Merge "Add Adam to OWNERS."
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 35ef891..507d665 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
index 207704d..286d698 100644
--- a/apex/com.android.runtime.release-file_contexts
+++ b/apex/com.android.runtime.release-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/profman u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/private/adbd.te b/private/adbd.te
index 23f3c92..0b42672 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -167,6 +167,11 @@
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
+# Connect to shell and use a socket transferred from it.
+# Used for e.g. abb.
+allow adbd shell:unix_stream_socket { read write };
+allow adbd shell:fd use;
+
###
### Neverallow rules
###
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 10b0b3b..6ebbd43 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -47,7 +47,7 @@
neverallow all_untrusted_apps rs_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
-# Block calling execve() in app /data/data files.
+# Block calling execve() on files in an apps home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
@@ -58,17 +58,6 @@
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
-# Block calling dlopen() in app /data/data files.
-# This is a W^X violation (loading executable code from a writable
-# home directory). For compatibility, allow for targetApi <= 28.
-# b/112357170
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -runas_app
-} app_data_file:file execute;
-
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 588c138..f40ca77 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -121,6 +121,8 @@
mnt_product_file
mnt_vendor_file
netd_stable_secret_prop
+ network_stack
+ network_stack_service
network_watchlist_data_file
network_watchlist_service
overlayfs_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index e63d226..88cf5d6 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -109,6 +109,8 @@
metadata_file
mnt_product_file
mnt_vendor_file
+ network_stack
+ network_stack_service
network_watchlist_data_file
network_watchlist_service
overlayfs_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 222f381..8247614 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -35,6 +35,7 @@
fwk_stats_hwservice
color_display_service
hal_atrace_hwservice
+ hal_face_hwservice
hal_health_storage_hwservice
hal_power_stats_hwservice
hal_system_suspend_default
@@ -62,13 +63,18 @@
mediaswcodec_exec
mediaswcodec_tmpfs
mnt_product_file
+ network_stack
+ network_stack_service
overlayfs_file
permissionmgr_service
recovery_socket
role_service
+ rs
+ rs_exec
rss_hwm_reset
rss_hwm_reset_exec
runtime_service
+ sensor_privacy_service
super_block_device
system_lmk_prop
system_suspend_hwservice
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 92fd325..4935f33 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -22,7 +22,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
-allow ephemeral_app app_data_file:file r_file_perms;
+allow ephemeral_app app_data_file:file { r_file_perms execute };
# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)
diff --git a/private/file_contexts b/private/file_contexts
index fd3e1dc..13d87ff 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -382,6 +382,14 @@
/(product_services|system/product_services)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
#############################
+# Vendor files from /(product|system/product)/vendor_overlay
+#
+# NOTE: For additional vendor file contexts for vendor overlay files,
+# use device specific file_contexts.
+#
+/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
+
+#############################
# Data files
#
# NOTE: When modifying existing label rules, changes may also need to
diff --git a/private/heapprofd.te b/private/heapprofd.te
index b7013d7..5a17990 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -6,6 +6,9 @@
set_prop(heapprofd, heapprofd_prop);
userdebug_or_eng(`
+ # TODO(fmayer): We will also need this on user to read /proc/<pid>/cmdline
+ # and send signals.
+ typeattribute heapprofd mlstrustedsubject;
# Allow to send signal to processes.
# This excludes SIGKILL, SIGSTOP and SIGCHLD,
# which are controlled by separate permissions.
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index f64eccd..1fead40 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@
android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
+android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0
android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
diff --git a/private/network_stack.te b/private/network_stack.te
new file mode 100644
index 0000000..d250ebd
--- /dev/null
+++ b/private/network_stack.te
@@ -0,0 +1,25 @@
+# Networking service app
+typeattribute network_stack coredomain;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+allow network_stack activity_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack wifi_service:service_manager find;
+allow network_stack connmetrics_service:service_manager find;
+
+binder_call(network_stack, netd);
diff --git a/private/rs.te b/private/rs.te
index 9229ed9..56f8dfc 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,6 +1,3 @@
-type rs, domain, coredomain;
-type rs_exec, system_file_type, exec_type, file_type;
-
# Any files which would have been created as app_data_file
# will be created as rs_data_file instead.
allow rs app_data_file:dir ra_dir_perms;
diff --git a/private/runas_app.te b/private/runas_app.te
index 00baa83..b976b91 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -6,7 +6,6 @@
net_domain(runas_app)
bluetooth_domain(runas_app)
-# The ability to call exec() or dlopen() on app /data/data
-# files when using run-as on a debuggable app.
-# Needed by simpleperf.
-allow runas_app app_data_file:file { execute_no_trans execute };
+# The ability to call exec() on files in the apps home directories
+# when using run-as on a debuggable app. Needed by simpleperf.
+allow runas_app app_data_file:file execute_no_trans;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 55391ea..37f7872 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -106,6 +106,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=network_stack seinfo=platform name=com.google.android.networkstack domain=network_stack levelFrom=all
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/private/service_contexts b/private/service_contexts
index c90f93b..51980ad 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -118,6 +118,7 @@
netd u:object_r:netd_service:s0
netpolicy u:object_r:netpolicy_service:s0
netstats u:object_r:netstats_service:s0
+network_stack u:object_r:network_stack_service:s0
network_management u:object_r:network_management_service:s0
network_score u:object_r:network_score_service:s0
network_time_update_service u:object_r:network_time_update_service:s0
@@ -155,6 +156,7 @@
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
+sensor_privacy u:object_r:sensor_privacy_service:s0
serial u:object_r:serial_service:s0
servicediscovery u:object_r:servicediscovery_service:s0
settings u:object_r:settings_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index ed864f5..b8e0511 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -205,6 +205,7 @@
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_face)
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 0db825a..6f92ef5 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -45,10 +45,10 @@
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
-# The ability to call exec() or dlopen() on files in the apps home
-# directories for targetApi<=25. This is also allowed for targetAPIs 26,
-# 27, and 28 in untrusted_app_27.te.
