Merge "sepolicy: Fix the path of policy.conf"
diff --git a/private/adbd.te b/private/adbd.te
index cabaf66..5b0b8f2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -1,3 +1,129 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+### ADB daemon
+
+typeattribute adbd mlstrustedsubject;
+
domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+ allow adbd self:process setcurrent;
+ allow adbd su:process dyntransition;
+')
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:capability { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:capability setpcap;
+
+# Create and use network sockets.
+net_domain(adbd)
+
+# Access /dev/usb-ffs/adb/ep0
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
+# adb push/pull sdcard.
+allow adbd tmpfs:dir search;
+allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
+# adb pull /data/anr/traces.txt
+allow adbd anr_data_file:dir r_dir_perms;
+allow adbd anr_data_file:file r_file_perms;
+
+# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
+# Run /system/bin/bu
+allow adbd system_file:file rx_file_perms;
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file r_file_perms;
+
+userdebug_or_eng(`
+ # Write debugging information to /data/adb
+ # when persist.adb.trace_mask is set
+ # https://code.google.com/p/android/issues/detail?id=72895
+ allow adbd adb_data_file:dir rw_dir_perms;
+ allow adbd adb_data_file:file create_file_perms;
+')
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+
+allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow adbd media_rw_data_file:dir create_dir_perms;
+allow adbd media_rw_data_file:file create_file_perms;
+
+r_dir_file(adbd, apk_data_file)
+
+allow adbd rootfs:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/private/app.te b/private/app.te
index e87f8df..b009d98 100644
--- a/private/app.te
+++ b/private/app.te
@@ -158,6 +158,11 @@
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
+# hidl access for mediacodec
+# TODO(b/34454312): only allow getting and talking to mediacodec service
+hwbinder_use(appdomain)
+hwallocator_use(appdomain)
+
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
@@ -255,6 +260,12 @@
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };
+use_pdx({ appdomain -isolated_app -ephemeral_app }, surfaceflinger)
+use_pdx({ appdomain -isolated_app -ephemeral_app }, sensord)
+use_pdx({ appdomain -isolated_app -ephemeral_app }, performanced)
+# TODO: apps do not directly open the IPC socket for bufferhubd.
+use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
+
###
### CTS-specific rules
###
diff --git a/private/atrace.te b/private/atrace.te
index 7a7a4ca..9c4f342 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,3 +1,24 @@
+# Domain for atrace process spawned by boottrace service.
+
+type atrace_exec, exec_type, file_type;
+
userdebug_or_eng(`
+ type atrace, domain, domain_deprecated;
+
init_daemon_domain(atrace)
+
+ # boottrace services uses /data/misc/boottrace/categories
+ allow atrace boottrace_data_file:dir search;
+ allow atrace boottrace_data_file:file r_file_perms;
+
+ # atrace reads the files in /sys/kernel/debug/tracing/
+ allow atrace debugfs_tracing:file r_file_perms;
+
+ # atrace sets debug.atrace.* properties
+ set_prop(atrace, debug_prop)
+
+ # atrace pokes all the binder-enabled processes at startup.
+ binder_use(atrace)
+ allow atrace healthd:binder call;
+ allow atrace surfaceflinger:binder call;
')
diff --git a/private/audioserver.te b/private/audioserver.te
index 6417858..88007aa 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -1,3 +1,58 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+# audioserver - audio services daemon
+
+type audioserver_exec, exec_type, file_type;
init_daemon_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, appdomain)
+binder_service(audioserver)
+
+hwbinder_use(audioserver)
+binder_call(audioserver, hal_audio)
+hwallocator_use(audioserver)
+
+r_dir_file(audioserver, proc)
+allow audioserver ion_device:chr_file r_file_perms;
+allow audioserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+ # used for TEE sink - pcm capture for debug.
+ allow audioserver media_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:file create_file_perms;
+
+ # ptrace to processes in the same domain for memory leak detection
+ allow audioserver self:process ptrace;
+')
+
+allow audioserver audio_device:dir r_dir_perms;
+allow audioserver audio_device:chr_file rw_file_perms;
+
+add_service(audioserver, audioserver_service)
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# audioserver should never need network access. Disallow network sockets.
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/binderservicedomain.te b/private/binderservicedomain.te
similarity index 69%
rename from public/binderservicedomain.te
rename to private/binderservicedomain.te
index a2157a4..0891ee5 100644
--- a/public/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -1,9 +1,9 @@
# Rules common to all binder service domains
-# Allow dumpstate to collect information from binder services
-allow binderservicedomain dumpstate:fd use;
-allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain dumpstate:fifo_file { getattr write };
+# Allow dumpstate and incidentd to collect information from binder services
+allow binderservicedomain { dumpstate incidentd }:fd use;
+allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell or the serial console
diff --git a/private/blkid.te b/private/blkid.te
new file mode 100644
index 0000000..9c4cfcc
--- /dev/null
+++ b/private/blkid.te
@@ -0,0 +1,20 @@
+# blkid called from vold
+
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/private/blkid_untrusted.te b/private/blkid_untrusted.te
new file mode 100644
index 0000000..ae18e68
--- /dev/null
+++ b/private/blkid_untrusted.te
@@ -0,0 +1,35 @@
+# blkid for untrusted block devices
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 40ce8c1..5ea6027 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,6 +1,83 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+# bluetooth subsystem
+
+typeattribute bluetooth domain_deprecated;
+
+app_domain(bluetooth)
+net_domain(bluetooth)
+
# Socket creation under /data/misc/bluedroid.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-app_domain(bluetooth)
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(bluetooth);
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
+allow bluetooth bluetooth_logs_data_file:file create_file_perms;
+
+# Socket creation under /data/misc/bluedroid.
+allow bluetooth bluetooth_socket:sock_file create_file_perms;
+
+# bluetooth factory file accesses.
+r_dir_file(bluetooth, bluetooth_efs_file)
+
+allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+r_dir_file(bluetooth, sysfs_type)
+allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow bluetooth self:capability net_admin;
+allow bluetooth self:capability2 wake_alarm;
+
+# tethering
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth efs_file:dir search;
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# Allow write access to bluetooth specific properties
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+
+allow bluetooth audioserver_service:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth drmserver_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth surfaceflinger_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+
+# Bluetooth Sim Access Profile Socket to the RIL
+unix_socket_connect(bluetooth, sap_uim, rild)
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
+# Perform HwBinder IPC.
+hwbinder_use(bluetooth)
+binder_call(bluetooth, hal_bluetooth)
+binder_call(bluetooth, hal_telephony)
+
+read_runtime_log_tags(bluetooth)
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
+neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/public/bluetoothdomain.te b/private/bluetoothdomain.te
similarity index 100%
rename from public/bluetoothdomain.te
rename to private/bluetoothdomain.te
diff --git a/private/bufferhubd.te b/private/bufferhubd.te
new file mode 100644
index 0000000..4fa77a5
--- /dev/null
+++ b/private/bufferhubd.te
@@ -0,0 +1 @@
+init_daemon_domain(bufferhubd)
diff --git a/private/file_contexts b/private/file_contexts
index 0bf16c8..31e813e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -124,6 +124,7 @@
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
/dev/socket/netd u:object_r:netd_socket:s0
+/dev/socket/pdx(/.*)? u:object_r:pdx_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
@@ -176,8 +177,13 @@
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
+/system/bin/performanced u:object_r:performanced_exec:s0
+/system/bin/sensord u:object_r:sensord_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
+/system/bin/incident u:object_r:incident_exec:s0
+/system/bin/incidentd u:object_r:incidentd_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/wificond u:object_r:wificond_exec:s0
@@ -239,32 +245,8 @@
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
-/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
-/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
-/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
-/system/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
-/system/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
-/system/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
-/system/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
-/system/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
-/system/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
-/system/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
-/system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
-/system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
-/system/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
-/system/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
-/system/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
-/system/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
-/system/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
-/system/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
-/system/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
-/system/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
-/system/bin/hw/android\.hardware\.thermal@1\.0-service u:object_r:hal_thermal_default_exec:s0
-/system/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
-/system/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
-/system/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
-/system/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
/system/bin/hw/android\.hidl\.memory@1\.0-service u:object_r:hal_allocator_exec:s0
#############################
@@ -329,6 +311,7 @@
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
+/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
@@ -437,12 +420,39 @@
# debugfs files
#
/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
-/sys/kernel(/debug)?/tracing(/.*)? u:object_r:debugfs_tracing:s0
-/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
+
+#############################
+# tracefs files
+#
+/sys/kernel(/debug)?/tracing/buffer_size_kb u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/options/overwrite u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/options/print-tgid u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_clock u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
#############################
# asec containers
diff --git a/private/hal_drm_default.te b/private/hal_drm_default.te
index 6e4df5b..74875af 100644
--- a/private/hal_drm_default.te
+++ b/private/hal_drm_default.te
@@ -3,3 +3,6 @@
type hal_drm_default_exec, exec_type, file_type;
init_daemon_domain(hal_drm_default)
+
+allow hal_drm_default mediacodec:fd use;
+allow hal_drm_default { appdomain -isolated_app }:fd use;
diff --git a/private/healthd.te b/private/healthd.te
index 0214c59..fc13e28 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -1,3 +1,6 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
init_daemon_domain(healthd)
+
+# Allow callback to storaged batteryproperties listener
+binder_call(healthd, storaged)
diff --git a/private/incident.te b/private/incident.te
new file mode 100644
index 0000000..084bd5d
--- /dev/null
+++ b/private/incident.te
@@ -0,0 +1,23 @@
+type incident_exec, exec_type, file_type;
+
+# switch to incident domain for incident command
+domain_auto_trans(shell, incident_exec, incident)
+
+# allow incident access to stdout from its parent shell.
