Merge "Fix selinux denials when applying updates in recovery." into qt-dev
diff --git a/prebuilts/api/29.0/private/app_neverallows.te b/prebuilts/api/29.0/private/app_neverallows.te
index 3c5b921..23e1fd2 100644
--- a/prebuilts/api/29.0/private/app_neverallows.te
+++ b/prebuilts/api/29.0/private/app_neverallows.te
@@ -311,9 +311,10 @@
   neverallow all_untrusted_apps {
     halserverdomain
     -coredomain
+    -hal_cas_server
+    -hal_codec2_server
     -hal_configstore_server
     -hal_graphics_allocator_server
-    -hal_cas_server
     -hal_neuralnetworks_server
     -hal_omx_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
diff --git a/prebuilts/api/29.0/private/atrace.te b/prebuilts/api/29.0/private/atrace.te
index 8de1826..75be787 100644
--- a/prebuilts/api/29.0/private/atrace.te
+++ b/prebuilts/api/29.0/private/atrace.te
@@ -24,17 +24,7 @@
 # atrace pokes all the binder-enabled processes at startup with a
 # SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
 
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-get_prop(atrace, hwservicemanager_prop)
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
+# Allow discovery of binder services.
 allow atrace {
   service_manager_type
   -apex_service
@@ -50,6 +40,33 @@
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
 
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+  # List HAL interfaces.
+  allow atrace hwservicemanager:hwservice_manager list;
+  # Notify the camera HAL.
+  hal_client_domain(atrace, hal_camera)
+')
+
+# Remove logspam from notification attempts to non-whitelisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
 userdebug_or_eng(`
   # atrace is generally invoked as a standalone binary from shell or perf
   # daemons like Perfetto traced_probes. However, in userdebug builds, there is
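Review bot: `dontaudit atrace domain:binder call;` suppresses every denied binder call from atrace to any domain, not only the notification fan-out this block describes, so a future regression in the explicit allows just above it (healthd, surfaceflinger, system_server, cameraserver) would leave no trace in the audit log; the two `find` dontaudits on `hwservice_manager_type` and `service_manager_type` are likewise policy-wide. If the blanket scope is deliberate because atrace pokes every binder-enabled process, the comment should say that rather than "logspam", e.g. `# atrace tries to poke every binder-enabled process, so denials against domains it has no allow rule for are expected; suppress them policy-wide rather than per domain.` Otherwise scope the dontaudit to the attribute sets the notification actually targets. The same hunk appears in private/atrace.te.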
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
index 2633bcf..d5fca32 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@@ -142,6 +142,8 @@
     vendor_idc_file
     vendor_keychars_file
     vendor_keylayout_file
+    vendor_misc_writer
+    vendor_misc_writer_exec
     vendor_task_profiles_file
     vrflinger_vsync_service
     watchdogd_tmpfs))
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 037a7d5..3265faf 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -257,6 +257,7 @@
   install_recovery
   userdebug_or_eng(`llkd')
   lmkd
+  migrate_legacy_obb_data
   netd
   perfprofd
   postinstall_dexopt
diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts
index 919c889..530bd45 100644
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@@ -326,6 +326,7 @@
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh       u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 
 #############################
 # Vendor files
@@ -350,6 +351,8 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
+/vendor/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index 6f10955..7b38911 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -90,6 +90,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/prebuilts/api/29.0/private/installd.te b/prebuilts/api/29.0/private/installd.te
index 3693c59..b9e67ae 100644
--- a/prebuilts/api/29.0/private/installd.te
+++ b/prebuilts/api/29.0/private/installd.te
@@ -17,6 +17,10 @@
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
 
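Review bot: `allow installd shell_exec:file rx_file_perms;` is a standing grant on installd itself and carries no comment on why installd, and not only the new domain, needs it; presumably because the target is a shell script and its interpreter is executed under the caller's label as part of the transition. Say so, since a reader could otherwise take it as installd being able to run a shell: `# migrate_legacy_obb_data.sh is a shell script, so installd must also be able to execute its interpreter (shell_exec); execute_no_trans is not granted, so sh cannot run in installd's own domain.` If that is the intent and no existing coredomain rule already pins it, `neverallow installd shell_exec:file execute_no_trans;` would make it enforceable. The same hunk appears in private/installd.te.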
diff --git a/prebuilts/api/29.0/private/mediaserver.te b/prebuilts/api/29.0/private/mediaserver.te
index b1cf64a..635cf4e 100644
--- a/prebuilts/api/29.0/private/mediaserver.te
+++ b/prebuilts/api/29.0/private/mediaserver.te
@@ -6,3 +6,5 @@
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
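Review bot: Besides `hal_client_domain(mediaserver, hal_codec2)` this hunk adds a blank line at end of file that the file did not have before (the hunk header shows it ended on the hal_omx line). The bufferhubd.te, hal_codec2.te and mediaswcodec.te hunks add the same trailing blank; drop them. The same applies to the private/mediaserver.te copy of this hunk.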
diff --git a/prebuilts/api/29.0/private/migrate_legacy_obb_data.te b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
new file mode 100644
index 0000000..4bc1e2c
--- /dev/null
+++ b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
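Review bot: `allow migrate_legacy_obb_data installd:file read;` grants more than the comment above it suggests: entries under /proc/<pid>/ carry the owning process's domain label, so this rule covers installd's whole /proc tree (cmdline, environ, maps, and so on), not just the mount table, and SELinux cannot narrow it to one entry. The comment should say that, and both TODOs should reference a tracking bug rather than stay open questions in a domain that also holds `chown dac_override dac_read_search fowner fsetid`, e.g. `# Reading installd:file covers every /proc/<installd pid>/ entry, not only mounts. TODO(b/<bug id>): find out which entry is actually needed and whether the read can be avoided.` The path in the existing comment is also `/proc/{parent_pid}/mount`; the procfs entry is `mounts`. The same file is added under private/migrate_legacy_obb_data.te.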
diff --git a/prebuilts/api/29.0/private/statsd.te b/prebuilts/api/29.0/private/statsd.te
index 99548a0..9d250bd 100644
--- a/prebuilts/api/29.0/private/statsd.te
+++ b/prebuilts/api/29.0/private/statsd.te
@@ -18,3 +18,6 @@
 
 # Allow incidentd to obtain the statsd incident section.
 allow statsd incidentd:fifo_file write;
+
+# Allow StatsCompanionService to pipe data to statsd.
+allow statsd system_server:fifo_file { read getattr };
diff --git a/prebuilts/api/29.0/private/surfaceflinger.te b/prebuilts/api/29.0/private/surfaceflinger.te
index b1aa775..1236627 100644
--- a/prebuilts/api/29.0/private/surfaceflinger.te
+++ b/prebuilts/api/29.0/private/surfaceflinger.te
@@ -15,6 +15,7 @@
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 0d02657..f551780 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -116,6 +116,7 @@
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -206,6 +207,7 @@
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -275,6 +277,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/prebuilts/api/29.0/private/technical_debt.cil b/prebuilts/api/29.0/private/technical_debt.cil
index d1215fe..289f69e 100644
--- a/prebuilts/api/29.0/private/technical_debt.cil
+++ b/prebuilts/api/29.0/private/technical_debt.cil
@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;
diff --git a/prebuilts/api/29.0/public/attributes b/prebuilts/api/29.0/public/attributes
index 67979da..857efc5 100644
--- a/prebuilts/api/29.0/public/attributes
+++ b/prebuilts/api/29.0/public/attributes
@@ -252,6 +252,7 @@
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(cas);
+hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
@@ -305,7 +306,6 @@
 
 attribute camera_service_server;
 attribute display_service_server;
-attribute mediaswcodec_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
diff --git a/prebuilts/api/29.0/public/bufferhubd.te b/prebuilts/api/29.0/public/bufferhubd.te
index 7acfa69..37edb5d 100644
--- a/prebuilts/api/29.0/public/bufferhubd.te
+++ b/prebuilts/api/29.0/public/bufferhubd.te
@@ -19,3 +19,7 @@
 # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
 # Thus, there is no need to use pdx_client macro.
 allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/prebuilts/api/29.0/public/cameraserver.te b/prebuilts/api/29.0/public/cameraserver.te
index b2ee301..13ef1f7 100644
--- a/prebuilts/api/29.0/public/cameraserver.te
+++ b/prebuilts/api/29.0/public/cameraserver.te
@@ -62,6 +62,7 @@
 
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 6493ca4..6866e51 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -603,6 +603,7 @@
   -uncrypt
   -update_engine
   -vendor_init
+  -vendor_misc_writer
   -vold
   -recovery
   -ueventd
@@ -1062,8 +1063,8 @@
   -system_server
 
   # Processes that can't exec crash_dump
+  -hal_codec2_server
   -hal_omx_server
-  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
@@ -1393,7 +1394,7 @@
 
 neverallow {
   domain
-  -mediaswcodec_server
+  -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
 
diff --git a/prebuilts/api/29.0/public/dumpstate.te b/prebuilts/api/29.0/public/dumpstate.te
index 2906b5b..c748b5d 100644
--- a/prebuilts/api/29.0/public/dumpstate.te
+++ b/prebuilts/api/29.0/public/dumpstate.te
@@ -72,11 +72,13 @@
   mediaswcodec
   sdcardd
   surfaceflinger
+  vold
 
   # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_drm_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
diff --git a/prebuilts/api/29.0/public/hal_audio.te b/prebuilts/api/29.0/public/hal_audio.te
index a1c098f..bb9eec4 100644
--- a/prebuilts/api/29.0/public/hal_audio.te
+++ b/prebuilts/api/29.0/public/hal_audio.te
@@ -32,7 +32,7 @@
 neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
+neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
 
 get_prop(hal_audio, bluetooth_a2dp_offload_prop)
 get_prop(hal_audio, bluetooth_audio_hal_prop)
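Review bot: The comment `# Only audio HAL may directly access the audio hardware` is no longer true once `-hal_omx_server` is carved out of the neverallow, and the hunk gives no reason for letting OMX HAL servers at audio_device chr_files. Because this widens what vendor OMX implementations may touch, the rationale belongs next to the rule: `# Only the audio HAL, and OMX HAL servers that <reason for the OMX exemption>, may directly access the audio hardware`. The same change is made in public/hal_audio.te.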
diff --git a/prebuilts/api/29.0/public/hal_codec2.te b/prebuilts/api/29.0/public/hal_codec2.te
new file mode 100644
index 0000000..60cd3b0
--- /dev/null
+++ b/prebuilts/api/29.0/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
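Review bot: The comment `# Allow both server and client access to ion` sits above only the server rule; the client rule `allow hal_codec2_client ion_device:chr_file r_file_perms;` is detached at the end of the file, so the comment does not match the rule under it. Move the client line directly beneath that comment. Note that the technical_debt.cil hunk expands hal_codec2_client to every non-isolated app, so that line is an app-wide ion read grant; it mirrors hal_omx_client and is presumably already held through it, but a short comment to that effect would save the next reader the search. The public/hal_codec2.te copy of this file begins after the visible part of the diff.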
diff --git a/prebuilts/api/29.0/public/hal_omx.te b/prebuilts/api/29.0/public/hal_omx.te
index 656b03a..707cae8 100644
--- a/prebuilts/api/29.0/public/hal_omx.te
+++ b/prebuilts/api/29.0/public/hal_omx.te
@@ -1,7 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
 
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
@@ -21,9 +20,6 @@
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index 69c11d6..c5fc9b4 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -46,6 +46,8 @@
   userdata_block_device
 }:{ blk_file lnk_file } relabelto;
 
+allow init super_block_device:lnk_file relabelto;
+
 # setrlimit
 allow init self:global_capability_class_set sys_resource;
 
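Review bot: `allow init super_block_device:lnk_file relabelto;` arrives without a comment and stands apart from the `{ blk_file lnk_file } relabelto` set immediately above it, so it is unclear whether super_block_device was deliberately given only lnk_file (and not blk_file) relabel rights or simply missed that list. If deliberate, say so: `# init relabels only the symlink for the super partition; the block node itself is not relabeled here.` Otherwise fold the type into the set above. The public/init.te copy of this hunk is beyond the visible part of the diff.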
diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te
index dbdb051..70d0a55 100644
--- a/prebuilts/api/29.0/public/mediaserver.te
+++ b/prebuilts/api/29.0/public/mediaserver.te
@@ -86,7 +86,7 @@
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
-# For interfacing with OMX HAL
+# For hybrid interfaces
 allow mediaserver hidl_token_hwservice:hwservice_manager find;
 
 # /oem access
diff --git a/prebuilts/api/29.0/public/mediaswcodec.te b/prebuilts/api/29.0/public/mediaswcodec.te
index e002787..2acdeea 100644
--- a/prebuilts/api/29.0/public/mediaswcodec.te
+++ b/prebuilts/api/29.0/public/mediaswcodec.te
@@ -1,10 +1,27 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
 
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
+
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
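Review bot: `# mediaswcodec_server should never execute any executable without a domain transition` still names the mediaswcodec_server attribute that this same change removes (public/attributes and the deleted swcodec_service_server.te); the neverallow beneath it is now on the mediaswcodec type, so the comment should read `# mediaswcodec should never execute any executable without a domain transition`. The move also dropped the first paragraph of the network-isolation justification (the mediaserver/codec split); keeping at least its first sentence would preserve the why. The public/mediaswcodec.te copy of this hunk is beyond the visible part of the diff.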
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 4fb06a1..94b7569 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -161,6 +161,7 @@
 # vendor-init-readable
 apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
 sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
@@ -390,4 +391,5 @@
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/prebuilts/api/29.0/public/swcodec_service_server.te b/prebuilts/api/29.0/public/swcodec_service_server.te
deleted file mode 100644
index f20d990..0000000
--- a/prebuilts/api/29.0/public/swcodec_service_server.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/29.0/public/vendor_misc_writer.te b/prebuilts/api/29.0/public/vendor_misc_writer.te
new file mode 100644
index 0000000..7093fec
--- /dev/null
+++ b/prebuilts/api/29.0/public/vendor_misc_writer.te
@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
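Review bot: `allow vendor_misc_writer misc_block_device:blk_file w_file_perms;` is a raw write grant on the misc partition, yet nothing in the file records which process is meant to transition into this domain or what it writes; the file lives in public/, so the entry point is presumably supplied by device policy, and the merge title suggests the update/recovery path. The header comment should capture that contract, e.g. `# Vendor helper that writes <what is written> to the misc partition on behalf of <caller>; the only expected entry is through vendor_misc_writer_exec via a transition defined in device policy.` The domain is also carved out of a neverallow in public/domain.te whose head lies outside that hunk, so which restriction it now escapes cannot be checked here; naming it in this file's comment would help. The public/vendor_misc_writer.te copy of this file is beyond the visible part of the diff.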
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 3c5b921..23e1fd2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -311,9 +311,10 @@
   neverallow all_untrusted_apps {
     halserverdomain
     -coredomain
+    -hal_cas_server
+    -hal_codec2_server
     -hal_configstore_server
     -hal_graphics_allocator_server
-    -hal_cas_server
     -hal_neuralnetworks_server
     -hal_omx_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
diff --git a/private/atrace.te b/private/atrace.te
index 8de1826..75be787 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -24,17 +24,7 @@
 # atrace pokes all the binder-enabled processes at startup with a
 # SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
 
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-get_prop(atrace, hwservicemanager_prop)
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
+# Allow discovery of binder services.
 allow atrace {
   service_manager_type
   -apex_service
@@ -50,6 +40,33 @@
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
 
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+  # List HAL interfaces.
+  allow atrace hwservicemanager:hwservice_manager list;
+  # Notify the camera HAL.
+  hal_client_domain(atrace, hal_camera)
+')
+
+# Remove logspam from notification attempts to non-whitelisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
 userdebug_or_eng(`
   # atrace is generally invoked as a standalone binary from shell or perf
   # daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 2633bcf..d5fca32 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -142,6 +142,8 @@
     vendor_idc_file
     vendor_keychars_file
     vendor_keylayout_file
+    vendor_misc_writer
+    vendor_misc_writer_exec
     vendor_task_profiles_file
     vrflinger_vsync_service
     watchdogd_tmpfs))
diff --git a/private/domain.te b/private/domain.te
index 037a7d5..3265faf 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -257,6 +257,7 @@
   install_recovery
   userdebug_or_eng(`llkd')
   lmkd
+  migrate_legacy_obb_data
   netd
   perfprofd
   postinstall_dexopt
diff --git a/private/file_contexts b/private/file_contexts
index 919c889..530bd45 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -326,6 +326,7 @@
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh       u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 
 #############################
 # Vendor files
@@ -350,6 +351,8 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
+/vendor/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
diff --git a/private/incidentd.te b/private/incidentd.te
index 6f10955..7b38911 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -90,6 +90,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/private/installd.te b/private/installd.te
index 3693c59..b9e67ae 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -17,6 +17,10 @@
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
 
diff --git a/private/mediaserver.te b/private/mediaserver.te
index b1cf64a..635cf4e 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -6,3 +6,5 @@
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
diff --git a/private/migrate_legacy_obb_data.te b/private/migrate_legacy_obb_data.te
new file mode 100644
index 0000000..4bc1e2c
--- /dev/null
+++ b/private/migrate_legacy_obb_data.te
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
diff --git a/private/statsd.te b/private/statsd.te
index 99548a0..9d250bd 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -18,3 +18,6 @@
 
 # Allow incidentd to obtain the statsd incident section.
 allow statsd incidentd:fifo_file write;
+
+# Allow StatsCompanionService to pipe data to statsd.
+allow statsd system_server:fifo_file { read getattr };
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index b1aa775..1236627 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -15,6 +15,7 @@
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
diff --git a/private/system_server.te b/private/system_server.te
index 0d02657..f551780 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -116,6 +116,7 @@
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -206,6 +207,7 @@
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -275,6 +277,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index d1215fe..289f69e 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;
diff --git a/public/attributes b/public/attributes
index 67979da..857efc5 100644
--- a/public/attributes
+++ b/public/attributes
@@ -252,6 +252,7 @@
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(cas);
+hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
@@ -305,7 +306,6 @@
 
 attribute camera_service_server;
 attribute display_service_server;
-attribute mediaswcodec_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 7acfa69..37edb5d 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -19,3 +19,7 @@
 # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
 # Thus, there is no need to use pdx_client macro.
 allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/public/cameraserver.te b/public/cameraserver.te
index b2ee301..13ef1f7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -62,6 +62,7 @@
 
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 
diff --git a/public/domain.te b/public/domain.te
index 6493ca4..6866e51 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -603,6 +603,7 @@
   -uncrypt
   -update_engine
   -vendor_init
+  -vendor_misc_writer
   -vold
   -recovery
   -ueventd
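Review bot: `-vendor_misc_writer` is added to an exemption list whose neverallow head lies above the hunk, so the hunk does not show which restriction the new domain is carved out of; the neighbouring entries (uncrypt, update_engine, vold, recovery) suggest it is the block-device write neverallow. Since the new vendor_misc_writer.te grants raw w_file_perms on misc_block_device, an inline justification keeps the audit trail next to the exemption, in the style app_neverallows.te already uses: `-vendor_misc_writer # raw writes to misc_block_device only`. The enclosing neverallow starts outside this hunk.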
@@ -1062,8 +1063,8 @@
   -system_server
 
   # Processes that can't exec crash_dump
+  -hal_codec2_server
   -hal_omx_server
-  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
@@ -1393,7 +1394,7 @@
 
 neverallow {
   domain
-  -mediaswcodec_server
+  -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
 
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2906b5b..c748b5d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -72,11 +72,13 @@
   mediaswcodec
   sdcardd
   surfaceflinger
+  vold
 
   # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_drm_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
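Review bot: `vold` is added to the first group with no comment, and it is unrelated to the Codec2 change that the rest of the hunk makes; the enclosing allow statement starts above the hunk, so the permission being granted to dumpstate over vold is not visible here. A short why-comment on the vold entry would help. The `hal_codec2_server` entry goes into the group whose comment says it mirrors hal_interfaces_to_dump in dumputils/dump_utils.c, so that list should be cross-checked so the two stay in sync.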
diff --git a/public/hal_audio.te b/public/hal_audio.te
index a1c098f..bb9eec4 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -32,7 +32,7 @@
 neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
+neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
 
 get_prop(hal_audio, bluetooth_a2dp_offload_prop)
 get_prop(hal_audio, bluetooth_audio_hal_prop)
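Review bot: The comment `# Only audio HAL may directly access the audio hardware` is now inaccurate: the neverallow additionally exempts hal_omx_server, so vendor policy may grant an OMX server access to audio_device. The exemption should carry its reason, e.g. `# Only the audio HAL (and hal_omx_server, because <reason>) may directly access the audio hardware`, with the placeholder replaced by the actual motivation. Note that after this change mediacodec is both hal_omx_server and hal_codec2_server, so the carve-out reaches the Codec2 process as well.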
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
new file mode 100644
index 0000000..60cd3b0
--- /dev/null
+++ b/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
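Review bot: `allow hal_codec2_client ion_device:chr_file r_file_perms;` at the end of the new file sits apart from the `# Allow both server and client access to ion` comment that describes it; move it directly under the server ion rule so the comment covers both. Because technical_debt.cil makes every non-isolated app a hal_codec2_client, that rule and the `binder_call(hal_codec2_client, hal_codec2_server)` pair apply to all apps — presumably parity with hal_omx_client, but a sentence in the file header should state that the breadth is intended. The bufferhubd rule also dropped the explanation that the deleted swcodec_service_server.te carried (the server never connects to bufferhubd via PDX; a VR app bridges them, so no pdx_client macro is needed) — restore it on the `# Receive gralloc buffer FDs from bufferhubd.` line.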
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 656b03a..707cae8 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -1,7 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
 
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
@@ -21,9 +20,6 @@
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)
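Review bot: Removing `allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;` means any domain that is a hal_omx_client but not a hal_codec2_client loses the ability to find the Codec2 hwservice, since hal_attribute_hwservice in hal_codec2.te only covers hal_codec2_client. The visible hunks add hal_codec2 client rules to cameraserver, mediaswcodec, mediacodec and (via technical_debt.cil) all non-isolated apps, but mediaserver's hunk changes only a comment. Confirm that mediaserver and any other hal_omx_client domain that looks up hal_codec2_hwservice also gets `hal_client_domain(<domain>, hal_codec2)`.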
diff --git a/public/init.te b/public/init.te
index 69c11d6..c5fc9b4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -46,6 +46,8 @@
   userdata_block_device
 }:{ blk_file lnk_file } relabelto;
 
+allow init super_block_device:lnk_file relabelto;
+
 # setrlimit
 allow init self:global_capability_class_set sys_resource;
 
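Review bot: `allow init super_block_device:lnk_file relabelto;` is added without a comment, while the set directly above it grants relabelto on both blk_file and lnk_file, so a reader will wonder whether lnk_file-only is intentional for super_block_device. A one-line why-comment settles it, e.g. `# init relabels only the super partition symlink; <reason the blk_file is not relabeled here>` with the placeholder filled in. This rule is unrelated to the Codec2 changes in the rest of the merge.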
diff --git a/public/mediaserver.te b/public/mediaserver.te
index dbdb051..70d0a55 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -86,7 +86,7 @@
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
-# For interfacing with OMX HAL
+# For hybrid interfaces
 allow mediaserver hidl_token_hwservice:hwservice_manager find;
 
 # /oem access
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index e002787..2acdeea 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -1,10 +1,27 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
 
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
+
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
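Review bot: The comment `# mediaswcodec_server should never execute any executable without a` still names mediaswcodec_server, an attribute this change deletes; the rule beneath it is on the mediaswcodec domain, so change it to `# mediaswcodec should never execute any executable without a domain transition`. The deleted swcodec_service_server.te also carried `allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;`, which has no visible replacement here — confirm that hal_server_domain(mediaswcodec, hal_codec2) supplies it, otherwise service registration will be denied.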
diff --git a/public/property_contexts b/public/property_contexts
index 4fb06a1..94b7569 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -161,6 +161,7 @@
 # vendor-init-readable
 apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
 sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
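Review bot: `persist.sys.device_provisioned` is declared `exact string` while the neighbouring flags `dev.bootcomplete` and `sys.boot_completed` use `exact bool`; if this property only ever carries 0/1, `exact bool` gives vendor_init readers a typed value and rejects anything else. Confirm with the writer in system_server before tightening, since type checks on `exact` entries are enforced on set. This entry is unrelated to the Codec2 change in the rest of the merge.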
@@ -390,4 +391,5 @@
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/swcodec_service_server.te b/public/swcodec_service_server.te
deleted file mode 100644
index f20d990..0000000
--- a/public/swcodec_service_server.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
new file mode 100644
index 0000000..7093fec
--- /dev/null
+++ b/public/vendor_misc_writer.te
@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
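Review bot: The header comment `# vendor_misc_writer` names the domain but not what runs in it or why it needs raw writes; given that `w_file_perms` on misc_block_device lets the process rewrite the misc partition (bootloader control block) and domain.te exempts the domain from a neverallow, a purpose line is warranted, e.g. `# Vendor daemon that writes bootloader messages to the misc partition on behalf of <caller>` with the caller filled in. `allow vendor_misc_writer block_device:dir r_dir_perms;` is presumably there to resolve the device node; a comment saying so ties the two rules together. The two dontaudit rules silence rather than grant, which is the right default for the fstab probe.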
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 5bcbe9a..f81f398 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -4,6 +4,7 @@
 type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_default)
 
+allow hal_drm_default hal_codec2_server:fd use;
 allow hal_drm_default hal_omx_server:fd use;
 allow hal_drm_default { appdomain -isolated_app }:fd use;
 
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 29e1a90..40a5489 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -15,12 +15,29 @@
 # can route /dev/binder traffic to /dev/vndbinder
 vndbinder_use(mediacodec)
 
+hal_server_domain(mediacodec, hal_codec2)
 hal_server_domain(mediacodec, hal_omx)
 
+# mediacodec may use an input surface from a different Codec2 or OMX service
+hal_client_domain(mediacodec, hal_codec2)
+hal_client_domain(mediacodec, hal_omx)
+
 hal_client_domain(mediacodec, hal_allocator)
 hal_client_domain(mediacodec, hal_graphics_allocator)
 
 allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
 
+crash_dump_fallback(mediacodec)
+
+# mediacodec should never execute any executable without a domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
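Review bot: `allow mediacodec ion_device:chr_file rw_file_perms;` overlaps with the `r_file_perms` that the new hal_codec2.te grants hal_codec2_server (which mediacodec now is) and widens it to write for this domain; if the vendor codec needs write access on /dev/ion, a comment saying so would distinguish it from the attribute-level read grant, otherwise drop the rule. mediacodec is now both server and client of hal_codec2 and hal_omx, which the input-surface comment explains adequately.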
diff --git a/vendor/vendor_misc_writer.te b/vendor/vendor_misc_writer.te
new file mode 100644
index 0000000..245749e
--- /dev/null
+++ b/vendor/vendor_misc_writer.te
@@ -0,0 +1 @@
+init_daemon_domain(vendor_misc_writer)