Merge "Add media services to ephemeral_app" into oc-dev
diff --git a/private/adbd.te b/private/adbd.te
index 73302ac..eb6ae32 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -100,6 +100,9 @@
 allow adbd selinuxfs:dir r_dir_perms;
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
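Review bot: The three new rules granting adbd read access to service_contexts_file, file_contexts_file and seapp_contexts_file are the only additions in this series that carry no comment; every other domain given these types here has a one-line `# Get file context`-style note. Since the reason is the relabel in private/file_contexts (these files were rootfs before), suggest `# Read the SELinux contexts files that were relabelled away from rootfs` above the first of the three so the next reader does not have to reconstruct it.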
diff --git a/private/file_contexts b/private/file_contexts
index 1db5210..6687144 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,20 +38,20 @@
 /sdcard             u:object_r:rootfs:s0
 
 # SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/nonplat_file_contexts u:object_r:rootfs:s0
-/plat_file_contexts u:object_r:rootfs:s0
-/mapping_sepolicy\.cil   u:object_r:rootfs:s0
-/nonplat_sepolicy\.cil   u:object_r:rootfs:s0
-/plat_sepolicy\.cil      u:object_r:rootfs:s0
-/plat_property_contexts  u:object_r:property_contexts:s0
-/nonplat_property_contexts  u:object_r:property_contexts:s0
-/seapp_contexts     u:object_r:rootfs:s0
-/nonplat_seapp_contexts     u:object_r:rootfs:s0
-/plat_seapp_contexts     u:object_r:rootfs:s0
-/sepolicy           u:object_r:rootfs:s0
-/plat_service_contexts   u:object_r:rootfs:s0
-/nonplat_service_contexts   u:object_r:rootfs:s0
+/file_contexts\.bin     u:object_r:file_contexts_file:s0
+/nonplat_file_contexts  u:object_r:file_contexts_file:s0
+/plat_file_contexts     u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil      u:object_r:sepolicy_file:s0
+/plat_property_contexts  u:object_r:property_contexts_file:s0
+/nonplat_property_contexts  u:object_r:property_contexts_file:s0
+/seapp_contexts     u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/sepolicy           u:object_r:sepolicy_file:s0
+/plat_service_contexts   u:object_r:service_contexts_file:s0
+/nonplat_service_contexts   u:object_r:service_contexts_file:s0
 
 ##########################
 # Devices
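Review bot: Relabelling the fourteen root-level contexts and sepolicy files away from rootfs silently revokes access for any domain that reached them through a rootfs rule, as webview_zygote did before this change. The series adds explicit rules for adbd, servicemanager, zygote, webview_zygote, init, kernel, installd, recovery, ueventd and vold, but nothing in the hunk shows that list is complete, and a device policy that reads these paths via `r_dir_file(x, rootfs)` will start denying after merge. Suggest grepping device policies for rootfs readers of these paths, and adding a comment above the new block naming the dedicated types and which domains are expected to consume them.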
@@ -249,11 +249,27 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
 
 #############################
 # Vendor files
 #
 /vendor(/.*)?		u:object_r:system_file:s0
+/vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
 
 #############################
 # OEM and ODM files
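Review bot: The new /system/etc/selinux and /vendor/etc/selinux entries leave the `.` in `plat_mac_permissions.xml`, `plat_sepolicy.cil`, `plat_sepolicy.cil.sha256`, `mapping_sepolicy.cil`, `nonplat_mac_permissions.xml`, `nonplat_sepolicy.cil` and `precompiled_sepolicy.plat.sha256` unescaped, whereas the existing root-level entries in the same file write `\.bin` and `\.cil`. file_contexts patterns are regular expressions, so an unescaped `.` matches any character; for these exact paths it is harmless, but it is inconsistent with the rest of the file and a future entry copied from these lines would inherit the looseness. Suggest `/system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0` and the same escaping on the other affected lines.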
diff --git a/private/system_server.te b/private/system_server.te
index 5aae022..ddeeb1b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -230,6 +230,10 @@
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
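Review bot: `allow system_server mac_perms_file: file r_file_perms;` has a stray space between the target type and the object class; the policy compiler should tokenise it correctly, but no other rule in this file or in the series is written that way. Change it to `allow system_server mac_perms_file:file r_file_perms;`. The two new comments also differ in style (`# Get file context` versus `# access for mac_permissions`); `# Read mac_permissions.xml` would match the capitalised form used elsewhere in this series.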
diff --git a/private/tee.te b/private/tee.te
index 01a52de..c29bee6 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,7 +1,5 @@
-typeattribute tee coredomain;
-
 init_daemon_domain(tee)
 
-# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
-# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
+# longer communicate with tee daemon over sockets
 typeattribute tee socket_between_core_and_vendor_violators;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index b2a1951..501581a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,9 +10,6 @@
 # resulting process into webview_zygote domain.
 init_daemon_domain(webview_zygote)
 
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
 # Allow reading/executing installed binaries to enable preloading the
 # installed WebView implementation.
 allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;
 
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(webview_zygote)
 # Check SELinux permissions.
diff --git a/private/zygote.te b/private/zygote.te
index e9ec672..15fd951 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,6 +62,8 @@
 allow zygote pmsg_device:chr_file getattr;
 allow zygote debugfs_trace_marker:file getattr;
 
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(zygote)
 # Check SELinux permissions.
diff --git a/public/attributes b/public/attributes
index bfd53a3..d9d123f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -39,6 +39,12 @@
 
 # All types used for /data files.
 attribute data_file_type;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+# All vendor domains which violate the requirement of not accessing
+# data outside /data/vendor.
+# TODO(b/34980020): Remove this once there are no violations
+attribute coredata_in_vendor_violators;
 
 # All types use for sysfs files.
 attribute sysfs_type;
diff --git a/public/domain.te b/public/domain.te
index b498cda..97d6a11 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -89,7 +89,7 @@
 # messages to logd.
 get_prop(domain, log_property_type)
 dontaudit domain property_type:file audit_access;
-allow domain property_contexts:file r_file_perms;
+allow domain property_contexts_file:file r_file_perms;
 
 allow domain init:key search;
 allow domain vold:key search;
@@ -106,7 +106,8 @@
 allow domain sysfs:lnk_file read;
 
 # libc references /data/misc/zoneinfo for timezone related information
-r_dir_file(domain, zoneinfo_data_file)
+not_full_treble(`r_dir_file(domain, zoneinfo_data_file)')
+r_dir_file({ coredomain appdomain }, zoneinfo_data_file)
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)
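Review bot: After this change, on full-Treble builds only coredomain and appdomain can read zoneinfo_data_file; vendor domains that go through libc time functions (the comment above says libc references /data/misc/zoneinfo) will get denials with no allow rule to fall back on, and the coredata_in_vendor_violators attribute introduced elsewhere in this series only exempts a domain from the neverallow, it does not grant access. If that is the intent, a comment stating it would stop the rule from being "fixed" back later, e.g. `# On full TREBLE devices vendor domains get no zoneinfo access and must not depend on /data/misc/zoneinfo.`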
@@ -114,8 +115,11 @@
 r_dir_file(domain, sysfs_usb);
 
 # files under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:lnk_file read;
+not_full_treble(`allow domain system_data_file:dir getattr;')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
+allow domain system_data_file:dir search;
 
 # required by the dynamic linker
 allow domain proc:lnk_file { getattr read };
@@ -444,6 +448,38 @@
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } servicemanager:binder { call transfer };
+
+  ##
+  # On full TREBLE devices core android components and vendor components may
+  # not directly access each other data types. All communication must occur
+  # over HW binder. Open file descriptors may be passed and read/write/stat
+  # operations my be performed on those FDs. Disallow all other operations.
+  #
+  # do not allow vendor component access to coredomains data types
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -coredata_in_vendor_violators
+  } core_data_file_type:{
+    file_class_set
+  } ~{ append getattr ioctl read write };
+  # do not allow vendor component access to coredomains data directories.
+  # /data has the system_data_file type. Allow all domains to have dir
+  # search permissions which allows path traversal.
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -coredata_in_vendor_violators
+  } { core_data_file_type -system_data_file }:dir *;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -coredata_in_vendor_violators
+  } system_data_file:dir ~search;
+
 ')
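Review bot: Typos in the new comment block: `operations my be performed` should read `operations may be performed`, and `coredomains data types` / `coredomains data directories` read better as `coredomain data types` / `coredomain data directories`. The three neverallows themselves are consistent with the allow rules added earlier in this file (search on system_data_file for every domain, getattr only for coredomain and appdomain). One thing to confirm: the set kept open on inherited FDs, `~{ append getattr ioctl read write }`, does not include `lock`, so a vendor component that flock()s a passed file would now be a neverallow violation — fine if that is intended, worth a word in the comment if so. The m4 block closed by `')` opens before this hunk.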
 
 # On full TREBLE devices, socket communications between core components and vendor components are
@@ -620,10 +656,17 @@
 # respect system_app sandboxes
 neverallow {
   domain
-  -system_app # its own sandbox
+  -appdomain # finer-grained rules for appdomain are listed below
   -system_server #populate com.android.providers.settings/databases/settings.db.
   -installd # creation of app sandbox
 } system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+  isolated_app
+  untrusted_app_all # finer-grained rules for appdomain are listed below
+  ephemeral_app
+  priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
 
 # Services should respect app sandboxes
 neverallow {
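Review bot: Widening the exclusion in the first neverallow from `-system_app` to `-appdomain` and then re-listing only isolated_app, untrusted_app_all, ephemeral_app and priv_app in the second leaves any other appdomain member — platform_app at least, and shell if it is an appdomain in this tree — outside both rules, so those domains are no longer forbidden from creating, unlinking or opening system_app_data_file as they were before this change. If that is intended for platform_app, say so in the comment; otherwise add it to the second list. The comment `# finer-grained rules for appdomain are listed below` is copied onto the second block where it no longer points at anything; replace it with something like `# every appdomain except system_app, which owns this sandbox`. The added blank line also leaves two consecutive blank lines before the next comment.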
diff --git a/public/file.te b/public/file.te
index fd7b048..d7a82bc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -87,54 +87,54 @@
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
-type system_data_file, file_type, data_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
 # Unencrypted data
-type unencrypted_data_file, file_type, data_file_type;
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
 # /data/.layout_version or other installd-created files that
 # are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type;
+type install_data_file, file_type, data_file_type, core_data_file_type;
 # /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type;
+type drm_data_file, file_type, data_file_type, core_data_file_type;
 # /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type;
+type adb_data_file, file_type, data_file_type, core_data_file_type;
 # /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, mlstrustedobject;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, mlstrustedobject;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type;
-type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type;
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
 # /data/ota
-type ota_data_file, file_type, data_file_type;
+type ota_data_file, file_type, data_file_type, core_data_file_type;
 # /data/ota_package
-type ota_package_file, file_type, data_file_type, mlstrustedobject;
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profiles
-type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type;
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
 # /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type;
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
 # /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/property
-type property_data_file, file_type, data_file_type;
+type property_data_file, file_type, data_file_type, core_data_file_type;
 # /data/bootchart
-type bootchart_data_file, file_type, data_file_type;
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/nativetest
-type nativetest_data_file, file_type, data_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, mlstrustedobject;
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/preloads
-type preloads_data_file, file_type, data_file_type;
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
-type preloads_media_file, file_type, data_file_type;
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -152,41 +152,43 @@
 type postinstall_file, file_type;
 
 # /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type;
-type audio_data_file, file_type, data_file_type;
-type audiohal_data_file, file_type, data_file_type;
-type audioserver_data_file, file_type, data_file_type;
-type bluetooth_data_file, file_type, data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type;
-type bootstat_data_file, file_type, data_file_type;
-type boottrace_data_file, file_type, data_file_type;
-type camera_data_file, file_type, data_file_type;
-type gatekeeper_data_file, file_type, data_file_type;
-type incident_data_file, file_type, data_file_type;
-type keychain_data_file, file_type, data_file_type;
-type keystore_data_file, file_type, data_file_type;
-type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type;
-type net_data_file, file_type, data_file_type;
-type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type;
-type recovery_data_file, file_type, data_file_type;
-type shared_relro_file, file_type, data_file_type;
-type systemkeys_data_file, file_type, data_file_type;
-type vpn_data_file, file_type, data_file_type;
-type wifi_data_file, file_type, data_file_type;
-type zoneinfo_data_file, file_type, data_file_type;
-type vold_data_file, file_type, data_file_type;
-type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type reboot_data_file, file_type, data_file_type, core_data_file_type;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tee_data_file, file_type, data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type;
+type app_data_file, file_type, data_file_type, core_data_file_type;
 # /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, mlstrustedobject;
+type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
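Review bot: `type tee_data_file, file_type, data_file_type;`, moved here from public/tee.te, is the only /data/misc type in this list that does not receive core_data_file_type, and nothing says why, so a reader will take it for an omission. Assuming the reason is that tee stops being a coredomain in this same change (private/tee.te) and is given coredata_in_vendor_violators, a comment above it would make that explicit, e.g. `# tee_data_file belongs to the tee daemon, which is not a coredomain; deliberately not core_data_file_type`.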
@@ -199,27 +201,27 @@
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Type for user icon file.
-type icon_file, file_type, data_file_type;
+type icon_file, file_type, data_file_type, core_data_file_type;
 # /mnt/asec
-type asec_apk_file, file_type, data_file_type, mlstrustedobject;
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type;
+type asec_public_file, file_type, data_file_type, core_data_file_type;
 # /data/app-asec
-type asec_image_file, file_type, data_file_type;
+type asec_image_file, file_type, data_file_type, core_data_file_type;
 # /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, mlstrustedobject;
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
 # Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type;
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
 # Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, mlstrustedobject;
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # Socket types
 type adbd_socket, file_type;
@@ -254,8 +256,23 @@
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
+# file_contexts files
+type file_contexts_file, file_type;
+
+# mac_permissions file
+type mac_perms_file, file_type;
+
 # property_contexts file
-type property_contexts, file_type;
+type property_contexts_file, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
+# service_contexts file
+type service_contexts_file, file_type;
 
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index 5e66c8a..d50812c 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,7 +2,6 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
 allow hal_keymaster tee:unix_stream_socket connectto;
 
 allow hal_keymaster ion_device:chr_file r_file_perms;
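Review bot: The TODO above `allow hal_keymaster tee:unix_stream_socket connectto;` is dropped but the rule stays, with no replacement explanation. From the rest of the series the reason appears to be that tee is no longer a coredomain (private/tee.te) and hal_keymaster_default no longer carries socket_between_core_and_vendor_violators, so this socket is now vendor-to-vendor rather than a core/vendor crossing; a one-line comment such as `# tee is a vendor domain, so this socket does not cross the core/vendor boundary` would stop the TODO from being re-added by the next reviewer.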
diff --git a/public/init.te b/public/init.te
index 4b08046..4af41ec 100644
--- a/public/init.te
+++ b/public/init.te
@@ -299,6 +299,12 @@
 # setsockcreate is for labeling local/unix domain sockets.
 allow init self:process { setexec setfscreate setsockcreate };
 
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
 # Perform SELinux access checks on setting properties.
 selinux_check_access(init)
 
diff --git a/public/installd.te b/public/installd.te
index 0a5b8a3..a85edff 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,10 @@
 r_dir_file(installd, rootfs)
 # Scan through APKs in /system/app and /system/priv-app
 r_dir_file(installd, system_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
diff --git a/public/kernel.te b/public/kernel.te
index a93c8e9..9537c0d 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -11,6 +11,9 @@
 allow kernel selinuxfs:dir r_dir_perms;
 allow kernel selinuxfs:file r_file_perms;
 
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
 # Allow init relabel itself.
 allow kernel rootfs:file relabelfrom;
 allow kernel init_exec:file relabelto;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index eed7e58..499e2a9 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -3,7 +3,7 @@
 
 userdebug_or_eng(`
 
-  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
+  type perfprofd, domain, domain_deprecated, mlstrustedsubject, coredomain;
 
   # perfprofd needs to control CPU hot-plug in order to avoid kernel
   # perfevents problems in cases where CPU goes on/off during measurement;
diff --git a/public/recovery.te b/public/recovery.te
index 1ec19c5..d6aef1c 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -37,6 +37,8 @@
   # currently loaded policy. Allow it.
   allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+  # Get file contexts
+  allow recovery file_contexts_file:file r_file_perms;
 
   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
   # support to OTAs. However, that code has a bug. When an update occurs,
diff --git a/public/rild.te b/public/rild.te
index e4b0186..77f146b 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -19,6 +19,9 @@
 allow rild shell_exec:file rx_file_perms;
 allow rild bluetooth_efs_file:file r_file_perms;
 allow rild bluetooth_efs_file:dir r_dir_perms;
+# TODO (b/36601950) remove RILD's access to radio_data_file and
+# system_data_file. Remove coredata_in_vendor_violators attribute.
+typeattribute rild coredata_in_vendor_violators;
 allow rild radio_data_file:dir rw_dir_perms;
 allow rild radio_data_file:file create_file_perms;
 allow rild sdcard_type:dir r_dir_perms;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 46b3b0e..7ad32fc 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -11,7 +11,8 @@
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager { domain -init }:binder transfer;
 
-r_dir_file(servicemanager, rootfs)
+# Access to all (system and vendor) service_contexts
+allow servicemanager service_contexts_file:file r_file_perms;
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/public/tee.te b/public/tee.te
index a95be88..84e6492 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -4,7 +4,6 @@
 type tee, domain, domain_deprecated;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
-type tee_data_file, file_type, data_file_type;
 
 allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
@@ -14,5 +13,8 @@
 allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow tee ion_device:chr_file r_file_perms;
 r_dir_file(tee, sysfs_type)
+
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
 allow tee system_data_file:file { getattr read };
 allow tee system_data_file:lnk_file r_file_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index b0706c8..512b019 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@
 # Get SELinux enforcing status.
 r_dir_file(ueventd, selinuxfs)
 
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
diff --git a/public/update_engine.te b/public/update_engine.te
index 33eb2a8..69ee7c8 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,7 +1,6 @@
 # Domain for update_engine daemon.
 type update_engine, domain, domain_deprecated, update_engine_common;
 type update_engine_exec, exec_type, file_type;
-type update_engine_data_file, file_type, data_file_type;
 
 net_domain(update_engine);
 
diff --git a/public/vold.te b/public/vold.te
index f4a3916..89e2c24 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -19,6 +19,9 @@
 r_dir_file(vold, rootfs)
 allow vold proc_meminfo:file r_file_perms;
 
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;
 
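Review bot: `#Get file contexts` is missing the space after `#` that every other comment in this file and in the series uses; change it to `# Get file contexts` for consistency.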
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index d20063f..79c0814 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -7,3 +7,7 @@
 hal_client_domain(hal_audio_default, hal_allocator)
 
 typeattribute hal_audio_default socket_between_core_and_vendor_violators;
+# TODO (b/36601590) move hal_audio's data file to
+# /data/vendor/hardware/hal_audio. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_audio_default coredata_in_vendor_violators;
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index d22015b..54f2abf 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -7,3 +7,7 @@
 # Logging for backward compatibility
 allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
 allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
+
+# TODO (b/36602160) Remove hal_bluetooth's access to the Bluetooth app's
+# data type. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_bluetooth_default coredata_in_vendor_violators;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 8fdb4f0..449f159 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -3,3 +3,8 @@
 
 type hal_camera_default_exec, exec_type, file_type;
 init_daemon_domain(hal_camera_default)
+
+# TODO (b/36601397) move hal_camera's data file to
+# /data/vendor/hardware/hal_camera. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_camera_default coredata_in_vendor_violators;
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 77e6609..ad1762f 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -7,5 +7,7 @@
 allow hal_drm_default mediacodec:fd use;
 allow hal_drm_default { appdomain -isolated_app }:fd use;
 
-# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
-typeattribute hal_drm_default socket_between_core_and_vendor_violators;
+# TODO (b/36601695) remove hal_drm's access to /data or move to
+# /data/vendor/hardware/hal_drm. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_drm_default coredata_in_vendor_violators;
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 2b9001e..5f5de7e 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -3,3 +3,7 @@
 
 type hal_fingerprint_default_exec, exec_type, file_type;
 init_daemon_domain(hal_fingerprint_default)
+
+# TODO (b/36644492) move hal_fingerprint's data file to
+# /data/vendor/. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_fingerprint_default coredata_in_vendor_violators;
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 2fd5b44..32df262 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,6 +3,3 @@
 
 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)
-
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
-typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index b155f27..eb2bd81 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -3,3 +3,7 @@
 
 type hal_nfc_default_exec, exec_type, file_type;
 init_daemon_domain(hal_nfc_default)
+
+# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
+# data type. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_nfc_default coredata_in_vendor_violators;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 5e49605..1ee95bb 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -10,3 +10,7 @@
 
 # TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
 typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+# TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
+# Remove coredata_in_vendor_violators attribute.
+# wpa supplicant or equivalent
+typeattribute hal_wifi_supplicant_default coredata_in_vendor_violators;
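Review bot: The line `# wpa supplicant or equivalent` dangles between the TODO and the typeattribute with no clear subject; it reads as a fragment of a description that belongs above the block. Either fold it into the TODO (`# TODO (b/36645291) Move hal_wifi_supplicant's (wpa_supplicant or equivalent) data access to /data/vendor.`) or drop it.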
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index 02bafaa..e7d8308 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -31,3 +31,7 @@
 allow hostapd hostapd_socket:dir create_dir_perms;
 # hostapd needs to create, bind to, read, and write its control socket.
 allow hostapd hostapd_socket:sock_file create_file_perms;
+
+# TODO (b/36646171) Move hostapd's data access to /data/vendor
+# Remove coredata_in_vendor_violators attribute.
+typeattribute hostapd coredata_in_vendor_violators;