Merge "Allow shell to set persist.logd.audit.rate" into main
diff --git a/Android.bp b/Android.bp
index 6c8fa2a..038d92f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -103,6 +103,7 @@
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
name: "reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: reqd_mask_policy,
installable: false,
}
@@ -138,6 +139,7 @@
//
se_policy_conf {
name: "pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -157,6 +159,7 @@
se_policy_conf {
name: "system_ext_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
reqd_mask_policy,
@@ -175,6 +178,7 @@
se_policy_conf {
name: "plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
installable: false,
@@ -195,6 +199,7 @@
// currently being attributized.
se_policy_conf {
name: "plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
installable: false,
@@ -210,6 +215,7 @@
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "userdebug",
@@ -260,6 +266,7 @@
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
name: "system_ext_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -280,6 +287,7 @@
// which will ship with the device. Product policy is not attributized
se_policy_conf {
name: "product_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -348,6 +356,7 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -389,6 +398,7 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -598,6 +608,7 @@
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -634,6 +645,7 @@
//////////////////////////////////
se_policy_conf {
name: "general_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@@ -650,6 +662,7 @@
//////////////////////////////////
se_policy_conf {
name: "base_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@@ -675,6 +688,7 @@
se_policy_conf {
name: "base_product_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -704,6 +718,7 @@
se_policy_conf {
name: "base_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
build_variant: "user",
@@ -723,6 +738,7 @@
se_policy_conf {
name: "base_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
@@ -770,6 +786,7 @@
se_neverallow_test {
name: "sepolicy_neverallows",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
diff --git a/Android.mk b/Android.mk
index 5ce31d2..384c416 100644
--- a/Android.mk
+++ b/Android.mk
@@ -94,13 +94,6 @@
$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
endef
-# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
-# $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
-
-# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
-build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
-
sepolicy_build_files := security_classes \
initial_sids \
access_vectors \
@@ -465,21 +458,14 @@
# Note: That a newline file is placed between each file_context file found to
# ensure a proper build when an fc file is missing an ending newline.
-local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
+local_fc_files := $(call intermediates-dir-for,ETC,plat_file_contexts)/plat_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
+local_fc_files += $(call intermediates-dir-for,ETC,system_ext_file_contexts)/system_ext_file_contexts
endif
ifdef HAS_PRODUCT_SEPOLICY_DIR
-local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
-endif
-
-ifneq ($(filter address,$(SANITIZE_TARGET)),)
- local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
-endif
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
- local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
+local_fc_files += $(call intermediates-dir-for,ETC,product_file_contexts)/product_file_contexts
endif
###########################################################
@@ -506,10 +492,10 @@
# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
-device_fc_files := $(call build_vendor_policy, file_contexts)
+device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
ifdef BOARD_ODM_SEPOLICY_DIRS
-device_fc_files += $(call build_odm_policy, file_contexts)
+device_fc_files += $(call intermediates-dir-for,ETC,odm_file_contexts)/odm_file_contexts
endif
file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
@@ -573,8 +559,6 @@
#################################
-build_vendor_policy :=
-build_odm_policy :=
build_policy :=
built_sepolicy :=
built_sepolicy_neverallows :=
diff --git a/apex/com.android.nfc-file_contexts b/apex/com.android.nfcservices-file_contexts
similarity index 100%
rename from apex/com.android.nfc-file_contexts
rename to apex/com.android.nfcservices-file_contexts
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 53843ea..473b0f2 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,4 +1,5 @@
(/.*)? u:object_r:system_file:s0
/bin/for-system/clatd u:object_r:clatd_exec:s0
+/bin/netbpfload u:object_r:bpfloader_exec:s0
/bin/ot-daemon u:object_r:ot_daemon_exec:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 83b31b4..0abfdf6 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -35,6 +35,7 @@
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
+ "flags.go",
"mac_permissions.go",
"policy.go",
"selinux.go",
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 1f7901b..baad413 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -129,6 +129,7 @@
// current policy.
func compatTestFactory() android.SingletonModule {
f := &compatTestModule{}
+ f.AddProperties(&f.properties)
android.InitAndroidModule(f)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
@@ -138,6 +139,10 @@
type compatTestModule struct {
android.SingletonModuleBase
+ properties struct {
+ // Default modules for conf
+ Defaults []string
+ }
compatTestTimestamp android.ModuleOutPath
}
@@ -157,6 +162,10 @@
":se_build_files{.reqd_mask}",
},
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: f.properties.Defaults,
})
ctx.CreateModule(policyCilFactory, &nameProperties{
diff --git a/build/soong/flags.go b/build/soong/flags.go
new file mode 100644
index 0000000..b1aebac
--- /dev/null
+++ b/build/soong/flags.go
@@ -0,0 +1,54 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "android/soong/android"
+)
+
+type flagsProperties struct {
+ // List of flags to be passed to M4 macro.
+ Flags []string
+}
+
+type flaggableModule interface {
+ android.Module
+ flagModuleBase() *flaggableModuleBase
+ getBuildFlags(ctx android.ModuleContext) map[string]string
+}
+
+type flaggableModuleBase struct {
+ properties flagsProperties
+}
+
+func initFlaggableModule(m flaggableModule) {
+ base := m.flagModuleBase()
+ m.AddProperties(&base.properties)
+}
+
+func (f *flaggableModuleBase) flagModuleBase() *flaggableModuleBase {
+ return f
+}
+
+// getBuildFlags returns a map from flag names to flag values.
+func (f *flaggableModuleBase) getBuildFlags(ctx android.ModuleContext) map[string]string {
+ ret := make(map[string]string)
+ for _, flag := range android.SortedUniqueStrings(f.properties.Flags) {
+ if val, ok := ctx.Config().GetBuildFlag(flag); ok {
+ ret[flag] = val
+ }
+ }
+ return ret
+}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 0793e2a..9d87275 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -58,6 +58,7 @@
func init() {
android.RegisterModuleType("se_policy_conf", policyConfFactory)
+ android.RegisterModuleType("se_policy_conf_defaults", policyConfDefaultFactory)
android.RegisterModuleType("se_policy_cil", policyCilFactory)
android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
}
@@ -93,6 +94,8 @@
type policyConf struct {
android.ModuleBase
+ android.DefaultableModuleBase
+ flaggableModuleBase
properties policyConfProperties
@@ -100,12 +103,35 @@
installPath android.InstallPath
}
+var _ flaggableModule = (*policyConf)(nil)
+
// se_policy_conf merges collection of policy files into a policy.conf file to be processed by
// checkpolicy.
func policyConfFactory() android.Module {
c := &policyConf{}
c.AddProperties(&c.properties)
+ initFlaggableModule(c)
android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ android.InitDefaultableModule(c)
+ return c
+}
+
+type policyConfDefaults struct {
+ android.ModuleBase
+ android.DefaultsModuleBase
+}
+
+// se_policy_conf_defaults provides a set of properties that can be inherited by other
+// se_policy_conf_defaults modules. A module can use the properties from a se_policy_conf_defaults
+// using `defaults: ["<:default_module_name>"]`. Properties of both modules are merged (when
+// possible) by prepending the default module's values to the depending module's values.
+func policyConfDefaultFactory() android.Module {
+ c := &policyConfDefaults{}
+ c.AddProperties(
+ &policyConfProperties{},
+ &flagsProperties{},
+ )
+ android.InitDefaultsModule(c)
return c
}
@@ -216,6 +242,7 @@
return findPolicyConfOrder(srcs[x].Base()) < findPolicyConfOrder(srcs[y].Base())
})
+ flags := c.getBuildFlags(ctx)
rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Flag("--fatal-warnings").
FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
@@ -234,6 +261,7 @@
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
+ Flags(flagsToM4Macros(flags)).
Flag("-s").
Inputs(srcs).
Text("> ").Output(conf)
@@ -242,10 +270,6 @@
return conf
}
-func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
- // do nothing
-}
-
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if !c.installable() {
c.SkipInstall()
diff --git a/build/soong/selinux.go b/build/soong/selinux.go
index 5fbe01eb..f811231 100644
--- a/build/soong/selinux.go
+++ b/build/soong/selinux.go
@@ -40,3 +40,13 @@
return android.PathForModuleOut(ctx, ctx.Config().DeviceName()).Join(ctx, paths...)
}
+
+// flagsToM4Macros converts given map to a list of M4's -D parameters to guard te files and contexts
+// files.
+func flagsToM4Macros(flags map[string]string) []string {
+ flagMacros := []string{}
+ for _, flag := range android.SortedKeys(flags) {
+ flagMacros = append(flagMacros, "-D target_flag_"+flag+"="+flags[flag])
+ }
+ return flagMacros
+}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a7a2436..5cc9c70 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -17,7 +17,6 @@
import (
"fmt"
"io"
- "os"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@@ -59,6 +58,8 @@
type selinuxContextsModule struct {
android.ModuleBase
+ android.DefaultableModuleBase
+ flaggableModuleBase
properties selinuxContextsProperties
seappProperties seappProperties
@@ -68,6 +69,8 @@
installPath android.InstallPath
}
+var _ flaggableModule = (*selinuxContextsModule)(nil)
+
var (
reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
syspropLibraryDepTag = dependencyTag{name: "sysprop_library"}
@@ -76,6 +79,7 @@
func init() {
pctx.HostBinToolVariable("fc_sort", "fc_sort")
+ android.RegisterModuleType("contexts_defaults", contextsDefaultsFactory)
android.RegisterModuleType("file_contexts", fileFactory)
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
@@ -155,13 +159,35 @@
&m.properties,
&m.seappProperties,
)
+ initFlaggableModule(m)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ android.InitDefaultableModule(m)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
m.selinuxContextsHook(ctx)
})
return m
}
+type contextsDefaults struct {
+ android.ModuleBase
+ android.DefaultsModuleBase
+}
+
+// contexts_defaults provides a set of properties that can be inherited by other contexts modules.
+// (file_contexts, property_contexts, seapp_contexts, etc.) A module can use the properties from a
+// contexts_defaults using `defaults: ["<:default_module_name>"]`. Properties of both modules are
+// erged (when possible) by prepending the default module's values to the depending module's values.
+func contextsDefaultsFactory() android.Module {
+ m := &contextsDefaults{}
+ m.AddProperties(
+ &selinuxContextsProperties{},
+ &seappProperties{},
+ &flagsProperties{},
+ )
+ android.InitDefaultsModule(m)
+ return m
+}
+
func (m *selinuxContextsModule) selinuxContextsHook(ctx android.LoadHookContext) {
// TODO: clean this up to use build/soong/android/variable.go after b/79249983
var srcs []string
@@ -245,10 +271,12 @@
inputsWithNewline = append(inputsWithNewline, input, newlineFile)
}
+ flags := m.getBuildFlags(ctx)
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Flags(flagsToM4Macros(flags)).
Inputs(inputsWithNewline).
FlagWithOutput("> ", builtContext)
@@ -289,8 +317,8 @@
}
func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- if m.properties.Fc_sort == nil {
- m.properties.Fc_sort = proptools.BoolPtr(true)
+ if m.properties.Remove_comment == nil {
+ m.properties.Remove_comment = proptools.BoolPtr(true)
}
return m.buildGeneralContexts(ctx, inputs)
}
@@ -309,7 +337,7 @@
return m.buildGeneralContexts(ctx, inputs)
}
-func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
+func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, input android.Path) android.Path {
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
@@ -350,37 +378,33 @@
}
}
- var ret android.Paths
- for _, input := range inputs {
- cmd := rule.Command().
- BuiltTool("check_prop_prefix").
- FlagWithInput("--property-contexts ", input).
- FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
- FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
+ cmd := rule.Command().
+ BuiltTool("check_prop_prefix").
+ FlagWithInput("--property-contexts ", input).
+ FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
+ FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
- if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
- cmd.Flag("--strict")
- }
-
- out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
- rule.Command().Text("cp -f").Input(input).Output(out)
- ret = append(ret, out)
+ if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
+ cmd.Flag("--strict")
}
+
+ out := pathForModuleOut(ctx, ctx.ModuleName()+"_namespace_checked")
+ rule.Command().Text("cp -f").Input(input).Output(out)
rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
- return ret
+ return out
}
func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
// vendor/odm properties are enforced for devices launching with Android Q or later. So, if
// vendor/odm, make sure that only vendor/odm properties exist.
+ builtCtxFile := m.buildGeneralContexts(ctx, inputs)
+
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
- inputs = m.checkVendorPropertyNamespace(ctx, inputs)
+ builtCtxFile = m.checkVendorPropertyNamespace(ctx, builtCtxFile)
}
- builtCtxFile := m.buildGeneralContexts(ctx, inputs)
-
var apiFiles android.Paths
ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
@@ -429,23 +453,39 @@
func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
neverallowFile := pathForModuleOut(ctx, "neverallow")
- ret := pathForModuleOut(ctx, m.stem())
+ ret := pathForModuleOut(ctx, "checkseapp", m.stem())
+ // Step 1. Generate a M4 processed neverallow file
+ flags := m.getBuildFlags(ctx)
+ m4NeverallowFile := pathForModuleOut(ctx, "neverallow.m4out")
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Text("(grep").
+ rule.Command().
+ Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+ Flag("--fatal-warnings").
+ FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Flags(flagsToM4Macros(flags)).
+ Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
+ FlagWithOutput("> ", m4NeverallowFile)
+
+ rule.Temporary(m4NeverallowFile)
+ rule.Command().
+ Text("( grep").
Flag("-ihe").
Text("'^neverallow'").
- Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
- Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
+ Input(m4NeverallowFile).
Text(">").
Output(neverallowFile).
- Text("|| true)") // to make ninja happy even when result is empty
+ Text("|| true )") // to make ninja happy even when result is empty
+ // Step 2. Generate a M4 processed contexts file
+ builtCtx := m.buildGeneralContexts(ctx, inputs)
+
+ // Step 3. checkseapp
rule.Temporary(neverallowFile)
checkCmd := rule.Command().BuiltTool("checkseapp").
FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
FlagWithOutput("-o ", ret).
- Inputs(inputs).
+ Input(builtCtx).
Input(neverallowFile)
if m.shouldCheckCoredomain(ctx) {
@@ -517,19 +557,32 @@
Sepolicy *string `android:"path"`
}
+type fileContextsTestProperties struct {
+ // Test data. File passed to `checkfc -t` to validate how contexts are resolved.
+ Test_data *string `android:"path"`
+}
+
type contextsTestModule struct {
android.ModuleBase
- // Name of the test tool. "checkfc" or "property_info_checker"
- tool string
+ // The type of context.
+ context contextType
- // Additional flags to be passed to the tool.
- flags []string
-
- properties contextsTestProperties
- testTimestamp android.OutputPath
+ properties contextsTestProperties
+ fileProperties fileContextsTestProperties
+ testTimestamp android.OutputPath
}
+type contextType int
+
+const (
+ FileContext contextType = iota
+ PropertyContext
+ ServiceContext
+ HwServiceContext
+ VndServiceContext
+)
+
// checkfc parses a context file and checks for syntax errors.
// If -s is specified, the service backend is used to verify binder services.
// If -l is specified, the service backend is used to verify hwbinder services.
