -470,17 +470,6 @@
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
diff --git a/public/file.te b/public/file.te
index ccd65e2..c1c69b9 100644
--- a/public/file.te
+++ b/public/file.te
@@ -109,6 +109,7 @@
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
+type sysfs_fs_incfs_features, sysfs_type, fs_type;
type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
@@ -120,7 +121,7 @@
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
-
+type sysfs_uhid, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type;
type sysfs_zram, fs_type, sysfs_type;
diff --git a/public/hal_health_storage.te b/public/hal_health_storage.te
index 61e609b..cb7c01d 100644
--- a/public/hal_health_storage.te
+++ b/public/hal_health_storage.te
@@ -2,4 +2,7 @@
binder_call(hal_health_storage_client, hal_health_storage_server)
binder_call(hal_health_storage_server, hal_health_storage_client)
+binder_use(hal_health_storage_server)
+
hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
+hal_attribute_service(hal_health_storage, hal_health_storage_service)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 228d990..416448a 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -28,3 +28,9 @@
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
+
+# Define sepolicy for NN AIDL HAL service
+hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
+binder_call(hal_neuralnetworks_server, servicemanager)
+
+allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index 36d1306..2b34989 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -2,3 +2,6 @@
binder_call(hal_weaver_client, hal_weaver_server)
hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
+hal_attribute_service(hal_weaver, hal_weaver_service)
+
+binder_call(hal_weaver_server, servicemanager)
diff --git a/public/ioctl_defines b/public/ioctl_defines
index a2e2c4e..62c4e66 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1066,6 +1066,10 @@
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
+define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
+define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
+define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
+define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/service.te b/public/service.te
index ef7fff5..3d91b73 100644
--- a/public/service.te
+++ b/public/service.te
@@ -116,7 +116,7 @@
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type incremental_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -131,6 +131,7 @@
type location_time_zone_manager_service, system_server_service, service_manager_type;
type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
+type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -160,6 +161,7 @@
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -186,6 +188,7 @@
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
+type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -232,15 +235,18 @@
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
+type hal_neuralnetworks_service, vendor_service, service_manager_type;
type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
+type hal_weaver_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/te_macros b/public/te_macros
index 1966f20..c6035f8 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -467,6 +467,12 @@
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
diff --git a/public/vold.te b/public/vold.te
index 9c06433..030e572 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -126,6 +126,8 @@
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
+# Access the IncFS list of features
+r_dir_file(vold, sysfs_fs_incfs_features);
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental
diff --git a/vendor/file_contexts b/vendor/file_contexts
index dd351cf..d05431c 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -43,6 +43,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
diff --git a/vendor/hal_weaver_default.te b/vendor/hal_weaver_default.te
new file mode 100644
index 0000000..0dd7679
--- /dev/null
+++ b/vendor/hal_weaver_default.te
@@ -0,0 +1,5 @@
+type hal_weaver_default, domain;
+hal_server_domain(hal_weaver_default, hal_weaver)
+
+type hal_weaver_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_weaver_default)