Merge changes from topic 'ipsec-service'
* changes:
Add IpSecService SEPolicy
Update Common NetD SEPolicy to allow Netlink XFRM
diff --git a/Android.mk b/Android.mk
index e288356..da58e53 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,7 +1,38 @@
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy
+LOCAL_MODULE_TAGS := optional
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+ mapping_sepolicy.cil \
+ nonplat_sepolicy.cil \
+ plat_sepolicy.cil \
+ plat_sepolicy.cil.sha256 \
+ secilc \
+ nonplat_file_contexts \
+ plat_file_contexts
+# Include precompiled policy, unless told otherwise
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
+endif
+
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy \
+ file_contexts.bin
+endif
+include $(BUILD_PHONY_PACKAGE)
+
+include $(CLEAR_VARS)
# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
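Review bot: The precompiled-policy switch `ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)` recognises only the exact string `false`, so a value with stray whitespace or a different spelling (`False`, `no`) silently keeps precompiled_sepolicy in the build, and the outer `ifeq ($(PRODUCT_FULL_TREBLE),true)` has the mirror problem of silently falling back to the monolithic policy. Wrapping both in `$(strip …)` closes the whitespace case; rejecting unknown values closes the spelling case, e.g. `ifneq ($(filter-out true false,$(strip $(PRODUCT_PRECOMPILED_SEPOLICY))),)` / `$(error PRODUCT_PRECOMPILED_SEPOLICY must be true or false)` / `endif` before the existing check. Since the comment says this block mimics init/init.cpp, it would also help to state there that any change to the module lists must be mirrored in init's policy-loading logic, as nothing in the build enforces that coupling.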
@@ -124,6 +155,11 @@
genfs_contexts \
port_contexts
+# CIL files which contain workarounds for current limitation of human-readable
+# module policy language. These files are appended to the CIL files produced
+# from module language files.
+sepolicy_build_cil_workaround_files := technical_debt.cil
+
my_target_arch := $(TARGET_ARCH)
ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
my_target_arch := mips
@@ -158,6 +194,7 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+ -D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
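Review bot: The new `-D target_full_treble=$(PRODUCT_FULL_TREBLE)` reads the global product variable at recipe time, whereas the neighbouring `target_arch` and `target_with_asan` defines go through target-specific `PRIVATE_` variables that freeze the value when the rule is declared; the same addition is repeated in the hunks `@@ -188,6 +225,7 @@`, `@@ -243,13 +281,18 @@` and `@@ -342,6 +385,7 @@`. For consistency with those two lines, and so the four m4 invocations cannot observe different values if the global is reassigned later in the parse, capture it once per target, e.g. `<target>: PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)` and `-D target_full_treble=$(PRIVATE_FULL_TREBLE) \`. Note that an unset PRODUCT_FULL_TREBLE yields the empty define `-D target_full_treble=`, which presumably is what the policy-side checks expect; a one-line comment saying so would avoid the question. The enclosing rule's header lies outside this hunk.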
@@ -188,6 +225,7 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+ -D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
@@ -243,13 +281,18 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+ -D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
plat_policy_nvr := $(intermediates)/plat_policy_nvr.cil
-$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(plat_policy_nvr): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr)
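Review bot: `$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@` has no guard for an empty list: `build_policy` appears to return only the files it finds, so if `sepolicy_build_cil_workaround_files` is ever emptied or technical_debt.cil goes missing, `cat` runs with no arguments and reads stdin instead of failing. Guard it with `$(hide) if [ -n "$(PRIVATE_ADDITIONAL_CIL_FILES)" ]; then cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@; fi`. The `$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))` expression is also spelled twice, once for PRIVATE_ADDITIONAL_CIL_FILES and once in the prerequisite list; assigning it to one local and using that in both places, then clearing the local next to `sepolicy_build_cil_workaround_files :=` at the end of the file, keeps the two lists from drifting apart. Since the appended CIL bypasses the checkpolicy invocation on the previous line and is presumably only validated when secilc compiles PRIVATE_CIL_FILES, a comment stating that neverallow checking still covers it would save the next reader the question.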
@@ -342,6 +385,7 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+ -D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -434,7 +478,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@mkdir -p $(dir $@)
- $(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp
+ $(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
echo "==========" 1>&2; \
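Review bot: The added `-f /dev/null` on the secilc command is unexplained, and the same flag is added in the hunk `@@ -586,7 +630,7 @@` below. secilc's `-f` selects where it writes the file_contexts it derives from the CIL, so pointing it at /dev/null discards that output rather than leaving a stray `file_contexts` in the working directory, which is presumably the intent here because file_contexts is built by its own rule. A one-line comment above the command, `# -f /dev/null: discard the file_contexts secilc would otherwise emit; file_contexts has its own rule`, would record that for both sites.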
@@ -586,7 +630,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files.recovery)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files.recovery)
@mkdir -p $(dir $@)
- $(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp
+ $(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
echo "==========" 1>&2; \
@@ -1110,6 +1154,7 @@
plat_pub_policy.cil :=
reqd_policy_mask.cil :=
sepolicy_build_files :=
+sepolicy_build_cil_workaround_files :=
with_asan :=
include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/private/adbd.te b/private/adbd.te
index 1865b2a..73302ac 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -1,5 +1,6 @@
### ADB daemon
+typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
domain_auto_trans(adbd, shell_exec, shell)
@@ -70,9 +71,9 @@
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
-# Needed for Android Studio screenshot
-hwbinder_use(adbd)
-allow adbd hal_graphics_allocator:fd use;
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
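Review bot: The replacement comment `# Needed for various screenshots` is vaguer than the `# Needed for Android Studio screenshot` it replaces, while the rule beneath it grows from an explicit `allow adbd hal_graphics_allocator:fd use;` to the whole `hal_client_domain(adbd, hal_graphics_allocator)` grant. Because the macro expands to more than the two removed lines, the comment should record which screenshot paths need allocator-client access and why the narrower fd rule no longer suffices, e.g. `# Needed for screenshots taken over adb: adbd must be a full hal_graphics_allocator client, not merely receive its fds`. That keeps the widened grant auditable the next time adbd's permissions are reviewed.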
diff --git a/private/app.te b/private/app.te
index ed2d8b6..81de403 100644
--- a/private/app.te
+++ b/private/app.te
@@ -155,7 +155,6 @@
# hidl access for mediacodec
# TODO(b/34454312): only allow getting and talking to mediacodec service
hwbinder_use(appdomain)
-hwallocator_use(appdomain)
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
@@ -244,6 +243,9 @@
# TODO is write really necessary ?
auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
# Allow app to access the graphic allocator HAL
binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
diff --git a/private/atrace.te b/private/atrace.te
index 9c4f342..94d8483 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -3,7 +3,7 @@
type atrace_exec, exec_type, file_type;
userdebug_or_eng(`
- type atrace, domain, domain_deprecated;
+ type atrace, domain, coredomain, domain_deprecated;
init_daemon_domain(atrace)
diff --git a/private/audioserver.te b/private/audioserver.te
index 95a7521..61ccefc 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -1,5 +1,7 @@
# audioserver - audio services daemon
+typeattribute audioserver coredomain;
+
type audioserver_exec, exec_type, file_type;
init_daemon_domain(audioserver)
@@ -10,10 +12,9 @@
binder_call(audioserver, appdomain)
binder_service(audioserver)
+hal_client_domain(audioserver, hal_allocator)
hal_client_domain(audioserver, hal_audio)
-allow audioserver system_file:dir r_dir_perms;
-
userdebug_or_eng(`
# used for TEE sink - pcm capture for debug.
allow audioserver media_data_file:dir create_dir_perms;
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
new file mode 100644
index 0000000..4a1218e
--- /dev/null
+++ b/private/binder_in_vendor_violators.te
@@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
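Review bot: The new file is a single `allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;` with no comment, so nothing records what the attribute is for or that this is a carve-out rather than a normal grant. From the name it looks like a transitional attribute for vendor domains that still open /dev/binder instead of the /dev/vndbinder node labelled elsewhere in this change; confirm against the attribute's declaration. A header comment such as `# Transitional attribute for vendor domains that still access /dev/binder directly; new domains must not use it` together with a tracking-bug reference would make the exception auditable and keep it from silently becoming permanent.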
diff --git a/private/blkid.te b/private/blkid.te
index 9c4cfcc..090912b 100644
--- a/private/blkid.te
+++ b/private/blkid.te
@@ -1,5 +1,7 @@
# blkid called from vold
+typeattribute blkid coredomain;
+
type blkid_exec, exec_type, file_type;
# Allowed read-only access to encrypted devices to extract UUID/label
diff --git a/private/blkid_untrusted.te b/private/blkid_untrusted.te
index ae18e68..1256771 100644
--- a/private/blkid_untrusted.te
+++ b/private/blkid_untrusted.te
@@ -1,5 +1,7 @@
# blkid for untrusted block devices
+typeattribute blkid_untrusted coredomain;
+
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 9c7182e..628f971 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,5 +1,6 @@
# bluetooth subsystem
+typeattribute bluetooth coredomain;
typeattribute bluetooth domain_deprecated;
app_domain(bluetooth)
diff --git a/private/bootanim.te b/private/bootanim.te
index 94fbc1f..8c9f6c7 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootanim coredomain;
+
init_daemon_domain(bootanim)
diff --git a/private/bootstat.te b/private/bootstat.te
index caa82fd..806144c 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootstat coredomain;
+
init_daemon_domain(bootstat)
diff --git a/private/bufferhubd.te b/private/bufferhubd.te
index 4fa77a5..012eb20 100644
--- a/private/bufferhubd.te
+++ b/private/bufferhubd.te
@@ -1 +1,3 @@
+typeattribute bufferhubd coredomain;
+
init_daemon_domain(bufferhubd)
diff --git a/private/cameraserver.te b/private/cameraserver.te
index b34d746..c16c132 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cameraserver coredomain;
+
init_daemon_domain(cameraserver)
diff --git a/private/charger.te b/private/charger.te
new file mode 100644
index 0000000..65109de
--- /dev/null
+++ b/private/charger.te
@@ -0,0 +1 @@
+typeattribute charger coredomain;
diff --git a/private/clatd.te b/private/clatd.te
new file mode 100644
index 0000000..5ba0fc5
--- /dev/null
+++ b/private/clatd.te
@@ -0,0 +1 @@
+typeattribute clatd coredomain;
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 02c13b3..34f0d66 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cppreopts coredomain;
+
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
diff --git a/private/crash_dump.te b/private/crash_dump.te
new file mode 100644
index 0000000..fb73f08
--- /dev/null
+++ b/private/crash_dump.te
@@ -0,0 +1 @@
+typeattribute crash_dump coredomain;
diff --git a/private/dex2oat.te b/private/dex2oat.te
new file mode 100644
index 0000000..fd45484
--- /dev/null
+++ b/private/dex2oat.te
@@ -0,0 +1 @@
+typeattribute dex2oat coredomain;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 2239d2a..db81d0d 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,5 +1,5 @@
# dexoptanalyzer
-type dexoptanalyzer, domain, mlstrustedsubject;
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, exec_type, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
diff --git a/private/dhcp.te b/private/dhcp.te
index 6745189..b2f8ac7 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dhcp coredomain;
+
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/private/dnsmasq.te b/private/dnsmasq.te
new file mode 100644
index 0000000..96084b4
--- /dev/null
+++ b/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/private/drmserver.te b/private/drmserver.te
index cc96afd..45663bb 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute drmserver coredomain;
+
init_daemon_domain(drmserver)
type_transition drmserver apk_data_file:sock_file drmserver_socket;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 62628dd..cbdfbc6 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dumpstate coredomain;
+
init_daemon_domain(dumpstate)
# Execute and transition to the vdc domain
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b0515a..9289027 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -11,6 +11,8 @@
###
### PackageManager flags an app as ephemeral at install time.
+typeattribute ephemeral_app coredomain;
+
net_domain(ephemeral_app)
app_domain(ephemeral_app)
diff --git a/private/file_contexts b/private/file_contexts
index 94a2a53..bd111b8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -92,6 +92,7 @@
/dev/keychord u:object_r:keychord_device:s0
/dev/kmem u:object_r:kmem_device:s0
/dev/log(/.*)? u:object_r:log_device:s0
+/dev/loop-control u:object_r:loop_control_device:s0
/dev/mem u:object_r:kmem_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtd(/.*)? u:object_r:mtd_device:s0
@@ -155,6 +156,7 @@
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index a733cab..eb73ef8 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fingerprintd coredomain;
+
init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index f3f4c52..3a36329 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fsck coredomain;
+
init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
new file mode 100644
index 0000000..9a57bf0
--- /dev/null
+++ b/private/fsck_untrusted.te
@@ -0,0 +1 @@
+typeattribute fsck_untrusted coredomain;
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
index d050c2e..5e4d0a2 100644
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute gatekeeperd coredomain;
+
init_daemon_domain(gatekeeperd)
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index ff407d5..49ef178 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -1,4 +1,4 @@
-type hal_allocator_default, domain;
+type hal_allocator_default, domain, coredomain;
hal_server_domain(hal_allocator_default, hal_allocator)
type hal_allocator_default_exec, exec_type, file_type;
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
index aa224ec..d4bdef9 100644
--- a/private/halclientdomain.te
+++ b/private/halclientdomain.te
@@ -5,3 +5,6 @@
# Find out whether a HAL in passthrough/in-process mode or
# binderized/out-of-process mode
hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/private/halserverdomain.te b/private/halserverdomain.te
index 7be8360..f36e0e7 100644
--- a/private/halserverdomain.te
+++ b/private/halserverdomain.te
@@ -7,3 +7,6 @@
# Find HAL implementations
allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/private/healthd.te b/private/healthd.te
index fc13e28..0693a3a 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute healthd coredomain;
+
init_daemon_domain(healthd)
# Allow callback to storaged batteryproperties listener
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index e15d13d..627b93f 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute hwservicemanager coredomain;
+
init_daemon_domain(hwservicemanager)
diff --git a/private/idmap.te b/private/idmap.te
new file mode 100644
index 0000000..73abf35
--- /dev/null
+++ b/private/idmap.te
@@ -0,0 +1 @@
+typeattribute idmap coredomain;
diff --git a/private/incident.te b/private/incident.te
index 084bd5d..b910dde 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -1,3 +1,5 @@
+typeattribute incident coredomain;
+
type incident_exec, exec_type, file_type;
# switch to incident domain for incident command
diff --git a/private/incidentd.te b/private/incidentd.te
index 49830f4..efd23bd 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -1,3 +1,5 @@
+typeattribute incidentd coredomain;
+
init_daemon_domain(incidentd)
type incidentd_exec, exec_type, file_type;
binder_use(incidentd)
diff --git a/private/init.te b/private/init.te
index f491d00..fb4335a 100644
--- a/private/init.te
+++ b/private/init.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute init coredomain;
+
tmpfs_domain(init)
# Transitions to seclabel processes in init.rc
diff --git a/private/inputflinger.te b/private/inputflinger.te
index dae01f8..9696b49 100644
--- a/private/inputflinger.te
+++ b/private/inputflinger.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute inputflinger coredomain;
+
init_daemon_domain(inputflinger)
diff --git a/private/install_recovery.te b/private/install_recovery.te
index b9b402b..b79d683 100644
--- a/private/install_recovery.te
+++ b/private/install_recovery.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute install_recovery coredomain;
+
init_daemon_domain(install_recovery)
diff --git a/private/installd.te b/private/installd.te
index e18d841..f74843d 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute installd coredomain;
+
init_daemon_domain(installd)
# Run dex2oat in its own sandbox.
diff --git a/private/isolated_app.te b/private/isolated_app.te
index f98b1d1..418a322 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -6,6 +6,8 @@
### and AID_ISOLATED_END (99999).
###
+typeattribute isolated_app coredomain;
+
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
diff --git a/private/kernel.te b/private/kernel.te
index 1c2223e..a4e6ebe 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute kernel coredomain;
+
domain_auto_trans(kernel, init_exec, init)
diff --git a/private/keystore.te b/private/keystore.te
index 70ad3b2..6aa8884 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute keystore coredomain;
+
init_daemon_domain(keystore)
diff --git a/private/lmkd.te b/private/lmkd.te
index a5d0d77..a07ce87 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute lmkd coredomain;
+
init_daemon_domain(lmkd)
diff --git a/private/logd.te b/private/logd.te
index aea6654..4338e40 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute logd coredomain;
+
init_daemon_domain(logd)
# logd is not allowed to write anywhere other than /data/misc/logd, and then
diff --git a/private/logpersist.te b/private/logpersist.te
index dbace69..70e3198 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -1,3 +1,5 @@
+typeattribute logpersist coredomain;
+
# android debug log storage in logpersist domains (eng and userdebug only)
userdebug_or_eng(`
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 2fefc32..96259e2 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -1,5 +1,6 @@
# mdns daemon
+typeattribute mdnsd coredomain;
typeattribute mdnsd mlstrustedsubject;
type mdnsd_exec, exec_type, file_type;
diff --git a/private/mediacodec.te b/private/mediacodec.te
index 7f88433..ff290bc 100644
--- a/private/mediacodec.te
+++ b/private/mediacodec.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediacodec coredomain;
+
init_daemon_domain(mediacodec)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index 5a8e744..def8759 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediadrmserver coredomain;
+
init_daemon_domain(mediadrmserver)
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 8596c14..c1a8521 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaextractor coredomain;
+
init_daemon_domain(mediaextractor)
diff --git a/private/mediametrics.te b/private/mediametrics.te
index 11f17d2..f8b2fa5 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediametrics coredomain;
+
init_daemon_domain(mediametrics)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 74b11b0..4b510a5 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaserver coredomain;
+
init_daemon_domain(mediaserver)
diff --git a/private/modprobe.te b/private/modprobe.te
new file mode 100644
index 0000000..9858675
--- /dev/null
+++ b/private/modprobe.te
@@ -0,0 +1 @@
+typeattribute modprobe coredomain;
diff --git a/private/mtp.te b/private/mtp.te
index 69e1353..732e111 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mtp coredomain;
+
init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index cc87dcb..f501f25 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute netd coredomain;
+
init_daemon_domain(netd)
# Allow netd to spawn dnsmasq in it's own domain
diff --git a/private/nfc.te b/private/nfc.te
index bcfae5b..25ad702 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1 +1,31 @@
+# nfc subsystem
+typeattribute nfc coredomain;
app_domain(nfc)
+net_domain(nfc)
+
+binder_service(nfc)
+add_service(nfc, nfc_service)
+
+hal_client_domain(nfc, hal_nfc)
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+# SoundPool loading and playback
+allow nfc audioserver_service:service_manager find;
+allow nfc drmserver_service:service_manager find;
+allow nfc mediacodec_service:service_manager find;
+allow nfc mediametrics_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
+allow nfc mediaserver_service:service_manager find;
+
+allow nfc radio_service:service_manager find;
+allow nfc surfaceflinger_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the nfc process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow nfc shell_data_file:file read;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 8e54a79..1f69931 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_chroot coredomain;
+
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
index 519c342..98b93d4 100644
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_slot coredomain;
+
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(otapreopt_slot)
diff --git a/private/performanced.te b/private/performanced.te
index 9544f66..792826e 100644
--- a/private/performanced.te
+++ b/private/performanced.te
@@ -1 +1,3 @@
+typeattribute performanced coredomain;
+
init_daemon_domain(performanced)
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 2b06cd9..9c249fd 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -1,3 +1,4 @@
userdebug_or_eng(`
+ typeattribute perfprofd coredomain;
init_daemon_domain(perfprofd)
')
diff --git a/private/platform_app.te b/private/platform_app.te
index 6b18d8f..984bb7b 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -2,6 +2,7 @@
### Apps signed with the platform key.
###
+typeattribute platform_app coredomain;
typeattribute platform_app domain_deprecated;
app_domain(platform_app)
diff --git a/private/postinstall.te b/private/postinstall.te
index 47bf320..363e362 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall coredomain;
+
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 7596465..ff5fe87 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall_dexopt coredomain;
+
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/private/ppp.te b/private/ppp.te
index befc20e..968b221 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ppp coredomain;
+
domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/preopt2cachename.te b/private/preopt2cachename.te
new file mode 100644
index 0000000..d10f767
--- /dev/null
+++ b/private/preopt2cachename.te
@@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
diff --git a/private/priv_app.te b/private/priv_app.te
index 83a4b3f..38ce673 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -2,6 +2,7 @@
### A domain for further sandboxing privileged apps.
###
+typeattribute priv_app coredomain;
app_domain(priv_app)
# Access the network.
diff --git a/private/profman.te b/private/profman.te
new file mode 100644
index 0000000..f61d05e
--- /dev/null
+++ b/private/profman.te
@@ -0,0 +1 @@
+typeattribute profman coredomain;
diff --git a/private/racoon.te b/private/racoon.te
index 3eeb815..42ea7c9 100644
--- a/private/racoon.te
+++ b/private/racoon.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute racoon coredomain;
+
init_daemon_domain(racoon)
diff --git a/private/radio.te b/private/radio.te
index 95e7f0a..b4f5390 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,3 +1,5 @@
+typeattribute radio coredomain;
+
app_domain(radio)
read_runtime_log_tags(radio)
diff --git a/private/recovery.te b/private/recovery.te
new file mode 100644
index 0000000..2a7fdc7
--- /dev/null
+++ b/private/recovery.te
@@ -0,0 +1 @@
+typeattribute recovery coredomain;
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 3c37d2b..1fdd758 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_persist coredomain;
+
init_daemon_domain(recovery_persist)
# recovery_persist is not allowed to write anywhere other than recovery_data_file
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index d1cfbfe..327098d 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_refresh coredomain;
+
init_daemon_domain(recovery_refresh)
# recovery_refresh is not allowed to write anywhere
diff --git a/private/runas.te b/private/runas.te
index d791501..ef31aac 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute runas coredomain;
+
# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index 55915fe..126d643 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute sdcardd coredomain;
+
type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/sensord.te b/private/sensord.te
index ef03b09..bdeded6 100644
--- a/private/sensord.te
+++ b/private/sensord.te
@@ -1 +1,3 @@
+typeattribute sensord coredomain;
+
init_daemon_domain(sensord)
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 6f382a7..9f675a2 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute servicemanager coredomain;
+
init_daemon_domain(servicemanager)
read_runtime_log_tags(servicemanager)
diff --git a/private/sgdisk.te b/private/sgdisk.te
new file mode 100644
index 0000000..a17342e
--- /dev/null
+++ b/private/sgdisk.te
@@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
diff --git a/private/shared_relro.te b/private/shared_relro.te
index b1ba0ff..02f7206 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,3 +1,5 @@
+typeattribute shared_relro coredomain;
+
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
app_domain(shared_relro)
diff --git a/private/shell.te b/private/shell.te
index 1e77964..aab0a15 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,3 +1,5 @@
+typeattribute shell coredomain;
+
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file r_file_perms;
diff --git a/private/slideshow.te b/private/slideshow.te
new file mode 100644
index 0000000..7dfa994
--- /dev/null
+++ b/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/private/storaged.te b/private/storaged.te
index 4796675..3dbabf6 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -1,5 +1,5 @@
# storaged daemon
-type storaged, domain, mlstrustedsubject;
+type storaged, domain, coredomain, mlstrustedsubject;
type storaged_exec, exec_type, file_type;
init_daemon_domain(storaged)
diff --git a/private/su.te b/private/su.te
index 466bc0b..d42bf61 100644
--- a/private/su.te
+++ b/private/su.te
@@ -1,4 +1,6 @@
userdebug_or_eng(`
+ typeattribute su coredomain;
+
domain_auto_trans(shell, su_exec, su)
# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3808c83..f143580 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -1,5 +1,7 @@
# surfaceflinger - display compositor service
+typeattribute surfaceflinger coredomain;
+
type surfaceflinger_exec, exec_type, file_type;
init_daemon_domain(surfaceflinger)
diff --git a/private/system_app.te b/private/system_app.te
index 7539da2..12ba609 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -4,6 +4,7 @@
### server.
###
+typeattribute system_app coredomain;
typeattribute system_app domain_deprecated;
app_domain(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index d1f9bc3..8f85a48 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -3,6 +3,7 @@
# Most of the framework services run in this process.
#
+typeattribute system_server coredomain;
typeattribute system_server domain_deprecated;
typeattribute system_server mlstrustedsubject;
@@ -167,7 +168,7 @@
# Perform HwBinder IPC.
hwbinder_use(system_server)
-hwallocator_use(system_server)
+hal_client_domain(system_server, hal_allocator)
binder_call(system_server, hal_contexthub)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_fingerprint)
@@ -198,21 +199,28 @@
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
# Send signals to trigger ANR traces.
-# This is derived from the list that system server defines as interesting native processes
-# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
-# frameworks/base/services/core/java/com/android/server/Watchdog.java.
allow system_server {
+ # This is derived from the list that system server defines as interesting native processes
+ # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
audioserver
cameraserver
drmserver
inputflinger
- mediacodec
mediadrmserver
mediaextractor
mediaserver
mediametrics
sdcardd
surfaceflinger
+
+ # This list comes from HAL_INTERFACES_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
}:process { signal };
# Use sockets received over binder from various services.
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
new file mode 100644
index 0000000..2d9ec8b
--- /dev/null
+++ b/private/technical_debt.cil
@@ -0,0 +1,13 @@
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_allocator_client;
+; typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))
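Review bot: The exclusion of isolated_app from hal_allocator_client is expressed only in this CIL workaround, so nothing in the module-language policy fails the build if the file is dropped from the build or the appended CIL stops being picked up. A neverallow in the .te policy would pin the intent, e.g. `neverallow isolated_app hal_allocator_server:binder call;` alongside the other isolated_app restrictions. The header's statement that the file has no effect on recovery policy is left unexplained; naming the reason (which build step does or does not append it) would spare the next reader a trip to Android.mk.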
diff --git a/private/tee.te b/private/tee.te
index 17b276f..99f501e 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tee coredomain;
+
init_daemon_domain(tee)
diff --git a/private/tombstoned.te b/private/tombstoned.te
index 73fdb1b..305f9d0 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tombstoned coredomain;
+
init_daemon_domain(tombstoned)
diff --git a/private/toolbox.te b/private/toolbox.te
index fd43d5e..a2b958d 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute toolbox coredomain;
+
init_daemon_domain(toolbox)
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
index ee67bb2..502735c 100644
--- a/private/tzdatacheck.te
+++ b/private/tzdatacheck.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tzdatacheck coredomain;
+
init_daemon_domain(tzdatacheck)
diff --git a/private/ueventd.te b/private/ueventd.te
index 5034db7..1bd6773 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ueventd coredomain;
+
tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e2b919c..e4e9224 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute uncrypt coredomain;
+
init_daemon_domain(uncrypt)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 2f4a1a4..68c1a41 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -17,6 +17,8 @@
### seapp_contexts.
###
+typeattribute untrusted_app coredomain;
+
app_domain(untrusted_app)
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index e576d27..3fa79ef 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -19,6 +19,8 @@
### seapp_contexts.
###
+typeattribute untrusted_app_25 coredomain;
+
app_domain(untrusted_app_25)
untrusted_app_domain(untrusted_app_25)
net_domain(untrusted_app_25)
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index e511709..ef62841 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -1,6 +1,9 @@
###
### Untrusted v2 sandbox apps.
###
+
+typeattribute untrusted_v2_app coredomain;
+
app_domain(untrusted_v2_app)
net_domain(untrusted_v2_app)
bluetooth_domain(untrusted_v2_app)
diff --git a/private/update_engine.te b/private/update_engine.te
index 01199eb..5af7db6 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_engine coredomain;
+
init_daemon_domain(update_engine);
diff --git a/private/update_verifier.te b/private/update_verifier.te
index c5f110b..1b934d9 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_verifier coredomain;
+
init_daemon_domain(update_verifier)
diff --git a/private/vdc.te b/private/vdc.te
index 877e913..bc7409e 100644
--- a/private/vdc.te
+++ b/private/vdc.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vdc coredomain;
+
init_daemon_domain(vdc)
diff --git a/private/virtual_touchpad.te b/private/virtual_touchpad.te
index ced556e..e735172 100644
--- a/private/virtual_touchpad.te
+++ b/private/virtual_touchpad.te
@@ -1 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
init_daemon_domain(virtual_touchpad)
diff --git a/private/vold.te b/private/vold.te
index b2495f6..a6d1001 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vold coredomain;
+
init_daemon_domain(vold)
# Switch to more restrictive domains when executing common tools
diff --git a/private/watchdogd.te b/private/watchdogd.te
new file mode 100644
index 0000000..36dd30f
--- /dev/null
+++ b/private/watchdogd.te
@@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index aad66bf..b2a1951 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -1,6 +1,8 @@
# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.
+typeattribute webview_zygote coredomain;
+
# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;
diff --git a/private/wificond.te b/private/wificond.te
index 2e89975..5476e33 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute wificond coredomain;
+
init_daemon_domain(wificond)
diff --git a/private/zygote.te b/private/zygote.te
index f0ac0b2..e9ec672 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -1,4 +1,5 @@
# zygote
+typeattribute zygote coredomain;
typeattribute zygote domain_deprecated;
typeattribute zygote mlstrustedsubject;
diff --git a/public/attributes b/public/attributes
index b9360a6..00035ab 100644
--- a/public/attributes
+++ b/public/attributes
@@ -115,6 +115,13 @@
# recovery for A/B devices.
attribute update_engine_common;
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+
# All HAL servers
attribute halserverdomain;
# All HAL clients
diff --git a/public/bootanim.te b/public/bootanim.te
index 9c5702d..9922451 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -2,6 +2,9 @@
type bootanim, domain;
type bootanim_exec, exec_type, file_type;
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
binder_use(bootanim)
binder_call(bootanim, surfaceflinger)
binder_call(bootanim, audioserver)
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 2314433..7d5be49 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -2,6 +2,8 @@
type bufferhubd, domain, mlstrustedsubject;
type bufferhubd_exec, exec_type, file_type;
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
pdx_server(bufferhubd)
use_pdx(bufferhubd, performanced)
diff --git a/public/device.te b/public/device.te
index c9c64dc..4a3bec9 100644
--- a/public/device.te
+++ b/public/device.te
@@ -7,10 +7,12 @@
type audio_seq_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
type block_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type keychord_device, dev_type;
+type loop_control_device, dev_type;
type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 9631c9c..8a42336 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,8 +66,11 @@
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain random_device:chr_file rw_file_perms;
@@ -410,11 +413,33 @@
-ueventd
} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-# Only servicemanager/hwservicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager} *:binder set_context_mgr;
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } binder_device:chr_file rw_file_perms;
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } servicemanager:binder { call transfer };
+')
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
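Review bot: The new full_treble_only block fences non-core domains off from /dev/binder and servicemanager, but nothing here fences core domains off from the new vndbinder_device; the only vndbinder_device neverallows added are for servicemanager and hwservicemanager. If framework-side use of vndbinder is meant to be disallowed on full TREBLE devices, a reciprocal rule such as `full_treble_only(`neverallow coredomain vndbinder_device:chr_file rw_file_perms;')` would make the separation symmetric; if some core domains legitimately need it, listing them as exceptions with a comment documents the decision. The `TODO(b/35870313)` trailer is repeated on both `-binder_in_vendor_violators` lines; one comment above the block stating that the exception applies to both rules reads cleaner.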
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 8e645b9..9b54329 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -52,18 +52,24 @@
allow dumpstate { appdomain system_server }:process signal;
# Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate {
+ # This list comes from native_processes_to_dump in dumpstate/utils.c
audioserver
cameraserver
drmserver
inputflinger
- mediacodec
mediadrmserver
mediaextractor
mediaserver
sdcardd
surfaceflinger
+
+ # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
}:process signal;
# Connect to tombstoned to intercept dumps.
diff --git a/public/file.te b/public/file.te
index a13f396..2abfe70 100644
--- a/public/file.te
+++ b/public/file.te
@@ -242,7 +242,7 @@
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type;
+type system_ndebug_socket, file_type, mlstrustedobject;
type tombstoned_crash_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type;
type uncrypt_socket, file_type;
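Review bot: `system_ndebug_socket` gains mlstrustedobject with no comment recording which MLS-constrained domain needs to reach it, and the commit message does not mention it either. mlstrustedobject lifts the MLS constraints for every subject on this object, so the trigger should be written down next to the type, e.g. `# mlstrustedobject: connected to by <client domain - confirm> which runs at a different MLS level`. If the client is a single domain, pairing the widening with a neverallow for the others keeps the exception as narrow as the need.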
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
new file mode 100644
index 0000000..b444593
--- /dev/null
+++ b/public/hal_allocator.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server
+binder_call(hal_allocator_client, hal_allocator_server)
diff --git a/public/hal_audio.te b/public/hal_audio.te
index a195c93..3531944 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -2,14 +2,8 @@
binder_call(hal_audio_client, hal_audio_server)
binder_call(hal_audio_server, hal_audio_client)
-# Both client and the server need to use hwallocator
-hwallocator_use(hal_audio_client)
-hwallocator_use(hal_audio_server)
-
allow hal_audio ion_device:chr_file r_file_perms;
-allow hal_audio system_file:dir { open read };
-
userdebug_or_eng(`
# used for pcm capture for debug.
allow hal_audio audiohal_data_file:dir create_dir_perms;
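Review bot: Dropping `hwallocator_use(hal_audio_client)` removes the allocator-HAL binder_call from whichever framework domains carry hal_audio_client, and this hunk adds no replacement; vendor/hal_audio_default.te regains it for the server side via `hal_client_domain(hal_audio_default, hal_allocator)`, but the client side is not visible in this diff. Confirm that each hal_audio_client domain (presumably audioserver) receives `hal_client_domain(<domain>, hal_allocator)` elsewhere in the change, otherwise shared-memory buffer setup may start failing with binder denials. A one-line comment above the binder_call lines noting where allocator access now comes from would stop the next reader from re-adding it here.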
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 0c4bd9c..d289ef7 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -1,5 +1,6 @@
-# call into NFC process (callbacks)
-binder_call(hal_nfc, nfc)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_nfc_client, hal_nfc_server)
+binder_call(hal_nfc_server, hal_nfc_client)
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
diff --git a/public/kernel.te b/public/kernel.te
index d1463dc..a93c8e9 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -73,6 +73,9 @@
allow kernel media_rw_data_file:dir create_dir_perms;
allow kernel media_rw_data_file:file create_file_perms;
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file read;
+
###
### neverallow rules
###
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 6ab90eb..469c8ba 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -4,6 +4,10 @@
typeattribute mediacodec mlstrustedsubject;
+# TODO(b/36375899) attributize this domain appropriately as hal_omx
+# and use macro hal_server_domain
+get_prop(mediacodec, hwservicemanager_prop)
+
binder_use(mediacodec)
binder_call(mediacodec, binderservicedomain)
binder_call(mediacodec, appdomain)
@@ -21,10 +25,7 @@
crash_dump_fallback(mediacodec)
-# hidl access
-hwbinder_use(mediacodec)
-hwallocator_use(mediacodec)
-allow mediacodec system_file:dir { open read };
+hal_client_domain(mediacodec, hal_allocator)
# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
diff --git a/public/mediaserver.te b/public/mediaserver.te
index a641bf7..93f1548 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -4,6 +4,9 @@
typeattribute mediaserver mlstrustedsubject;
+# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
+typeattribute mediaserver halclientdomain;
+
net_domain(mediaserver)
r_dir_file(mediaserver, sdcard_type)
@@ -133,9 +136,7 @@
allow mediaserver system_server:fd use;
-# hidl access
-hwbinder_use(mediaserver)
-hwallocator_use(mediaserver)
+hal_client_domain(mediaserver, hal_allocator)
###
### neverallow rules
diff --git a/public/nfc.te b/public/nfc.te
index cb6a781..e3a03e7 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,41 +1,2 @@
# nfc subsystem
type nfc, domain;
-
-net_domain(nfc)
-binder_service(nfc)
-
-# hwbinder access
-hwbinder_use(nfc)
-
-# Set NFC properties
-set_prop(nfc, nfc_prop)
-
-# NFC device access.
-allow nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-
-# SoundPool loading and playback
-allow nfc audioserver_service:service_manager find;
-allow nfc drmserver_service:service_manager find;
-allow nfc mediacodec_service:service_manager find;
-allow nfc mediametrics_service:service_manager find;
-allow nfc mediaextractor_service:service_manager find;
-allow nfc mediaserver_service:service_manager find;
-
-add_service(nfc, nfc_service)
-allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
-allow nfc app_api_service:service_manager find;
-allow nfc system_api_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the nfc process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow nfc shell_data_file:file read;
-
-# allow NFC process to call into the NFC HAL
-binder_call(nfc, hal_nfc)
-hal_client_domain(nfc, hal_nfc)
diff --git a/public/sensord.te b/public/sensord.te
index bffe3cd..3211f81 100644
--- a/public/sensord.te
+++ b/public/sensord.te
@@ -2,6 +2,9 @@
type sensord, domain, mlstrustedsubject;
type sensord_exec, exec_type, file_type;
+hal_client_domain(sensord, hal_graphics_allocator)
+allow sensord hal_graphics_allocator:fd use;
+
pdx_server(sensord)
use_pdx(sensord, bufferhubd)
use_pdx(sensord, performanced)
diff --git a/public/te_macros b/public/te_macros
index d31bb1d..57a038a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -294,6 +294,20 @@
')
#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
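Review bot: The header comment on the new vndbinder_use macro reads `# Allow domain to use Binder IPC.`, which is indistinguishable from binder_use and hides the vendor-only nature of the grant; suggest `# Allow domain to use vendor Binder IPC (/dev/vndbinder and vndservicemanager).` It is also worth a sentence that callers are expected to be vendor domains, since the full_treble_only neverallows in domain.te keep non-core domains off /dev/binder and this macro is presumably their replacement path.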
@@ -314,14 +328,6 @@
')
#####################################
-# hwallocator_use(domain)
-# Allow a domain to use Hidl shared memory
-define(`hwallocator_use', `
-# Call into the allocator hal
-binder_call($1, hal_allocator_server);
-')
-
-#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
@@ -381,6 +387,18 @@
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
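Review bot: `full_treble_only` and `not_full_treble` expand via `ifelse(target_full_treble, `true', ...)`, so if the m4 symbol is ever not passed on the command line the comparison sees the literal text `target_full_treble`, every full_treble_only body vanishes and every not_full_treble body applies — the TREBLE neverallows in domain.te would disappear without any error. The Android.mk hunk header suggests a `-D` for it is added, but that line is outside this view, and other consumers of te_macros may not pass it. A guard next to the definitions, `ifdef(`target_full_treble', , `errprint(`te_macros: target_full_treble is not defined')m4exit(1)')`, turns the silent fallback into a build failure; `recovery_only` has the same shape with target_recovery and could get the same guard.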
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 29d730c..8e454cc 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -30,7 +30,7 @@
allow update_engine_common shell_exec:file rx_file_perms;
# Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop };
+allow update_engine_common postinstall:process { signal sigstop sigkill };
# access /proc/misc
# Access is also granted to proc:file, but it is likely unneeded
diff --git a/public/vndservicemanager.te b/public/vndservicemanager.te
new file mode 100644
index 0000000..6b9f73d
--- /dev/null
+++ b/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/public/vold.te b/public/vold.te
index 7e8be29..f4a3916 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -64,6 +64,7 @@
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
+allow vold loop_control_device:chr_file rw_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms;
@@ -174,9 +175,9 @@
allow vold misc_block_device:blk_file w_file_perms;
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
neverallow { domain -vold -init } restorecon_prop:property_service set;
neverallow vold fsck_exec:file execute_no_trans;
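Review bot: Exempting kernel from both vold_data_file neverallows lifts the ban on every permission in notdevfile_class_set, while the matching kernel.te hunk only grants `read` on files for /data/misc/vold/virtual_disk. The exemption should be as narrow as the grant, e.g. add `neverallow kernel vold_data_file:notdevfile_class_set ~{ read getattr };` so that a future widening of the kernel's access to vold's data still fails the build. The grant itself also covers every file labelled vold_data_file rather than only the virtual disk image; a dedicated type for that file (with a type_transition from vold) would keep the kernel away from the rest of vold's data, if the loop-device setup path permits it.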
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4e74f00..a781341 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -28,4 +28,5 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 4811f4d..04ef7aa 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -3,3 +3,5 @@
type hal_audio_default_exec, exec_type, file_type;
init_daemon_domain(hal_audio_default)
+
+hal_client_domain(hal_audio_default, hal_allocator)
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 3bde9ec..5e49605 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -7,3 +7,6 @@
net_domain(hal_wifi_supplicant_default)
# Create a socket for receiving info from wpa
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
+
+# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
+typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
new file mode 100644
index 0000000..dff18ce
--- /dev/null
+++ b/vendor/vndservicemanager.te
@@ -0,0 +1,14 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -coredomain -init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)
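Review bot: `init_daemon_domain(vndservicemanager);` carries a trailing semicolon after the macro call; checkpolicy evidently accepts it (update_engine.te has the same), but the rest of this file and the other domain files in this change omit it, so drop it: `init_daemon_domain(vndservicemanager)`. The transfer grant `allow vndservicemanager { domain -coredomain -init }:binder transfer;` already carries its TODO, but it relies on the app domains being coredomain (which this change makes them) to keep apps out; one clause in that comment saying so would keep the exclusion from being lost if the appdomain/coredomain relationship changes.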