@@ -538,15 +591,16 @@
// file_contexts_test tests given file_contexts files with checkfc.
func fileContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc" /* no flags: file_contexts file check */}
+ m := &contextsTestModule{context: FileContext}
m.AddProperties(&m.properties)
+ m.AddProperties(&m.fileProperties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
}
// property_contexts_test tests given property_contexts files with property_info_checker.
func propertyContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "property_info_checker"}
+ m := &contextsTestModule{context: PropertyContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
@@ -554,7 +608,7 @@
// hwservice_contexts_test tests given hwservice_contexts files with checkfc.
func hwserviceContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-l" /* hwbinder services */}}
+ m := &contextsTestModule{context: HwServiceContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
@@ -563,7 +617,7 @@
// service_contexts_test tests given service_contexts files with checkfc.
func serviceContextsTestFactory() android.Module {
// checkfc -s: service_contexts test
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-s" /* binder services */}}
+ m := &contextsTestModule{context: ServiceContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
@@ -571,16 +625,16 @@
// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
func vndServiceContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+ m := &contextsTestModule{context: VndServiceContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
}
func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- tool := m.tool
- if tool != "checkfc" && tool != "property_info_checker" {
- panic(fmt.Errorf("%q: unknown tool name: %q", ctx.ModuleName(), tool))
+ tool := "checkfc"
+ if m.context == PropertyContext {
+ tool = "property_info_checker"
}
if len(m.properties.Srcs) == 0 {
@@ -588,19 +642,50 @@
return
}
+ validateWithPolicy := true
if proptools.String(m.properties.Sepolicy) == "" {
- ctx.PropertyErrorf("sepolicy", "can't be empty")
- return
+ if m.context == FileContext {
+ if proptools.String(m.fileProperties.Test_data) == "" {
+ ctx.PropertyErrorf("test_data", "Either test_data or sepolicy should be provided")
+ return
+ }
+ validateWithPolicy = false
+ } else {
+ ctx.PropertyErrorf("sepolicy", "can't be empty")
+ return
+ }
+ }
+
+ flags := []string(nil)
+ switch m.context {
+ case FileContext:
+ if !validateWithPolicy {
+ flags = []string{"-t"}
+ }
+ case ServiceContext:
+ flags = []string{"-s" /* binder services */}
+ case HwServiceContext:
+ flags = []string{"-e" /* allow empty */, "-l" /* hwbinder services */}
+ case VndServiceContext:
+ flags = []string{"-e" /* allow empty */, "-v" /* vnd service */}
}
srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
- sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
-
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool(tool).
- Flags(m.flags).
- Input(sepolicy).
- Inputs(srcs)
+
+ if validateWithPolicy {
+ sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
+ rule.Command().BuiltTool(tool).
+ Flags(flags).
+ Input(sepolicy).
+ Inputs(srcs)
+ } else {
+ test_data := android.PathForModuleSrc(ctx, proptools.String(m.fileProperties.Test_data))
+ rule.Command().BuiltTool(tool).
+ Flags(flags).
+ Inputs(srcs).
+ Input(test_data)
+ }
m.testTimestamp = pathForModuleOut(ctx, "timestamp")
rule.Command().Text("touch").Output(m.testTimestamp)
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index fc47ab3..6e159e9 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -29,6 +29,9 @@
}
type neverallowTestProperties struct {
+ // Default modules for conf
+ Defaults []string
+
// Policy files to be tested.
Srcs []string `android:"path"`
}
@@ -79,6 +82,10 @@
Srcs: n.properties.Srcs,
Build_variant: proptools.StringPtr("user"),
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: n.properties.Defaults,
})
sepolicyAnalyzeConf := n.sepolicyAnalyzeConfModuleName()
@@ -89,6 +96,10 @@
Build_variant: proptools.StringPtr("user"),
Exclude_build_test: proptools.BoolPtr(true),
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: n.properties.Defaults,
})
}
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 44c3243..e19df98 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -70,6 +70,7 @@
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.macsec.IMacsecPskPlugin/default": EXCEPTION_NO_FUZZER,
"android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
"android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
@@ -114,6 +115,7 @@
"android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": []string{"android.hardware.authgraph-service.nonsecure_fuzzer"},
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
@@ -307,10 +309,10 @@
"logd": EXCEPTION_NO_FUZZER,
"looper_stats": EXCEPTION_NO_FUZZER,
"lpdump_service": EXCEPTION_NO_FUZZER,
- "mdns": []string{"mdns_service_fuzzer"},
+ "mdns": EXCEPTION_NO_FUZZER,
"media.aaudio": EXCEPTION_NO_FUZZER,
- "media.audio_flinger": EXCEPTION_NO_FUZZER,
- "media.audio_policy": EXCEPTION_NO_FUZZER,
+ "media.audio_flinger": []string{"audioflinger_aidl_fuzzer"},
+ "media.audio_policy": []string{"audiopolicy_aidl_fuzzer"},
"media.camera": []string{"camera_service_aidl_fuzzer"},
"media.camera.proxy": EXCEPTION_NO_FUZZER,
"media.log": EXCEPTION_NO_FUZZER,
@@ -392,6 +394,7 @@
"search": EXCEPTION_NO_FUZZER,
"search_ui": EXCEPTION_NO_FUZZER,
"secure_element": EXCEPTION_NO_FUZZER,
+ "security_state": EXCEPTION_NO_FUZZER,
"sec_key_att_app_id_provider": EXCEPTION_NO_FUZZER,
"selection_toolbar": EXCEPTION_NO_FUZZER,
"sensorservice": EXCEPTION_NO_FUZZER,
@@ -444,6 +447,7 @@
"translation": EXCEPTION_NO_FUZZER,
"transparency": EXCEPTION_NO_FUZZER,
"trust": EXCEPTION_NO_FUZZER,
+ "tv_ad": EXCEPTION_NO_FUZZER,
"tv_interactive_app": EXCEPTION_NO_FUZZER,
"tv_input": EXCEPTION_NO_FUZZER,
"tv_tuner_resource_mgr": EXCEPTION_NO_FUZZER,
@@ -457,6 +461,7 @@
"uwb": EXCEPTION_NO_FUZZER,
"vcn_management": EXCEPTION_NO_FUZZER,
"vibrator": EXCEPTION_NO_FUZZER,
+ "vibrator_control": EXCEPTION_NO_FUZZER,
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
"virtualdevice_native": EXCEPTION_NO_FUZZER,
diff --git a/compat/Android.bp b/compat/Android.bp
index 9768eb1..2c6239f 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -429,6 +429,7 @@
se_compat_test {
name: "sepolicy_compat_test",
+ defaults: ["se_policy_conf_flags_defaults"],
}
se_build_files {
diff --git a/contexts/Android.bp b/contexts/Android.bp
index f2bb9c0..464c772 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -70,6 +70,7 @@
file_contexts {
name: "plat_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
product_variables: {
address_sanitize: {
@@ -83,6 +84,7 @@
file_contexts {
name: "plat_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
stem: "plat_file_contexts",
product_variables: {
@@ -98,31 +100,37 @@
file_contexts {
name: "vendor_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
soc_specific: true,
+ fc_sort: true,
}
file_contexts {
name: "vendor_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
stem: "vendor_file_contexts",
recovery: true,
+ fc_sort: true,
}
file_contexts {
name: "system_ext_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
file_contexts {
name: "system_ext_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
stem: "system_ext_file_contexts",
recovery: true,
@@ -130,12 +138,14 @@
file_contexts {
name: "product_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
product_specific: true,
}
file_contexts {
name: "product_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
stem: "product_file_contexts",
recovery: true,
@@ -143,36 +153,44 @@
file_contexts {
name: "odm_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
+ fc_sort: true,
}
file_contexts {
name: "odm_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
stem: "odm_file_contexts",
recovery: true,
+ fc_sort: true,
}
hwservice_contexts {
name: "plat_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.plat_private}"],
}
hwservice_contexts {
name: "system_ext_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
hwservice_contexts {
name: "product_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.product_private}"],
product_specific: true,
}
hwservice_contexts {
name: "vendor_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
@@ -183,17 +201,20 @@
hwservice_contexts {
name: "odm_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.odm}"],
device_specific: true,
}
property_contexts {
name: "plat_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
}
property_contexts {
name: "plat_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
stem: "plat_property_contexts",
recovery: true,
@@ -201,6 +222,7 @@
property_contexts {
name: "system_ext_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@@ -208,6 +230,7 @@
property_contexts {
name: "product_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@@ -215,6 +238,7 @@
property_contexts {
name: "vendor_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
@@ -226,6 +250,7 @@
property_contexts {
name: "odm_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.odm}"],
device_specific: true,
recovery_available: true,
@@ -233,11 +258,13 @@
service_contexts {
name: "plat_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
}
service_contexts {
name: "plat_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
stem: "plat_service_contexts",
recovery: true,
@@ -245,6 +272,7 @@
service_contexts {
name: "system_ext_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@@ -252,6 +280,7 @@
service_contexts {
name: "product_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@@ -259,6 +288,7 @@
service_contexts {
name: "vendor_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
@@ -270,6 +300,7 @@
service_contexts {
name: "odm_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":service_contexts_files{.odm}",
],
@@ -279,23 +310,27 @@
keystore2_key_contexts {
name: "plat_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.plat_private}"],
}
keystore2_key_contexts {
name: "system_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
keystore2_key_contexts {
name: "product_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.product_private}"],
product_specific: true,
}
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
@@ -306,12 +341,14 @@
seapp_contexts {
name: "plat_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.plat_private}"],
sepolicy: ":precompiled_sepolicy",
}
seapp_contexts {
name: "system_ext_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.system_ext_private}"],
neverallow_files: [":seapp_contexts_files{.plat_private}"],
system_ext_specific: true,
@@ -320,6 +357,7 @@
seapp_contexts {
name: "product_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.product_private}"],
neverallow_files: [
":seapp_contexts_files{.plat_private}",
@@ -331,6 +369,7 @@
seapp_contexts {
name: "vendor_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
@@ -347,6 +386,7 @@
seapp_contexts {
name: "odm_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":seapp_contexts_files{.odm}",
],
@@ -361,6 +401,7 @@
vndservice_contexts {
name: "vndservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",
@@ -390,6 +431,12 @@
}
file_contexts_test {
+ name: "plat_file_contexts_data_test",
+ srcs: [":file_contexts_files{.plat_private}"],
+ test_data: "plat_file_contexts_test",
+}
+
+file_contexts_test {
name: "system_ext_file_contexts_test",
srcs: [":system_ext_file_contexts"],
sepolicy: ":precompiled_sepolicy",
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
new file mode 100644
index 0000000..d9767ed
--- /dev/null
+++ b/contexts/plat_file_contexts_test
@@ -0,0 +1,1269 @@
+# Test data for private/file_contexts.
+#
+# It can be passed to checkfc to confirm that the regular expressions in
+# file_contexts are matching the intended paths.
+/ rootfs
+/adb_keys adb_keys_file
+/build.prop rootfs
+/default.prop rootfs
+/fstab.persist rootfs
+/fstab.postinstall rootfs
+/init.rc rootfs
+/init.environ.rc rootfs
+/res rootfs
+/res/test rootfs
+/selinux_version rootfs
+/ueventd.rc rootfs
+/ueventd.common.rc rootfs
+/verity_key rootfs
+
+/init init_exec
+/sbin rootfs
+/sbin/su rootfs
+
+/lib rootfs
+/lib/lib.so rootfs
+/system_dlkm system_dlkm_file
+/system_dlkm/lib/modules/modules.load system_dlkm_file
+
+/lost+found rootfs
+/acct cgroup
+/config rootfs
+/data_mirror mirror_data_file
+/debug_ramdisk tmpfs
+/mnt tmpfs
+/proc rootfs
+/second_stage_resources tmpfs
+/sys sysfs
+/apex apex_mnt_dir
+/bootstrap-apex apex_mnt_dir
+
+/postinstall postinstall_mnt_dir
+/postinstall/apex postinstall_apex_mnt_dir
+
+/apex/.bootstrap-apex-info-list.xml apex_info_file
+/apex/.default-apex-info-list.xml apex_info_file
+/apex/apex-info-list.xml apex_info_file
+
+/bin rootfs
+/bugreports rootfs
+/charger rootfs
+/d rootfs
+/etc rootfs
+/sdcard rootfs
+
+/vendor_file_contexts file_contexts_file
+/plat_file_contexts file_contexts_file
+/product_file_contexts file_contexts_file
+/mapping_sepolicy.cil sepolicy_file
+/plat_sepolicy.cil sepolicy_file
+/plat_property_contexts property_contexts_file
+/product_property_contexts property_contexts_file
+/vendor_property_contexts property_contexts_file
+/seapp_contexts seapp_contexts_file
+/vendor_seapp_contexts seapp_contexts_file
+/plat_seapp_contexts seapp_contexts_file
+/sepolicy sepolicy_file
+/plat_service_contexts service_contexts_file
+/plat_hwservice_contexts hwservice_contexts_file
+/plat_keystore2_key_contexts keystore2_key_contexts_file
+/vendor_service_contexts vendor_service_contexts_file
+/vendor_hwservice_contexts hwservice_contexts_file
+/vndservice_contexts vndservice_contexts_file
+
+/dev device
+/dev/does_not_exist device
+/dev/adf graphics_device
+/dev/adf0 graphics_device
+/dev/adf123 graphics_device
+/dev/adf-interface. graphics_device
+/dev/adf-interface0. graphics_device
+/dev/adf-interface.1 graphics_device
+/dev/adf-interface2.3 graphics_device
+/dev/adf-overlay-engine. graphics_device
+/dev/adf-overlay-engine0. graphics_device
+/dev/adf-overlay-engine.1 graphics_device
+/dev/adf-overlay-engine2.3 graphics_device
+/dev/ashmem ashmem_device
+/dev/ashmemtest ashmem_libcutils_device
+/dev/ashmem-test ashmem_libcutils_device
+/dev/ashmem/test ashmem_libcutils_device
+/dev/audio audio_device
+/dev/audiotest audio_device
+/dev/audio-test audio_device
+/dev/audio/test audio_device
+/dev/binder binder_device
+/dev/block block_device
+/dev/block/does_not_exist block_device
+/dev/block123 device
+/dev/block/by-name/zoned_device zoned_block_device
+/dev/block/dm-0 dm_device
+/dev/block/dm-123 dm_device
+/dev/block/dm block_device
+/dev/block/dm- block_device
+/dev/block/ublkb0 ublk_block_device
+/dev/block/ublkb123 ublk_block_device
+/dev/block/ublkb block_device
+/dev/block/loop0 loop_device
+/dev/block/loop10 loop_device