+allow incident shell:fd use;
+
+# allow incident to communicate use, read and write over the adb
+# connection.
+allow incident adbd:fd use;
+allow incident adbd:unix_stream_socket { read write };
+
+# allow adbd to reap incident
+allow incident adbd:process { sigchld };
+
+# Allow the incident command to talk to the incidentd over the binder, and get
+# back the incident report data from a ParcelFileDescriptor.
+binder_use(incident)
+allow incident incident_service:service_manager find;
+binder_call(incident, incidentd)
+allow incident incidentd:fifo_file write;
+
diff --git a/private/incidentd.te b/private/incidentd.te
new file mode 100644
index 0000000..49830f4
--- /dev/null
+++ b/private/incidentd.te
@@ -0,0 +1,108 @@
+init_daemon_domain(incidentd)
+type incidentd_exec, exec_type, file_type;
+binder_use(incidentd)
+wakelock_use(incidentd)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+# TODO allow incidentd self:capability { setuid setgid sys_resource };
+
+# Allow incidentd to scan through /proc/pid for all processes
+r_dir_file(incidentd, domain)
+
+allow incidentd self:capability {
+ # Send signals to processes
+ kill
+};
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow incidentd system_file:file execute_no_trans;
+allow incidentd toolbox_exec:file rx_file_perms;
+
+# Create and write into /data/misc/incidents
+allow incidentd incident_data_file:dir rw_dir_perms;
+allow incidentd incident_data_file:file create_file_perms;
+
+# Get process attributes
+# TODO allow incidentd domain:process getattr;
+
+# Signal java processes to dump their stack and get the results
+# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
+# TODO allow incidentd anr_data_file:dir rw_dir_perms;
+# TODO allow incidentd anr_data_file:file create_file_perms;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in incidentd/utils.c
+allow incidentd {
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediacodec
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ sdcardd
+ surfaceflinger
+}:process signal;
+
+# Allow incidentd to make binder calls to any binder service
+binder_call(incidentd, binderservicedomain)
+binder_call(incidentd, appdomain)
+
+# Reading /proc/PID/maps of other processes
+# TODO allow incidentd self:capability sys_ptrace;
+
+# Run a shell.
+allow incidentd shell_exec:file rx_file_perms;
+
+# logd access - work to be done is a PII safe log (possibly an event log?)
+# TODO read_logd(incidentd)
+# TODO control_logd(incidentd)
+
+# Allow incidentd to find these standard groups of services.
+# Others can be whitelisted individually.
+allow incidentd {
+ system_server_service
+ app_api_service
+ system_api_service
+}:service_manager find;
+
+# Only incidentd can publish the binder service
+add_service(incidentd, incident_service)
+
+# Allow pipes from (and only from) incident
+allow incidentd incident:fd use;
+allow incidentd incident:fifo_file write;
+
+# Allow incident to call back to incident with status updates.
+binder_call(incidentd, incident)
+
+###
+### neverallow rules
+###
+
+# only system_server, system_app and incident command can find the incident service
+neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+
+# only incidentd and the other root services in limited circumstances
+# can get to the files in /data/misc/incidents
+#
+# write, execute, append are forbidden almost everywhere
+neverallow { domain -incidentd -init -vold } incident_data_file:file {
+ w_file_perms
+ x_file_perms
+ create
+ rename
+ setattr
+ unlink
+ append
+};
+# read is also allowed by system_server, for when the file is handed to dropbox
+neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
+# limited access to the directory itself
+neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
+
diff --git a/private/init.te b/private/init.te
index d495d54..8a6dcea 100644
--- a/private/init.te
+++ b/private/init.te
@@ -17,3 +17,8 @@
userdebug_or_eng(`
domain_auto_trans(init, logcat_exec, logpersist)
')
+
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit init sysfs:dir write;
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 54659d1..2fefc32 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -1,3 +1,11 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+# mdns daemon
+
+typeattribute mdnsd mlstrustedsubject;
+
+type mdnsd_exec, exec_type, file_type;
init_daemon_domain(mdnsd)
+
+net_domain(mdnsd)
+
+# Read from /proc/net
+r_dir_file(mdnsd, proc_net)
diff --git a/private/net.te b/private/net.te
new file mode 100644
index 0000000..f16daf9
--- /dev/null
+++ b/private/net.te
@@ -0,0 +1,24 @@
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/private/performanced.te b/private/performanced.te
new file mode 100644
index 0000000..9544f66
--- /dev/null
+++ b/private/performanced.te
@@ -0,0 +1 @@
+init_daemon_domain(performanced)
diff --git a/private/property_contexts b/private/property_contexts
index 552c6b5..7845505 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -8,7 +8,7 @@
net.qmi u:object_r:net_radio_prop:s0
net.lte u:object_r:net_radio_prop:s0
net.cdma u:object_r:net_radio_prop:s0
-net.dns u:object_r:net_radio_prop:s0
+net.dns u:object_r:net_dns_prop:s0
sys.usb.config u:object_r:system_radio_prop:s0
ril. u:object_r:radio_prop:s0
ro.ril. u:object_r:radio_prop:s0
diff --git a/private/sensord.te b/private/sensord.te
new file mode 100644
index 0000000..ef03b09
--- /dev/null
+++ b/private/sensord.te
@@ -0,0 +1 @@
+init_daemon_domain(sensord)
diff --git a/private/service_contexts b/private/service_contexts
index d53ba91..3b01c0b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -56,6 +56,7 @@
hardware u:object_r:hardware_service:s0
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
+incident u:object_r:incident_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
@@ -151,6 +152,7 @@
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
vibrator u:object_r:vibrator_service:s0
+virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
diff --git a/private/shell.te b/private/shell.te
index 333265f..1e77964 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,6 +1,7 @@
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file rw_file_perms;
+allow shell debugfs_tracing:file r_file_perms;
+allow shell tracing_shell_writable:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
diff --git a/private/storaged.te b/private/storaged.te
index 1d87251..134bec4 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -29,6 +29,10 @@
binder_use(storaged)
binder_call(storaged, system_server)
+# use batteryproperties service
+allow storaged batteryproperties_service:service_manager find;
+binder_call(storaged, healthd)
+
###
### neverallow
###
diff --git a/private/su.te b/private/su.te
index b594ebe..466bc0b 100644
--- a/private/su.te
+++ b/private/su.te
@@ -8,6 +8,9 @@
# from the "init" domain.
domain_auto_trans(su, dumpstate_exec, dumpstate)
+ # Put the incident command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, incident_exec, incident)
+
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index ae8ab08..5f7549d 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -1,3 +1,102 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+# surfaceflinger - display compositor service
+
+type surfaceflinger_exec, exec_type, file_type;
init_daemon_domain(surfaceflinger)
+
+typeattribute surfaceflinger mlstrustedsubject;
+
+read_runtime_log_tags(surfaceflinger)
+
+# Perform HwBinder IPC.
+hwbinder_use(surfaceflinger)
+binder_call(surfaceflinger, hal_graphics_allocator)
+binder_call(surfaceflinger, hal_graphics_composer)
+binder_call(surfaceflinger, hal_configstore)
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, bootanim)
+binder_service(surfaceflinger)
+
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Set properties.
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger app_data_file:file { read write };
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee:unix_stream_socket connectto;
+allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+
+# media.player service
+add_service(surfaceflinger, gpu_service)
+
+# do not use add_service() as hal_graphics_composer_default may be the
+# provider as well
+#add_service(surfaceflinger, surfaceflinger_service)
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger vr_manager_service:service_manager find;
+allow surfaceflinger window_service:service_manager find;
+
+
+# allow self to set SCHED_FIFO
+allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger proc_meminfo:file r_file_perms;
+r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, sysfs_type)
+r_dir_file(surfaceflinger, system_file)
+allow surfaceflinger tmpfs:dir r_dir_perms;
+allow surfaceflinger system_server:fd use;
+allow surfaceflinger ion_device:chr_file r_file_perms;
+
+# pdx IPC
+pdx_server(surfaceflinger)
+
+use_pdx(surfaceflinger, bufferhubd)
+use_pdx(surfaceflinger, performanced)
+use_pdx(surfaceflinger, sensord)
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+neverallow surfaceflinger sdcard_type:file rw_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 66c1e4d..7539da2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -51,6 +51,9 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+# Allow system apps to interact with incidentd
+binder_call(system_app, incidentd)
+
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index e5e4939..cba1ab3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1,7 +1,14 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+
+typeattribute system_server domain_deprecated;
+typeattribute system_server mlstrustedsubject;
+
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
+
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
@@ -11,6 +18,678 @@
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
+# For art.
+allow system_server dalvikcache_data_file:dir r_dir_perms;
+allow system_server dalvikcache_data_file:file { r_file_perms execute };
+
+# Enable system server to check the foreign dex usage markers.
+# We need search on top level directories so that we can get to the files
+allow system_server user_profile_data_file:dir search;
+allow system_server user_profile_data_file:file getattr;
+allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name };
+allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink };
+
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+
+# May kill zygote on crashes.
+allow system_server zygote:process sigkill;
+allow system_server crash_dump:process sigkill;
+
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
+
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# system server gets network and bluetooth permissions.