-allow untrusted_app_25 app_data_file:file { execute execute_no_trans };
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index f3b9df8..be155c9 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -27,9 +27,9 @@
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)
-# The ability to call exec() or dlopen() on files in the apps home
-# directories for targetApi 26, 27, and 28.
-allow untrusted_app_27 app_data_file:file { execute execute_no_trans };
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 2c81ebd..aebb711 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -23,7 +23,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
-allow untrusted_app_all app_data_file:file r_file_perms;
+allow untrusted_app_all app_data_file:file { r_file_perms execute };
# Allow loading and deleting renderscript created shared libraries
# within an application home directory.
diff --git a/public/app.te b/public/app.te
index 94acac7..0a5f0b4 100644
--- a/public/app.te
+++ b/public/app.te
@@ -358,8 +358,8 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability_class_set *;
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
diff --git a/public/attributes b/public/attributes
index 37c2b94..bc3723c 100644
--- a/public/attributes
+++ b/public/attributes
@@ -258,6 +258,7 @@
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
+hal_attribute(face);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
diff --git a/public/dumpstate.te b/public/dumpstate.te
index cd3310a..1c8bbb1 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -90,6 +90,7 @@
allow dumpstate {
sysfs_dm
+ sysfs_loop
sysfs_usb
sysfs_zram
}:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 99a2c0d..2a5e6f4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -395,7 +395,7 @@
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
-type heapprofd_socket, file_type, coredomain_socket;
+type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/public/hal_face.te b/public/hal_face.te
new file mode 100644
index 0000000..b250586
--- /dev/null
+++ b/public/hal_face.te
@@ -0,0 +1,12 @@
+# Allow HwBinder IPC from client to server, and vice versa for callbacks.
+binder_call(hal_face_client, hal_face_server)
+binder_call(hal_face_server, hal_face_client)
+
+hal_attribute_hwservice(hal_face, hal_face_hwservice)
+
+# Allow access to the ion memory allocation device.
+allow hal_face ion_device:chr_file r_file_perms;
+
+# Allow read/write access to the face template directory.
+allow hal_face face_vendor_data_file:file create_file_perms;
+allow hal_face face_vendor_data_file:dir rw_dir_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
index 09808b3..a511981 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -20,6 +20,7 @@
type hal_cas_hwservice, hwservice_manager_type;
type hal_dumpstate_hwservice, hwservice_manager_type;
type hal_evs_hwservice, hwservice_manager_type;
+type hal_face_hwservice, hwservice_manager_type;
type hal_fingerprint_hwservice, hwservice_manager_type;
type hal_gatekeeper_hwservice, hwservice_manager_type;
type hal_gnss_hwservice, hwservice_manager_type;
diff --git a/public/netd.te b/public/netd.te
index 241380b..10f1959 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -130,14 +130,20 @@
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
-# only system_server and dumpstate may find netd service
-neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+} netd_service:service_manager find;
# only netd can create the bpf maps
neverallow { domain -netd } netd:bpf { map_create };
# apps may not interact with netd over binder.
-neverallow appdomain netd:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
diff --git a/public/network_stack.te b/public/network_stack.te
new file mode 100644
index 0000000..feff664
--- /dev/null
+++ b/public/network_stack.te
@@ -0,0 +1,2 @@
+# Network stack service app
+type network_stack, domain;
diff --git a/public/rs.te b/public/rs.te
new file mode 100644
index 0000000..16b6e96
--- /dev/null
+++ b/public/rs.te
@@ -0,0 +1,2 @@
+type rs, domain, coredomain;
+type rs_exec, system_file_type, exec_type, file_type;
diff --git a/public/service.te b/public/service.te
index 606602d..cc1bc9f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -118,6 +118,7 @@
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_stack_service, system_server_service, service_manager_type;
type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
@@ -126,7 +127,7 @@
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permissionmgr_service, system_server_service, service_manager_type;
+type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -144,6 +145,7 @@
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/vold.te b/public/vold.te
index 7e71f16..14286c4 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -78,6 +78,7 @@
# Manage per-user primary symlinks
allow vold mnt_user_file:dir { create_dir_perms mounton };
allow vold mnt_user_file:lnk_file create_file_perms;
+allow vold mnt_user_file:file create_file_perms;
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index f2d600a..0851d3b 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -242,7 +242,10 @@
ret += "policy without an entry into the compatibility mapping file(s) "
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
+ ret += "See examples of how to fix this:\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/781036\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/852612\n"
return ret
###
@@ -265,7 +268,9 @@
ret += "policy without a declaration in the compatibility mapping "
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
+ ret += "See examples of how to fix this:\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/822743\n"
return ret
def TestTrebleCompatMapping():
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a6772ca..32e1871 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -24,8 +24,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.2-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
new file mode 100644
index 0000000..891d1f4
--- /dev/null
+++ b/vendor/hal_face_default.te
@@ -0,0 +1,5 @@
+type hal_face_default, domain;
+hal_server_domain(hal_face_default, hal_face)
+
+type hal_face_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_face_default)