+/dev/block/loop loop_device
+/dev/block/vda vd_device
+/dev/block/vdb vd_device
+/dev/block/vda0 vd_device
+/dev/block/vda10 vd_device
+/dev/block/vd block_device
+/dev/block/vd1a block_device
+/dev/block/vold block_device
+/dev/block/vold/disk:253,32 vold_device
+/dev/block/ram ram_device
+/dev/block/ram0 ram_device
+/dev/block/ram10 ram_device
+/dev/block/zram ram_device
+/dev/block/zram0 ram_device
+/dev/block/zram10 ram_device
+/dev/boringssl/selftest boringssl_self_test_marker
+/dev/boringssl/selftest/test boringssl_self_test_marker
+/dev/bus/usb usb_device
+/dev/bus/usb/001 usb_device
+/dev/console console_device
+/dev/cpu_variant: dev_cpu_variant
+/dev/cpu_variant:test dev_cpu_variant
+/dev/dma_heap dmabuf_heap_device
+/dev/dma_heap/test dmabuf_heap_device
+/dev/dma_heap/system dmabuf_system_heap_device
+/dev/dma_heap/system-uncached dmabuf_system_heap_device
+/dev/dma_heap/system-secure dmabuf_system_secure_heap_device
+/dev/dma_heap/system-secure-test dmabuf_system_secure_heap_device
+/dev/dma_heap/system-secure/test dmabuf_system_secure_heap_device
+/dev/dm-user dm_user_device
+/dev/dm-user/test dm_user_device
+/dev/ublk-control ublk_control_device
+/dev/device-mapper dm_device
+/dev/eac audio_device
+/dev/event-log-tags runtime_event_log_tags_file
+/dev/cgroup_info cgroup_rc_file
+/dev/cgroup_info/cgroup.rc cgroup_rc_file
+/dev/fscklogs fscklogs
+/dev/fscklogs/fsck fscklogs
+/dev/fuse fuse_device
+/dev/gnss0 gnss_device
+/dev/gnss10 gnss_device
+/dev/graphics graphics_device
+/dev/graphics/test graphics_device
+/dev/hw_random hw_random_device
+/dev/hwbinder hwbinder_device
+/dev/input input_device
+/dev/input/event0 input_device
+/dev/iio:device0 iio_device
+/dev/iio:device1 iio_device
+/dev/ion ion_device
+/dev/keychord keychord_device
+/dev/loop-control loop_control_device
+/dev/modem radio_device
+/dev/modem0 radio_device
+/dev/modem-test radio_device
+/dev/modem/test radio_device
+/dev/mtp_usb mtp_device
+/dev/pmsg0 pmsg_device
+/dev/pn544 nfc_device
+/dev/port port_device
+/dev/ppp ppp_device
+/dev/ptmx ptmx_device
+/dev/pvrsrvkm gpu_device
+/dev/kmsg kmsg_device
+/dev/kmsg_debug kmsg_debug_device
+/dev/kvm kvm_device
+/dev/null null_device
+/dev/nvhdcp1 video_device
+/dev/random random_device
+/dev/rpmsg-omx0 rpmsg_device
+/dev/rpmsg-omx1 rpmsg_device
+/dev/rproc_user rpmsg_device
+/dev/rtc0 rtc_device
+/dev/rtc9 rtc_device
+/dev/snd audio_device
+/dev/snd/controlC0 audio_device
+/dev/snd/timer audio_device
+/dev/socket socket_device
+/dev/socket/does_not_exist socket_device
+/dev/socket/adbd adbd_socket
+/dev/socket/dnsproxyd dnsproxyd_socket
+/dev/socket/dumpstate dumpstate_socket
+/dev/socket/fwmarkd fwmarkd_socket
+/dev/socket/lmkd lmkd_socket
+/dev/socket/logd logd_socket
+/dev/socket/logdr logdr_socket
+/dev/socket/logdw logdw_socket
+/dev/socket/statsdw statsdw_socket
+/dev/socket/mdns mdns_socket
+/dev/socket/mdnsd mdnsd_socket
+/dev/socket/mtpd mtpd_socket
+/dev/socket/pdx/system/buffer_hub pdx_bufferhub_dir
+/dev/socket/pdx/system/buffer_hub/client pdx_bufferhub_client_endpoint_socket
+/dev/socket/pdx/system/performance pdx_performance_dir
+/dev/socket/pdx/system/performance/client pdx_performance_client_endpoint_socket
+/dev/socket/pdx/system/vr/display pdx_display_dir
+/dev/socket/pdx/system/vr/display/client pdx_display_client_endpoint_socket
+/dev/socket/pdx/system/vr/display/manager pdx_display_manager_endpoint_socket
+/dev/socket/pdx/system/vr/display/screenshot pdx_display_screenshot_endpoint_socket
+/dev/socket/pdx/system/vr/display/vsync pdx_display_vsync_endpoint_socket
+/dev/socket/prng_seeder prng_seeder_socket
+/dev/socket/property_service property_socket
+/dev/socket/property_service_for_system property_socket
+/dev/socket/racoon racoon_socket
+/dev/socket/recovery recovery_socket
+/dev/socket/rild rild_socket
+/dev/socket/rild-debug rild_debug_socket
+/dev/socket/snapuserd snapuserd_socket
+/dev/socket/snapuserd_proxy snapuserd_proxy_socket
+/dev/socket/tombstoned_crash tombstoned_crash_socket
+/dev/socket/tombstoned_java_trace tombstoned_java_trace_socket
+/dev/socket/tombstoned_intercept tombstoned_intercept_socket
+/dev/socket/traced_consumer traced_consumer_socket
+/dev/socket/traced_perf traced_perf_socket
+/dev/socket/traced_producer traced_producer_socket
+/dev/socket/heapprofd heapprofd_socket
+/dev/socket/uncrypt uncrypt_socket
+/dev/socket/wpa_eth0 wpa_socket
+/dev/socket/wpa_eth9 wpa_socket
+/dev/socket/wpa_wlan0 wpa_socket
+/dev/socket/wpa_wlan9 wpa_socket
+/dev/socket/zygote zygote_socket
+/dev/socket/zygote_secondary zygote_socket
+/dev/socket/usap_pool_primary zygote_socket
+/dev/socket/usap_pool_secondary zygote_socket
+/dev/spdif_out audio_device
+/dev/spdif_out-test audio_device
+/dev/spdif_out/test audio_device
+/dev/sys/block/by-name/rootdisk rootdisk_sysdev
+/dev/sys/block/by-name/rootdisk/test rootdisk_sysdev
+/dev/sys/block/by-name/rootdisk-test device
+/dev/sys/block/by-name/userdata userdata_sysdev
+/dev/sys/block/by-name/userdata/test userdata_sysdev
+/dev/sys/block/by-name/userdata-test device
+/dev/sys/fs/by-name/userdata userdata_sysdev
+/dev/sys/fs/by-name/userdata/test userdata_sysdev
+/dev/sys/fs/by-name/userdata-test device
+/dev/tty owntty_device
+/dev/tty0 tty_device
+/dev/tty1 tty_device
+/dev/ttyS serial_device
+/dev/ttyS0 serial_device
+/dev/ttyS99 serial_device
+/dev/ttyUSB usb_serial_device
+/dev/ttyUSB0 usb_serial_device
+/dev/ttyUSB99 usb_serial_device
+/dev/ttyACM usb_serial_device
+/dev/ttyACM0 usb_serial_device
+/dev/ttyACM99 usb_serial_device
+/dev/tun tun_device
+/dev/uhid uhid_device
+/dev/uinput uhid_device
+/dev/uio uio_device
+/dev/uio0 uio_device
+/dev/uio9 uio_device
+/dev/urandom random_device
+/dev/usb_accessory usbaccessory_device
+/dev/v4l-touch input_device
+/dev/v4l-touch0 input_device
+/dev/v4l-touch10 input_device
+/dev/vfio vfio_device
+/dev/vfio/test vfio_device
+/dev/vfio-test device
+/dev/vhost-vsock kvm_device
+/dev/video video_device
+/dev/video0 video_device
+/dev/video99 video_device
+/dev/vndbinder vndbinder_device
+/dev/watchdog watchdog_device
+/dev/xt_qtaguid qtaguid_device
+/dev/zero zero_device
+/dev/__properties__ properties_device
+/dev/__properties__/property_info property_info
+/dev/__properties__/appcompat_override properties_device
+/dev/__properties__/appcompat_override/property_info property_info
+
+/linkerconfig linkerconfig_file
+/linkerconfig/test linkerconfig_file
+
+/system system_file
+/system/does_not_exist system_file
+/system/apex/com.android.art art_apex_dir
+/system/lib system_lib_file
+/system/lib64 system_lib_file
+/system/lib/does_not_exist system_lib_file
+/system/lib64/does_not_exist system_lib_file
+/system/lib/bootstrap system_bootstrap_lib_file
+/system/lib64/bootstrap system_bootstrap_lib_file
+/system/lib/bootstrap/test system_bootstrap_lib_file
+/system/lib64/bootstrap/test system_bootstrap_lib_file
+/system/bin/mm_events mm_events_exec
+/system/bin/atrace atrace_exec
+/system/bin/auditctl auditctl_exec
+/system/bin/bcc rs_exec
+/system/bin/blank_screen blank_screen_exec
+/system/bin/boringssl_self_test32 boringssl_self_test_exec
+/system/bin/boringssl_self_test64 boringssl_self_test_exec
+/system/bin/boringssl_self_test31 system_file
+/system/bin/prng_seeder prng_seeder_exec
+/system/bin/charger charger_exec
+/system/bin/e2fsdroid e2fs_exec
+/system/bin/mke2fs e2fs_exec
+/system/bin/e2fsck fsck_exec
+/system/bin/extra_free_kbytes.sh extra_free_kbytes_exec
+/system/bin/fsck.exfat fsck_exec
+/system/bin/fsck.f2fs fsck_exec
+/system/bin/init init_exec
+/system/bin/mini-keyctl toolbox_exec
+/system/bin/fsverity_init fsverity_init_exec
+/system/bin/sload_f2fs e2fs_exec
+/system/bin/make_f2fs e2fs_exec
+/system/bin/fsck_msdos fsck_exec
+/system/bin/tcpdump tcpdump_exec
+/system/bin/tune2fs fsck_exec
+/system/bin/resize2fs fsck_exec
+/system/bin/toolbox toolbox_exec
+/system/bin/toybox toolbox_exec
+/system/bin/ld.mc rs_exec
+/system/bin/logcat logcat_exec
+/system/bin/logcatd logcat_exec
+/system/bin/sh shell_exec
+/system/bin/run-as runas_exec
+/system/bin/bootanimation bootanim_exec
+/system/bin/bootstat bootstat_exec
+/system/bin/app_process32 zygote_exec
+/system/bin/app_process64 zygote_exec
+/system/bin/servicemanager servicemanager_exec
+/system/bin/surfaceflinger surfaceflinger_exec
+/system/bin/gpuservice gpuservice_exec
+/system/bin/bufferhubd bufferhubd_exec
+/system/bin/performanced performanced_exec
+/system/bin/drmserver drmserver_exec
+/system/bin/drmserver32 drmserver_exec
+/system/bin/drmserver64 drmserver_exec
+/system/bin/dumpstate dumpstate_exec
+/system/bin/incident incident_exec
+/system/bin/incidentd incidentd_exec
+/system/bin/incident_helper incident_helper_exec
+/system/bin/iw iw_exec
+/system/bin/netutils-wrapper-1.0 netutils_wrapper_exec
+/system/bin/vold vold_exec
+/system/bin/netd netd_exec
+/system/bin/wificond wificond_exec
+/system/bin/audioserver audioserver_exec
+/system/bin/mediadrmserver mediadrmserver_exec
+/system/bin/mediaserver mediaserver_exec
+/system/bin/mediaserver32 mediaserver_exec
+/system/bin/mediaserver64 mediaserver_exec
+/system/bin/mediametrics mediametrics_exec
+/system/bin/cameraserver cameraserver_exec
+/system/bin/mediaextractor mediaextractor_exec
+/system/bin/mediaswcodec mediaswcodec_exec
+/system/bin/mediatranscoding mediatranscoding_exec
+/system/bin/mediatuner mediatuner_exec
+/system/bin/mdnsd mdnsd_exec
+/system/bin/installd installd_exec
+/system/bin/otapreopt_chroot otapreopt_chroot_exec
+/system/bin/otapreopt_slot otapreopt_slot_exec
+/system/bin/credstore credstore_exec
+/system/bin/keystore keystore_exec
+/system/bin/keystore2 keystore_exec
+/system/bin/fingerprintd fingerprintd_exec
+/system/bin/gatekeeperd gatekeeperd_exec
+/system/bin/tombstoned tombstoned_exec
+/system/bin/recovery-persist recovery_persist_exec
+/system/bin/recovery-refresh recovery_refresh_exec
+/system/bin/sdcard sdcardd_exec
+/system/bin/snapshotctl snapshotctl_exec
+/system/bin/remount remount_exec
+/system/bin/dhcpcd dhcp_exec
+/system/bin/dhcpcd-6.8.2 dhcp_exec
+/system/bin/dmesgd dmesgd_exec
+/system/bin/mtpd mtp_exec
+/system/bin/pppd ppp_exec
+/system/bin/racoon racoon_exec
+/system/xbin/su su_exec
+/system/bin/dnsmasq dnsmasq_exec
+/system/bin/linker system_linker_exec
+/system/bin/linker64 system_linker_exec
+/system/bin/linker63 system_file
+/system/bin/linkerconfig linkerconfig_exec
+/system/bin/bootstrap/linker system_linker_exec
+/system/bin/bootstrap/linker64 system_linker_exec
+/system/bin/bootstrap/linker63 system_file
+/system/bin/bootstrap/linkerconfig linkerconfig_exec
+/system/bin/llkd llkd_exec
+/system/bin/lmkd lmkd_exec
+/system/bin/usbd usbd_exec
+/system/bin/inputflinger inputflinger_exec
+/system/bin/logd logd_exec
+/system/bin/lpdumpd lpdumpd_exec
+/system/bin/rss_hwm_reset rss_hwm_reset_exec
+/system/bin/perfetto perfetto_exec
+/system/bin/mtectrl mtectrl_exec
+/system/bin/traced traced_exec
+/system/bin/traced_perf traced_perf_exec
+/system/bin/traced_probes traced_probes_exec
+/system/bin/heapprofd heapprofd_exec
+/system/bin/uncrypt uncrypt_exec
+/system/bin/update_verifier update_verifier_exec
+/system/bin/logwrapper system_file
+/system/bin/vdc vdc_exec
+/system/bin/cppreopts.sh cppreopts_exec
+/system/bin/preloads_copy.sh preloads_copy_exec
+/system/bin/preopt2cachename preopt2cachename_exec
+/system/bin/viewcompiler viewcompiler_exec
+/system/bin/sgdisk sgdisk_exec
+/system/bin/blkid blkid_exec
+/system/bin/flags_health_check flags_health_check_exec
+/system/bin/idmap2 idmap_exec
+/system/bin/idmap2d idmap_exec
+/system/bin/update_engine update_engine_exec
+/system/bin/profcollectd profcollectd_exec
+/system/bin/profcollectctl profcollectd_exec
+/system/bin/storaged storaged_exec
+/system/bin/virtual_camera virtual_camera_exec
+/system/bin/virtual_touchpad virtual_touchpad_exec
+/system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec
+/system/bin/hw/android.system.suspend-service system_suspend_exec
+/system/etc/cgroups.json cgroup_desc_file
+/system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file
+/system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file
+/system/etc/event-log-tags system_event_log_tags_file
+/system/etc/font_fallback.xml system_font_fallback_file
+/system/etc/group system_group_file
+/system/etc/ld.config. system_linker_config_file
+/system/etc/ld.config.test system_linker_config_file
+/system/etc/passwd system_passwd_file
+/system/etc/seccomp_policy system_seccomp_policy_file
+/system/etc/seccomp_policy/crash_dump.x86.policy system_seccomp_policy_file
+/system/etc/security/cacerts system_security_cacerts_file
+/system/etc/security/cacerts/123 system_security_cacerts_file
+/system/etc/selinux/mapping/30.0.cil sepolicy_file
+#/system/etc/selinux/mapping/30.compat.0.cil sepolicy_file
+/system/etc/selinux/plat_mac_permissions.xml mac_perms_file
+/system/etc/selinux/plat_property_contexts property_contexts_file
+/system/etc/selinux/plat_service_contexts service_contexts_file
+/system/etc/selinux/plat_hwservice_contexts hwservice_contexts_file
+/system/etc/selinux/plat_keystore2_key_contexts keystore2_key_contexts_file
+/system/etc/selinux/plat_file_contexts file_contexts_file
+/system/etc/selinux/plat_seapp_contexts seapp_contexts_file
+/system/etc/selinux/plat_sepolicy.cil sepolicy_file
+/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 sepolicy_file
+/system/etc/task_profiles.json task_profiles_file
+/system/etc/task_profiles/task_profiles_0.json task_profiles_api_file
+/system/etc/task_profiles/task_profiles_99.json task_profiles_api_file
+/system/usr/share/zoneinfo system_zoneinfo_file
+/system/usr/share/zoneinfo/0 system_zoneinfo_file
+/system/bin/adbd adbd_exec
+/system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
+/system/bin/stats stats_exec
+/system/bin/statsd statsd_exec
+/system/bin/bpfloader bpfloader_exec
+/system/bin/netbpfload bpfloader_exec
+/system/bin/watchdogd watchdogd_exec
+/system/bin/apexd apexd_exec
+/system/bin/gsid gsid_exec
+/system/bin/simpleperf simpleperf_exec
+/system/bin/simpleperf_app_runner simpleperf_app_runner_exec
+/system/bin/migrate_legacy_obb_data migrate_legacy_obb_data_exec
+/system/bin/android.frameworks.automotive.display@1.0-service automotive_display_service_exec
+/system/bin/snapuserd snapuserd_exec
+/system/bin/odsign odsign_exec
+/system/bin/vehicle_binding_util vehicle_binding_util_exec
+/system/bin/cardisplayproxyd automotive_display_service_exec
+/system/bin/evsmanagerd evsmanagerd_exec
+/system/bin/android.automotive.evs.manager@1.0 evsmanagerd_exec
+/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
+/system/bin/uprobestats uprobestats_exec
+
+/vendor vendor_file
+/vendor/does_not_exist vendor_file
+/system/vendor vendor_file
+/system/vendor/does_not_exist vendor_file
+/vendor/bin/sh vendor_shell_exec