+net_domain(system_server)
+# in addition to ioctls whitelisted for all domains, also allow system_server
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
+bluetooth_domain(system_server)
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:capability {
+ ipc_lock
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+};
+
+wakelock_use(system_server)
+
+# Triggered by /proc/pid accesses, not allowed.
+dontaudit system_server self:capability sys_ptrace;
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Allow alarmtimers to be set
+allow system_server self:capability2 wake_alarm;
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Use generic "sockets" where the address family is not known
+# to the kernel. The ioctl permission is specifically omitted here, but may
+# be added to device specific policy along with the ioctl commands to be
+# whitelisted.
+allow system_server self:socket create_socket_perms_no_ioctl;
+
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
+# Kill apps.
+allow system_server appdomain:process { sigkill signal };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server audioserver:process { getsched setsched };
+allow system_server hal_audio:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+allow system_server bootanim:process { getsched setsched };
+
+# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
+# within system_server to keep track of memory and CPU usage for
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
+r_dir_file(system_server, domain)
+
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
+allow system_server qtaguid_proc:file rw_file_perms;
+allow system_server qtaguid_device:chr_file rw_file_perms;
+
+# Read /proc/uid_cputime/show_uid_stat.
+allow system_server proc_uid_cputime_showstat:file r_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
+
+# Read /proc/stat for CPU usage statistics
+allow system_server proc_stat:file r_file_perms;
+
+# Read /sys/kernel/debug/wakeup_sources.
+allow system_server debugfs:file r_file_perms;
+
+# The DhcpClient and WifiWatchdog use packet_sockets
+allow system_server self:packet_socket create_socket_perms_no_ioctl;
+
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create_socket_perms_no_ioctl;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
+unix_socket_connect(system_server, netd, netd)
+unix_socket_connect(system_server, vold, vold)
+unix_socket_connect(system_server, webview_zygote, webview_zygote)
+unix_socket_connect(system_server, zygote, zygote)
+unix_socket_connect(system_server, racoon, racoon)
+unix_socket_send(system_server, wpa, wpa)
+unix_socket_connect(system_server, uncrypt, uncrypt)
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+# Perform Binder IPC.
+binder_use(system_server)
+binder_call(system_server, appdomain)
+binder_call(system_server, binderservicedomain)
+binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, hal_fingerprint)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, installd)
+binder_call(system_server, incidentd)
+binder_call(system_server, netd)
+binder_call(system_server, wificond)
+binder_service(system_server)
+
+# Perform HwBinder IPC.
+hwbinder_use(system_server)
+hwallocator_use(system_server)
+binder_call(system_server, hal_bluetooth)
+binder_call(system_server, hal_boot)
+binder_call(system_server, hal_contexthub)
+binder_call(system_server, hal_fingerprint)
+binder_call(system_server, hal_gnss);
+binder_call(system_server, hal_ir)
+binder_call(system_server, hal_light)
+binder_call(system_server, hal_memtrack)
+binder_call(system_server, hal_power)
+binder_call(system_server, hal_sensors)
+binder_call(system_server, hal_thermal)
+binder_call(system_server, hal_usb)
+binder_call(system_server, hal_vibrator)
+binder_call(system_server, hal_vr)
+binder_call(system_server, hal_wifi)
+binder_call(system_server, hal_drm)
+binder_call(system_server, wpa)
+
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# Send signals to trigger ANR traces.
+# This is derived from the list that system server defines as interesting native processes
+# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+# frameworks/base/services/core/java/com/android/server/Watchdog.java.
+allow system_server {
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediacodec
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ mediametrics
+ sdcardd
+ surfaceflinger
+}:process { signal };
+
+# Use sockets received over binder from various services.
+allow system_server audioserver:tcp_socket rw_socket_perms;
+allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
+
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
+# Check SELinux permissions.
+selinux_check_access(system_server)
+
+# XXX Label sysfs files with a specific type?
+allow system_server sysfs:file rw_file_perms;
+allow system_server sysfs_nfc_power_writable:file rw_file_perms;
+allow system_server sysfs_devices_system_cpu:file w_file_perms;
+allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file r_file_perms;
+
+# TODO: Remove when HALs are forced into separate processes
+allow system_server sysfs_vibrator:file { write append };
+
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
+# Access devices.
+allow system_server device:dir r_dir_perms;
+allow system_server mdns_socket:sock_file rw_file_perms;
+allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server iio_device:chr_file rw_file_perms;
+allow system_server input_device:dir r_dir_perms;
+allow system_server input_device:chr_file rw_file_perms;
+allow system_server radio_device:chr_file r_file_perms;
+allow system_server tty_device:chr_file rw_file_perms;
+allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
+allow system_server video_device:chr_file rw_file_perms;
+allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
+allow system_server audio_device:dir r_dir_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file rw_file_perms;
+
+# Manage system data files.
+allow system_server system_data_file:dir create_dir_perms;
+allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
+allow system_server keychain_data_file:lnk_file create_file_perms;
+
+# Manage /data/app.
+allow system_server apk_data_file:dir create_dir_perms;
+allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
+allow system_server apk_tmp_file:dir create_dir_perms;
+allow system_server apk_tmp_file:file create_file_perms;
+
+# Manage /data/app-private.
+allow system_server apk_private_data_file:dir create_dir_perms;
+allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
+allow system_server apk_private_tmp_file:file create_file_perms;
+
+# Manage files within asec containers.
+allow system_server asec_apk_file:dir create_dir_perms;
+allow system_server asec_apk_file:file create_file_perms;
+allow system_server asec_public_file:file create_file_perms;
+
+# Manage /data/anr.
+allow system_server anr_data_file:dir create_dir_perms;
+allow system_server anr_data_file:file create_file_perms;
+
+# Read /data/misc/incidents - only read. The fd will be sent over binder,
+# with no DAC access to it, for dropbox to read.
+allow system_server incident_data_file:file read;
+
+# Manage /data/backup.
+allow system_server backup_data_file:dir create_dir_perms;
+allow system_server backup_data_file:file create_file_perms;
+
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
+# Manage /data/misc/adb.
+allow system_server adb_keys_file:dir create_dir_perms;
+allow system_server adb_keys_file:file create_file_perms;
+
+# Manage /data/misc/sms.
+# TODO: Split into a separate type?
+allow system_server radio_data_file:dir create_dir_perms;
+allow system_server radio_data_file:file create_file_perms;
+
+# Manage /data/misc/systemkeys.
+allow system_server systemkeys_data_file:dir create_dir_perms;
+allow system_server systemkeys_data_file:file create_file_perms;
+
+# Access /data/tombstones.
+allow system_server tombstone_data_file:dir r_dir_perms;
+allow system_server tombstone_data_file:file r_file_perms;
+
+# Manage /data/misc/vpn.
+allow system_server vpn_data_file:dir create_dir_perms;
+allow system_server vpn_data_file:file create_file_perms;
+
+# Manage /data/misc/wifi.
+allow system_server wifi_data_file:dir create_dir_perms;
+allow system_server wifi_data_file:file create_file_perms;
+
+# Manage /data/misc/zoneinfo.
+allow system_server zoneinfo_data_file:dir create_dir_perms;
+allow system_server zoneinfo_data_file:file create_file_perms;
+
+# Walk /data/data subdirectories.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;
+
+# Populate com.android.providers.settings/databases/settings.db.
+allow system_server system_app_data_file:dir create_dir_perms;
+allow system_server system_app_data_file:file create_file_perms;
+
+# Receive and use open app data files passed over binder IPC.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+
+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
+
+# Receive and use open /data/media files passed over binder IPC.
+# Also used for measuring disk usage.
+allow system_server media_rw_data_file:file { getattr read write append };
+
+# Relabel apk files.
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file { rw_file_perms rename unlink };
+
+# Backup of wallpaper imagery uses temporary hard links to avoid data churn
+allow system_server { system_data_file wallpaper_file }:file link;
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
+
+# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
+allow system_server system_data_file:dir relabelfrom;
+
+# Property Service write
+set_prop(system_server, system_prop)
+set_prop(system_server, safemode_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
+set_prop(system_server, device_logging_prop)
+set_prop(system_server, wifi_prop)
+set_prop(system_server, dumpstate_options_prop)
+set_prop(system_server, overlay_prop)
+userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+
+# ctl interface
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_bugreport_prop)
+
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
+# Read/write the property which keeps track of whether this is the first start of system_server
+set_prop(system_server, firstboot_prop)
+
+# Create a socket for receiving info from wpa.
+allow system_server wpa_socket:dir rw_dir_perms;
+allow system_server system_wpa_socket:sock_file create_file_perms;
+
+# Remove sockets created by wpa_supplicant
+allow system_server wpa_socket:sock_file unlink;
+
+# Create a socket for connections from debuggerd.
+allow system_server system_ndebug_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
+
+allow system_server system_file:dir r_dir_perms;
+allow system_server system_file:lnk_file r_file_perms;
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_control:file rw_file_perms;
+
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
+
+# Allow abstract socket connection
+allow system_server rild:unix_stream_socket connectto;
+
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
+allow system_server cache_backup_file:file create_file_perms;
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file rw_file_perms;
+allow system_server usb_device:dir r_dir_perms;
+
+# Allow system to talk to sensors
+allow system_server sensors_device:chr_file rw_file_perms;
+
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
+
+# Read from log daemon.
