Define smc_socket security class. am: 2be9799bcc am: 52909aca44 am: ad01d1f6ab
am: 06a22e41fe

Change-Id: Ib3549463537470e9af49cc4b1e6b2a526c2a9c76
diff --git a/Android.mk b/Android.mk
index a61b252..e9f8853 100644
--- a/Android.mk
+++ b/Android.mk
@@ -190,8 +190,13 @@
     plat_sepolicy.cil \
     plat_and_mapping_sepolicy.cil.sha256 \
     secilc \
-    plat_sepolicy_vers.txt \
-    treble_sepolicy_tests
+    plat_sepolicy_vers.txt
+
+ifneq ($(with_asan),true)
+LOCAL_REQUIRED_MODULES += \
+    treble_sepolicy_tests \
+    sepolicy_tests
+endif
 
 # Include precompiled policy, unless told otherwise
 ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
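Review bot: The new `ifneq ($(with_asan),true)` guard carries no comment explaining why the policy tests are dropped on ASAN builds, and it also moves `treble_sepolicy_tests`, which was previously always required, behind the same condition. Both modules are build-time checks on the SELinux policy, so an ASAN build now produces policy artifacts that neither of them has validated. I would add a comment above the guard along the lines of `# Policy tests are skipped when with_asan is true because <reason>; all other builds still run them.` with the reason filled in. `with_asan` is assigned outside this hunk, so which configurations set it cannot be confirmed from here.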
@@ -1158,6 +1163,24 @@
 nonplat_mac_perms_keys.tmp :=
 all_nonplat_mac_perms_files :=
 
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := sepolicy_tests
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+sepolicy_tests := $(intermediates)/sepolicy_tests
+$(sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
+$(sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
+$(sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests.py \
+$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
+	@mkdir -p $(dir $@)
+	$(hide) python $(HOST_OUT_EXECUTABLES)/sepolicy_tests.py -l $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
+	$(hide) touch $@
+
 ##################################
 ifeq ($(PRODUCT_FULL_TREBLE),true)
 include $(CLEAR_VARS)
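Review bot: The recipe passes `-l $(HOST_OUT)/lib64` to the script, but nothing under that directory is a prerequisite of `$(sepolicy_tests)`, so make has no ordering between whatever the script loads from there and this test run. Under a parallel or incremental build the check could presumably run before that library exists or against a stale copy, which makes a policy gate pass or fail depending on build order. I would add the library's built path to the prerequisite list on the `$(sepolicy_tests):` line, and invoke the script as `$<` instead of repeating `$(HOST_OUT_EXECUTABLES)/sepolicy_tests.py`. The hard-coded `lib64` and bare `python` also tie the test to one host layout, so a one-line comment stating that assumption would help.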
diff --git a/prebuilts/api/26.0/26.0.cil b/prebuilts/api/26.0/26.0.cil
new file mode 100644
index 0000000..4e35ce8
--- /dev/null
+++ b/prebuilts/api/26.0/26.0.cil
@@ -0,0 +1,693 @@
+(typeattributeset accessibility_service_26_0 (accessibility_service))
+(typeattributeset account_service_26_0 (account_service))
+(typeattributeset activity_service_26_0 (activity_service))
+(typeattributeset adbd_26_0 (adbd))
+(typeattributeset adb_data_file_26_0 (adb_data_file))
+(typeattributeset adbd_socket_26_0 (adbd_socket))
+(typeattributeset adb_keys_file_26_0 (adb_keys_file))
+(typeattributeset alarm_device_26_0 (alarm_device))
+(typeattributeset alarm_service_26_0 (alarm_service))
+(typeattributeset anr_data_file_26_0 (anr_data_file))
+(typeattributeset apk_data_file_26_0 (apk_data_file))
+(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
+(typeattributeset app_data_file_26_0 (app_data_file))
+(typeattributeset app_fuse_file_26_0 (app_fuse_file))
+(typeattributeset app_fusefs_26_0 (app_fusefs))
+(typeattributeset appops_service_26_0 (appops_service))
+(typeattributeset appwidget_service_26_0 (appwidget_service))
+(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
+(typeattributeset asec_apk_file_26_0 (asec_apk_file))
+(typeattributeset asec_image_file_26_0 (asec_image_file))
+(typeattributeset asec_public_file_26_0 (asec_public_file))
+(typeattributeset ashmem_device_26_0 (ashmem_device))
+(typeattributeset assetatlas_service_26_0 (assetatlas_service))
+(typeattributeset audio_data_file_26_0 (audio_data_file))
+(typeattributeset audio_device_26_0 (audio_device))
+(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
+(typeattributeset audio_prop_26_0 (audio_prop))
+(typeattributeset audio_seq_device_26_0 (audio_seq_device))
+(typeattributeset audioserver_26_0 (audioserver))
+(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
+(typeattributeset audioserver_service_26_0 (audioserver_service))
+(typeattributeset audio_service_26_0 (audio_service))
+(typeattributeset audio_timer_device_26_0 (audio_timer_device))
+(typeattributeset autofill_service_26_0 (autofill_service))
+(typeattributeset backup_data_file_26_0 (backup_data_file))
+(typeattributeset backup_service_26_0 (backup_service))
+(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
+(typeattributeset battery_service_26_0 (battery_service))
+(typeattributeset batterystats_service_26_0 (batterystats_service))
+(typeattributeset binder_device_26_0 (binder_device))
+(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
+(typeattributeset blkid_26_0 (blkid))
+(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
+(typeattributeset block_device_26_0 (block_device))
+(typeattributeset bluetooth_26_0 (bluetooth))
+(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_26_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
+(typeattributeset bootanim_26_0 (bootanim))
+(typeattributeset bootanim_exec_26_0 (bootanim_exec))
+(typeattributeset boot_block_device_26_0 (boot_block_device))
+(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
+(typeattributeset bootstat_26_0 (bootstat))
+(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_26_0 (bootstat_exec))
+(typeattributeset boottime_prop_26_0 (boottime_prop))
+(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
+(typeattributeset bufferhubd_26_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
+(typeattributeset cache_backup_file_26_0 (cache_backup_file))
+(typeattributeset cache_block_device_26_0 (cache_block_device))
+(typeattributeset cache_file_26_0 (cache_file))
+(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
+(typeattributeset camera_data_file_26_0 (camera_data_file))
+(typeattributeset camera_device_26_0 (camera_device))
+(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
+(typeattributeset cameraserver_26_0 (cameraserver))
+(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_26_0 (cameraserver_service))
+(typeattributeset cgroup_26_0 (cgroup))
+(typeattributeset charger_26_0 (charger))
+(typeattributeset clatd_26_0 (clatd))
+(typeattributeset clatd_exec_26_0 (clatd_exec))
+(typeattributeset clipboard_service_26_0 (clipboard_service))
+(typeattributeset commontime_management_service_26_0 (commontime_management_service))
+(typeattributeset companion_device_service_26_0 (companion_device_service))
+(typeattributeset configfs_26_0 (configfs))
+(typeattributeset config_prop_26_0 (config_prop))
+(typeattributeset connectivity_service_26_0 (connectivity_service))
+(typeattributeset connmetrics_service_26_0 (connmetrics_service))
+(typeattributeset console_device_26_0 (console_device))
+(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
+(typeattributeset content_service_26_0 (content_service))
+(typeattributeset contexthub_service_26_0 (contexthub_service))
+(typeattributeset coredump_file_26_0 (coredump_file))
+(typeattributeset country_detector_service_26_0 (country_detector_service))
+(typeattributeset coverage_service_26_0 (coverage_service))
+(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
+(typeattributeset cppreopts_26_0 (cppreopts))
+(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
+(typeattributeset cpuctl_device_26_0 (cpuctl_device))
+(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
+(typeattributeset crash_dump_26_0 (crash_dump))
+(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
+(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
+(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
+(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
+(typeattributeset dalvik_prop_26_0 (dalvik_prop))
+(typeattributeset dbinfo_service_26_0 (dbinfo_service))
+(typeattributeset debugfs_26_0 (debugfs))
+(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
+(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
+(typeattributeset debug_prop_26_0 (debug_prop))
+(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
+(typeattributeset default_android_service_26_0 (default_android_service))
+(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
+(typeattributeset default_prop_26_0 (default_prop))
+(typeattributeset device_26_0 (device))
+(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
+(typeattributeset deviceidle_service_26_0 (deviceidle_service))
+(typeattributeset device_logging_prop_26_0 (device_logging_prop))
+(typeattributeset device_policy_service_26_0 (device_policy_service))
+(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
+(typeattributeset devpts_26_0 (devpts))
+(typeattributeset dex2oat_26_0 (dex2oat))
+(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
+(typeattributeset dhcp_26_0 (dhcp))
+(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_26_0 (dhcp_exec))
+(typeattributeset dhcp_prop_26_0 (dhcp_prop))
+(typeattributeset diskstats_service_26_0 (diskstats_service))
+(typeattributeset display_service_26_0 (display_service))
+(typeattributeset dm_device_26_0 (dm_device))
+(typeattributeset dnsmasq_26_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
+(typeattributeset DockObserver_service_26_0 (DockObserver_service))
+(typeattributeset dreams_service_26_0 (dreams_service))
+(typeattributeset drm_data_file_26_0 (drm_data_file))
+(typeattributeset drmserver_26_0 (drmserver))
+(typeattributeset drmserver_exec_26_0 (drmserver_exec))
+(typeattributeset drmserver_service_26_0 (drmserver_service))
+(typeattributeset drmserver_socket_26_0 (drmserver_socket))
+(typeattributeset dropbox_service_26_0 (dropbox_service))
+(typeattributeset dumpstate_26_0 (dumpstate))
+(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_26_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
+(typeattributeset efs_file_26_0 (efs_file))
+(typeattributeset ephemeral_app_26_0 (ephemeral_app))
+(typeattributeset ethernet_service_26_0 (ethernet_service))
+(typeattributeset ffs_prop_26_0 (ffs_prop))
+(typeattributeset file_contexts_file_26_0 (file_contexts_file))
+(typeattributeset fingerprintd_26_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
+(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_26_0 (fingerprint_service))
+(typeattributeset firstboot_prop_26_0 (firstboot_prop))
+(typeattributeset font_service_26_0 (font_service))
+(typeattributeset frp_block_device_26_0 (frp_block_device))
+(typeattributeset fsck_26_0 (fsck))
+(typeattributeset fsck_exec_26_0 (fsck_exec))
+(typeattributeset fscklogs_26_0 (fscklogs))
+(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
+(typeattributeset full_device_26_0 (full_device))
+(typeattributeset functionfs_26_0 (functionfs))
+(typeattributeset fuse_26_0 (fuse))
+(typeattributeset fuse_device_26_0 (fuse_device))
+(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
+(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
+(typeattributeset gatekeeperd_26_0 (gatekeeperd))
+(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
+(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
+(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
+(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
+(typeattributeset gps_control_26_0 (gps_control))
+(typeattributeset gpu_device_26_0 (gpu_device))
+(typeattributeset gpu_service_26_0 (gpu_service))
+(typeattributeset graphics_device_26_0 (graphics_device))
+(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
+(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
+(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
+(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
+(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
+(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
+(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
+(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
+(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
+(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
+(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
+(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
+(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
+(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
+(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
+(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
+(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
+(typeattributeset hardware_service_26_0 (hardware_service))
+(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
+(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
+(typeattributeset healthd_26_0 (healthd))
+(typeattributeset healthd_exec_26_0 (healthd_exec))
+(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
+(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
+(typeattributeset hwbinder_device_26_0 (hwbinder_device))
+(typeattributeset hw_random_device_26_0 (hw_random_device))
+(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_26_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
+(typeattributeset i2c_device_26_0 (i2c_device))
+(typeattributeset icon_file_26_0 (icon_file))
+(typeattributeset idmap_26_0 (idmap))
+(typeattributeset idmap_exec_26_0 (idmap_exec))
+(typeattributeset iio_device_26_0 (iio_device))
+(typeattributeset imms_service_26_0 (imms_service))
+(typeattributeset incident_26_0 (incident))
+(typeattributeset incidentd_26_0 (incidentd))
+(typeattributeset incident_data_file_26_0 (incident_data_file))
+(typeattributeset incident_service_26_0 (incident_service))
+(typeattributeset init_26_0 (init))
+(typeattributeset init_exec_26_0 (init_exec))
+(typeattributeset inotify_26_0 (inotify))
+(typeattributeset input_device_26_0 (input_device))
+(typeattributeset inputflinger_26_0 (inputflinger))
+(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_26_0 (inputflinger_service))
+(typeattributeset input_method_service_26_0 (input_method_service))
+(typeattributeset input_service_26_0 (input_service))
+(typeattributeset installd_26_0 (installd))
+(typeattributeset install_data_file_26_0 (install_data_file))
+(typeattributeset installd_exec_26_0 (installd_exec))
+(typeattributeset installd_service_26_0 (installd_service))
+(typeattributeset install_recovery_26_0 (install_recovery))
+(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
+(typeattributeset ion_device_26_0 (ion_device))
+(typeattributeset IProxyService_service_26_0 (IProxyService_service))
+(typeattributeset ipsec_service_26_0 (ipsec_service))
+(typeattributeset isolated_app_26_0 (isolated_app))
+(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
+(typeattributeset kernel_26_0 (kernel))
+(typeattributeset keychain_data_file_26_0 (keychain_data_file))
+(typeattributeset keychord_device_26_0 (keychord_device))
+(typeattributeset keystore_26_0 (keystore))
+(typeattributeset keystore_data_file_26_0 (keystore_data_file))
+(typeattributeset keystore_exec_26_0 (keystore_exec))
+(typeattributeset keystore_service_26_0 (keystore_service))
+(typeattributeset kmem_device_26_0 (kmem_device))
+(typeattributeset kmsg_device_26_0 (kmsg_device))
+(typeattributeset labeledfs_26_0 (labeledfs))
+(typeattributeset launcherapps_service_26_0 (launcherapps_service))
+(typeattributeset lmkd_26_0 (lmkd))
+(typeattributeset lmkd_exec_26_0 (lmkd_exec))
+(typeattributeset lmkd_socket_26_0 (lmkd_socket))
+(typeattributeset location_service_26_0 (location_service))
+(typeattributeset lock_settings_service_26_0 (lock_settings_service))
+(typeattributeset logcat_exec_26_0 (logcat_exec))
+(typeattributeset logd_26_0 (logd))
+(typeattributeset log_device_26_0 (log_device))
+(typeattributeset logd_exec_26_0 (logd_exec))
+(typeattributeset logd_prop_26_0 (logd_prop))
+(typeattributeset logdr_socket_26_0 (logdr_socket))
+(typeattributeset logd_socket_26_0 (logd_socket))
+(typeattributeset logdw_socket_26_0 (logdw_socket))
+(typeattributeset logpersist_26_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
+(typeattributeset log_prop_26_0 (log_prop))
+(typeattributeset log_tag_prop_26_0 (log_tag_prop))
+(typeattributeset loop_control_device_26_0 (loop_control_device))
+(typeattributeset loop_device_26_0 (loop_device))
+(typeattributeset mac_perms_file_26_0 (mac_perms_file))
+(typeattributeset mdnsd_26_0 (mdnsd))
+(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
+(typeattributeset mdns_socket_26_0 (mdns_socket))
+(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
+(typeattributeset mediacodec_26_0 (mediacodec))
+(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
+(typeattributeset mediacodec_service_26_0 (mediacodec_service))
+(typeattributeset media_data_file_26_0 (media_data_file))
+(typeattributeset mediadrmserver_26_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_26_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
+(typeattributeset mediametrics_26_0 (mediametrics))
+(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_26_0 (mediametrics_service))
+(typeattributeset media_projection_service_26_0 (media_projection_service))
+(typeattributeset media_router_service_26_0 (media_router_service))
+(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
+(typeattributeset mediaserver_26_0 (mediaserver))
+(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_26_0 (mediaserver_service))
+(typeattributeset media_session_service_26_0 (media_session_service))
+(typeattributeset meminfo_service_26_0 (meminfo_service))
+(typeattributeset metadata_block_device_26_0 (metadata_block_device))
+(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
+(typeattributeset midi_service_26_0 (midi_service))
+(typeattributeset misc_block_device_26_0 (misc_block_device))
+(typeattributeset misc_logd_file_26_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
+(typeattributeset mmc_prop_26_0 (mmc_prop))
+(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_user_file_26_0 (mnt_user_file))
+(typeattributeset modprobe_26_0 (modprobe))
+(typeattributeset mount_service_26_0 (mount_service))
+(typeattributeset mqueue_26_0 (mqueue))
+(typeattributeset mtd_device_26_0 (mtd_device))
+(typeattributeset mtp_26_0 (mtp))
+(typeattributeset mtp_device_26_0 (mtp_device))
+(typeattributeset mtpd_socket_26_0 (mtpd_socket))
+(typeattributeset mtp_exec_26_0 (mtp_exec))
+(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
+(typeattributeset netd_26_0 (netd))
+(typeattributeset net_data_file_26_0 (net_data_file))
+(typeattributeset netd_exec_26_0 (netd_exec))
+(typeattributeset netd_listener_service_26_0 (netd_listener_service))
+(typeattributeset net_dns_prop_26_0 (net_dns_prop))
+(typeattributeset netd_service_26_0 (netd_service))
+(typeattributeset netd_socket_26_0 (netd_socket))
+(typeattributeset netif_26_0 (netif))
+(typeattributeset netpolicy_service_26_0 (netpolicy_service))
+(typeattributeset net_radio_prop_26_0 (net_radio_prop))
+(typeattributeset netstats_service_26_0 (netstats_service))
+(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_26_0 (network_management_service))
+(typeattributeset network_score_service_26_0 (network_score_service))
+(typeattributeset network_time_update_service_26_0 (network_time_update_service))
+(typeattributeset nfc_26_0 (nfc))
+(typeattributeset nfc_data_file_26_0 (nfc_data_file))
+(typeattributeset nfc_device_26_0 (nfc_device))
+(typeattributeset nfc_prop_26_0 (nfc_prop))
+(typeattributeset nfc_service_26_0 (nfc_service))
+(typeattributeset node_26_0 (node))
+(typeattributeset notification_service_26_0 (notification_service))
+(typeattributeset null_device_26_0 (null_device))
+(typeattributeset oemfs_26_0 (oemfs))
+(typeattributeset oem_lock_service_26_0 (oem_lock_service))
+(typeattributeset ota_data_file_26_0 (ota_data_file))
+(typeattributeset otadexopt_service_26_0 (otadexopt_service))
+(typeattributeset ota_package_file_26_0 (ota_package_file))
+(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
+(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
+(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
+(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
+(typeattributeset overlay_prop_26_0 (overlay_prop))
+(typeattributeset overlay_service_26_0 (overlay_service))
+(typeattributeset owntty_device_26_0 (owntty_device))
+(typeattributeset package_service_26_0 (package_service))
+(typeattributeset pan_result_prop_26_0 (pan_result_prop))
+(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
+(typeattributeset performanced_26_0 (performanced))
+(typeattributeset performanced_exec_26_0 (performanced_exec))
+(typeattributeset perfprofd_26_0 (perfprofd))
+(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
+(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
+(typeattributeset permission_service_26_0 (permission_service))
+(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_26_0 (pinner_service))
+(typeattributeset pipefs_26_0 (pipefs))
+(typeattributeset platform_app_26_0 (platform_app))
+(typeattributeset pmsg_device_26_0 (pmsg_device))
+(typeattributeset port_26_0 (port))
+(typeattributeset port_device_26_0 (port_device))
+(typeattributeset postinstall_26_0 (postinstall))
+(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
+(typeattributeset postinstall_file_26_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
+(typeattributeset powerctl_prop_26_0 (powerctl_prop))
+(typeattributeset power_service_26_0 (power_service))
+(typeattributeset ppp_26_0 (ppp))
+(typeattributeset ppp_device_26_0 (ppp_device))
+(typeattributeset ppp_exec_26_0 (ppp_exec))
+(typeattributeset preloads_data_file_26_0 (preloads_data_file))
+(typeattributeset preloads_media_file_26_0 (preloads_media_file))
+(typeattributeset preopt2cachename_26_0 (preopt2cachename))
+(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
+(typeattributeset print_service_26_0 (print_service))
+(typeattributeset priv_app_26_0 (priv_app))
+(typeattributeset proc_26_0 (proc))
+(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
+(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
+(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
+(typeattributeset processinfo_service_26_0 (processinfo_service))
+(typeattributeset proc_interrupts_26_0 (proc_interrupts))
+(typeattributeset proc_iomem_26_0 (proc_iomem))
+(typeattributeset proc_meminfo_26_0 (proc_meminfo))
+(typeattributeset proc_misc_26_0 (proc_misc))
+(typeattributeset proc_modules_26_0 (proc_modules))
+(typeattributeset proc_net_26_0 (proc_net))
+(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
+(typeattributeset proc_perf_26_0 (proc_perf))
+(typeattributeset proc_security_26_0 (proc_security))
+(typeattributeset proc_stat_26_0 (proc_stat))
+(typeattributeset procstats_service_26_0 (procstats_service))
+(typeattributeset proc_sysrq_26_0 (proc_sysrq))
+(typeattributeset proc_timer_26_0 (proc_timer))
+(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
+(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
+(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
+(typeattributeset profman_26_0 (profman))
+(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
+(typeattributeset profman_exec_26_0 (profman_exec))
+(typeattributeset properties_device_26_0 (properties_device))
+(typeattributeset properties_serial_26_0 (properties_serial))
+(typeattributeset property_contexts_file_26_0 (property_contexts_file))
+(typeattributeset property_data_file_26_0 (property_data_file))
+(typeattributeset property_socket_26_0 (property_socket))
+(typeattributeset pstorefs_26_0 (pstorefs))
+(typeattributeset ptmx_device_26_0 (ptmx_device))
+(typeattributeset qtaguid_device_26_0 (qtaguid_device))
+(typeattributeset qtaguid_proc_26_0 (qtaguid_proc))
+(typeattributeset racoon_26_0 (racoon))
+(typeattributeset racoon_exec_26_0 (racoon_exec))
+(typeattributeset racoon_socket_26_0 (racoon_socket))
+(typeattributeset radio_26_0 (radio))
+(typeattributeset radio_data_file_26_0 (radio_data_file))
+(typeattributeset radio_device_26_0 (radio_device))
+(typeattributeset radio_prop_26_0 (radio_prop))
+(typeattributeset radio_service_26_0 (radio_service))
+(typeattributeset ram_device_26_0 (ram_device))
+(typeattributeset random_device_26_0 (random_device))
+(typeattributeset reboot_data_file_26_0 (reboot_data_file))
+(typeattributeset recovery_26_0 (recovery))
+(typeattributeset recovery_block_device_26_0 (recovery_block_device))
+(typeattributeset recovery_data_file_26_0 (recovery_data_file))
+(typeattributeset recovery_persist_26_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_26_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_26_0 (recovery_service))
+(typeattributeset registry_service_26_0 (registry_service))
+(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_26_0 (restorecon_prop))
+(typeattributeset restrictions_service_26_0 (restrictions_service))
+(typeattributeset rild_26_0 (rild))
+(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
+(typeattributeset rild_socket_26_0 (rild_socket))
+(typeattributeset ringtone_file_26_0 (ringtone_file))
+(typeattributeset root_block_device_26_0 (root_block_device))
+(typeattributeset rootfs_26_0 (rootfs))
+(typeattributeset rpmsg_device_26_0 (rpmsg_device))
+(typeattributeset rtc_device_26_0 (rtc_device))
+(typeattributeset rttmanager_service_26_0 (rttmanager_service))
+(typeattributeset runas_26_0 (runas))
+(typeattributeset runas_exec_26_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
+(typeattributeset safemode_prop_26_0 (safemode_prop))
+(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
+(typeattributeset sdcardd_26_0 (sdcardd))
+(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
+(typeattributeset sdcardfs_26_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
+(typeattributeset search_service_26_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
+(typeattributeset selinuxfs_26_0 (selinuxfs))
+(typeattributeset sensors_device_26_0 (sensors_device))
+(typeattributeset sensorservice_service_26_0 (sensorservice_service))
+(typeattributeset sepolicy_file_26_0 (sepolicy_file))
+(typeattributeset serial_device_26_0 (serial_device))
+(typeattributeset serialno_prop_26_0 (serialno_prop))
+(typeattributeset serial_service_26_0 (serial_service))
+(typeattributeset service_contexts_file_26_0 (service_contexts_file))
+(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
+(typeattributeset servicemanager_26_0 (servicemanager))
+(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
+(typeattributeset settings_service_26_0 (settings_service))
+(typeattributeset sgdisk_26_0 (sgdisk))
+(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
+(typeattributeset shared_relro_26_0 (shared_relro))
+(typeattributeset shared_relro_file_26_0 (shared_relro_file))
+(typeattributeset shell_26_0 (shell))
+(typeattributeset shell_data_file_26_0 (shell_data_file))
+(typeattributeset shell_exec_26_0 (shell_exec))
+(typeattributeset shell_prop_26_0 (shell_prop))
+(typeattributeset shm_26_0 (shm))
+(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_26_0 (shortcut_service))
+(typeattributeset slideshow_26_0 (slideshow))
+(typeattributeset socket_device_26_0 (socket_device))
+(typeattributeset sockfs_26_0 (sockfs))
+(typeattributeset statusbar_service_26_0 (statusbar_service))
+(typeattributeset storaged_service_26_0 (storaged_service))
+(typeattributeset storage_file_26_0 (storage_file))
+(typeattributeset storagestats_service_26_0 (storagestats_service))
+(typeattributeset storage_stub_file_26_0 (storage_stub_file))
+(typeattributeset su_26_0 (su))
+(typeattributeset su_exec_26_0 (su_exec))
+(typeattributeset surfaceflinger_26_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
+(typeattributeset swap_block_device_26_0 (swap_block_device))
+(typeattributeset sysfs_26_0 (sysfs))
+(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
+(typeattributeset sysfs_leds_26_0 (sysfs_leds))
+(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
+(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
+(typeattributeset sysfs_uio_26_0 (sysfs_uio))
+(typeattributeset sysfs_usb_26_0 (sysfs_usb))
+(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_26_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
+(typeattributeset system_app_26_0 (system_app))
+(typeattributeset system_app_data_file_26_0 (system_app_data_file))
+(typeattributeset system_app_service_26_0 (system_app_service))
+(typeattributeset system_block_device_26_0 (system_block_device))
+(typeattributeset system_data_file_26_0 (system_data_file))
+(typeattributeset system_file_26_0 (system_file))
+(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
+(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
+(typeattributeset system_prop_26_0 (system_prop))
+(typeattributeset system_radio_prop_26_0 (system_radio_prop))
+(typeattributeset system_server_26_0 (system_server))
+(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
+(typeattributeset task_service_26_0 (task_service))
+(typeattributeset tee_26_0 (tee))
+(typeattributeset tee_data_file_26_0 (tee_data_file))
+(typeattributeset tee_device_26_0 (tee_device))
+(typeattributeset telecom_service_26_0 (telecom_service))
+(typeattributeset textclassification_service_26_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
+(typeattributeset textservices_service_26_0 (textservices_service))
+(typeattributeset tmpfs_26_0 (tmpfs))
+(typeattributeset tombstoned_26_0 (tombstoned))
+(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
+(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
+(typeattributeset toolbox_26_0 (toolbox))
+(typeattributeset toolbox_exec_26_0 (toolbox_exec))
+(typeattributeset tracing_shell_writable_26_0 (tracing_shell_writable))
+(typeattributeset tracing_shell_writable_debug_26_0 (tracing_shell_writable_debug))
+(typeattributeset trust_service_26_0 (trust_service))
+(typeattributeset tty_device_26_0 (tty_device))
+(typeattributeset tun_device_26_0 (tun_device))
+(typeattributeset tv_input_service_26_0 (tv_input_service))
+(typeattributeset tzdatacheck_26_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
+(typeattributeset ueventd_26_0 (ueventd))
+(typeattributeset uhid_device_26_0 (uhid_device))
+(typeattributeset uimode_service_26_0 (uimode_service))
+(typeattributeset uio_device_26_0 (uio_device))
+(typeattributeset uncrypt_26_0 (uncrypt))
+(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
+(typeattributeset unlabeled_26_0 (unlabeled))
+(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
+(typeattributeset untrusted_app_26_0 (untrusted_app))
+(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
+(typeattributeset update_engine_26_0 (update_engine))
+(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_26_0 (update_engine_exec))
+(typeattributeset update_engine_service_26_0 (update_engine_service))
+(typeattributeset updatelock_service_26_0 (updatelock_service))
+(typeattributeset update_verifier_26_0 (update_verifier))
+(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
+(typeattributeset usagestats_service_26_0 (usagestats_service))
+(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
+(typeattributeset usb_device_26_0 (usb_device))
+(typeattributeset usbfs_26_0 (usbfs))
+(typeattributeset usb_service_26_0 (usb_service))
+(typeattributeset userdata_block_device_26_0 (userdata_block_device))
+(typeattributeset usermodehelper_26_0 (usermodehelper))
+(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
+(typeattributeset user_service_26_0 (user_service))
+(typeattributeset vcs_device_26_0 (vcs_device))
+(typeattributeset vdc_26_0 (vdc))
+(typeattributeset vdc_exec_26_0 (vdc_exec))
+(typeattributeset vendor_app_file_26_0 (vendor_app_file))
+(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
+(typeattributeset vendor_file_26_0 (vendor_file))
+(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
+(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
+(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
+(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
+(typeattributeset vfat_26_0 (vfat))
+(typeattributeset vibrator_service_26_0 (vibrator_service))
+(typeattributeset video_device_26_0 (video_device))
+(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_26_0 (vndbinder_device))
+(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_26_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
+(typeattributeset vold_26_0 (vold))
+(typeattributeset vold_data_file_26_0 (vold_data_file))
+(typeattributeset vold_device_26_0 (vold_device))
+(typeattributeset vold_exec_26_0 (vold_exec))
+(typeattributeset vold_prop_26_0 (vold_prop))
+(typeattributeset vold_socket_26_0 (vold_socket))
+(typeattributeset vpn_data_file_26_0 (vpn_data_file))
+(typeattributeset vr_hwc_26_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_26_0 (vr_manager_service))
+(typeattributeset wallpaper_file_26_0 (wallpaper_file))
+(typeattributeset wallpaper_service_26_0 (wallpaper_service))
+(typeattributeset watchdogd_26_0 (watchdogd))
+(typeattributeset watchdog_device_26_0 (watchdog_device))
+(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
+(typeattributeset webview_zygote_26_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
+(typeattributeset wifiaware_service_26_0 (wifiaware_service))
+(typeattributeset wificond_26_0 (wificond))
+(typeattributeset wificond_exec_26_0 (wificond_exec))
+(typeattributeset wificond_service_26_0 (wificond_service))
+(typeattributeset wifi_data_file_26_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
+(typeattributeset wifip2p_service_26_0 (wifip2p_service))
+(typeattributeset wifi_prop_26_0 (wifi_prop))
+(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
+(typeattributeset wifi_service_26_0 (wifi_service))
+(typeattributeset window_service_26_0 (window_service))
+(typeattributeset wpa_socket_26_0 (wpa_socket))
+(typeattributeset zero_device_26_0 (zero_device))
+(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
+(typeattributeset zygote_26_0 (zygote))
+(typeattributeset zygote_exec_26_0 (zygote_exec))
+(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
index 4b9d87d..6f2b820 100644
--- a/prebuilts/api/26.0/private/app.te
+++ b/prebuilts/api/26.0/private/app.te
@@ -225,8 +225,8 @@
 allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
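Review bot: The two widened rules on `{ media_rw_data_file vfat }` give every app domain except isolated_app and ephemeral_app `create_dir_perms` and `create_file_perms` on vfat, but the comment above them still explains only the sdcardfs case. The comment that follows says write access to OBBs (vfat images) is meant to come through FDs returned by the Storage Access Framework, so the rules after this hunk are presumably narrower than this new grant. I would add a line such as `# vfat: <reason apps need direct create access, bug reference>` and state whether the sdcardfs removal condition applies to vfat as well.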
diff --git a/prebuilts/api/26.0/private/app_neverallows.te b/prebuilts/api/26.0/private/app_neverallows.te
index 0917724..3c159d5 100644
--- a/prebuilts/api/26.0/private/app_neverallows.te
+++ b/prebuilts/api/26.0/private/app_neverallows.te
@@ -132,20 +132,63 @@
 #    incidence rate of security issues than system/core components and have
 #    access to lower layes of the stack (all the way down to hardware) thus
 #    increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+#   of the client and thus have the same access as the client domain in which
+#   the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+#   associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
+#   designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+#   by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+#   Binder service which apps were permitted to access.
 neverallow all_untrusted_apps {
   hwservice_manager_type
-  # Same process services are safe because they by definition run in the process
-  # of the client and thus have the same access as the client domain in which
-  # the process runs
   -same_process_hwservice
-  -coredomain_hwservice # neverallows for coredomain HwBinder services are below
-  -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
-  # These operations are also offered by surfaceflinger Binder service which
-  # apps are permitted to access
+  -coredomain_hwservice
+  -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
-  # HwBinder version of mediacodec Binder service which apps were permitted to
-  # access
   -hal_omx_hwservice
+  -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+  default_android_hwservice
+  hal_audio_hwservice
+  hal_bluetooth_hwservice
+  hal_bootctl_hwservice
+  hal_camera_hwservice
+  hal_contexthub_hwservice
+  hal_drm_hwservice
+  hal_dumpstate_hwservice
+  hal_fingerprint_hwservice
+  hal_gatekeeper_hwservice
+  hal_gnss_hwservice
+  hal_graphics_composer_hwservice
+  hal_health_hwservice
+  hal_ir_hwservice
+  hal_keymaster_hwservice
+  hal_light_hwservice
+  hal_memtrack_hwservice
+  hal_nfc_hwservice
+  hal_oemlock_hwservice
+  hal_power_hwservice
+  hal_sensors_hwservice
+  hal_telephony_hwservice
+  hal_thermal_hwservice
+  hal_tv_cec_hwservice
+  hal_tv_input_hwservice
+  hal_usb_hwservice
+  hal_vibrator_hwservice
+  hal_vr_hwservice
+  hal_weaver_hwservice
+  hal_wifi_hwservice
+  hal_wifi_supplicant_hwservice
+  hidl_base_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
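Review bot: The second `neverallow all_untrusted_apps { ... }:hwservice_manager find` is an enumerated list, so it only protects the types named in it. Once `-untrusted_app_visible_hwservice` is subtracted from the first rule, a hwservice type that carries that attribute and is missing from the list has no neverallow rejecting an allow rule that grants untrusted apps `find` on it. New HAL hwservice types therefore have to be appended by hand, and the comment should say so, e.g. `# Keep in sync: every hwservice type that must stay hidden from untrusted apps is listed here.` The added header comment also contains a typo (`becuase`).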
diff --git a/prebuilts/api/26.0/private/file_contexts b/prebuilts/api/26.0/private/file_contexts
index aefd95f..4485b95 100644
--- a/prebuilts/api/26.0/private/file_contexts
+++ b/prebuilts/api/26.0/private/file_contexts
@@ -38,7 +38,6 @@
 /sdcard             u:object_r:rootfs:s0
 
 # SELinux policy files
-/file_contexts\.bin     u:object_r:file_contexts_file:s0
 /nonplat_file_contexts  u:object_r:file_contexts_file:s0
 /plat_file_contexts     u:object_r:file_contexts_file:s0
 /mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
@@ -523,6 +522,7 @@
 /sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable     u:object_r:tracing_shell_writable_debug:s0
 /sys/kernel/debug/tracing/events/block/block_rq_issue/enable         u:object_r:tracing_shell_writable_debug:s0
 /sys/kernel/debug/tracing/events/block/block_rq_complete/enable      u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/saved_cmdlines_size                        u:object_r:tracing_shell_writable_debug:s0
 
 #############################
 # asec containers
diff --git a/prebuilts/api/26.0/public/attributes b/prebuilts/api/26.0/public/attributes
index 90740d4..cde55da 100644
--- a/prebuilts/api/26.0/public/attributes
+++ b/prebuilts/api/26.0/public/attributes
@@ -144,6 +144,15 @@
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;
 
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary.  It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
diff --git a/prebuilts/api/26.0/public/domain.te b/prebuilts/api/26.0/public/domain.te
index 34cbadc..d2b370a 100644
--- a/prebuilts/api/26.0/public/domain.te
+++ b/prebuilts/api/26.0/public/domain.te
@@ -497,6 +497,7 @@
   -recovery
   -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
 
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
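Review bot: The added `neverallow hal_bootctl unlabeled:service_manager list;` has no visible connection to the misc_block_device rule it follows, and `#TODO: b/62658302` alone does not say what the rule is for or when it may be deleted. The same pattern appears in the other hunks of this file (binder_in_vendor_violators, socket_between_core_and_vendor_violators, the pdx socket types, vendor_executes_system_violators), in prebuilts/api/26.0/private/app_neverallows.te, and in the `add_service` / `add_hwservice` macros in te_macros. If these are placeholders rather than real restrictions, say so at each rule, e.g. `# Placeholder rule, not a security restriction; remove when b/62658302 is resolved.`, so they are not mistaken for policy intent during an audit.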
@@ -555,6 +556,7 @@
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } servicemanager:binder { call transfer };
+  neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 ')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
@@ -613,6 +615,7 @@
     -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
     -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
   });
+  neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 
   # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
   neverallow_establish_socket_comms({
@@ -644,6 +647,10 @@
     -pdx_endpoint_socket_type # used by VR layer
     -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    pdx_endpoint_socket_type
+    pdx_channel_socket_type
+  } unlabeled:service_manager list; #TODO: b/62658302
 
   # Core domains are not permitted to create/open sockets owned by vendor domains
   neverallow {
@@ -728,6 +735,7 @@
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+    neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/prebuilts/api/26.0/public/hal_neverallows.te b/prebuilts/api/26.0/public/hal_neverallows.te
index feadcda..036e1d2 100644
--- a/prebuilts/api/26.0/public/hal_neverallows.te
+++ b/prebuilts/api/26.0/public/hal_neverallows.te
@@ -8,10 +8,11 @@
   -rild
 } self:capability { net_admin net_raw };
 
-# Unless a HAL's job is to manage network hardware, it should not be
-# using network sockets.
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
 neverallow {
   halserverdomain
+  -hal_tetheroffload_server
   -hal_wifi_server
   -hal_wifi_supplicant_server
   -rild
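Review bot: `-hal_tetheroffload_server` is subtracted from the whole rule, so the exemption covers every socket class and permission named in the part of this neverallow that lies outside the hunk. If the tether offload HAL needs only some of those classes, a second neverallow covering the remaining ones would keep them enforced for it. At minimum the exemption should carry its own reason inline, e.g. `-hal_tetheroffload_server # <which sockets it needs and why>`, since the reworded header comment is generic and does not name this HAL.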
diff --git a/prebuilts/api/26.0/public/radio.te b/prebuilts/api/26.0/public/radio.te
index 87329d9..6f29a70 100644
--- a/prebuilts/api/26.0/public/radio.te
+++ b/prebuilts/api/26.0/public/radio.te
@@ -5,9 +5,8 @@
 bluetooth_domain(radio)
 binder_service(radio)
 
-# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
-# Talks to rild via the rild socket.
-unix_socket_connect(radio, rild, rild)
+# Talks to rild via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, rild)')
 
 # Data file accesses.
 allow radio radio_data_file:dir create_dir_perms;
diff --git a/prebuilts/api/26.0/public/runas.te b/prebuilts/api/26.0/public/runas.te
index cda02ef..7a7febf 100644
--- a/prebuilts/api/26.0/public/runas.te
+++ b/prebuilts/api/26.0/public/runas.te
@@ -2,6 +2,7 @@
 type runas_exec, exec_type, file_type;
 
 allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
 allow runas shell:unix_stream_socket { read write };
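Review bot: The new `allow runas adbd:unix_stream_socket { read write };` has no comment, although it lets run-as read and write stream sockets owned by adbd. It mirrors the existing shell rule two lines below, so it is presumably for a descriptor inherited as stdio; if that is the reason, state it: `# Socket inherited from adbd as stdin/stdout when run-as is started through adb.` The hunk adds the socket permission alone, so it is also worth confirming that the matching `adbd:fd use` is granted elsewhere in the file.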
diff --git a/prebuilts/api/26.0/public/te_macros b/prebuilts/api/26.0/public/te_macros
index b1937d8..d65eb88 100644
--- a/prebuilts/api/26.0/public/te_macros
+++ b/prebuilts/api/26.0/public/te_macros
@@ -550,6 +550,7 @@
 define(`add_service', `
   allow $1 $2:service_manager { add find };
   neverallow { domain -$1 } $2:service_manager add;
+  neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
 ')
 
 ###########################################
@@ -561,6 +562,7 @@
   allow $1 $2:hwservice_manager { add find };
   allow $1 hidl_base_hwservice:hwservice_manager add;
   neverallow { domain -$1 } $2:hwservice_manager add;
+  neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
 ')
 
 ##########################################
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ecca70a..b050e52 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -140,63 +140,20 @@
 #    incidence rate of security issues than system/core components and have
 #    access to lower layes of the stack (all the way down to hardware) thus
 #    increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-#   of the client and thus have the same access as the client domain in which
-#   the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-#   associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
-#   designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-#   by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-#   Binder service which apps were permitted to access.
 neverallow all_untrusted_apps {
   hwservice_manager_type
+  # Same process services are safe because they by definition run in the process
+  # of the client and thus have the same access as the client domain in which
+  # the process runs
   -same_process_hwservice
-  -coredomain_hwservice
-  -hal_configstore_ISurfaceFlingerConfigs
+  -coredomain_hwservice # neverallows for coredomain HwBinder services are below
+  -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
+  # These operations are also offered by surfaceflinger Binder service which
+  # apps are permitted to access
   -hal_graphics_allocator_hwservice
+  # HwBinder version of mediacodec Binder service which apps were permitted to
+  # access
   -hal_omx_hwservice
-  -untrusted_app_visible_hwservice
-}:hwservice_manager find;
-neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
-# Make sure that the following services are never accessible by untrusted_apps
-neverallow all_untrusted_apps {
-  default_android_hwservice
-  hal_audio_hwservice
-  hal_bluetooth_hwservice
-  hal_bootctl_hwservice
-  hal_camera_hwservice
-  hal_contexthub_hwservice
-  hal_drm_hwservice
-  hal_dumpstate_hwservice
-  hal_fingerprint_hwservice
-  hal_gatekeeper_hwservice
-  hal_gnss_hwservice
-  hal_graphics_composer_hwservice
-  hal_health_hwservice
-  hal_ir_hwservice
-  hal_keymaster_hwservice
-  hal_light_hwservice
-  hal_memtrack_hwservice
-  hal_nfc_hwservice
-  hal_oemlock_hwservice
-  hal_power_hwservice
-  hal_sensors_hwservice
-  hal_telephony_hwservice
-  hal_thermal_hwservice
-  hal_tv_cec_hwservice
-  hal_tv_input_hwservice
-  hal_usb_hwservice
-  hal_vibrator_hwservice
-  hal_vr_hwservice
-  hal_weaver_hwservice
-  hal_wifi_hwservice
-  hal_wifi_supplicant_hwservice
-  hidl_base_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
diff --git a/private/atrace.te b/private/atrace.te
index 94d8483..5de9f99 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -11,8 +11,11 @@
   allow atrace boottrace_data_file:dir search;
   allow atrace boottrace_data_file:file r_file_perms;
 
-  # atrace reads the files in /sys/kernel/debug/tracing/
-  allow atrace debugfs_tracing:file r_file_perms;
+  # Allow atrace to access tracefs.
+  allow atrace debugfs_tracing:dir r_dir_perms;
+  allow atrace debugfs_tracing:file rw_file_perms;
+  allow atrace debugfs_tracing_debug:file rw_file_perms;
+  allow atrace debugfs_trace_marker:file getattr;
 
   # atrace sets debug.atrace.* properties
   set_prop(atrace, debug_prop)
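Review bot: The removed comment said what atrace reads, but the new `# Allow atrace to access tracefs.` does not explain why `debugfs_tracing:file` went from `r_file_perms` to `rw_file_perms` or why `debugfs_tracing_debug:file` is now writable as well. Write access to tracing controls is the security-relevant part of this change, so I would name what is written, e.g. `# atrace toggles trace events and buffer settings, which needs write access (confirm).` The enclosing block opens above this hunk, so whether these rules are limited to particular build variants cannot be seen here.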
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 5973485..3a84629 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -7,6 +7,7 @@
   domain_deprecated
   -appdomain
   -installd
+  -recovery
   -sdcardd
   -surfaceflinger
   -system_server
@@ -38,6 +39,7 @@
   -fsck
   -healthd
   -installd
+  -recovery
   -servicemanager
   -system_server
   -ueventd
@@ -49,6 +51,7 @@
   domain_deprecated
   -healthd
   -installd
+  -recovery
   -servicemanager
   -system_server
   -ueventd
@@ -61,6 +64,7 @@
   -appdomain
   -healthd
   -installd
+  -recovery
   -servicemanager
   -system_server
   -ueventd
@@ -141,17 +145,20 @@
 userdebug_or_eng(`
 auditallow {
   domain_deprecated
+  -recovery
   -system_server
   -vold
 } cache_file:dir { open read search ioctl lock };
 auditallow {
   domain_deprecated
   -appdomain
+  -recovery
   -system_server
   -vold
 } cache_file:dir getattr;
 auditallow {
   domain_deprecated
+  -recovery
   -system_server
   -vold
 } cache_file:file { getattr read };
@@ -190,6 +197,7 @@
 userdebug_or_eng(`
 auditallow {
   domain_deprecated
+  -dumpstate
   -fsck
   -fsck_untrusted
   -sdcardd
@@ -199,6 +207,7 @@
 } proc:file r_file_perms;
 auditallow {
   domain_deprecated
+  -dumpstate
   -fsck
   -fsck_untrusted
   -system_server
@@ -206,9 +215,11 @@
 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow {
   domain_deprecated
+  -dumpstate
   -fingerprintd
   -healthd
   -netd
+  -recovery
   -system_app
   -surfaceflinger
   -system_server
@@ -221,6 +232,7 @@
   -fingerprintd
   -healthd
   -netd
+  -recovery
   -system_app
   -surfaceflinger
   -system_server
@@ -233,6 +245,7 @@
   -fingerprintd
   -healthd
   -netd
+  -recovery
   -system_app
   -surfaceflinger
   -system_server
@@ -253,7 +266,7 @@
   -surfaceflinger
   -system_server
   -zygote
-} cgroup:dir r_dir_perms;
+} cgroup:dir { open getattr read ioctl lock }; # search granted to domain
 auditallow {
   domain_deprecated
   -appdomain
@@ -267,7 +280,21 @@
   -surfaceflinger
   -system_server
   -zygote
-} cgroup:{ file lnk_file } r_file_perms;
+} cgroup:file { getattr read ioctl }; # open and lock granted to domain
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dumpstate
+  -fingerprintd
+  -healthd
+  -inputflinger
+  -installd
+  -keystore
+  -netd
+  -surfaceflinger
+  -system_server
+  -zygote
+} cgroup:lnk_file r_file_perms;
 auditallow {
   domain_deprecated
   -appdomain
diff --git a/private/file_contexts b/private/file_contexts
index e541a7d..40b66cd 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -17,8 +17,6 @@
 /charger            u:object_r:rootfs:s0
 /init               u:object_r:init_exec:s0
 /sbin(/.*)?         u:object_r:rootfs:s0
-/sbin/e2fsdroid     u:object_r:e2fs_exec:s0
-/sbin/mke2fs        u:object_r:e2fs_exec:s0
 
 # For kernel modules
 /lib(/.*)?          u:object_r:rootfs:s0
@@ -80,6 +78,7 @@
 /dev/cam		u:object_r:camera_device:s0
 /dev/console		u:object_r:console_device:s0
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
+/dev/memcg(/.*)?        u:object_r:memcg_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
@@ -177,6 +176,8 @@
 #
 /system(/.*)?		u:object_r:system_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
+/system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
+/system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
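Review bot: The two added entries for `/system/bin/e2fsdroid` and `/system/bin/mke2fs` omit the `--` file-type field that the fsck entries directly below them use, so the e2fs_exec label is not restricted to regular files at those paths. For consistency with the neighbouring executables I would write `/system/bin/e2fsdroid	--	u:object_r:e2fs_exec:s0` and the same for mke2fs. The atrace line above and the removed /sbin entries also lack the field, so this may be an accepted looser convention in this file; either way it is worth making the choice deliberate.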
@@ -452,82 +453,61 @@
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
 #############################
-# sysfs files
-#
-/sys/class/leds(/.*)?                        u:object_r:sysfs_leds:s0
-/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
-/sys/devices/virtual/block/zram\d+(/.*)?     u:object_r:sysfs_zram:s0
-/sys/devices/virtual/block/zram\d+/uevent    u:object_r:sysfs_zram_uevent:s0
-/sys/devices/virtual/misc/hw_random(/.*)?    u:object_r:sysfs_hwrandom:s0
-/sys/fs/ext4/features(/.*)?                  u:object_r:sysfs_fs_ext4_features:s0
-/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
-/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
-/sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
-/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
-/sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
-/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-
-#############################
-# debugfs files
-#
-/sys/kernel/debug/mmc0(/.*)?                            u:object_r:debugfs_mmc:s0
-
-#############################
 # tracefs files
 #
-/sys/kernel(/debug)?/tracing/buffer_size_kb                                         u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable                     u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable                       u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable                u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable       u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable                     u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable                      u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable                     u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable                      u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable               u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable                           u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable               u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable                  u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable                       u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable                       u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable    u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable      u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable            u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable             u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/lowmemorykiller/enable                          u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable                     u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable                       u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable                u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable       u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable                     u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable                      u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable                     u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable                      u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable               u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable                           u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable               u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable                  u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable                       u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable                       u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable    u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable      u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable            u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable             u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/events/lowmemorykiller/enable                          u:object_r:debugfs_tracing:s0
 /sys/kernel(/debug)?/tracing/instances(/.*)?                                        u:object_r:debugfs_tracing_instances:s0
 /sys/kernel(/debug)?/tracing/instances/wifi/free_buffer                             u:object_r:debugfs_wifi_tracing:s0
 /sys/kernel(/debug)?/tracing/instances/wifi/trace                                   u:object_r:debugfs_wifi_tracing:s0
 /sys/kernel(/debug)?/tracing/instances/wifi/tracing_on                              u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/options/overwrite                                      u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/options/print-tgid                                     u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace                                                  u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace_clock                                            u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/options/overwrite                                      u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/options/print-tgid                                     u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/trace                                                  u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
 /sys/kernel(/debug)?/tracing/trace_marker                                           u:object_r:debugfs_trace_marker:s0
-/sys/kernel(/debug)?/tracing/tracing_on                                             u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/tracing_on                                             u:object_r:debugfs_tracing:s0
 
 ###########################################
 # debug-only tracing
 #
-/sys/kernel/debug/tracing/events/sync/enable                         u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/workqueue/enable                    u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/regulator/enable                    u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/pagecache/enable                    u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/sync/enable                         u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/workqueue/enable                    u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/regulator/enable                    u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/pagecache/enable                    u:object_r:debugfs_tracing_debug:s0
 
-/sys/kernel/debug/tracing/events/irq/enable                          u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ipi/enable                          u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/irq/enable                          u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/ipi/enable                          u:object_r:debugfs_tracing_debug:s0
 
-/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable    u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable     u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable        u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable          u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable     u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable       u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable    u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable     u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/block/block_rq_issue/enable         u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/block/block_rq_complete/enable      u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/saved_cmdlines_size                        u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable    u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable        u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable          u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable     u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable       u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable    u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_issue/enable         u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_complete/enable      u:object_r:debugfs_tracing_debug:s0
+/sys/kernel/debug/tracing/saved_cmdlines_size                        u:object_r:debugfs_tracing_debug:s0
 
 #############################
 # asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a2d9b89..b3fbd0b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -40,6 +40,7 @@
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.
@@ -48,6 +49,23 @@
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/block/zram0     u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1     u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent    u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent    u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:usermodehelper:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+
+genfscon debugfs /mmc0                   u:object_r:debugfs_mmc:s0
+
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
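Review bot: The `zram0`/`zram1` entries do not cover what the removed file_contexts entries covered: the old pattern was `/sys/devices/virtual/block/zram\d+`, which matched any device number, while genfscon paths are literal prefixes, so a device such as zram2 would keep the generic `sysfs` label. If only two devices are expected, state that in a comment above these lines, for example `# genfscon has no regex support; each zram device is listed explicitly`. The old `/sys/module/lowmemorykiller(/.*)? --` entry was limited to regular files; as far as I can tell the genfscon prefix labels the directories as well, which is worth confirming against the rules that reference `sysfs_lowmemorykiller`.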
diff --git a/private/service_contexts b/private/service_contexts
index dc77cb9..955f300 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -16,6 +16,7 @@
 battery                                   u:object_r:battery_service:s0
 bluetooth_manager                         u:object_r:bluetooth_manager_service:s0
 bluetooth                                 u:object_r:bluetooth_service:s0
+broadcastradio                            u:object_r:broadcastradio_service:s0
 carrier_config                            u:object_r:radio_service:s0
 clipboard                                 u:object_r:clipboard_service:s0
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
@@ -86,7 +87,6 @@
 media.extractor                           u:object_r:mediaextractor_service:s0
 media.codec                               u:object_r:mediacodec_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
-media.radio                               u:object_r:audioserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0
 media.cas                                 u:object_r:mediacasserver_service:s0
diff --git a/private/shell.te b/private/shell.te
index 90bed27..5299532 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -5,8 +5,7 @@
 
 # systrace support - allow atrace to run
 allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file r_file_perms;
-allow shell tracing_shell_writable:file rw_file_perms;
+allow shell debugfs_tracing:file rw_file_perms;
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;
 
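Review bot: `allow shell debugfs_tracing:file rw_file_perms;` gives the shell domain write access to every file labelled `debugfs_tracing`, where it previously had read-only access to that type and could write only the files explicitly labelled `tracing_shell_writable`. If `debugfs_tracing` is also the default label for the tracing tree (that labelling is not visible in this diff), shell's write access now extends beyond the control files enumerated in file_contexts. The same widening applies to `allow init debugfs_tracing:file w_file_perms;` in public/init.te, whose comment still describes a single file, `tracing_on`. Either keep a distinct type for the files meant to be shell-writable, or add a comment such as `# debugfs_tracing is only assigned to tracing files that shell may write` once that has been verified.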
@@ -14,7 +13,7 @@
 allow shell config_gz:file r_file_perms;
 
 userdebug_or_eng(`
-  allow shell tracing_shell_writable_debug:file rw_file_perms;
+  allow shell debugfs_tracing_debug:file rw_file_perms;
 ')
 
 # Run app_process.
diff --git a/private/system_server.te b/private/system_server.te
index 3c3f82d..d109cc2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -130,6 +130,9 @@
 # Write /proc/uid_procstat/set.
 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
 
+# Read /proc/uid_time_in_state.
+allow system_server proc_uid_time_in_state:file r_file_perms;
+
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
diff --git a/public/attributes b/public/attributes
index 1fe3826..f41c54d 100644
--- a/public/attributes
+++ b/public/attributes
@@ -29,6 +29,7 @@
 
 # All types used for /data files.
 attribute data_file_type;
+expandattribute data_file_type false;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
 # All types in /vendor
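Review bot: `expandattribute data_file_type false;` is added without a comment, and the reason is not obvious from this file alone. The new sepolicy_tests in this commit look the attribute up by name through `AssertPathTypesHaveAttr`, so presumably the attribute must survive compilation for the test to find it. A one-line comment would keep a later cleanup from removing it, for example `# Keep this attribute in the compiled policy; sepolicy_tests queries it by name.`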
@@ -144,15 +145,6 @@
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;
 
-# hwservices that are accessible from untrusted applications
-# WARNING: Use of this attribute should be avoided unless
-# absolutely necessary.  It is a temporary allowance to aid the
-# transition to treble and will be removed in a future platform
-# version, requiring all hwservices that are labeled with this
-# attribute to be submitted to AOSP in order to maintain their
-# app-visibility.
-attribute untrusted_app_visible_hwservice;
-
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
@@ -370,12 +362,6 @@
 expandattribute hal_wifi_client true;
 attribute hal_wifi_server;
 expandattribute hal_wifi_server true;
-attribute hal_wifi_keystore;
-expandattribute hal_wifi_keystore true;
-attribute hal_wifi_keystore_client;
-expandattribute hal_wifi_keystore_client true;
-attribute hal_wifi_keystore_server;
-expandattribute hal_wifi_keystore_server true;
 attribute hal_wifi_offload;
 expandattribute hal_wifi_offload true;
 attribute hal_wifi_offload_client;
diff --git a/public/device.te b/public/device.te
index 4a3bec9..15799b8 100644
--- a/public/device.te
+++ b/public/device.te
@@ -21,6 +21,7 @@
 type vold_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
+type memcg_device, dev_type;
 type fscklogs, dev_type;
 type full_device, dev_type;
 # GPU (used by most UI apps)
diff --git a/public/domain.te b/public/domain.te
index 67e792b..00de3db 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -226,6 +226,10 @@
 ### neverallow rules
 ###
 
+# Don't allow others to access memcg.
+neverallow { domain -init -lmkd -shell -ueventd } memcg_device:dir *;
+neverallow { domain -init -lmkd -ueventd } memcg_device:file *;
+
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
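Review bot: The `memcg_device:dir` neverallow exempts `shell`, but the `memcg_device:file` rule does not, and no shell rule on `memcg_device` is visible in this commit to explain the difference. An exemption in a neverallow is a standing permission to add such an allow rule later, so it should be justified or removed. If shell only reaches the directory through a broader rule on an attribute elsewhere, say so in a comment, for example `# shell: directory listing only, via its dev_type rule` (to be confirmed against shell.te); otherwise drop `-shell` so both rules read `{ domain -init -lmkd -ueventd }`.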
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4f66ffb..e069fd2 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -137,8 +137,9 @@
 control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)
 
-# Read /proc/net
+# Read /proc and /proc/net
 allow dumpstate proc_net:file r_file_perms;
+r_dir_file(dumpstate, proc)
 
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
diff --git a/public/file.te b/public/file.te
index bf8223a..611500c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@
 type proc_uid_cputime_removeuid, fs_type;
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
+type proc_uid_time_in_state, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
@@ -67,10 +68,9 @@
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type;
 type debugfs_tracing_instances, fs_type, debugfs_type;
 type debugfs_wifi_tracing, fs_type, debugfs_type;
-type tracing_shell_writable, fs_type, debugfs_type;
-type tracing_shell_writable_debug, fs_type, debugfs_type;
 
 type pstorefs, fs_type;
 type functionfs, fs_type, mlstrustedobject;
@@ -218,13 +218,13 @@
 type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
-type cache_file, file_type, mlstrustedobject;
+type cache_file, file_type, data_file_type, mlstrustedobject;
 # Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, mlstrustedobject;
+type cache_backup_file, file_type, data_file_type, mlstrustedobject;
 # type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type;
+type cache_private_backup_file, file_type, data_file_type;
 # Type for anything under /cache/recovery
-type cache_recovery_file, file_type, mlstrustedobject;
+type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
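Review bot: Adding `data_file_type` to the four `cache_*` types changes more than the new test result: every existing allow and neverallow rule written against the `data_file_type` attribute now also applies to files under /cache. The recovery.te change in this commit, which has to carve `cache_file` and `cache_recovery_file` out of its neverallow, is one visible consequence; allow rules elsewhere that name the attribute would widen silently. The same holds for the socket types that gain the attribute in the two later hunks of this file (`bluetooth_socket`, `misc_logd_file`, `system_wpa_socket`, `system_ndebug_socket`, `wpa_socket`). It would help to record in the commit description which attribute-based allow rules were checked for unintended access to these types.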
@@ -252,7 +252,7 @@
 
 # Socket types
 type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, coredomain_socket;
 type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
 type dumpstate_socket, file_type, coredomain_socket;
 type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
@@ -262,22 +262,22 @@
 type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
 type mdns_socket, file_type, coredomain_socket;
 type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type;
+type misc_logd_file, coredomain_socket, file_type, data_file_type;
 type mtpd_socket, file_type, coredomain_socket;
 type netd_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, coredomain_socket;
-type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
 type vold_socket, file_type, coredomain_socket;
 type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type;
+type wpa_socket, file_type, data_file_type;
 type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;
diff --git a/public/init.te b/public/init.te
index 0e9c769..01d308a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -77,6 +77,7 @@
 allow init cgroup:dir create_dir_perms;
 r_dir_file(init, cgroup)
 allow init cpuctl_device:dir { create mounton };
+allow init memcg_device:dir { create mounton };
 
 # /config
 allow init configfs:dir mounton;
@@ -193,7 +194,7 @@
 allow init dev_type:lnk_file create;
 
 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init tracing_shell_writable:file w_file_perms;
+allow init debugfs_tracing:file w_file_perms;
 
 # Setup and control wifi event tracing (see wifi-events.rc)
 allow init debugfs_tracing_instances:dir create_dir_perms;
diff --git a/public/lmkd.te b/public/lmkd.te
index f4e6c2d..c2dcadd 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -21,6 +21,9 @@
 r_dir_file(lmkd, sysfs_type)
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
+allow lmkd memcg_device:dir search;
+allow lmkd memcg_device:file rw_file_perms;
+
 # Send kill signals
 allow lmkd appdomain:process sigkill;
 
@@ -32,6 +35,8 @@
 
 allow lmkd proc_zoneinfo:file r_file_perms;
 
+r_dir_file(lmkd, cgroup)
+
 ### neverallow rules
 
 # never honor LD_PRELOAD
diff --git a/public/recovery.te b/public/recovery.te
index 99d792c..6e1cc2b 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -18,6 +18,7 @@
   allow recovery self:capability2 mac_admin;
 
   # Run helpers from / or /system without changing domain.
+  r_dir_file(recovery, rootfs)
   allow recovery rootfs:file execute_no_trans;
   allow recovery system_file:file execute_no_trans;
   allow recovery toolbox_exec:file rx_file_perms;
@@ -28,6 +29,9 @@
   allow recovery unlabeled:filesystem ~relabelto;
   allow recovery contextmount_type:filesystem relabelto;
 
+  # Format ext4 filesystem
+  allow recovery e2fs_exec:file rx_file_perms;
+
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
@@ -56,6 +60,7 @@
 
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
+  r_dir_file(recovery, sysfs)
   allow recovery sysfs:file w_file_perms;
 
   # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
@@ -145,5 +150,13 @@
 # domains, including recovery.
 #
 # TODO: tighten this up further.
-neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
-neverallow recovery data_file_type:dir no_w_dir_perms;
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+}:dir no_w_dir_perms;
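Review bot: The file neverallow now exempts `cache_file` and `cache_recovery_file` from both `no_w_file_perms` and `no_x_file_perms`, although the carve-out appears to be needed only so that recovery can write under /cache. Keeping the execute half unconditional preserves the guarantee that recovery never runs code from writable storage: add `neverallow recovery data_file_type:file no_x_file_perms;` and restrict the exempted rule to `no_w_file_perms`. This assumes recovery has no rule that executes files from /cache, which the visible hunks do not show either way. A short comment naming what recovery writes to these two types would also document why they are exempt.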
diff --git a/public/service.te b/public/service.te
index ee3ffe5..28222a5 100644
--- a/public/service.te
+++ b/public/service.te
@@ -43,6 +43,7 @@
 type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type battery_service, system_server_service, service_manager_type;
 type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type broadcastradio_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;
 type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type contexthub_service, app_api_service,  system_server_service, service_manager_type;
diff --git a/public/vold.te b/public/vold.te
index 81ee28c..836db5f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -28,6 +28,9 @@
 # For sgdisk launched through popen()
 allow vold shell_exec:file rx_file_perms;
 
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
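Review bot: `allow vold e2fs_exec:file rx_file_perms;` lets vold run the ext4 formatting tools inside its own domain, assuming `rx_file_perms` includes `execute_no_trans` as it does in the platform macros. The comment says this is for adoptable storage, which is removable media whose contents the device does not control, so a parsing bug in those tools would run with all of vold's permissions. Consider a transition into a dedicated, narrower domain for `e2fs_exec` instead of in-domain execution, or extend the comment to explain why in-domain execution is acceptable here. The surrounding vold rules are outside this hunk, so an existing transition for this type cannot be ruled out.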
diff --git a/tests/Android.bp b/tests/Android.bp
index 2c70f36..e875497 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -19,3 +19,10 @@
     host_supported: true,
     required: ["policy.py"],
 }
+
+cc_prebuilt_binary {
+    name: "sepolicy_tests.py",
+    srcs: ["sepolicy_tests.py"],
+    host_supported: true,
+    required: ["policy.py"],
+}
diff --git a/tests/policy.py b/tests/policy.py
index e307656..b70b836 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -3,6 +3,33 @@
 import os
 import sys
 
+###
+# Check whether the regex will match a file path starting with the provided
+# prefix
+#
+# Compares regex entries in file_contexts with a path prefix. Regex entries
+# are often more specific than this file prefix. For example, the regex could
+# be /system/bin/foo\.sh and the prefix could be /system. This function
+# loops over the regex removing characters from the end until
+# 1) there is a match - return True or 2) run out of characters - return
+#    False.
+#
+def MatchPathPrefix(pathregex, prefix):
+    for i in range(len(pathregex), 0, -1):
+        try:
+            pattern = re.compile('^' + pathregex[0:i] + "$")
+        except:
+            continue
+        if pattern.match(prefix):
+            return True
+    return False
+
+def MatchPathPrefixes(pathregex, Prefixes):
+    for Prefix in Prefixes:
+        if MatchPathPrefix(pathregex, Prefix):
+            return True
+    return False
+
 class TERule:
     def __init__(self, rule):
         data = rule.split(',')
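Review bot: The bare `except:` in `MatchPathPrefix` swallows every exception, including `KeyboardInterrupt` and a `NameError` from a missing import, and turns it into "no match", which in a policy test means a violation can be missed without any output. Only a truncated pattern that fails to compile is expected here, so catch that alone: `except re.error:`. The hunk's context shows only `import os` and `import sys`; confirm that `re` is imported in the lines above, since with the bare `except` a missing import would make every call return False. `MatchPathPrefixes` has no comment; a line such as `# True if pathregex matches any prefix in Prefixes` would match the header given to `MatchPathPrefix`.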
@@ -20,6 +47,27 @@
     __policydbP = None
     __BUFSIZE = 2048
 
+    # Check that path prefixes that match MatchPrefix, and do not Match
+    # DoNotMatchPrefix have the attribute Attr.
+    # For example assert that all types in /sys, and not in /sys/kernel/debugfs
+    # have the sysfs_type attribute.
+    def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+        # Query policy for the types associated with Attr
+        TypesPol = self.QueryTypeAttribute(Attr, True)
+        # Search file_contexts to find paths/types that should be associated with
+        # Attr.
+        TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+        violators = TypesFc.difference(TypesPol)
+
+        ret = ""
+        if len(violators) > 0:
+            ret += "The following types on "
+            ret += " ".join(str(x) for x in sorted(MatchPrefix))
+            ret += " must be associated with the "
+            ret += "\"" + Attr + "\" attribute: "
+            ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+        return ret
+
     # Return all file_contexts entries that map to the input Type.
     def QueryFc(self, Type):
         if Type in self.__FcDict:
@@ -35,18 +83,19 @@
         if (TypeIterP == None):
             sys.exit("Failed to initialize type iterator")
         buf = create_string_buffer(self.__BUFSIZE)
-
+        TypeAttr = set()
         while True:
             ret = self.__libsepolwrap.get_type(buf, self.__BUFSIZE,
                     self.__policydbP, TypeIterP)
             if ret == 0:
-                yield buf.value
+                TypeAttr.add(buf.value)
                 continue
             if ret == 1:
                 break;
             # We should never get here.
             sys.exit("Failed to import policy")
         self.__libsepolwrap.destroy_type_iter(TypeIterP)
+        return TypeAttr
 
     # Return all TERules that match:
     # (any scontext) or (any tcontext) or (any tclass) or (any perms),
@@ -74,6 +123,17 @@
                 continue
             yield Rule
 
+    def __GetTypesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
+        Types = set()
+        for Type in self.__FcDict:
+            for pathregex in self.__FcDict[Type]:
+                if not MatchPathPrefixes(pathregex, MatchPrefixes):
+                    continue
+                if MatchPathPrefixes(pathregex, DoNotMatchPrefixes):
+                    continue
+                Types.add(Type)
+        return Types
+
 
     def __GetTERules(self, policydbP, avtabIterP):
         if self.__Rules is None:
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
new file mode 100644
index 0000000..3f93ff4
--- /dev/null
+++ b/tests/sepolicy_tests.py
@@ -0,0 +1,85 @@
+from optparse import OptionParser
+from optparse import Option, OptionValueError
+import os
+import policy
+import re
+import sys
+
+#############################################################
+# Tests
+#############################################################
+def TestDataTypeViolations(pol):
+    return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
+
+def TestSysfsTypeViolations(pol):
+    return pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
+                                    "/sys/kernel/tracing"], "sysfs_type")
+
+def TestDebugfsTypeViolations(pol):
+    # TODO: this should apply to genfs_context entries as well
+    return pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
+                                    "/sys/kernel/tracing"], [], "debugfs_type")
+###
+# extend OptionParser to allow the same option flag to be used multiple times.
+# This is used to allow multiple file_contexts files and tests to be
+# specified.
+#
+class MultipleOption(Option):
+    ACTIONS = Option.ACTIONS + ("extend",)
+    STORE_ACTIONS = Option.STORE_ACTIONS + ("extend",)
+    TYPED_ACTIONS = Option.TYPED_ACTIONS + ("extend",)
+    ALWAYS_TYPED_ACTIONS = Option.ALWAYS_TYPED_ACTIONS + ("extend",)
+
+    def take_action(self, action, dest, opt, value, values, parser):
+        if action == "extend":
+            values.ensure_value(dest, []).append(value)
+        else:
+            Option.take_action(self, action, dest, opt, value, values, parser)
+
+Tests = ["TestDataTypeViolators"]
+
+if __name__ == '__main__':
+    usage = "sepolicy_tests.py -f nonplat_file_contexts -f "
+    usage +="plat_file_contexts -p policy [--test test] [--help]"
+    parser = OptionParser(option_class=MultipleOption, usage=usage)
+    parser.add_option("-f", "--file_contexts", dest="file_contexts",
+            metavar="FILE", action="extend", type="string")
+    parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
+    parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
+    parser.add_option("-t", "--test", dest="test", action="extend",
+            help="Test options include "+str(Tests))
+
+    (options, args) = parser.parse_args()
+
+    if not options.libpath:
+        sys.exit("Must specify path to host libraries\n" + parser.usage)
+    if not os.path.exists(options.libpath):
+        sys.exit("Error: library-path " + options.libpath + " does not exist\n"
+                + parser.usage)
+
+    if not options.policy:
+        sys.exit("Must specify monolithic policy file\n" + parser.usage)
+    if not os.path.exists(options.policy):
+        sys.exit("Error: policy file " + options.policy + " does not exist\n"
+                + parser.usage)
+
+    if not options.file_contexts:
+        sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
+    for f in options.file_contexts:
+        if not os.path.exists(f):
+            sys.exit("Error: File_contexts file " + f + " does not exist\n" +
+                    parser.usage)
+
+    pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+
+    results = ""
+    # If an individual test is not specified, run all tests.
+    if options.test is None or "TestDataTypeViolations" in options.tests:
+        results += TestDataTypeViolations(pol)
+    if options.test is None or "TestSysfsTypeViolations" in options.tests:
+        results += TestSysfsTypeViolations(pol)
+    if options.test is None or "TestDebugfsTypeViolations" in options.tests:
+        results += TestDebugfsTypeViolations(pol)
+
+    if len(results) > 0:
+        sys.exit(results)
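Review bot: The three dispatch conditions read `options.tests`, but the option is declared with `dest="test"`, so any run that passes `--test` raises AttributeError instead of running the selected check. The `Tests` list used in the help text names `TestDataTypeViolators`, which matches no test function, and omits the sysfs and debugfs tests. Once the attribute name is fixed, a misspelled `--test` value would run nothing and exit 0, so this policy check would pass vacuously. The sketch below lists the real test names, rejects unknown ones and reads `options.test`.

```python
Tests = ["TestDataTypeViolations", "TestSysfsTypeViolations",
         "TestDebugfsTypeViolations"]

# … unchanged: option parsing, path checks, policy.Policy(...) …

    # Fail loudly on a misspelled test name instead of running nothing.
    if options.test is not None:
        unknown = [t for t in options.test if t not in Tests]
        if unknown:
            sys.exit("Error: unknown test(s) " + " ".join(unknown) + "\n"
                    + parser.usage)

    results = ""
    # If an individual test is not specified, run all tests.
    if options.test is None or "TestDataTypeViolations" in options.test:
        results += TestDataTypeViolations(pol)
    if options.test is None or "TestSysfsTypeViolations" in options.test:
        results += TestSysfsTypeViolations(pol)
    if options.test is None or "TestDebugfsTypeViolations" in options.test:
        results += TestDebugfsTypeViolations(pol)
```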
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index ddccaba..770ff97 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -2,6 +2,7 @@
 from optparse import Option, OptionValueError
 import os
 import policy
+from policy import MatchPathPrefix
 import re
 import sys
 
@@ -69,27 +70,6 @@
 appdomains = set()
 vendordomains = set()
 
-###
-# Check whether the regex will match a file path starting with the provided
-# prefix
-#
-# Compares regex entries in file_contexts with a path prefix. Regex entries
-# are often more specific than this file prefix. For example, the regex could
-# be /system/bin/foo\.sh and the prefix could be /system. This function
-# loops over the regex removing characters from the end until
-# 1) there is a match - return True or 2) run out of characters - return
-#    False.
-#
-def MatchPathPrefix(pathregex, prefix):
-    for i in range(len(pathregex), 0, -1):
-        try:
-            pattern = re.compile('^' + pathregex[0:i] + "$")
-        except:
-            continue
-        if pattern.match(prefix):
-            return True
-    return False
-
 def GetAllDomains(pol):
     global alldomains
     for result in pol.QueryTypeAttribute("domain", True):
diff --git a/vendor/file.te b/vendor/file.te
index aeafb4a..3350b1e 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,2 @@
 # Socket types
-type hostapd_socket, file_type;
+type hostapd_socket, file_type, data_file_type;
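Review bot: Adding `data_file_type` to `hostapd_socket` means every rule written against that attribute, allow and neverallow alike, now covers this socket type, and the hunk gives no reason for the change. Presumably the type is labeled under /data and the new /data/ check in sepolicy_tests.py requires the attribute. A comment above the declaration would record that, for example `# Labeled under /data; must carry data_file_type (checked by sepolicy_tests)`. It is worth confirming that no attribute-wide rule grants a domain more access to this socket than intended.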