+/system/vendor/bin/sh vendor_shell_exec
+/vendor/bin/toybox_vendor vendor_toolbox_exec
+/system/vendor/bin/toybox_vendor vendor_toolbox_exec
+/vendor/bin/toolbox vendor_toolbox_exec
+/system/vendor/bin/toolbox vendor_toolbox_exec
+/vendor/etc vendor_configs_file
+/vendor/etc/does_not_exist vendor_configs_file
+/system/vendor/etc vendor_configs_file
+/system/vendor/etc/does_not_exist vendor_configs_file
+/vendor/etc/cgroups.json vendor_cgroup_desc_file
+/system/vendor/etc/cgroups.json vendor_cgroup_desc_file
+/vendor/etc/task_profiles.json vendor_task_profiles_file
+/system/vendor/etc/task_profiles.json vendor_task_profiles_file
+
+/vendor/lib/egl same_process_hal_file
+/vendor/lib64/egl same_process_hal_file
+/vendor/lib/egl/test same_process_hal_file
+/vendor/lib64/egl/test same_process_hal_file
+/system/vendor/lib/egl same_process_hal_file
+/system/vendor/lib64/egl same_process_hal_file
+/system/vendor/lib/egl/test same_process_hal_file
+/system/vendor/lib64/egl/test same_process_hal_file
+
+/vendor/lib/vndk-sp vndk_sp_file
+/vendor/lib64/vndk-sp vndk_sp_file
+/vendor/lib/vndk-sp/test vndk_sp_file
+/vendor/lib64/vndk-sp/test vndk_sp_file
+/system/vendor/lib/vndk-sp vndk_sp_file
+/system/vendor/lib64/vndk-sp vndk_sp_file
+/system/vendor/lib/vndk-sp/test vndk_sp_file
+/system/vendor/lib64/vndk-sp/test vndk_sp_file
+
+/vendor/manifest.xml vendor_configs_file
+/system/vendor/manifest.xml vendor_configs_file
+/vendor/compatibility_matrix.xml vendor_configs_file
+/system/vendor/compatibility_matrix.xml vendor_configs_file
+/vendor/etc/vintf vendor_configs_file
+/vendor/etc/vintf/test vendor_configs_file
+/system/vendor/etc/vintf vendor_configs_file
+/system/vendor/etc/vintf/test vendor_configs_file
+/vendor/app vendor_app_file
+/vendor/app/test vendor_app_file
+/system/vendor/app vendor_app_file
+/system/vendor/app/test vendor_app_file
+/vendor/priv-app vendor_app_file
+/vendor/priv-app/test vendor_app_file
+/system/vendor/priv-app vendor_app_file
+/system/vendor/priv-app/test vendor_app_file
+/vendor/overlay vendor_overlay_file
+/vendor/overlay/test vendor_overlay_file
+/system/vendor/overlay vendor_overlay_file
+/system/vendor/overlay/test vendor_overlay_file
+/vendor/framework vendor_framework_file
+/vendor/framework/test vendor_framework_file
+/system/vendor/framework vendor_framework_file
+/system/vendor/framework/test vendor_framework_file
+/vendor/etc/avf/microdroid vendor_microdroid_file
+/vendor/etc/avf/microdroid/test vendor_microdroid_file
+
+/vendor/apex vendor_apex_file
+/vendor/apex/test vendor_apex_file
+/vendor/apex/test/test vendor_apex_file
+/vendor/apex/test/test/test vendor_file
+/system/vendor/apex vendor_apex_file
+/system/vendor/apex/test vendor_apex_file
+/system/vendor/apex/test/test vendor_apex_file
+/system/vendor/apex/test/test/test vendor_file
+/vendor/bin/misc_writer vendor_misc_writer_exec
+/system/vendor/bin/misc_writer vendor_misc_writer_exec
+/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
+/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
+/system/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
+/system/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
+
+/vendor/lib/hw vendor_hal_file
+/vendor/lib64/hw vendor_hal_file
+/system/vendor/lib/hw vendor_hal_file
+/system/vendor/lib64/hw vendor_hal_file
+
+/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
+/system/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
+
+/odm vendor_file
+/odm/does_not_exist vendor_file
+/vendor/odm vendor_file
+/vendor/does_not_exist vendor_file
+/odm/lib/egl same_process_hal_file
+/odm/lib64/egl same_process_hal_file
+/odm/lib/egl/test same_process_hal_file
+/odm/lib64/egl/test same_process_hal_file
+/vendor/odm/lib/egl same_process_hal_file
+/vendor/odm/lib64/egl same_process_hal_file
+/vendor/odm/lib/egl/test same_process_hal_file
+/vendor/odm/lib64/egl/test same_process_hal_file
+/odm/lib/hw vendor_hal_file
+/odm/lib64/hw vendor_hal_file
+/vendor/odm/lib/hw vendor_hal_file
+/vendor/odm/lib64/hw vendor_hal_file
+/odm/lib/vndk-sp vndk_sp_file
+/odm/lib64/vndk-sp vndk_sp_file
+/odm/lib/vndk-sp/test vndk_sp_file
+/odm/lib64/vndk-sp/test vndk_sp_file
+/vendor/odm/lib/vndk-sp vndk_sp_file
+/vendor/odm/lib64/vndk-sp vndk_sp_file
+/vendor/odm/lib/vndk-sp/test vndk_sp_file
+/vendor/odm/lib64/vndk-sp/test vndk_sp_file
+
+/odm/bin/sh vendor_shell_exec
+/vendor/odm/bin/sh vendor_shell_exec
+/odm/etc vendor_configs_file
+/odm/etc/test vendor_configs_file
+/vendor/odm/etc vendor_configs_file
+/vendor/odm/etc/test vendor_configs_file
+/odm/app vendor_app_file
+/odm/app/test vendor_app_file
+/vendor/odm/app vendor_app_file
+/vendor/odm/app/test vendor_app_file
+/odm/priv-app vendor_app_file
+/odm/priv-app/test vendor_app_file
+/vendor/odm/priv-app vendor_app_file
+/vendor/odm/priv-app/test vendor_app_file
+/odm/overlay vendor_overlay_file
+/odm/overlay/test vendor_overlay_file
+/vendor/odm/overlay vendor_overlay_file
+/vendor/odm/overlay/test vendor_overlay_file
+/odm/framework vendor_framework_file
+/odm/framework/test vendor_framework_file
+/vendor/odm/framework vendor_framework_file
+/vendor/odm/framework/test vendor_framework_file
+
+/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/vendor/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/vendor/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/system/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/system/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+
+/odm/usr/keylayout.kl vendor_keylayout_file
+/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/odm/usr/keylayout.kl vendor_keylayout_file
+/vendor/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/usr/keylayout.kl vendor_keylayout_file
+/vendor/usr/keylayout/test.kl vendor_keylayout_file
+/system/vendor/usr/keylayout.kl vendor_keylayout_file
+/system/vendor/usr/keylayout/test.kl vendor_keylayout_file
+/odm/usr/keychars.kcm vendor_keychars_file
+/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/odm/usr/keychars.kcm vendor_keychars_file
+/vendor/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/usr/keychars.kcm vendor_keychars_file
+/vendor/usr/keychars/test.kcm vendor_keychars_file
+/system/vendor/usr/keychars.kcm vendor_keychars_file
+/system/vendor/usr/keychars/test.kcm vendor_keychars_file
+/odm/usr/idc.idc vendor_idc_file
+/odm/usr/idc/test.idc vendor_idc_file
+/vendor/odm/usr/idc.idc vendor_idc_file
+/vendor/odm/usr/idc/test.idc vendor_idc_file
+/vendor/usr/idc.idc vendor_idc_file
+/vendor/usr/idc/test.idc vendor_idc_file
+/system/vendor/usr/idc.idc vendor_idc_file
+/system/vendor/usr/idc/test.idc vendor_idc_file
+
+/oem oemfs
+/oem/does_not_exist oemfs
+/oem/overlay vendor_overlay_file
+/oem/overlay/does_not_exist vendor_overlay_file
+
+/odm/etc/selinux/precompiled_sepolicy sepolicy_file
+/odm/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 sepolicy_file
+
+/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
+/vendor/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
+/odm/etc/selinux/odm_file_contexts file_contexts_file
+/vendor/odm/etc/selinux/odm_file_contexts file_contexts_file
+/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
+/vendor/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
+/odm/etc/selinux/odm_property_contexts property_contexts_file
+/vendor/odm/etc/selinux/odm_property_contexts property_contexts_file
+/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
+/vendor/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
+/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
+/vendor/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
+/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
+/vendor/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
+/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+
+/product system_file
+/product/does_not_exist system_file
+/system/product system_file
+/system/product/does_not_exist system_file
+/product/etc/group system_group_file
+/system/product/etc/group system_group_file
+/product/etc/passwd system_passwd_file
+/system/product/etc/passwd system_passwd_file
+/product/overlay system_file
+/product/overlay/does_not_exist system_file
+/system/product/overlay system_file
+/system/product/overlay/does_not_exist system_file
+
+/product/etc/selinux/product_file_contexts file_contexts_file
+/system/product/etc/selinux/product_file_contexts file_contexts_file
+/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
+/system/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
+/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
+/system/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
+/product/etc/selinux/product_property_contexts property_contexts_file
+/system/product/etc/selinux/product_property_contexts property_contexts_file
+/product/etc/selinux/product_seapp_contexts seapp_contexts_file
+/system/product/etc/selinux/product_seapp_contexts seapp_contexts_file
+/product/etc/selinux/product_service_contexts service_contexts_file
+/system/product/etc/selinux/product_service_contexts service_contexts_file
+/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+/system/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+
+/product/lib system_lib_file
+/product/lib/does_not_exist system_lib_file
+/product/lib64 system_lib_file
+/product/lib64/does_not_exist system_lib_file
+/system/product/lib system_lib_file
+/system/product/lib/does_not_exist system_lib_file
+/system/product/lib64 system_lib_file
+/system/product/lib64/does_not_exist system_lib_file
+
+/system_ext system_file
+/system_ext/does_not_exist system_file
+/system/system_ext system_file
+/system/system_ext/does_not_exist system_file
+/system_ext/etc/group system_group_file
+/system/system_ext/etc/group system_group_file
+/system_ext/etc/passwd system_passwd_file
+/system/system_ext/etc/passwd system_passwd_file
+/system_ext/overlay vendor_overlay_file
+/system_ext/overlay/does_not_exist vendor_overlay_file
+/system/system_ext/overlay vendor_overlay_file
+/system/system_ext/overlay/does_not_exist vendor_overlay_file
+
+/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
+/system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
+/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
+/system/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
+/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
+/system/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
+/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
+/system/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
+/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
+/system/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
+/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
+/system/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
+/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
+/system/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
+/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+/system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+
+/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
+/system/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
+/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
+/system/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
+/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
+/system/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
+/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
+/system/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
+/system_ext/bin/hwservicemanager hwservicemanager_exec
+/system/system_ext/bin/hwservicemanager hwservicemanager_exec
+/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+/system/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+
+
+/system_ext/bin/canhalconfigurator canhalconfigurator_exec
+/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
+/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+
+/system_ext/lib system_lib_file
+/system_ext/lib/does_not_exist system_lib_file
+/system_ext/lib64 system_lib_file
+/system_ext/lib64/does_not_exist system_lib_file
+/system/system_ext/lib system_lib_file
+/system/system_ext/lib/does_not_exist system_lib_file
+/system/system_ext/lib64 system_lib_file
+/system/system_ext/lib64/does_not_exist system_lib_file
+
+/vendor_dlkm vendor_file
+/vendor_dlkm/does_not_exist vendor_file
+/vendor/vendor_dlkm vendor_file
+/vendor/vendor_dlkm/does_not_exist vendor_file
+/system/vendor/vendor_dlkm vendor_file
+/system/vendor/vendor_dlkm/does_not_exist vendor_file
+/vendor_dlkm/etc vendor_configs_file
+/vendor_dlkm/etc/does_not_exist vendor_configs_file
+/vendor/vendor_dlkm/etc vendor_configs_file
+/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
+/system/vendor/vendor_dlkm/etc vendor_configs_file
+/system/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
+
+/odm_dlkm vendor_file
+/odm_dlkm/does_not_exist vendor_file
+/vendor/odm_dlkm vendor_file
+/vendor/odm_dlkm/does_not_exist vendor_file
+/system/vendor/odm_dlkm vendor_file
+/system/vendor/odm_dlkm/does_not_exist vendor_file
+/odm_dlkm/etc vendor_configs_file
+/odm_dlkm/etc/does_not_exist vendor_configs_file
+/vendor/odm_dlkm/etc vendor_configs_file
+/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
+/system/vendor/odm_dlkm/etc vendor_configs_file
+/system/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
+
+/product/vendor_overlay/0/test vendor_file
+/product/vendor_overlay/1/test vendor_file
+/system/product/vendor_overlay/0/test vendor_file
+/system/product/vendor_overlay/1/test vendor_file
+
+/data system_data_root_file
+/data/does_not_exist system_data_file
+/data/system/environ environ_system_data_file
+/data/system/environ/test environ_system_data_file
+/data/system/packages.list packages_list_file
+/data/system/game_mode_intervention.list game_mode_intervention_list_file
+/data/unencrypted unencrypted_data_file
+/data/unencrypted/test unencrypted_data_file
+/data/backup backup_data_file
+/data/backup/test backup_data_file
+/data/secure/backup backup_data_file
+/data/secure/backup/test backup_data_file
+/data/system/ndebugsocket system_ndebug_socket
+/data/system/unsolzygotesocket system_unsolzygote_socket
+/data/drm drm_data_file
+/data/drm/test drm_data_file
+/data/resource-cache resourcecache_data_file
+/data/resource-cache/test resourcecache_data_file
+/data/dalvik-cache dalvikcache_data_file
+/data/dalvik-cache/test dalvikcache_data_file
+/data/ota ota_data_file
+/data/ota/test ota_data_file
+/data/ota_package ota_package_file
+/data/ota_package/test ota_package_file
+/data/adb adb_data_file
+/data/adb/test adb_data_file
+/data/anr anr_data_file
+/data/anr/test anr_data_file
+/data/apex apex_data_file
+/data/apex/test apex_data_file
+/data/apex/active/test staging_data_file
+/data/apex/backup/test staging_data_file
+/data/apex/decompressed/test staging_data_file