+read_logd(system_server)
+read_runtime_log_tags(system_server)
+
+# Be consistent with DAC permissions. Allow system_server to write to
+# /sys/module/lowmemorykiller/parameters/adj
+# /sys/module/lowmemorykiller/parameters/minfree
+allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow system_server pstorefs:dir r_dir_perms;
+allow system_server pstorefs:file r_file_perms;
+
+# /sys access
+allow system_server sysfs_zram:dir search;
+allow system_server sysfs_zram:file r_file_perms;
+
+add_service(system_server, system_server_service);
+allow system_server audioserver_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
+allow system_server drmserver_service:service_manager find;
+allow system_server dumpstate_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server incident_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server mediametrics_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
+allow system_server mediacodec_service:service_manager find;
+allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
+allow system_server nfc_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server surfaceflinger_service:service_manager find;
+allow system_server wificond_service:service_manager find;
+
+allow system_server keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+};
+
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
+allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
+
+# Clean up old cgroups
+allow system_server cgroup:dir { remove_name rmdir };
+
+# /oem access
+r_dir_file(system_server, oemfs)
+
+# Allow resolving per-user storage symlinks
+allow system_server { mnt_user_file storage_file }:dir { getattr search };
+allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
+
+# Allow statfs() on storage devices, which happens fast enough that
+# we shouldn't be killed during unsafe removal
+allow system_server sdcard_type:dir { getattr search };
+
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
+# Allow system process to relabel the fingerprint directory after mkdir
+# and delete the directory and files when no longer needed
+allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
+allow system_server fingerprintd_data_file:file { getattr unlink };
+
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
+userdebug_or_eng(`
+ # Allow system server to create and write method traces in /data/misc/trace.
+ allow system_server method_trace_data_file:dir w_dir_perms;
+ allow system_server method_trace_data_file:file { create w_file_perms };
+
+ # Allow system server to read dmesg
+ allow system_server kernel:system syslog_read;
+')
+
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
+
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open unlink write };
+
+# Connect to adbd and use a socket transferred from it.
+# Used for e.g. jdwp.
+allow system_server adbd:unix_stream_socket connectto;
+allow system_server adbd:fd use;
+allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# Allow invoking tools like "timeout"
+allow system_server toolbox_exec:file rx_file_perms;
+
+# Postinstall
+#
+# For OTA dexopt, allow calls coming from postinstall.
+binder_call(system_server, postinstall)
+
+allow system_server postinstall:fifo_file write;
+allow system_server update_engine:fd use;
+allow system_server update_engine:fifo_file write;
+
+# Access to /data/preloads
+allow system_server preloads_data_file:file { r_file_perms unlink };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+
+r_dir_file(system_server, cgroup)
+allow system_server ion_device:chr_file r_file_perms;
+allow system_server hal_graphics_allocator:fd use;
+
+r_dir_file(system_server, proc)
+r_dir_file(system_server, proc_meminfo)
+r_dir_file(system_server, proc_net)
+r_dir_file(system_server, rootfs)
+r_dir_file(system_server, sysfs_type)
+
+# Allow system_server to make binder calls to hwservicemanager
+binder_call(system_server, hwservicemanager)
+
+### Rules needed when Light HAL runs inside system_server process.
+### These rules should eventually be granted only when needed.
+allow system_server sysfs_leds:lnk_file read;
+allow system_server sysfs_leds:file rw_file_perms;
+allow system_server sysfs_leds:dir r_dir_perms;
+###
+
+userdebug_or_eng(`
+ # Allow WifiService to start, stop, and read wifi-specific trace events.
+ allow system_server debugfs_tracing_instances:dir search;
+ allow system_server debugfs_wifi_tracing:file rw_file_perms;
+')
+
+###
+### Neverallow rules
+###
+### system_server should NEVER do any of this
+
+# Do not allow opening files from external storage as unsafe ejection
+# could cause the kernel to kill the system_server.
+neverallow system_server sdcard_type:dir { open read write };
+neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be operating on zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
+
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs.
+neverallow system_server { domain -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# system_server should never execute or load executable shared libraries
+# in /data except for /data/dalvik-cache files.
+neverallow system_server {
+ data_file_type
+ -dalvikcache_data_file #mapping with PROT_EXEC
+}:file no_x_file_perms;
+
+# The only block device system_server should be accessing is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+
+# system_server should never use JIT functionality
+neverallow system_server self:process execmem;
+neverallow system_server ashmem_device:chr_file execute;
+
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c0d2b93..50d79ee 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -21,6 +21,10 @@
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+# b/34115651 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_app, net_dns_prop)
+
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)
@@ -78,6 +82,7 @@
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
+allow untrusted_app vr_manager_service:service_manager find;
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
diff --git a/private/virtual_touchpad.te b/private/virtual_touchpad.te
new file mode 100644
index 0000000..ced556e
--- /dev/null
+++ b/private/virtual_touchpad.te
@@ -0,0 +1 @@
+init_daemon_domain(virtual_touchpad)
diff --git a/public/adbd.te b/public/adbd.te
index e3b0ebb..7ecd045 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -1,127 +1,3 @@
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
-type adbd, domain, mlstrustedsubject;
-
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
-
-# Do not sanitize the environment or open fds of the shell. Allow signaling
-# created processes.
-allow adbd shell:process { noatsecure signal };
-
-# Set UID and GID to shell. Set supplementary groups.
-allow adbd self:capability { setuid setgid };
-
-# Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
-
-# Create and use network sockets.
-net_domain(adbd)
-
-# Access /dev/usb-ffs/adb/ep0
-allow adbd functionfs:dir search;
-allow adbd functionfs:file rw_file_perms;
-
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
-# adb pull /data/misc/profman.
-allow adbd profman_dump_data_file:dir r_dir_perms;
-allow adbd profman_dump_data_file:file r_file_perms;
-
-# adb push/pull sdcard.
-allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
-allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-# adb pull /data/anr/traces.txt
-allow adbd anr_data_file:dir r_dir_perms;
-allow adbd anr_data_file:file r_file_perms;
-
-# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-set_prop(adbd, shell_prop)
-set_prop(adbd, powerctl_prop)
-set_prop(adbd, ffs_prop)
-
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
-
-# Run /system/bin/bu
-allow adbd system_file:file rx_file_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
-
-# Read /data/misc/adb/adb_keys.
-allow adbd adb_keys_file:dir search;
-allow adbd adb_keys_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Write debugging information to /data/adb
- # when persist.adb.trace_mask is set
- # https://code.google.com/p/android/issues/detail?id=72895
- allow adbd adb_data_file:dir rw_dir_perms;
- allow adbd adb_data_file:file create_file_perms;
-')
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow adbd selinuxfs:dir r_dir_perms;
-allow adbd selinuxfs:file r_file_perms;
-allow adbd kernel:security read_policy;
-
-allow adbd surfaceflinger_service:service_manager find;
-allow adbd bootchart_data_file:dir search;
-allow adbd bootchart_data_file:file r_file_perms;
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow adbd storage_file:dir r_dir_perms;
-allow adbd storage_file:lnk_file r_file_perms;
-allow adbd mnt_user_file:dir r_dir_perms;
-allow adbd mnt_user_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow adbd media_rw_data_file:dir create_dir_perms;
-allow adbd media_rw_data_file:file create_file_perms;
-
-r_dir_file(adbd, apk_data_file)
-
-allow adbd rootfs:dir r_dir_perms;
-
-###
-### Neverallow rules
-###
-
-# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
+type adbd, domain;
diff --git a/public/atrace.te b/public/atrace.te
deleted file mode 100644
index b4ae753..0000000
--- a/public/atrace.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# Domain for atrace process spawned by boottrace service.
-type atrace_exec, exec_type, file_type;
-
-userdebug_or_eng(`
-
- type atrace, domain, domain_deprecated;
-
- # boottrace services uses /data/misc/boottrace/categories
- allow atrace boottrace_data_file:dir search;
- allow atrace boottrace_data_file:file r_file_perms;
-
- # atrace reads the files in /sys/kernel/debug/tracing/
- allow atrace debugfs_tracing:file r_file_perms;
-
- # atrace sets debug.atrace.* properties
- set_prop(atrace, debug_prop)
-
- # atrace pokes all the binder-enabled processes at startup.
- binder_use(atrace)
- allow atrace healthd:binder call;
- allow atrace surfaceflinger:binder call;
-
-')
diff --git a/public/audioserver.te b/public/audioserver.te
index bc0b989..9a72858 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -1,57 +1,2 @@
# audioserver - audio services daemon
type audioserver, domain;
-type audioserver_exec, exec_type, file_type;
-
-r_dir_file(audioserver, sdcard_type)
-
-binder_use(audioserver)
-binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, appdomain)
-binder_service(audioserver)
-
-hwbinder_use(audioserver)
-binder_call(audioserver, hal_audio)
-hwallocator_use(audioserver)
-
-r_dir_file(audioserver, proc)
-allow audioserver ion_device:chr_file r_file_perms;
-allow audioserver system_file:dir r_dir_perms;
-
-userdebug_or_eng(`
- # used for TEE sink - pcm capture for debug.
- allow audioserver media_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:file create_file_perms;
-
- # ptrace to processes in the same domain for memory leak detection
- allow audioserver self:process ptrace;
-')
-
-allow audioserver audio_device:dir r_dir_perms;
-allow audioserver audio_device:chr_file rw_file_perms;
-
-add_service(audioserver, audioserver_service)
-allow audioserver appops_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-
-# Grant access to audio files to audioserver
-allow audioserver audio_data_file:dir ra_dir_perms;
-allow audioserver audio_data_file:file create_file_perms;
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
-###
-### neverallow rules
-###
-
-# audioserver should never execute any executable without a
-# domain transition
-neverallow audioserver { file_type fs_type }:file execute_no_trans;
-
-# audioserver should never need network access. Disallow network sockets.