+/data/apex/ota_reserved apex_ota_reserved_file
+/data/apex/ota_reserved/test apex_ota_reserved_file
+/data/app apk_data_file
+/data/app/test apk_data_file
+/data/app/test01/oat dalvikcache_data_file
+/data/app/test01/oat/test dalvikcache_data_file
+/data/app/test01/test02/oat dalvikcache_data_file
+/data/app/test01/test02/oat/test dalvikcache_data_file
+/data/app/vmdltest01.tmp apk_tmp_file
+/data/app/vmdltest01.tmp/test apk_tmp_file
+/data/app/vmdltest02.tmp/oat dalvikcache_data_file
+/data/app/vmdltest02.tmp/oat/test dalvikcache_data_file
+/data/app-private apk_private_data_file
+/data/app-private/test apk_private_data_file
+/data/app-private/vmdltest.tmp apk_private_tmp_file
+/data/app-private/vmdltest/does_not_exist.tmp apk_private_tmp_file
+/data/app-private/vmdltest.tmp/test apk_private_tmp_file
+/data/gsi gsi_data_file
+/data/gsi/test gsi_data_file
+/data/gsi_persistent_data gsi_persistent_data_file
+/data/gsi/ota ota_image_data_file
+/data/gsi/ota/test ota_image_data_file
+/data/tombstones tombstone_data_file
+/data/tombstones/test tombstone_data_file
+/data/vendor/tombstones/wifi tombstone_wifi_data_file
+/data/vendor/tombstones/wifi/test tombstone_wifi_data_file
+/data/local/tests shell_test_data_file
+/data/local/tests/test shell_test_data_file
+/data/local/tmp shell_data_file
+/data/local/tmp/test shell_data_file
+/data/local/tmp/ltp nativetest_data_file
+/data/local/tmp/ltp/test nativetest_data_file
+/data/local/traces trace_data_file
+/data/local/traces/test trace_data_file
+/data/media media_userdir_file
+/data/media/test media_rw_data_file
+/data/mediadrm media_data_file
+/data/mediadrm/test media_data_file
+/data/nativetest nativetest_data_file
+/data/nativetest/test nativetest_data_file
+/data/nativetest64 nativetest_data_file
+/data/nativetest64/test nativetest_data_file
+/data/pkg_staging staging_data_file
+/data/pkg_staging/test staging_data_file
+/data/property property_data_file
+/data/property/test property_data_file
+/data/preloads preloads_data_file
+/data/preloads/test preloads_data_file
+/data/preloads/media preloads_media_file
+/data/preloads/media/test preloads_media_file
+/data/preloads/demo preloads_media_file
+/data/preloads/demo/test preloads_media_file
+/data/server_configurable_flags server_configurable_flags_data_file
+/data/server_configurable_flags/test server_configurable_flags_data_file
+/data/app-staging staging_data_file
+/data/app-staging/test staging_data_file
+/data/rollback/0/test/test.apk apk_data_file
+/data/rollback/999/test/test.apex staging_data_file
+/data/fonts/files font_data_file
+/data/fonts/files/test font_data_file
+/data/misc_ce system_userdir_file
+/data/misc_de system_userdir_file
+/data/system_ce system_userdir_file
+/data/system_de system_userdir_file
+/data/user system_userdir_file
+/data/user_de system_userdir_file
+
+/data/misc/adb adb_keys_file
+/data/misc/adb/test adb_keys_file
+/data/misc/a11ytrace accessibility_trace_data_file
+/data/misc/a11ytrace/test accessibility_trace_data_file
+/data/misc/apexdata apex_module_data_file
+/data/misc/apexdata/test apex_module_data_file
+/data/misc/apexdata/com.android.art apex_art_data_file
+/data/misc/apexdata/com.android.art/test apex_art_data_file
+/data/misc/apexdata/com.android.compos apex_compos_data_file
+/data/misc/apexdata/com.android.compos/test apex_compos_data_file
+/data/misc/apexdata/com.android.virt apex_virt_data_file
+/data/misc/apexdata/com.android.virt/test apex_virt_data_file
+/data/misc/apexdata/com.android.permission apex_system_server_data_file
+/data/misc/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc/apexdata/com.android.scheduling apex_system_server_data_file
+/data/misc/apexdata/com.android.scheduling/test apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering/test apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb/test apex_system_server_data_file
+/data/misc/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc/apexrollback apex_rollback_data_file
+/data/misc/apexrollback/test apex_rollback_data_file
+/data/misc/apns radio_data_file
+/data/misc/apns/test radio_data_file
+/data/misc/appcompat appcompat_data_file
+/data/misc/appcompat/test appcompat_data_file
+/data/misc/audio audio_data_file
+/data/misc/audio/test audio_data_file
+/data/misc/audioserver audioserver_data_file
+/data/misc/audioserver/test audioserver_data_file
+/data/misc/audiohal audiohal_data_file
+/data/misc/audiohal/test audiohal_data_file
+/data/misc/bootstat bootstat_data_file
+/data/misc/bootstat/test bootstat_data_file
+/data/misc/boottrace boottrace_data_file
+/data/misc/boottrace/test boottrace_data_file
+/data/misc/bluetooth bluetooth_data_file
+/data/misc/bluetooth/test bluetooth_data_file
+/data/misc/bluetooth/logs bluetooth_logs_data_file
+/data/misc/bluetooth/logs/test bluetooth_logs_data_file
+/data/misc/bluedroid bluetooth_data_file
+/data/misc/bluedroid/test bluetooth_data_file
+/data/misc/bluedroid/.a2dp_ctrl bluetooth_socket
+/data/misc/bluedroid/.a2dp_data bluetooth_socket
+/data/misc/camera camera_data_file
+/data/misc/camera/test camera_data_file
+/data/misc/carrierid radio_data_file
+/data/misc/carrierid/test radio_data_file
+/data/misc/dhcp dhcp_data_file
+/data/misc/dhcp/test dhcp_data_file
+/data/misc/dhcp-6.8.2 dhcp_data_file
+/data/misc/dhcp-6.8.2/test dhcp_data_file
+/data/misc/dmesgd dmesgd_data_file
+/data/misc/dmesgd/test dmesgd_data_file
+/data/misc/emergencynumberdb emergency_data_file
+/data/misc/emergencynumberdb/test emergency_data_file
+/data/misc/gatekeeper gatekeeper_data_file
+/data/misc/gatekeeper/test gatekeeper_data_file
+/data/misc/incidents incident_data_file
+/data/misc/incidents/test incident_data_file
+/data/misc/installd install_data_file
+/data/misc/installd/test install_data_file
+/data/misc/keychain keychain_data_file
+/data/misc/keychain/test keychain_data_file
+/data/misc/credstore credstore_data_file
+/data/misc/credstore/test credstore_data_file
+/data/misc/keystore keystore_data_file
+/data/misc/keystore/test keystore_data_file
+/data/misc/logd misc_logd_file
+/data/misc/logd/test misc_logd_file
+/data/misc/media media_data_file
+/data/misc/media/test media_data_file
+/data/misc/net net_data_file
+/data/misc/net/test net_data_file
+/data/misc/network_watchlist network_watchlist_data_file
+/data/misc/network_watchlist/test network_watchlist_data_file
+/data/misc/nfc/logs nfc_logs_data_file
+/data/misc/nfc/logs/test nfc_logs_data_file
+/data/misc/odrefresh odrefresh_data_file
+/data/misc/odrefresh/test odrefresh_data_file
+/data/misc/odsign odsign_data_file
+/data/misc/odsign/test odsign_data_file
+/data/misc/odsign/metrics odsign_metrics_file
+/data/misc/odsign/metrics/test odsign_metrics_file
+/data/misc/perfetto-traces/bugreport perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces/bugreport/test perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces perfetto_traces_data_file
+/data/misc/perfetto-traces/test perfetto_traces_data_file
+/data/misc/perfetto-configs perfetto_configs_data_file
+/data/misc/perfetto-configs/test perfetto_configs_data_file
+/data/misc/prereboot prereboot_data_file
+/data/misc/prereboot/test prereboot_data_file
+/data/misc/profcollectd profcollectd_data_file
+/data/misc/profcollectd/test profcollectd_data_file
+/data/misc/radio radio_core_data_file
+/data/misc/radio/test radio_core_data_file
+/data/misc/recovery recovery_data_file
+/data/misc/recovery/test recovery_data_file
+/data/misc/shared_relro shared_relro_file
+/data/misc/shared_relro/test shared_relro_file
+/data/misc/sms radio_data_file
+/data/misc/sms/test radio_data_file
+/data/misc/snapshotctl_log snapshotctl_log_data_file
+/data/misc/snapshotctl_log/test snapshotctl_log_data_file
+/data/misc/stats-active-metric stats_data_file
+/data/misc/stats-active-metric/test stats_data_file
+/data/misc/stats-data stats_data_file
+/data/misc/stats-data/test stats_data_file
+/data/misc/stats-service stats_config_data_file
+/data/misc/stats-service/test stats_config_data_file
+/data/misc/stats-metadata stats_data_file
+/data/misc/stats-metadata/test stats_data_file
+/data/misc/systemkeys systemkeys_data_file
+/data/misc/systemkeys/test systemkeys_data_file
+/data/misc/textclassifier textclassifier_data_file
+/data/misc/textclassifier/test textclassifier_data_file
+/data/misc/threadnetwork threadnetwork_data_file
+/data/misc/threadnetwork/test threadnetwork_data_file
+/data/misc/train-info stats_data_file
+/data/misc/train-info/test stats_data_file
+/data/misc/user misc_user_data_file
+/data/misc/user/test misc_user_data_file
+/data/misc/virtualizationservice virtualizationservice_data_file
+/data/misc/virtualizationservice/test virtualizationservice_data_file
+/data/misc/vpn vpn_data_file
+/data/misc/vpn/test vpn_data_file
+/data/misc/wifi wifi_data_file
+/data/misc/wifi/test wifi_data_file
+/data/misc_ce/0/wifi wifi_data_file
+/data/misc_ce/99/wifi/test wifi_data_file
+/data/misc/wifi/sockets wpa_socket
+/data/misc/wifi/sockets/test wpa_socket
+/data/misc/wifi/sockets/wpa_ctrl_test system_wpa_socket
+/data/misc/wifi/sockets/wpa_ctrl.rc system_wpa_socket
+/data/misc/vold vold_data_file
+/data/misc/vold/test vold_data_file
+/data/misc/update_engine update_engine_data_file
+/data/misc/update_engine/test update_engine_data_file
+/data/misc/update_engine_log update_engine_log_data_file
+/data/misc/update_engine_log/test update_engine_log_data_file
+/data/misc/snapuserd_log snapuserd_log_data_file
+/data/misc/snapuserd_log/test snapuserd_log_data_file
+/data/system/dropbox dropbox_data_file
+/data/system/dropbox/test dropbox_data_file
+/data/system/heapdump heapdump_data_file
+/data/system/heapdump/test heapdump_data_file
+/data/misc/trace method_trace_data_file
+/data/misc/trace/test method_trace_data_file
+/data/misc/wmtrace wm_trace_data_file
+/data/misc/wmtrace/test wm_trace_data_file
+/data/misc/profiles/cur/0 user_profile_root_file
+/data/misc/profiles/cur/9 user_profile_root_file
+/data/misc/profiles/cur/0/test user_profile_data_file
+/data/misc/profiles/ref user_profile_data_file
+/data/misc/profiles/ref/test user_profile_data_file
+/data/misc/profman profman_dump_data_file
+/data/misc/profman/test profman_dump_data_file
+/data/vendor vendor_data_file
+/data/vendor/test vendor_data_file
+/data/vendor_ce vendor_userdir_file
+/data/vendor_ce/test vendor_data_file
+/data/vendor_de vendor_userdir_file
+/data/vendor_de/test vendor_data_file
+
+/data/misc_de/0/storaged storaged_data_file
+/data/misc_de/99/storaged/test storaged_data_file
+/data/misc_ce/0/storaged storaged_data_file
+/data/misc_ce/99/storaged/test storaged_data_file
+
+/data/misc_ce/0/checkin checkin_data_file
+/data/misc_ce/99/checkin/test checkin_data_file
+
+/data/system/users/0/fpdata fingerprintd_data_file
+/data/system/users/99/fpdata/test fingerprintd_data_file
+/data/vendor_de/0/fpdata fingerprint_vendor_data_file
+/data/vendor_de/99/fpdata/test fingerprint_vendor_data_file
+/data/vendor_de/0/facedata face_vendor_data_file
+/data/vendor_de/99/facedata/test face_vendor_data_file
+/data/vendor_ce/0/facedata face_vendor_data_file
+/data/vendor_ce/99/facedata/test face_vendor_data_file
+/data/vendor_de/0/irisdata iris_vendor_data_file
+/data/vendor_de/99/irisdata/test iris_vendor_data_file
+
+/data/bootchart bootchart_data_file
+/data/bootchart/test bootchart_data_file
+
+/data/misc_de/0/sdksandbox sdk_sandbox_system_data_file
+/data/misc_de/99/sdksandbox sdk_sandbox_system_data_file
+/data/misc_ce/0/sdksandbox sdk_sandbox_system_data_file
+/data/misc_ce/99/sdksandbox sdk_sandbox_system_data_file
+
+/data/misc_de/0/rollback rollback_data_file
+/data/misc_de/99/rollback/test rollback_data_file
+/data/misc_ce/0/rollback rollback_data_file
+/data/misc_ce/99/rollback/test rollback_data_file
+
+/data/misc_de/0/apexdata apex_module_data_file
+/data/misc_de/99/apexdata/test apex_module_data_file
+/data/misc_ce/0/apexdata apex_module_data_file
+/data/misc_ce/99/apexdata/test apex_module_data_file
+/data/misc_ce/0/apexdata/com.android.appsearch apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.appsearch/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.permission apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.permission apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.uwb/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.uwb/test apex_system_server_data_file
+
+/data/misc_de/0/apexrollback apex_rollback_data_file
+/data/misc_de/99/apexrollback/test apex_rollback_data_file
+/data/misc_ce/0/apexrollback apex_rollback_data_file
+/data/misc_ce/99/apexrollback/test apex_rollback_data_file
+
+/data/incremental apk_data_file
+/data/incremental/test apk_data_file
+/data/incremental/MT_test/mount/.pending_reads incremental_control_file
+/data/incremental/MT_test/mount/.log incremental_control_file
+/data/incremental/MT_test/mount/.blocks_written incremental_control_file
+
+/data/misc/bootanim bootanim_data_file
+/data/misc/bootanim/test bootanim_data_file
+/mnt/expand mnt_expand_file
+/mnt/expand/does_not_exist system_data_file
+/mnt/expand/test/test system_data_file
+/mnt/expand/test/app apk_data_file
+/mnt/expand/test/app/test apk_data_file
+/mnt/expand/test/app/test/oat dalvikcache_data_file
+/mnt/expand/test/app/test/oat/test dalvikcache_data_file
+/mnt/expand/test/app/test/test/oat dalvikcache_data_file
+/mnt/expand/test/app/test/test/oat/test dalvikcache_data_file
+/mnt/expand/test/app/vmdltest.tmp apk_tmp_file
+/mnt/expand/test/app/vmdltest.tmp/test apk_tmp_file
+/mnt/expand/test/app/vmdltest.tmp/oat dalvikcache_data_file
+/mnt/expand/test/app/vmdltest.tmp/oat/test dalvikcache_data_file
+/mnt/expand/test/local/tmp shell_data_file
+/mnt/expand/test/local/tmp/test shell_data_file
+/mnt/expand/test/media media_userdir_file
+/mnt/expand/test/media/test media_rw_data_file
+/mnt/expand/test/misc/vold vold_data_file
+/mnt/expand/test/misc/vold/test vold_data_file
+/mnt/expand/test/misc_ce system_userdir_file
+/mnt/expand/test/misc_de system_userdir_file
+/mnt/expand/test/user system_userdir_file
+/mnt/expand/test/user_de system_userdir_file
+
+/cores coredump_file
+/cores/test coredump_file
+
+/data/system/users/0/wallpaper_lock_orig wallpaper_file
+/data/system/users/99/wallpaper_lock wallpaper_file
+/data/system/users/0/wallpaper_orig wallpaper_file
+/data/system/users/10/wallpaper wallpaper_file
+
+/data/system_de/0/ringtones ringtone_file
+/data/system_de/0/ringtones/test ringtone_file
+
+/data/system_ce/0/shortcut_service/bitmaps shortcut_manager_icons
+/data/system_ce/9/shortcut_service/bitmaps/test shortcut_manager_icons
+
+/data/system/users/10/photo.png icon_file
+
+/data/system/shutdown-checkpoints shutdown_checkpoints_system_data_file
+/data/system/shutdown-checkpoints/test shutdown_checkpoints_system_data_file
+
+/data/misc_de/0/vold vold_data_file
+/data/misc_de/99/vold/test vold_data_file
+/data/misc_ce/0/vold vold_data_file
+/data/misc_ce/99/vold/test vold_data_file
+
+/data/system_ce/0/backup backup_data_file
+/data/system_ce/99/backup/test backup_data_file
+/data/system_ce/0/backup_stage backup_data_file
+/data/system_ce/99/backup_stage/test backup_data_file
+
+/efs efs_file
+/efs/test efs_file
+
+/cache cache_file
+/cache/test cache_file
+/cache/recovery cache_recovery_file
+/cache/recovery/test cache_recovery_file
+/cache/backup_stage cache_backup_file
+/cache/backup_stage/test cache_backup_file
+/cache/backup cache_private_backup_file
+/cache/backup/test cache_private_backup_file
+
+/cache/overlay overlayfs_file
+/cache/overlay/test overlayfs_file
+/mnt/scratch overlayfs_file
+/mnt/scratch/test overlayfs_file
+
+/data/cache cache_file
+/data/cache/test cache_file
+/data/cache/recovery cache_recovery_file
+/data/cache/recovery/test cache_recovery_file
+/data/cache/backup_stage cache_backup_file
+/data/cache/backup_stage/test cache_backup_file
+/data/cache/backup cache_private_backup_file
+/data/cache/backup/test cache_private_backup_file
+
+/metadata metadata_file
+/metadata/test metadata_file
+/metadata/apex apex_metadata_file
+/metadata/apex/test apex_metadata_file
+/metadata/vold vold_metadata_file
+/metadata/vold/test vold_metadata_file
+/metadata/gsi gsi_metadata_file
+/metadata/gsi/test gsi_metadata_file
+/metadata/gsi/dsu/active gsi_public_metadata_file
+/metadata/gsi/dsu/booted gsi_public_metadata_file
+/metadata/gsi/dsu/lp_names gsi_public_metadata_file
+/metadata/gsi/dsu/test/metadata_encryption_dir gsi_public_metadata_file
+/metadata/gsi/ota ota_metadata_file
+/metadata/gsi/ota/test ota_metadata_file
+/metadata/password_slots password_slot_metadata_file
+/metadata/password_slots/test password_slot_metadata_file
+/metadata/ota ota_metadata_file
+/metadata/ota/test ota_metadata_file
+/metadata/bootstat metadata_bootstat_file
+/metadata/bootstat/test metadata_bootstat_file
+/metadata/staged-install staged_install_file
+/metadata/staged-install/test staged_install_file
+/metadata/userspacereboot userspace_reboot_metadata_file
+/metadata/userspacereboot/test userspace_reboot_metadata_file
+/metadata/watchdog watchdog_metadata_file
+/metadata/watchdog/test watchdog_metadata_file
+/metadata/repair-mode repair_mode_metadata_file
+/metadata/repair-mode/test repair_mode_metadata_file
+
+/mnt/asec asec_apk_file
+/mnt/asec/test asec_apk_file
+/mnt/asec/test/test.zip asec_public_file
+/mnt/asec/test/lib asec_public_file
+/mnt/asec/test/lib/test asec_public_file
+/data/app-asec asec_image_file
+/data/app-asec/test asec_image_file
+
+/mnt/media_rw mnt_media_rw_file
+/mnt/media_rw/test mnt_media_rw_file
+/mnt/user mnt_user_file
+/mnt/user/test mnt_user_file
+/mnt/pass_through mnt_pass_through_file
+/mnt/pass_through/test mnt_pass_through_file
+/mnt/sdcard mnt_sdcard_file
+/mnt/runtime storage_file
+/mnt/runtime/test storage_file
+/storage storage_file
+/storage/test storage_file
+
+/mnt/vendor mnt_vendor_file
+/mnt/vendor/test mnt_vendor_file
+
+/mnt/product mnt_product_file
+/mnt/product/test mnt_product_file
+
+/system/bin/check_dynamic_partitions postinstall_exec
+/product/bin/check_dynamic_partitions postinstall_exec
+/system/bin/otapreopt_script postinstall_exec
+/product/bin/otapreopt_script postinstall_exec
+/system/bin/otapreopt postinstall_dexopt_exec
+/product/bin/otapreopt postinstall_dexopt_exec
diff --git a/flagging/Android.bp b/flagging/Android.bp
new file mode 100644
index 0000000..babd034
--- /dev/null
+++ b/flagging/Android.bp
@@ -0,0 +1,32 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains a list of flags for sepolicy.
+se_policy_conf_defaults {
+ name: "se_policy_conf_flags_defaults",
+ srcs: [":sepolicy_flagging_macros"],
+ flags: [],
+}
+
+contexts_defaults {
+ name: "contexts_flags_defaults",
+ srcs: [":sepolicy_flagging_macros"],
+ neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
+ flags: [],
+}
+
+filegroup {
+ name: "sepolicy_flagging_macros",
+ srcs: ["te_macros"],
+}
diff --git a/flagging/te_macros b/flagging/te_macros
new file mode 100644
index 0000000..3464502
--- /dev/null
+++ b/flagging/te_macros
@@ -0,0 +1,9 @@
+####################################
+# is_flag_enabled(flag, rules)
+# SELinux rules which apply only if given feature is turned on
+define(`is_flag_enabled', `ifelse(target_flag_$1, `true', `$2')')
+
+####################################
+# is_flag_disabled(flag, rules)
+# SELinux rules which apply only if given feature is turned off
+define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index e483237..046f20f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -72,7 +72,9 @@
/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
#############################
# Linker configuration
#
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index f4541a3..896590d 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -32,11 +32,11 @@
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-# /dev/__properties__
+# /dev/__properties__ and /dev/__properties__/appcompat_override
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties__/appcompat_override/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/socket
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 5d4a73c..e4315a2 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -57,6 +57,9 @@
allow microdroid_payload encryptedstore_file:dir create_dir_perms;
allow microdroid_payload encryptedstore_file:file create_file_perms;
+# Payload can access devices labeled as payload accessible.
+allow microdroid_payload payload_accessible_device:chr_file rw_file_perms;
+
# Never allow microdroid_payload to connect to vsock
neverallow microdroid_payload self:vsock_socket connect;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 1a64b62..dfae6f9 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -12,6 +12,7 @@
type null_device, dev_type;
type open_dice_device, dev_type;
type owntty_device, dev_type;
+type payload_accessible_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index fa6712f..069d06a 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -59,6 +59,7 @@
quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
+ repair_mode_metadata_file
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index ac2ab12..0caddf2 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -841,6 +841,7 @@
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
#############################
# asec containers
diff --git a/prebuilts/api/34.0/private/system_server.te b/prebuilts/api/34.0/private/system_server.te
index 98d859c..aff4a0a 100644
--- a/prebuilts/api/34.0/private/system_server.te
+++ b/prebuilts/api/34.0/private/system_server.te
@@ -1441,6 +1441,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
diff --git a/prebuilts/api/34.0/public/file.te b/prebuilts/api/34.0/public/file.te
index da76aee..7cfd8ad 100644
--- a/prebuilts/api/34.0/public/file.te
+++ b/prebuilts/api/34.0/public/file.te
@@ -287,6 +287,8 @@
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/private/access_vectors b/private/access_vectors
index adb3a61..32d73dd 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -726,6 +726,7 @@
early_boot_ended
get_attestation_key
get_auth_token
+ get_last_auth_time
get_state
list
lock
diff --git a/private/app.te b/private/app.te
index 3c6e5d0..19cb2e0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -176,11 +176,9 @@
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
diff --git a/private/app_zygote.te b/private/app_zygote.te
index e3869cd..46cea8e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -34,6 +34,8 @@
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
+allow app_zygote properties_device:dir mounton;
+
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
diff --git a/private/artd.te b/private/artd.te
index 3b234bf..acab397 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -137,3 +137,8 @@
# This is needed for getting CPU time and wall time spent on subprocesses.
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);
+
+# Allow artd to reopen its own memfd.
+# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
+# that don't have write permissions on memfds.
+allow artd artd_tmpfs:file open;
diff --git a/private/attributes b/private/attributes
index 77143a3..fe50b0d 100644
--- a/private/attributes
+++ b/private/attributes
@@ -13,4 +13,5 @@
# All SDK sandbox domains
attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 21349df..b8ae9f4 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,8 +18,6 @@
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
diff --git a/private/bootanim.te b/private/bootanim.te
index 2b3c807..f63a230 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -18,3 +18,6 @@
# Allow accessing /data/misc/bootanim
r_dir_file(bootanim, bootanim_data_file)
+
+# Allow accessing vendor apex for EGL/GLES
+allow bootanim vendor_apex_metadata_file:dir r_dir_perms;
diff --git a/private/bug_map b/private/bug_map
index 9aced64..3a78a40 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -19,8 +19,12 @@
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
+mediaprovider_app device_config_media_native_prop file b/308043377
mediaswcodec ashmem_device chr_file b/142679232
+nfc device_config_media_native_prop file b/308043377
+platform_app device_config_media_native_prop file b/308043377
platform_app nfc_data_file dir b/74331887
+platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server system_server capability b/228030183
@@ -29,4 +33,4 @@
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
+zygote labeledfs filesystem b/170748799
\ No newline at end of file
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 96d7dbd..76ffba6 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -7,3 +7,4 @@
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver gpu_device:dir r_dir_perms;
+allow cameraserver virtual_camera:binder call;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 618bb11..ea4ed5d 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -29,6 +29,7 @@
fwk_altitude_service
fwk_camera_service
fwk_sensor_service
+ game_manager_config_prop
grammatical_inflection_service
graphics_config_writable_prop
hal_bluetooth_service
@@ -63,6 +64,7 @@
quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
+ repair_mode_metadata_file
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 750b78c..03887d8 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,14 +9,25 @@
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ hal_authgraph_service
+ vibrator_control_service
hal_codec2_service
+ hal_macsec_service
hal_threadnetwork_service
virtual_camera_service
ot_daemon_service
remote_auth_service
+ security_state_service
+ setupwizard_mode_prop
sysfs_sync_on_suspend
+ tv_ad_service
threadnetwork_service
device_config_aconfig_flags_prop
proc_memhealth
virtual_device_native_service
+ next_boot_prop
+ binderfs_logs_stats
+ drm_forcel3_prop
+ proc_percpu_pagelist_high_fraction
+ vendor_microdroid_file
))
diff --git a/private/coredomain.te b/private/coredomain.te
index f9b47df..dfb08b1 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -15,6 +15,7 @@
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
diff --git a/private/crosvm.te b/private/crosvm.te
index afcaa3d..ed89b87 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,7 +27,7 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file).
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
@@ -39,6 +39,7 @@
apex_compos_data_file
apex_virt_data_file
shell_data_file
+ vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -126,6 +127,7 @@
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
+ -vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
diff --git a/private/domain.te b/private/domain.te
index 1ecb7b6..2f107dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -214,7 +214,6 @@
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
@@ -611,6 +610,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
+ -vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
diff --git a/private/file_contexts b/private/file_contexts
index e928d43..32092da 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -1,4 +1,25 @@
###########################################
+# Entries in this file describe the security context associated with a file
+# path. They are used when building the device image, to include the security
+# context within the extended file attributes of the file system. They are also
+# used at runtime when calling restorecon.
+#
+# Entries are merged with other file_contexts from other partitions (e.g.,
+# vendor or odm, see the full list at libselinux/src/android/android.c).
+#
+# The entries are evaluated by the following rules:
+# - Static entries (that is, not using regular expressions) are always
+# evaluated first.
+# - The first matching entry is used.
+# - Entries are evaluated from the bottom to the top.
+#
+# Based on these rules, it is recommended that the less specific entries appear
+# first. For instance:
+# /dev(/.*)? u:object_r:device:s0
+# /dev/block(/.*)? u:object_r:block_device:s0
+# /dev/block/my_dev u:object_r:my_dev:s0
+#
+
# Root
/ u:object_r:rootfs:s0
@@ -200,7 +221,9 @@
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
#############################
# Linker configuration
#
@@ -333,6 +356,7 @@
/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
@@ -344,7 +368,7 @@
/system/etc/passwd u:object_r:system_passwd_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
@@ -362,7 +386,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
-/system/bin/btfloader u:object_r:bpfloader_exec:s0
+/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
@@ -388,6 +412,7 @@
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
@@ -560,7 +585,6 @@
/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
@@ -635,8 +659,8 @@
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
@@ -679,6 +703,7 @@
/data/vendor_ce/.* u:object_r:vendor_data_file:s0
/data/vendor_de u:object_r:vendor_userdir_file:s0
/data/vendor_de/.* u:object_r:vendor_data_file:s0
+/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
@@ -738,16 +763,7 @@
# Expanded data files
#
/mnt/expand u:object_r:mnt_expand_file:s0
-# CAREFUL: the two system_data_file patterns below can't be replaced with one
-# pattern "/mnt/expand/[^/]+(/.*)?", since SELinux would prioritize that over
-# "/mnt/expand/[^/]+/user". This is because when a path is matched by two
-# patterns that contain regex meta-characters, SELinux just chooses the longer
-# pattern (or the later pattern if the patterns are the same length), rather
-# than the pattern containing fewer regex meta-characters. Splitting the
-# pattern into "/mnt/expand/[^/]+" and "/mnt/expand/[^/]+/.*" works around this
-# problem, except for 1-character filenames which we aren't using.