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/blkid.te b/public/blkid.te
index c8df183..dabe014 100644
--- a/public/blkid.te
+++ b/public/blkid.te
@@ -1,20 +1,2 @@
# blkid called from vold
type blkid, domain;
-type blkid_exec, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/public/blkid_untrusted.te b/public/blkid_untrusted.te
index cbbbbae..4be4c0c 100644
--- a/public/blkid_untrusted.te
+++ b/public/blkid_untrusted.te
@@ -1,36 +1,2 @@
# blkid for untrusted block devices
type blkid_untrusted, domain;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/public/bluetooth.te b/public/bluetooth.te
index eda60de..9b3442a 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,77 +1,2 @@
# bluetooth subsystem
-type bluetooth, domain, domain_deprecated;
-
-net_domain(bluetooth)
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(bluetooth);
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
-allow bluetooth bluetooth_logs_data_file:file create_file_perms;
-
-# Socket creation under /data/misc/bluedroid.
-allow bluetooth bluetooth_socket:sock_file create_file_perms;
-
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(bluetooth, sysfs_type)
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
-
-# tethering
-allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
-allow bluetooth tun_device:chr_file rw_file_perms;
-allow bluetooth efs_file:dir search;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# Allow write access to bluetooth specific properties
-set_prop(bluetooth, bluetooth_prop)
-set_prop(bluetooth, pan_result_prop)
-
-allow bluetooth audioserver_service:service_manager find;
-allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth drmserver_service:service_manager find;
-allow bluetooth mediaserver_service:service_manager find;
-allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth app_api_service:service_manager find;
-allow bluetooth system_api_service:service_manager find;
-
-# Bluetooth Sim Access Profile Socket to the RIL
-unix_socket_connect(bluetooth, sap_uim, rild)
-
-# already open bugreport file descriptors may be shared with
-# the bluetooth process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow bluetooth shell_data_file:file read;
-
-# Perform HwBinder IPC.
-hwbinder_use(bluetooth)
-binder_call(bluetooth, hal_bluetooth)
-binder_call(bluetooth, hal_telephony)
-
-read_runtime_log_tags(bluetooth)
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
+type bluetooth, domain;
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
new file mode 100644
index 0000000..9543398
--- /dev/null
+++ b/public/bufferhubd.te
@@ -0,0 +1,12 @@
+# bufferhubd
+type bufferhubd, domain, mlstrustedsubject;
+type bufferhubd_exec, exec_type, file_type;
+
+pdx_server(bufferhubd)
+use_pdx(bufferhubd, performanced)
+
+# Access the GPU.
+allow bufferhubd gpu_device:chr_file rw_file_perms;
+
+# Access /dev/ion
+allow bufferhubd ion_device:chr_file r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 8bdd548..e2ffb88 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -55,7 +55,7 @@
# Root fs.
allow domain rootfs:dir search;
-allow domain rootfs:lnk_file read;
+allow domain rootfs:lnk_file { read getattr };
# Device accesses.
allow domain device:dir search;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 1f535c3..66acfd6 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -2,97 +2,270 @@
# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -sdcardd
+ -surfaceflinger
+ -system_server
+ -vold
+ -zygote
+} tmpfs:dir r_dir_perms;
+')
# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
+userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
+')
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:fd use;
+userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+')
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -fsck
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+')
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
+userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-fingerprintd
- -init
-installd
+ -keystore
-rild
-surfaceflinger
-system_server
+ -update_engine
+ -vold
-zygote
} system_file:dir { open read ioctl lock }; # search getattr in domain
auditallow {
domain_deprecated
-appdomain
- -init
-rild
-surfaceflinger
-system_server
-zygote
} system_file:file { ioctl lock }; # read open getattr in domain
+')
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -sdcardd -system_server -tee } system_data_file:file { getattr read };
-auditallow { domain_deprecated -appdomain -init -system_server -tee } system_data_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -sdcardd
+ -system_server
+ -tee
+} system_data_file:file { getattr read };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -system_server
+ -tee
+} system_data_file:lnk_file r_file_perms;
+')
# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_server } apk_data_file:dir { getattr search };
-auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:dir { getattr search };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:lnk_file r_file_perms;
+')
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -init -system_server -vold } cache_file:dir { open read search ioctl lock };
-auditallow { domain_deprecated -appdomain -init -system_server -vold } cache_file:dir getattr;
-auditallow { domain_deprecated -init -system_server -vold } cache_file:file { getattr read };
-auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:dir { open read search ioctl lock };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -system_server
+ -vold
+} cache_file:dir getattr;
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:file { getattr read };
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:lnk_file r_file_perms;
+')
-#Allow access to ion memory allocation device
+# Allow access to ion memory allocation device
allow domain_deprecated ion_device:chr_file rw_file_perms;
# split this auditallow into read and write perms since most domains seem to
# only require read
-auditallow { domain_deprecated -appdomain -fingerprintd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -fingerprintd
+ -keystore
+ -surfaceflinger
+ -system_server
+ -tee
+ -vold
+ -zygote
+} ion_device:chr_file r_file_perms;
auditallow domain_deprecated ion_device:chr_file { write append };
+')
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
-#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -rild -system_server -vold } proc:file r_file_perms;
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -fsck
+ -fsck_untrusted
+ -rild
+ -sdcardd
+ -system_server
+ -update_engine
+ -vold
+} proc:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -fsck
+ -fsck_untrusted
+ -rild
+ -system_server
+ -vold
+} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -rild
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+ -wpa
+} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -rild
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+ -wpa
+} sysfs:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -rild
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+ -wpa
+} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow {
domain_deprecated
-appdomain
-dumpstate
-fingerprintd
-healthd
- -init
-inputflinger
-installd
-keystore
@@ -108,7 +281,6 @@
-dumpstate
-fingerprintd
-healthd
- -init
-inputflinger
-installd
-keystore
@@ -118,10 +290,41 @@
-system_server
-zygote
} cgroup:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -init -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -surfaceflinger
+ -system_server
+ -vold
+} proc_meminfo:file r_file_perms;
+')
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -installd
+ -keystore
+ -postinstall_dexopt
+ -runas
+ -servicemanager
+ -system_server
+ -ueventd
+ -zygote
+} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -installd
+ -keystore
+ -postinstall_dexopt
+ -runas
+ -servicemanager
+ -system_server
+ -ueventd
+ -zygote
+} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index bac648e..2ba0e58 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -167,7 +167,7 @@
allow dumpstate misc_logd_file:file r_file_perms;
')
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index e562798..cd646f5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -65,6 +65,7 @@
type debugfs_tracing, fs_type, debugfs_type;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
+type tracing_shell_writable, fs_type, debugfs_type;
type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
@@ -157,6 +158,7 @@
type boottrace_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type gatekeeper_data_file, file_type, data_file_type;
+type incident_data_file, file_type, data_file_type;
type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
@@ -229,6 +231,7 @@
type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
+type pdx_socket, file_type, mlstrustedobject;
type property_socket, file_type, mlstrustedobject;
type racoon_socket, file_type;
type rild_socket, file_type;
diff --git a/public/fsck.te b/public/fsck.te
index bdbbd33..2f0a838 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -24,6 +24,7 @@
allow fsck swap_block_device:blk_file getattr;
r_dir_file(fsck, proc)
+allow fsck rootfs:dir r_dir_perms;
###
### neverallow rules
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index a3497a7..3e132b9 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -20,3 +20,6 @@
# Allow write access to bluetooth-specific properties
set_prop(hal_bluetooth, bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index aa5bf2b..8405a7e 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -19,3 +19,4 @@
binder_use(hal_fingerprint);
r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index ee12ff1..9ba0bdb 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -14,3 +14,6 @@
allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use;
allow hal_graphics_composer appdomain:fd use;
+
+# allow self to set SCHED_FIFO
+allow hal_graphics_composer self:capability sys_nice;
diff --git a/public/incident.te b/public/incident.te
new file mode 100644
index 0000000..ce57bf6
--- /dev/null
+++ b/public/incident.te
@@ -0,0 +1,8 @@
+# The incident command is used to call into the incidentd service to
+# take an incident report (binary, shared bugreport), download incident
+# reports that have already been taken, and monitor for new ones.
+# It doesn't do anything else.
+
+# incident
+type incident, domain;
+
diff --git a/public/incidentd.te b/public/incidentd.te
new file mode 100644
index 0000000..b03249c
--- /dev/null
+++ b/public/incidentd.te
@@ -0,0 +1,3 @@
+# incidentd
+type incidentd, domain;
+
diff --git a/public/init.te b/public/init.te
index fe8cdbb..a65bf2c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -1,5 +1,5 @@
# init is its own domain.
-type init, domain, domain_deprecated, mlstrustedsubject;
+type init, domain, mlstrustedsubject;
# The init domain is entered by execing init.
type init_exec, exec_type, file_type;
@@ -175,6 +175,8 @@
-vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init cache_file:lnk_file r_file_perms;
+
allow init { file_type -system_file -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
@@ -182,7 +184,7 @@
allow init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
+allow init tracing_shell_writable:file w_file_perms;
userdebug_or_eng(`
# Setup and control wifi event tracing (see wifi-events.rc)
@@ -200,10 +202,24 @@
allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
auditallow init {
dev_type
- -kmem_device
- -port_device
+ -alarm_device
+ -ashmem_device
+ -binder_device
+ -console_device
-device
+ -devpts
+ -dm_device
+ -hwbinder_device
+ -hw_random_device
+ -keychord_device
+ -kmem_device
+ -kmsg_device
-null_device
+ -owntty_device
+ -port_device
+ -ptmx_device
+ -random_device
+ -zero_device
}:chr_file { read open };
# chown/chmod on devices.
diff --git a/public/keystore.te b/public/keystore.te
index 4dd65eb..ec6d192 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -25,6 +25,7 @@
allow keystore ion_device:chr_file r_file_perms;
r_dir_file(keystore, cgroup)
+allow keystore system_file:dir r_dir_perms;
###
### Neverallow rules
diff --git a/public/mdnsd.te b/public/mdnsd.te
index c32b433..ef7b065 100644
--- a/public/mdnsd.te
+++ b/public/mdnsd.te
@@ -1,8 +1,2 @@
# mdns daemon
-type mdnsd, domain, mlstrustedsubject;
-type mdnsd_exec, exec_type, file_type;
-
-net_domain(mdnsd)
-
-# Read from /proc/net
-r_dir_file(mdnsd, proc_net)
+type mdnsd, domain;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 9f07d85..6b4d677 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -18,6 +18,11 @@
allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec hal_graphics_allocator:fd use;
+# hidl access
+hwbinder_use(mediacodec)
+hwallocator_use(mediacodec)
+allow mediacodec system_file:dir { open read };
+
###
### neverallow rules
###
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index f93cf45..8835585 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -9,6 +9,7 @@
binder_call(mediadrmserver, binderservicedomain)
binder_call(mediadrmserver, appdomain)
binder_service(mediadrmserver)
+binder_call(mediadrmserver, hal_drm)
add_service(mediadrmserver, mediadrmserver_service)
allow mediadrmserver mediaserver_service:service_manager find;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 16b8013..fa47288 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -132,6 +132,10 @@
allow mediaserver system_server:fd use;
+# hidl access
+hwbinder_use(mediaserver)
+hwallocator_use(mediaserver)
+
###
### neverallow rules
###
diff --git a/public/net.te b/public/net.te
index 9345454..7e00ed8 100644
--- a/public/net.te
+++ b/public/net.te
@@ -2,24 +2,3 @@
type node, node_type;
type netif, netif_type;
type port, port_type;
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/public/performanced.te b/public/performanced.te
new file mode 100644
index 0000000..8f9d16b
--- /dev/null
+++ b/public/performanced.te
@@ -0,0 +1,18 @@
+# performanced
+type performanced, domain, mlstrustedsubject;
+type performanced_exec, exec_type, file_type;
+
+pdx_server(performanced)
+
+# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
+allow performanced self:capability { setuid setgid sys_nice };
+
+# Access /proc to validate we're only affecting threads in the same thread group.
+# Performanced also shields unbound kernel threads. It scans every task in the
+# root cpu set, but only affects the kernel threads.
+r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger })
+dontaudit performanced domain:dir read;
+allow performanced { appdomain bufferhubd kernel sensord surfaceflinger }:process setsched;
+
+# Access /dev/cpuset/cpuset.cpus
+r_dir_file(performanced, cgroup)
diff --git a/public/property.te b/public/property.te
index 572c24e..5bf0c62 100644
--- a/public/property.te
+++ b/public/property.te
@@ -28,6 +28,7 @@
type log_prop, property_type, log_property_type;
type log_tag_prop, property_type, log_property_type;
type mmc_prop, property_type;
+type net_dns_prop, property_type;
type net_radio_prop, property_type, core_property_type;
type nfc_prop, property_type, core_property_type;
type overlay_prop, property_type;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 6813aa6..3cb69be 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -31,6 +31,9 @@
# Allow running on top of expanded storage
allow sdcardd mnt_expand_file:dir search;
+# access /proc/filesystems
+allow sdcardd proc:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/sensord.te b/public/sensord.te
new file mode 100644
index 0000000..bffe3cd
--- /dev/null
+++ b/public/sensord.te
@@ -0,0 +1,20 @@
+# sensord
+type sensord, domain, mlstrustedsubject;
+type sensord_exec, exec_type, file_type;
+
+pdx_server(sensord)
+use_pdx(sensord, bufferhubd)
+use_pdx(sensord, performanced)
+
+# Access /dev/ion
+allow sensord ion_device:chr_file r_file_perms;
+
+allow sensord sensors_device:chr_file rw_file_perms;
+
+binder_use(sensord)
+binder_call(sensord, system_server)
+allow sensord system_server:unix_stream_socket { read write };
+
+allow sensord sensorservice_service:service_manager find;
+# permission_service is used by the NDK sensor APIs.
+allow sensord permission_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index 097aa49..7ef27118 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, service_manager_type;
type inputflinger_service, service_manager_type;
+type incident_service, service_manager_type;
type installd_service, service_manager_type;
type keystore_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -24,6 +25,7 @@
type surfaceflinger_service, service_manager_type;
type system_app_service, service_manager_type;
type update_engine_service, service_manager_type;
+type virtual_touchpad_service, service_manager_type;
# system_server_services broken down
type accessibility_service, app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 9f4ac5c..0e55f84 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -82,11 +82,11 @@
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at list:
# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -netd_service -installd_service}:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service }:service_manager find;
allow shell dumpstate:binder call;
# allow shell to get information from hwservicemanager
-# for instance, listing hardware services with dumpsys
+# for instance, listing hardware services with lshal
hwbinder_use(shell)
# allow shell to look through /proc/ for ps, top, netstat
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index 3f7a583..ae00287 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -1,92 +1,2 @@
# surfaceflinger - display compositor service
type surfaceflinger, domain;
-type surfaceflinger_exec, exec_type, file_type;
-
-typeattribute surfaceflinger mlstrustedsubject;
-
-read_runtime_log_tags(surfaceflinger)
-
-# Perform HwBinder IPC.
-hwbinder_use(surfaceflinger)
-binder_call(surfaceflinger, hal_graphics_allocator)
-binder_call(surfaceflinger, hal_graphics_composer)
-binder_call(surfaceflinger, hal_configstore)
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
-binder_call(surfaceflinger, bootanim)
-binder_service(surfaceflinger)
-
-# Binder IPC to bu, presently runs in adbd domain.
-binder_call(surfaceflinger, adbd)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir r_dir_perms;
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Set properties.
-set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, ctl_bootanim_prop)
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger app_data_file:file { read write };
-
-# Allow a dumpstate triggered screenshot
-binder_call(surfaceflinger, dumpstate)
-binder_call(surfaceflinger, shell)
-r_dir_file(surfaceflinger, dumpstate)
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
-allow surfaceflinger tee_device:chr_file rw_file_perms;
-
-
-# media.player service
-add_service(surfaceflinger, gpu_service)
-
-# do not use add_service() as hal_graphics_composer_default may be the
-# provider as well
-#add_service(surfaceflinger, surfaceflinger_service)
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
-
-allow surfaceflinger mediaserver_service:service_manager find;
-allow surfaceflinger permission_service:service_manager find;
-allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger window_service:service_manager find;
-
-# allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
-allow surfaceflinger proc_meminfo:file r_file_perms;
-r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, sysfs_type)
-r_dir_file(surfaceflinger, system_file)
-allow surfaceflinger tmpfs:dir r_dir_perms;
-allow surfaceflinger system_server:fd use;
-allow surfaceflinger ion_device:chr_file r_file_perms;
-
-###
-### Neverallow rules
-###
-### surfaceflinger should NEVER do any of this
-
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
diff --git a/public/system_server.te b/public/system_server.te
index 78784b7..805d617 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -2,668 +2,4 @@
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
-type system_server, domain, domain_deprecated, mlstrustedsubject;
-
-# For art.
-allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file { r_file_perms execute };
-
-# Enable system server to check the foreign dex usage markers.
-# We need search on top level directories so that we can get to the files
-allow system_server user_profile_data_file:dir search;
-allow system_server user_profile_data_file:file getattr;
-allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name };
-allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink };
-
-# /data/resource-cache
-allow system_server resourcecache_data_file:file r_file_perms;
-allow system_server resourcecache_data_file:dir r_dir_perms;
-
-# ptrace to processes in the same domain for debugging crashes.
-allow system_server self:process ptrace;
-
-# Child of the zygote.
-allow system_server zygote:fd use;
-allow system_server zygote:process sigchld;
-
-# May kill zygote on crashes.
-allow system_server zygote:process sigkill;
-allow system_server crash_dump:process sigkill;
-
-# Read /system/bin/app_process.
-allow system_server zygote_exec:file r_file_perms;
-
-# Needed to close the zygote socket, which involves getopt / getattr
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# system server gets network and bluetooth permissions.
-net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
-bluetooth_domain(system_server)
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system_server self:capability {
- ipc_lock
- kill
- net_admin
- net_bind_service
- net_broadcast
- net_raw
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
-};
-
-wakelock_use(system_server)
-
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
-
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
-# Allow alarmtimers to be set
-allow system_server self:capability2 wake_alarm;
-
-# Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms_no_ioctl;
-allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# Use generic "sockets" where the address family is not known
-# to the kernel. The ioctl permission is specifically omitted here, but may
-# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
-
-# Set and get routes directly via netlink.