-/mnt/expand/[^/]+ u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/.* u:object_r:system_data_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
@@ -840,6 +856,7 @@
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
#############################
# asec containers
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index b1a333c..b7f5808 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -34,6 +34,7 @@
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
set_prop(flags_health_check, device_config_camera_native_prop)
set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
+set_prop(flags_health_check, next_boot_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3ec6ab1..41c60df 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -92,6 +92,7 @@
genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
+genfscon proc /sys/vm/percpu_pagelist_high_fraction u:object_r:proc_percpu_pagelist_high_fraction:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -392,6 +393,7 @@
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
genfscon binder /features u:object_r:binderfs_features:s0
genfscon inotifyfs / u:object_r:inotify:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index b662f4f..859c2ec 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -36,7 +36,6 @@
allow gmscore_app perfetto_traces_data_file:file { read getattr };
# Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
diff --git a/private/keystore.te b/private/keystore.te
index cd2ef76..73961ac 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -26,7 +26,7 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
-# Keystore need access to the keystore_key context files to load the keystore key backend.
+# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
# Allow keystore to listen to changing boot levels
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 3833971..868bf15 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -4,10 +4,10 @@
# <namespace> <label>
#
# <namespace> must be an integer in the interval [0 ... 2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
+# su_key is a keystore2_key namespace for the su domain intended for native tests.
0 u:object_r:su_key:s0
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+# shell_key is a keystore2_key namespace for the shell domain intended for native tests.
1 u:object_r:shell_key:s0
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
diff --git a/private/network_stack.te b/private/network_stack.te
index 84c8d4d..8e09be8 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -43,7 +43,6 @@
binder_call(network_stack, netd);
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 1021fd9..066d3d5 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -29,3 +29,6 @@
binder_use(ot_daemon)
add_service(ot_daemon, ot_daemon_service)
binder_call(ot_daemon, system_server)
+
+# Allow OT daemon to write to statsd
+unix_socket_send(ot_daemon, statsdw, statsd)
diff --git a/private/priv_app.te b/private/priv_app.te
index b911bc0..cadefe1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -150,7 +150,7 @@
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
+dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/profman.te b/private/profman.te
index 390f83e..7ad49b2 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -10,3 +10,8 @@
# Allow profman to use file descriptors passed from privileged programs.
allow profman { artd installd }:fd use;
+
+# Allow profman to read from memfd created by artd.
+# profman needs to read the embedded profile that artd extracts from an APK,
+# which is passed by a memfd.
+allow profman artd_tmpfs:file { getattr read map lock };
diff --git a/private/property.te b/private/property.te
index b7ff516..d599751 100644
--- a/private/property.te
+++ b/private/property.te
@@ -32,6 +32,7 @@
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(next_boot_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
@@ -57,6 +58,7 @@
system_internal_prop(sensors_config_prop)
system_internal_prop(hypervisor_pvmfw_prop)
system_internal_prop(hypervisor_virtualizationmanager_prop)
+system_internal_prop(game_manager_config_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -604,6 +606,12 @@
neverallow {
domain
-init
+ -vendor_init
+} setupwizard_mode_prop:property_service set;
+
+neverallow {
+ domain
+ -init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
diff --git a/private/property_contexts b/private/property_contexts
index 715e2f9..9187e60 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -280,6 +280,9 @@
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
persist.device_config.tethering_u_or_later_native. u:object_r:device_config_tethering_u_or_later_native_prop:s0
+# Properties that is for staging
+next_boot. u:object_r:next_boot_prop:s0
+
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -336,6 +339,10 @@
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
+# OEMs can set this prop at build time to configure how many seconds to delay
+# merge after installing a Virtual AB OTA. The default behavior is to start
+# merge immediately.
+ro.virtual_ab.merge_delay_seconds u:object_r:virtual_ab_prop:s0 exact int
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -414,6 +421,7 @@
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
ro.camera.disableJpegR u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCompositeAPI0JpegR u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableVirtualCamera u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
@@ -510,6 +518,7 @@
keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
+media.c2.hal.selection u:object_r:codec2_config_prop:s0 exact enum aidl hidl
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.resolution.limit.32bit u:object_r:media_config_prop:s0 exact int
@@ -823,6 +832,7 @@
drm.64bit.enabled u:object_r:mediadrm_config_prop:s0 exact bool
media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool
+persist.drm.forcel3.enabled u:object_r:drm_forcel3_prop:s0 exact bool
drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool
@@ -857,9 +867,8 @@
persist.libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
# shell-only props for ARM memory tagging (MTE).
-arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
-persist.arm64.memtag.app_default u:object_r:arm64_memtag_prop:s0 exact string
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
@@ -1128,9 +1137,11 @@
ro.product.device_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.manufacturer_for_attestation u:object_r:build_attestation_prop:s0 exact string
-# GRF property for the first api level of the vendor partition
+# Vendor API level properties for the vFRC and GRF
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.board.api_frozen u:object_r:build_vendor_prop:s0 exact bool
+ro.llndk.api_level u:object_r:build_vendor_prop:s0 exact int
ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
@@ -1342,6 +1353,8 @@
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.clear_slots_with_set_layer_buffer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.prime_shader_cache.ultrahdr u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.game_default_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact int
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1423,6 +1436,8 @@
ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+ro.vulkan.apex u:object_r:graphics_config_prop:s0 exact string
+
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
@@ -1473,6 +1488,8 @@
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.mode u:object_r:setupwizard_mode_prop:s0 exact string
+
setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
@@ -1587,3 +1604,6 @@
# Properties for sensor service
sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
+
+# Propertues for game manager service
+persist.graphics.game_default_frame_rate.enabled u:object_r:game_manager_config_prop:s0 exact bool
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
index d45da88..bb15057 100644
--- a/private/sdk_sandbox_34.te
+++ b/private/sdk_sandbox_34.te
@@ -3,89 +3,7 @@
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
net_domain(sdk_sandbox_34)
app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
- activity_service
- activity_task_service
- appops_service
- audio_service
- audioserver_service
- batteryproperties_service
- batterystats_service
- cameraserver_service
- connectivity_service
- connmetrics_service
- deviceidle_service
- display_service
- dropbox_service
- ephemeral_app_api_service
- font_service
- game_service
- gpu_service
- graphicsstats_service
- hardware_properties_service
- hint_service
- imms_service
- input_method_service
- input_service
- IProxyService_service
- ipsec_service
- launcherapps_service
- legacy_permission_service
- light_service
- locale_service
- media_communication_service
- mediadrmserver_service
- mediaextractor_service
- mediametrics_service
- media_projection_service
- media_router_service
- mediaserver_service
- media_session_service
- memtrackproxy_service
- midi_service
- netpolicy_service
- netstats_service
- network_management_service
- notification_service
- package_service
- permission_checker_service
- permission_service
- permissionmgr_service
- platform_compat_service
- power_service
- procstats_service
- radio_service
- registry_service
- restrictions_service
- rttmanager_service
- search_service
- selection_toolbar_service
- sensor_privacy_service
- sensorservice_service
- servicediscovery_service
- settings_service
- speech_recognition_service
- statusbar_service
- storagestats_service
- surfaceflinger_service
- telecom_service
- tethering_service
- textclassification_service
- textservices_service
- texttospeech_service
- thermal_service
- translation_service
- tv_iapp_service
- tv_input_service
- uimode_service
- vcn_management_service
- webviewupdate_service
-}:service_manager find;
-
diff --git a/private/sdk_sandbox_audit.te b/private/sdk_sandbox_audit.te
new file mode 100644
index 0000000..bb531ca
--- /dev/null
+++ b/private/sdk_sandbox_audit.te
@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+ cameraserver_service
+ ephemeral_app_api_service
+ mediadrmserver_service
+ radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:dir rw_dir_perms;
diff --git a/private/sdk_sandbox_current.te b/private/sdk_sandbox_current.te
new file mode 100644
index 0000000..55e5bc1
--- /dev/null
+++ b/private/sdk_sandbox_current.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index bc68209..9a76f69 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -13,6 +13,7 @@
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# isSdkSandboxNext (boolean)
+# isSdkSandboxAudit (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -49,10 +50,30 @@
# to provide isolated processes with relaxed security restrictions.
# An unspecified isIsolatedComputeApp defaults to false.
#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
# An unspecified isSdkSandboxNext defaults to false.
#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -174,6 +195,7 @@
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index a1fb06b..c269196 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,6 +51,7 @@
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.macsec.IMacsecPskPlugin/default u:object_r:hal_macsec_service:s0
android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
@@ -89,6 +90,7 @@
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
@@ -368,6 +370,7 @@
search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+security_state u:object_r:security_state_service:s0
selection_toolbar u:object_r:selection_toolbar_service:s0
sensorservice u:object_r:sensorservice_service:s0
sensor_privacy u:object_r:sensor_privacy_service:s0
@@ -420,6 +423,7 @@
translation u:object_r:translation_service:s0
transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
+tv_ad u:object_r:tv_ad_service:s0
tv_interactive_app u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
@@ -433,6 +437,7 @@
uwb u:object_r:uwb_service:s0
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
+vibrator_control u:object_r:vibrator_control_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
virtualdevice u:object_r:virtual_device_service:s0
virtualdevice_native u:object_r:virtual_device_native_service:s0
diff --git a/private/shell.te b/private/shell.te
index 8564050..f32395e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index d0d88e9..06b0feb 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -52,6 +52,7 @@
set_prop(system_app, usb_control_prop)
set_prop(system_app, usb_prop)
set_prop(system_app, log_tag_prop)
+set_prop(system_app, drm_forcel3_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app usb_control_prop:property_service set;
@@ -120,26 +121,6 @@
# Ignore access to zram when Debug.getMemInfo is called.
dontaudit system_app sysfs_zram:dir search;
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
allow system_app keystore:keystore2_key {
delete
get_info
diff --git a/private/system_server.te b/private/system_server.te
index 68a0609..97e64af 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -306,6 +306,7 @@
# Use HALs
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio)
+hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
@@ -774,6 +775,9 @@
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)
+# staged flag properties
+set_prop(system_server, next_boot_prop)
+
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)
@@ -924,6 +928,9 @@
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file rw_file_perms;
+# Read /sys/fs/selinux/policy
+allow system_server kernel:security read_policy;
+
add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
allow system_server audioserver_service:service_manager find;
@@ -970,34 +977,13 @@
add_service(system_server, batteryproperties_service)
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
allow system_server keystore:keystore2 {
add_auth
change_password
change_user
clear_ns
clear_uid
- get_state
+ get_last_auth_time
lock
pull_metrics
reset
@@ -1199,6 +1185,9 @@
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit system_server self:key_socket getopt;
# Allow system_server to start clatd in its own domain and kill it.
domain_auto_trans(system_server, clatd_exec, clatd)
@@ -1337,6 +1326,7 @@
device_config_aconfig_flags_prop
device_config_window_manager_native_boot_prop
device_config_tethering_u_or_later_native_prop
+ next_boot_prop
}:property_service set;
# Only allow system_server and init to set tuner_server_ctl_prop
@@ -1453,6 +1443,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
@@ -1557,3 +1550,11 @@
# Allow system server to set dynamic ART properties.
set_prop(system_server, dalvik_dynamic_config_prop)
+
+# Allow system server to read binderfs
+allow system_server binderfs_logs:dir r_dir_perms;
+allow system_server binderfs_logs_stats:file r_file_perms;
+
+# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
+set_prop(system_server, game_manager_config_prop)
+
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index c39625d..765a59f 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -1,16 +1,20 @@
# virtual_camera - virtual camera daemon
type virtual_camera, domain, coredomain;
+type virtual_camera_exec, system_file_type, exec_type, file_type;
-app_domain(virtual_camera)
+init_daemon_domain(virtual_camera)
-allow virtual_camera system_app_data_file:dir create_dir_perms;
-allow virtual_camera system_app_data_file:file create_file_perms;
+# Since virtual_camera is not a real HAL we don't set the
+# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
+# we actually need from halserverdomain and hal_camera_server:
+binder_use(virtual_camera)
-allow virtual_camera activity_service:service_manager find;
+# Allow virtual_camera to use fd from apps
+allow virtual_camera { appdomain -isolated_app }:fd use;
-# hal_server_domain adds this rule to prevent any other domain from adding
-# a virtual_camera_service. We cannot mix app_domain and hal_server_domain
-# so we use app_domain and manully add the neverallow
-allow virtual_camera virtual_camera_service:service_manager add;
-neverallow { domain -virtual_camera} virtual_camera_service:service_manager add;
+# Only allow virtual_camera to add a virtual_camera_service and no one else.
+add_service(virtual_camera, virtual_camera_service);
+
+# Allow virtual_camera to map graphic buffers
+hal_client_domain(virtual_camera, hal_graphics_allocator)
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d6f0e19..871d3f2 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -94,6 +94,9 @@
allow virtualizationmanager shell_data_file:file open;
')
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 0556950..7b05af2 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -83,6 +83,8 @@
allow webview_zygote system_data_file:lnk_file r_file_perms;
+allow webview_zygote properties_device:dir mounton;
+
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
diff --git a/private/zygote.te b/private/zygote.te
index 788dafe..4815ecc 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -76,6 +76,8 @@
user_profile_data_file
# /storage/emulated/$userId/Android/{data,obb}
media_rw_data_file
+ # /dev/__properties__
+ properties_device
}:dir { mounton search };
# Traverse /data_mirror to get to the above directories while their normal paths
diff --git a/public/attributes b/public/attributes
index d2b2cc1..fa47b25 100644
--- a/public/attributes
+++ b/public/attributes
@@ -331,6 +331,7 @@
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
+hal_attribute(authgraph);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
@@ -364,6 +365,7 @@
hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
+hal_attribute(macsec);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
diff --git a/public/domain.te b/public/domain.te
index bed0d7d..ec8b247 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -337,10 +337,6 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
-
###
### neverallow rules
###
@@ -440,6 +436,10 @@
neverallow * init:binder *;
neverallow * vendor_init:binder *;
+# Binderfs logs contain sensitive information about other processes.
+neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
+
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3748605..496d95974 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
+dump_hal(hal_authgraph)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
@@ -379,6 +380,7 @@
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
+allow dumpstate binderfs_logs_stats:file r_file_perms;
use_apex_info(dumpstate)
diff --git a/public/file.te b/public/file.te
index 72f511b..142e167 100644
--- a/public/file.te
+++ b/public/file.te
@@ -7,6 +7,7 @@
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
+type binderfs_logs_stats, fs_type;
type binderfs_features, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
@@ -15,6 +16,7 @@
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
type proc_watermark_boost_factor, fs_type, proc_type;
+type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -253,6 +255,8 @@
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+type vendor_microdroid_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
@@ -289,6 +293,8 @@
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 8cf2411..eab38dd 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -17,7 +17,6 @@
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index d48c5f8..0035bc6 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -22,7 +22,6 @@
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
allow gatekeeperd authorization_service:service_manager find;
diff --git a/public/hal_authgraph.te b/public/hal_authgraph.te
new file mode 100644
index 0000000..f053cb0
--- /dev/null
+++ b/public/hal_authgraph.te
@@ -0,0 +1,7 @@
+binder_call(hal_authgraph_client, hal_authgraph_server)
+
+hal_attribute_service(hal_authgraph, hal_authgraph_service)
+binder_call(hal_authgraph_server, servicemanager)
+
+allow hal_authgraph_server tee_device:chr_file rw_file_perms;
+allow hal_authgraph_server ion_device:chr_file r_file_perms;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 34ca0b2..0ee0c5f 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -13,6 +13,8 @@
# Permit reading device's serial number from system properties
get_prop(hal_drm_server, serialno_prop)
+# Permit reading force L3 system property
+get_prop(hal_drm_server, drm_forcel3_prop)
# Read files already opened under /data
allow hal_drm system_data_file:file { getattr read };
diff --git a/public/hal_macsec.te b/public/hal_macsec.te
new file mode 100644
index 0000000..27225db
--- /dev/null
+++ b/public/hal_macsec.te
@@ -0,0 +1,7 @@
+# Binder IPC from client to server, and callbacks
+binder_call(hal_macsec_client, hal_macsec_server)
+binder_call(hal_macsec_server, hal_macsec_client)
+
+hal_attribute_service(hal_macsec, hal_macsec_service)
+
+binder_use(hal_macsec_server)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index c902495..85b8e8c 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -12,3 +12,6 @@
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
allow hal_vibrator sysfs_vibrator:dir search;
+
+# Allow HAL vibrator to control some parameters of a vibration, such as scaling.