-allow system_server self:netlink_route_socket nlmsg_write;
-
-# Kill apps.
-allow system_server appdomain:process { sigkill signal };
-
-# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
-allow system_server audioserver:process { getsched setsched };
-allow system_server hal_audio:process { getsched setsched };
-allow system_server cameraserver:process { getsched setsched };
-allow system_server mediaserver:process { getsched setsched };
-allow system_server bootanim:process { getsched setsched };
-
-# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
-# within system_server to keep track of memory and CPU usage for
-# all processes on the device. In addition, /proc/pid files access is needed
-# for dumping stack traces of native processes.
-r_dir_file(system_server, domain)
-
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system_server qtaguid_proc:file rw_file_perms;
-allow system_server qtaguid_device:chr_file rw_file_perms;
-
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
-# Write /proc/uid_cputime/remove_uid_range.
-allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
-
-# Write /proc/uid_procstat/set.
-allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
-
-# Write to /proc/sysrq-trigger.
-allow system_server proc_sysrq:file rw_file_perms;
-
-# Read /proc/stat for CPU usage statistics
-allow system_server proc_stat:file r_file_perms;
-
-# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-
-# The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms_no_ioctl;
-
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms_no_ioctl;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, netd, netd)
-unix_socket_connect(system_server, vold, vold)
-unix_socket_connect(system_server, webview_zygote, webview_zygote)
-unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
-unix_socket_send(system_server, wpa, wpa)
-unix_socket_connect(system_server, uncrypt, uncrypt)
-
-# Communicate over a socket created by surfaceflinger.
-allow system_server surfaceflinger:unix_stream_socket { read write setopt };
-
-# Perform Binder IPC.
-binder_use(system_server)
-binder_call(system_server, appdomain)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, dumpstate)
-binder_call(system_server, fingerprintd)
-binder_call(system_server, hal_fingerprint)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, installd)
-binder_call(system_server, netd)
-binder_call(system_server, wificond)
-binder_service(system_server)
-
-# Perform HwBinder IPC.
-hwbinder_use(system_server)
-binder_call(system_server, hal_bluetooth)
-binder_call(system_server, hal_boot)
-binder_call(system_server, hal_contexthub)
-binder_call(system_server, hal_fingerprint)
-binder_call(system_server, hal_gnss);
-binder_call(system_server, hal_ir)
-binder_call(system_server, hal_light)
-binder_call(system_server, hal_memtrack)
-binder_call(system_server, hal_power)
-binder_call(system_server, hal_sensors)
-binder_call(system_server, hal_thermal)
-binder_call(system_server, hal_usb)
-binder_call(system_server, hal_vibrator)
-binder_call(system_server, hal_vr)
-binder_call(system_server, hal_wifi)
-binder_call(system_server, hal_drm)
-binder_call(system_server, wpa)
-
-# Talk to tombstoned to get ANR traces.
-unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
-
-# Send signals to trigger ANR traces.
-# This is derived from the list that system server defines as interesting native processes
-# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
-# frameworks/base/services/core/java/com/android/server/Watchdog.java.
-allow system_server {
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediacodec
- mediadrmserver
- mediaextractor
- mediaserver
- mediametrics
- sdcardd
- surfaceflinger
-}:process { signal };
-
-# Use sockets received over binder from various services.
-allow system_server audioserver:tcp_socket rw_socket_perms;
-allow system_server audioserver:udp_socket rw_socket_perms;
-allow system_server mediaserver:tcp_socket rw_socket_perms;
-allow system_server mediaserver:udp_socket rw_socket_perms;
-
-# Use sockets received over binder from various services.
-allow system_server mediadrmserver:tcp_socket rw_socket_perms;
-allow system_server mediadrmserver:udp_socket rw_socket_perms;
-
-# Check SELinux permissions.
-selinux_check_access(system_server)
-
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file rw_file_perms;
-allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
-allow system_server sysfs_mac_address:file r_file_perms;
-allow system_server sysfs_thermal:dir search;
-allow system_server sysfs_thermal:file r_file_perms;
-
-# TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file { write append };
-
-# TODO: added to match above sysfs rule. Remove me?
-allow system_server sysfs_usb:file w_file_perms;
-
-# Access devices.
-allow system_server device:dir r_dir_perms;
-allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server alarm_device:chr_file rw_file_perms;
-allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server iio_device:chr_file rw_file_perms;
-allow system_server input_device:dir r_dir_perms;
-allow system_server input_device:chr_file rw_file_perms;
-allow system_server radio_device:chr_file r_file_perms;
-allow system_server tty_device:chr_file rw_file_perms;
-allow system_server usbaccessory_device:chr_file rw_file_perms;
-allow system_server video_device:dir r_dir_perms;
-allow system_server video_device:chr_file rw_file_perms;
-allow system_server adbd_socket:sock_file rw_file_perms;
-allow system_server rtc_device:chr_file rw_file_perms;
-allow system_server audio_device:dir r_dir_perms;
-
-# write access needed for MIDI
-allow system_server audio_device:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system_server tun_device:chr_file rw_file_perms;
-
-# Manage system data files.
-allow system_server system_data_file:dir create_dir_perms;
-allow system_server system_data_file:notdevfile_class_set create_file_perms;
-allow system_server keychain_data_file:dir create_dir_perms;
-allow system_server keychain_data_file:file create_file_perms;
-allow system_server keychain_data_file:lnk_file create_file_perms;
-
-# Manage /data/app.
-allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
-allow system_server apk_tmp_file:dir create_dir_perms;
-allow system_server apk_tmp_file:file create_file_perms;
-
-# Manage /data/app-private.
-allow system_server apk_private_data_file:dir create_dir_perms;
-allow system_server apk_private_data_file:file create_file_perms;
-allow system_server apk_private_tmp_file:dir create_dir_perms;
-allow system_server apk_private_tmp_file:file create_file_perms;
-
-# Manage files within asec containers.
-allow system_server asec_apk_file:dir create_dir_perms;
-allow system_server asec_apk_file:file create_file_perms;
-allow system_server asec_public_file:file create_file_perms;
-
-# Manage /data/anr.
-allow system_server anr_data_file:dir create_dir_perms;
-allow system_server anr_data_file:file create_file_perms;
-
-# Manage /data/backup.
-allow system_server backup_data_file:dir create_dir_perms;
-allow system_server backup_data_file:file create_file_perms;
-
-# Write to /data/system/heapdump
-allow system_server heapdump_data_file:dir rw_dir_perms;
-allow system_server heapdump_data_file:file create_file_perms;
-
-# Manage /data/misc/adb.
-allow system_server adb_keys_file:dir create_dir_perms;
-allow system_server adb_keys_file:file create_file_perms;
-
-# Manage /data/misc/sms.
-# TODO: Split into a separate type?
-allow system_server radio_data_file:dir create_dir_perms;
-allow system_server radio_data_file:file create_file_perms;
-
-# Manage /data/misc/systemkeys.
-allow system_server systemkeys_data_file:dir create_dir_perms;
-allow system_server systemkeys_data_file:file create_file_perms;
-
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Manage /data/misc/vpn.
-allow system_server vpn_data_file:dir create_dir_perms;
-allow system_server vpn_data_file:file create_file_perms;
-
-# Manage /data/misc/wifi.
-allow system_server wifi_data_file:dir create_dir_perms;
-allow system_server wifi_data_file:file create_file_perms;
-
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
-# Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
-# Also permit for unlabeled /data/data subdirectories and
-# for unlabeled asec containers on upgrades from 4.2.
-allow system_server unlabeled:dir r_dir_perms;
-# Read pkg.apk file before it has been relabeled by vold.
-allow system_server unlabeled:file r_file_perms;
-
-# Populate com.android.providers.settings/databases/settings.db.
-allow system_server system_app_data_file:dir create_dir_perms;
-allow system_server system_app_data_file:file create_file_perms;
-
-# Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
-
-# Access to /data/media for measuring disk usage.
-allow system_server media_rw_data_file:dir { search getattr open read };
-
-# Receive and use open /data/media files passed over binder IPC.
-# Also used for measuring disk usage.
-allow system_server media_rw_data_file:file { getattr read write append };
-
-# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system_server system_data_file:file relabelfrom;
-allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms rename unlink };
-
-# Backup of wallpaper imagery uses temporary hard links to avoid data churn
-allow system_server { system_data_file wallpaper_file }:file link;
-
-# ShortcutManager icons
-allow system_server system_data_file:dir relabelfrom;
-allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
-allow system_server shortcut_manager_icons:file create_file_perms;
-
-# Manage ringtones.
-allow system_server ringtone_file:dir { create_dir_perms relabelto };
-allow system_server ringtone_file:file create_file_perms;
-
-# Relabel icon file.
-allow system_server icon_file:file relabelto;
-allow system_server icon_file:file { rw_file_perms unlink };
-
-# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
-allow system_server system_data_file:dir relabelfrom;
-
-# Property Service write
-set_prop(system_server, system_prop)
-set_prop(system_server, safemode_prop)
-set_prop(system_server, dhcp_prop)
-set_prop(system_server, net_radio_prop)
-set_prop(system_server, system_radio_prop)
-set_prop(system_server, debug_prop)
-set_prop(system_server, powerctl_prop)
-set_prop(system_server, fingerprint_prop)
-set_prop(system_server, device_logging_prop)
-set_prop(system_server, wifi_prop)
-set_prop(system_server, dumpstate_options_prop)
-set_prop(system_server, overlay_prop)
-userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
-
-# ctl interface
-set_prop(system_server, ctl_default_prop)
-set_prop(system_server, ctl_bugreport_prop)
-
-# cppreopt property
-set_prop(system_server, cppreopt_prop)
-
-# Collect metrics on boot time created by init
-get_prop(system_server, boottime_prop)
-
-# Read device's serial number from system properties
-get_prop(system_server, serialno_prop)
-
-# Read/write the property which keeps track of whether this is the first start of system_server
-set_prop(system_server, firstboot_prop)
-
-# Create a socket for receiving info from wpa.
-allow system_server wpa_socket:dir rw_dir_perms;
-allow system_server system_wpa_socket:sock_file create_file_perms;
-
-# Remove sockets created by wpa_supplicant
-allow system_server wpa_socket:sock_file unlink;
-
-# Create a socket for connections from debuggerd.
-allow system_server system_ndebug_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
-allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
-allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-
-allow system_server system_file:dir r_dir_perms;
-allow system_server system_file:lnk_file r_file_perms;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system_server gps_control:file rw_file_perms;
-
-# Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-
-# Allow abstract socket connection
-allow system_server rild:unix_stream_socket connectto;
-
-# BackupManagerService needs to manipulate backup data files
-allow system_server cache_backup_file:dir rw_dir_perms;
-allow system_server cache_backup_file:file create_file_perms;
-# LocalTransport works inside /cache/backup
-allow system_server cache_private_backup_file:dir create_dir_perms;
-allow system_server cache_private_backup_file:file create_file_perms;
-
-# Allow system to talk to usb device
-allow system_server usb_device:chr_file rw_file_perms;
-allow system_server usb_device:dir r_dir_perms;
-
-# Allow system to talk to sensors
-allow system_server sensors_device:chr_file rw_file_perms;
-
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
-# Read and delete files under /dev/fscklogs.
-r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
-
-# logd access, system_server inherit logd write socket
-# (urge is to deprecate this long term)
-allow system_server zygote:unix_dgram_socket write;
-
-# Read from log daemon.
-read_logd(system_server)
-read_runtime_log_tags(system_server)
-
-# Be consistent with DAC permissions. Allow system_server to write to
-# /sys/module/lowmemorykiller/parameters/adj
-# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow system_server pstorefs:dir r_dir_perms;
-allow system_server pstorefs:file r_file_perms;
-
-# /sys access
-allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
-
-add_service(system_server, system_server_service);
-allow system_server audioserver_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server cameraserver_service:service_manager find;
-allow system_server drmserver_service:service_manager find;
-allow system_server dumpstate_service:service_manager find;
-allow system_server fingerprintd_service:service_manager find;
-allow system_server hal_fingerprint_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
-allow system_server installd_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server mediaserver_service:service_manager find;
-allow system_server mediametrics_service:service_manager find;
-allow system_server mediaextractor_service:service_manager find;
-allow system_server mediacodec_service:service_manager find;
-allow system_server mediadrmserver_service:service_manager find;
-allow system_server netd_service:service_manager find;
-allow system_server nfc_service:service_manager find;
-allow system_server radio_service:service_manager find;
-allow system_server surfaceflinger_service:service_manager find;
-allow system_server wificond_service:service_manager find;
-
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
-# Allow system server to search and write to the persistent factory reset
-# protection partition. This block device does not get wiped in a factory reset.
-allow system_server block_device:dir search;
-allow system_server frp_block_device:blk_file rw_file_perms;
-
-# Clean up old cgroups
-allow system_server cgroup:dir { remove_name rmdir };
-
-# /oem access
-r_dir_file(system_server, oemfs)
-
-# Allow resolving per-user storage symlinks
-allow system_server { mnt_user_file storage_file }:dir { getattr search };
-allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
-
-# Allow statfs() on storage devices, which happens fast enough that
-# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
-
-# Traverse into expanded storage
-allow system_server mnt_expand_file:dir r_dir_perms;
-
-# Allow system process to relabel the fingerprint directory after mkdir
-# and delete the directory and files when no longer needed
-allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
-allow system_server fingerprintd_data_file:file { getattr unlink };
-
-# Allow system process to read network MAC address
-allow system_server sysfs_mac_address:file r_file_perms;
-
-userdebug_or_eng(`
- # Allow system server to create and write method traces in /data/misc/trace.
- allow system_server method_trace_data_file:dir w_dir_perms;
- allow system_server method_trace_data_file:file { create w_file_perms };
-
- # Allow system server to read dmesg
- allow system_server kernel:system syslog_read;
-')
-
-# For AppFuse.
-allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
-
-# For configuring sdcardfs
-allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open unlink write };
-
-# Connect to adbd and use a socket transferred from it.
-# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# Allow invoking tools like "timeout"
-allow system_server toolbox_exec:file rx_file_perms;
-
-# Postinstall
-#
-# For OTA dexopt, allow calls coming from postinstall.
-binder_call(system_server, postinstall)
-
-allow system_server postinstall:fifo_file write;
-allow system_server update_engine:fd use;
-allow system_server update_engine:fifo_file write;
-
-# Access to /data/preloads
-allow system_server preloads_data_file:file { r_file_perms unlink };
-allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-
-r_dir_file(system_server, cgroup)
-allow system_server ion_device:chr_file r_file_perms;
-allow system_server hal_graphics_allocator:fd use;
-
-r_dir_file(system_server, proc)
-r_dir_file(system_server, proc_meminfo)
-r_dir_file(system_server, proc_net)
-r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
-
-# Allow system_server to make binder calls to hwservicemanager
-binder_call(system_server, hwservicemanager)
-
-### Rules needed when Light HAL runs inside system_server process.
-### These rules should eventually be granted only when needed.
-allow system_server sysfs_leds:lnk_file read;
-allow system_server sysfs_leds:file rw_file_perms;
-allow system_server sysfs_leds:dir r_dir_perms;
-###
-
-userdebug_or_eng(`
- # Allow WifiService to start, stop, and read wifi-specific trace events.
- allow system_server debugfs_tracing_instances:dir search;
- allow system_server debugfs_wifi_tracing:file rw_file_perms;
-')
-
-###
-### Neverallow rules
-###
-### system_server should NEVER do any of this
-
-# Do not allow opening files from external storage as unsafe ejection
-# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
-
-# system server should never be operating on zygote spawned app data
-# files directly. Rather, they should always be passed via a
-# file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
-
-# Forking and execing is inherently dangerous and racy. See, for
-# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
-# Prevent the addition of new file execs to stop the problem from
-# getting worse. b/28035297
-neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
-
-# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
-neverallow system_server *:process dyntransition;
-
-# Only allow crash_dump to connect to system_ndebug_socket.
-neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
-
-# system_server should never be executing dex2oat. This is either
-# a bug (for example, bug 16317188), or represents an attempt by
-# system server to dynamically load a dex file, something we do not
-# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
-
-# system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
- data_file_type
- -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
-
-# The only block device system_server should be accessing is
-# the frp_block_device. This helps avoid a system_server to root
-# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
-
-# system_server should never use JIT functionality
-neverallow system_server self:process execmem;
-neverallow system_server ashmem_device:chr_file execute;
+type system_server, domain;
diff --git a/public/te_macros b/public/te_macros
index c9ab6e0..7a9eeb6 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -81,6 +81,32 @@
allow $1 tmpfs:dir { getattr search };
')
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_server(domain)
+define(`pdx_server', `
+allow $1 pdx_socket:dir create_dir_perms;
+allow $1 pdx_socket:sock_file create_file_perms;
+')
+
+#####################################
+# use_pdx(clientdomain, serverdomain)
+define(`use_pdx', `
+# Open the socket.
+allow $1 pdx_socket:dir r_dir_perms;
+allow $1 pdx_socket:sock_file rw_file_perms;
+# Use the socket.
+allow $1 $2:unix_stream_socket { connectto read write shutdown };
+# Clients recieve an event fd from the server.
+allow $1 $2:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow $2 $1:fd use;
+')
+
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 29581dd..9409947 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -32,3 +32,8 @@
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop };
+# access /proc/misc
+allow update_engine proc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
new file mode 100644
index 0000000..92d5c27
--- /dev/null
+++ b/public/virtual_touchpad.te
@@ -0,0 +1,12 @@
+type virtual_touchpad, domain;
+type virtual_touchpad_exec, exec_type, file_type;
+
+binder_use(virtual_touchpad)
+binder_service(virtual_touchpad)
+add_service(virtual_touchpad, virtual_touchpad_service)
+
+# Requires access to /dev/uinput to create and feed the virtual device.
+allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Limit access so that nothing else can inject input.
+neverallow { domain -system_app -virtual_touchpad } virtual_touchpad_service:service_manager find;
diff --git a/public/vold.te b/public/vold.te
index dc8ca41..0e4eddc 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -27,6 +27,7 @@
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
+allow vold system_file:dir r_dir_perms;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;
diff --git a/vendor/file_contexts b/vendor/file_contexts
new file mode 100644
index 0000000..7fc467e
--- /dev/null
+++ b/vendor/file_contexts
@@ -0,0 +1,28 @@
+#############################
+# Default HALs
+#
+/vendor/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
+/vendor/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
+/vendor/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
+/vendor/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
+/vendor/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
+/vendor/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/vendor/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/vendor/bin/hw/android\.hardware\.thermal@1\.0-service u:object_r:hal_thermal_default_exec:s0
+/vendor/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/vendor/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
+/vendor/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
+/vendor/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0