+allow hal_vibrator vibrator_control_service:service_manager find;
diff --git a/public/init.te b/public/init.te
index e552ec2..29dd42d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -26,7 +26,7 @@
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
diff --git a/public/property.te b/public/property.te
index 67463a5..44b0aef 100644
--- a/public/property.te
+++ b/public/property.te
@@ -75,6 +75,7 @@
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_vendor_system_native_boot_prop)
+system_restricted_prop(drm_forcel3_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
@@ -103,7 +104,6 @@
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
system_restricted_prop(config_prop)
@@ -197,6 +197,7 @@
system_vendor_config_prop(dck_prop)
system_vendor_config_prop(tuner_config_prop)
system_vendor_config_prop(usb_uvc_enabled_prop)
+system_vendor_config_prop(setupwizard_mode_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/public/racoon.te b/public/racoon.te
index 00d10a4..b0383f0 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -25,10 +25,3 @@
allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/public/service.te b/public/service.te
index e018e40..11894aa 100644
--- a/public/service.te
+++ b/public/service.te
@@ -212,6 +212,7 @@
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type security_state_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -242,6 +243,7 @@
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_ad_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_iapp_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -253,6 +255,7 @@
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uwb_service, app_api_service, system_server_service, service_manager_type;
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_control_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type virtual_device_service, app_api_service, system_server_service, service_manager_type;
@@ -279,6 +282,7 @@
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
+type hal_authgraph_service, protected_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
@@ -306,6 +310,7 @@
type hal_ivn_service, protected_service, hal_service_type, service_manager_type;
type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
type hal_light_service, protected_service, hal_service_type, service_manager_type;
+type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
type hal_neuralnetworks_service, hal_service_type, service_manager_type;
type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index bcdc322..2887740 100644
--- a/public/su.te
+++ b/public/su.te
@@ -48,7 +48,6 @@
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
diff --git a/public/update_engine.te b/public/update_engine.te
index f879013..6f79902 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -73,3 +73,7 @@
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
allow update_engine snapshotctl_log_data_file:file create_file_perms;
')
+
+# Allow determining filesystems available on system.
+# Needed for checking if overlayfs is enabled
+allow update_engine proc_filesystems:file r_file_perms;
diff --git a/public/wificond.te b/public/wificond.te
index 98db0d7..1bd89f5 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -33,11 +33,8 @@
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)
-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
allow wificond wifi_key:keystore2_key {
get_info
use
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 3c51b67..ab01745 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -59,10 +59,11 @@
Matcher = Is | Glob | Regex
@dataclass
-class AllowRead:
- """Rule checking if scontext can read the entity"""
+class AllowPerm:
+ """Rule checking if scontext has 'perm' to the entity"""
tclass: str
scontext: set[str]
+ perm: str
@dataclass
@@ -71,7 +72,12 @@
pass
-Rule = AllowRead | ResolveType
+Rule = AllowPerm | ResolveType
+
+
+# Helper for 'read'
+def AllowRead(tclass, scontext):
+ return AllowPerm(tclass, scontext, 'read')
def match_path(path: str, matcher: Matcher) -> bool:
@@ -89,17 +95,17 @@
"""Returns error message if scontext can't read the target"""
errors = []
match rule:
- case AllowRead(tclass, scontext):
+ case AllowPerm(tclass, scontext, perm):
# Test every source in scontext(set)
for s in scontext:
te_rules = list(pol.QueryTERule(scontext={s},
tcontext={tcontext},
tclass={tclass},
- perms={'read'}))
+ perms={perm}))
if len(te_rules) > 0:
continue # no errors
- errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+ errors.append(f"Error: {path}: {s} can't {perm}. (tcontext={tcontext})")
case ResolveType():
if tcontext not in pol.GetAllTypes(False):
errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
@@ -122,7 +128,7 @@
(Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
# ./ and apex_manifest.pb
(Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
- (Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
+ (Is('./'), AllowPerm('dir', {'linkerconfig', 'apexd'}, 'search')),
# linker.config.pb
(Is('./etc/linker.config.pb'), AllowRead('file', {'linkerconfig'})),
]
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 6e719ed..3fee43d 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -96,7 +96,7 @@
self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
r'Error: .*linkerconfig.* can\'t read')
self.assert_error('./ u:object_r:apex_data_file:s0',
- r'Error: .*linkerconfig.* can\'t read')
+ r'Error: .*linkerconfig.* can\'t search')
def test_unknown_label(self):
self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
index 68511ce..13a7b99 100644
--- a/tests/check_prop_prefix.py
+++ b/tests/check_prop_prefix.py
@@ -76,7 +76,7 @@
print('%d violations found:' % len(violations))
print('\n'.join(violations))
print('******************************')
- print('%s contains properties which are not properly namespaced.' % args.property_contexts)
+ print("vendor's and odm's property_contexts MUST use ONLY vendor-prefixed properties.")
print('This is enforced by VTS, so please fix such offending properties.')
if args.allowed_property_prefix:
print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 21bc87a..02882af 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -228,6 +228,7 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 83c631e..051e24b 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -7,6 +7,7 @@
#include <sepol/module.h>
#include <sepol/policydb/policydb.h>
#include <sepol/sepol.h>
+#include <selinux/context.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
#include <sys/stat.h>
@@ -209,8 +210,14 @@
"If -e is specified, then the context_file is allowed to be empty.\n\n"
"usage2: %s -c file_contexts1 file_contexts2\n\n"
- "Compares two file contexts files and reports one of subset, equal, superset, or incomparable.\n\n",
- name, name);
+ "Compares two file contexts files and reports one of \n"
+ "subset, equal, superset, or incomparable.\n\n"
+
+ "usage3: %s -t file_contexts test_data\n\n"
+ "Validates a file contexts file against test_data.\n"
+ "test_data is a text file where each line has the format:\n"
+ " path expected_type\n\n\n",
+ name, name, name);
exit(1);
}
@@ -264,6 +271,88 @@
printf("%s\n", result_str[result]);
}
+static int warnings = 0;
+static int log_callback(int type, const char *fmt, ...) {
+ va_list ap;
+
+ if (type == SELINUX_WARNING) {
+ warnings += 1;
+ }
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ return 0;
+}
+
+static void do_test_data_and_die_on_error(struct selinux_opt opts[], unsigned int backend,
+ char *paths[])
+{
+ opts[0].value = NULL; /* not validating against a policy */
+ opts[1].value = paths[0];
+ global_state.sepolicy.sehnd[0] = selabel_open(backend, opts, 2);
+ if (!global_state.sepolicy.sehnd[0]) {
+ fprintf(stderr, "Error: could not load context file from %s: %s\n",
+ paths[0], strerror(errno));
+ exit(1);
+ }
+
+ FILE* test_data = fopen(paths[1], "r");
+ if (test_data == NULL) {
+ fprintf(stderr, "Error: could not load test file from %s : %s\n",
+ paths[1], strerror(errno));
+ exit(1);
+ }
+
+ char line[1024];
+ while (fgets(line, sizeof(line), test_data)) {
+ char *path;
+ char *expected_type;
+
+ if (!strcmp(line, "\n") || line[0] == '#') {
+ continue;
+ }
+
+ int ret = sscanf(line, "%ms %ms", &path, &expected_type);
+ if (ret != 2) {
+ fprintf(stderr, "Error: unable to parse the line %s\n", line);
+ exit(1);
+ }
+
+ char *found_context;
+ ret = selabel_lookup(global_state.sepolicy.sehnd[0], &found_context, path, 0);
+ if (ret != 0) {
+ fprintf(stderr, "Error: unable to lookup the path for %s\n", line);
+ exit(1);
+ }
+
+ context_t found = context_new(found_context);
+ const char *found_type = context_type_get(found);
+
+ if (strcmp(found_type, expected_type)) {
+ fprintf(stderr, "Incorrect type for %s: resolved to %s, expected %s\n",
+ path, found_type, expected_type);
+ }
+
+ free(found_context);
+ context_free(found);
+ free(path);
+ free(expected_type);
+ }
+ fclose(test_data);
+
+ // Prints the coverage of file_contexts on the test data. It includes
+ // warnings for rules that have not been hit by any test example.
+ union selinux_callback cb;
+ cb.func_log = log_callback;
+ selinux_set_callback(SELINUX_CB_LOG, cb);
+ selabel_stats(global_state.sepolicy.sehnd[0]);
+ if (warnings) {
+ fprintf(stderr, "No test entries were found for the contexts above. " \
+ "You may need to update %s.\n", paths[1]);
+ exit(1);
+ }
+}
+
static void do_fc_check_and_die_on_error(struct selinux_opt opts[], unsigned int backend, filemode mode,
const char *sepolicy_file, const char *context_file, bool allow_empty)
{
@@ -345,11 +434,12 @@
bool allow_empty = false;
bool compare = false;
+ bool test_data = false;
char c;
filemode mode = filemode_file_contexts;
- while ((c = getopt(argc, argv, "clpsve")) != -1) {
+ while ((c = getopt(argc, argv, "clpsvet")) != -1) {
switch (c) {
case 'c':
compare = true;
@@ -373,6 +463,9 @@
mode = filemode_vendor_service_contexts;
backend = SELABEL_CTX_ANDROID_SERVICE;
break;
+ case 't':
+ test_data = true;
+ break;
case 'h':
default:
usage(argv[0]);
@@ -385,7 +478,7 @@
usage(argv[0]);
}
- if (compare && backend != SELABEL_CTX_FILE) {
+ if ((compare || test_data) && backend != SELABEL_CTX_FILE) {
usage(argv[0]);
}
@@ -393,6 +486,8 @@
if (compare) {
do_compare_and_die_on_error(opts, backend, &(argv[index]));
+ } else if (test_data) {
+ do_test_data_and_die_on_error(opts, backend, &(argv[index]));
} else {
/* remaining args are sepolicy file and context file */
char *sepolicy_file = argv[index];
diff --git a/tools/finalize-sdk-rel.sh b/tools/finalize-sdk-rel.sh
new file mode 100755
index 0000000..80c6fa8
--- /dev/null
+++ b/tools/finalize-sdk-rel.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Copyright (C) 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ $# -ne 2 ]; then
+ echo "Usage: $0 <top> <ver>"
+ exit 1
+fi
+
+top=$1
+ver=$2
+
+mkdir -p "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/public/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/private/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+
+cat > "$top/system/sepolicy/prebuilts/api/${ver}.0/Android.bp" <<EOF
+// Automatically generated file, do not edit!
+se_policy_conf {
+ name: "${ver}.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_${ver}.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_pub_policy.cil",
+ src: ":${ver}.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_product_pub_policy.cil",
+ src: ":${ver}.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.plat_private_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.system_ext_private_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.product_private_${ver}.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_policy.cil",
+ src: ":${ver}.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_${ver}.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "${ver}.0_plat_policy",
+ srcs: [":${ver}.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+EOF
diff --git a/vendor/file_contexts b/vendor/file_contexts
index efe0b71..1c393f1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -76,6 +76,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.macsec-service u:object_r:hal_macsec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
@@ -97,6 +98,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
@@ -125,6 +127,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant_macsec u:object_r:wpa_supplicant_macsec_exec:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
/(vendor|system/vendor)/bin/ot-rcp u:object_r:ot_rcp_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
@@ -168,7 +171,7 @@
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.renderscript@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory\.token@1\.0\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hidl\.safe_union@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/libRSCpuRef\.so u:object_r:same_process_hal_file:s0
diff --git a/vendor/hal_authgraph_default.te b/vendor/hal_authgraph_default.te
new file mode 100644
index 0000000..1676cca
--- /dev/null
+++ b/vendor/hal_authgraph_default.te
@@ -0,0 +1,5 @@
+type hal_authgraph_default, domain;
+hal_server_domain(hal_authgraph_default, hal_authgraph)
+
+type hal_authgraph_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_authgraph_default)
diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
index ab474d6..4b4ee46 100644
--- a/vendor/hal_drm_clearkey.te
+++ b/vendor/hal_drm_clearkey.te
@@ -4,3 +4,4 @@
init_daemon_domain(hal_drm_clearkey_aidl)
hal_server_domain(hal_drm_clearkey_aidl, hal_drm)
+allow hal_drm_clearkey_aidl mediacodec:fd use;
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 0bdb7fd..9ed7a8a 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -32,3 +32,7 @@
# allow to access graphics related properties
get_prop(hal_evs_default, graphics_config_prop);
+get_prop(hal_evs_default, graphics_config_writable_prop)
+
+# allow to use binder IPC.
+binder_use(hal_evs_default)
diff --git a/vendor/hal_macsec_default.te b/vendor/hal_macsec_default.te
new file mode 100644
index 0000000..19b3d16
--- /dev/null
+++ b/vendor/hal_macsec_default.te
@@ -0,0 +1,8 @@
+type hal_macsec_default, domain;
+hal_server_domain(hal_macsec_default, hal_macsec)
+
+type hal_macsec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_macsec_default)
+
+# Allow registering with service manager.
+binder_call(hal_macsec_default, servicemanager)
diff --git a/vendor/wpa_supplicant_macsec.te b/vendor/wpa_supplicant_macsec.te
new file mode 100644
index 0000000..1b90ac7
--- /dev/null
+++ b/vendor/wpa_supplicant_macsec.te
@@ -0,0 +1,28 @@
+# wpa supplicant macsec or equivalent
+type wpa_supplicant_macsec, domain;
+type wpa_supplicant_macsec_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(wpa_supplicant_macsec)
+
+net_domain(wpa_supplicant_macsec)
+
+# Allow wpa_supplicant to configure nl80211
+allow wpa_supplicant_macsec proc_net_type:file write;
+
+# in addition to ioctls allowlisted for all domains, grant wpa_supplicant_macsec priv_sock_ioctls.
+allowxperm wpa_supplicant_macsec self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(wpa_supplicant_macsec, sysfs_type)
+r_dir_file(wpa_supplicant_macsec, proc_net_type)
+
+allow wpa_supplicant_macsec self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow wpa_supplicant_macsec cgroup:dir create_dir_perms;
+allow wpa_supplicant_macsec cgroup_v2:dir create_dir_perms;
+allow wpa_supplicant_macsec self:netlink_route_socket nlmsg_write;
+allow wpa_supplicant_macsec self:netlink_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:packet_socket create_socket_perms;
+allowxperm wpa_supplicant_macsec self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+binder_use(wpa_supplicant_macsec)
+hal_client_domain(wpa_supplicant_macsec, hal_macsec)
+