Merge "Revert "Move aidl_lazy_test_server to system_ext""
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 5f20086..a826f7f 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -132,8 +132,9 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
-# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
-# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
+# Only allow app_zygote to talk to the logd socket, and
+# su/heapprofd/traced_perf on eng/userdebug. This is because
+# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
# Think twice before changing.
neverallow app_zygote {
domain
@@ -142,6 +143,7 @@
-system_server
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:unix_dgram_socket *;
neverallow app_zygote {
@@ -149,6 +151,7 @@
-app_zygote
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:unix_stream_socket *;
# Never allow ptrace
diff --git a/private/bluetooth.te b/private/bluetooth.te
index b96fc58..1680361 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -40,6 +40,9 @@
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
# Allow write access to bluetooth specific properties
+set_prop(bluetooth, binder_cache_bluetooth_server_prop);
+neverallow { domain -bluetooth -init }
+ binder_cache_bluetooth_server_prop:property_service set;
set_prop(bluetooth, bluetooth_a2dp_offload_prop)
set_prop(bluetooth, bluetooth_audio_hal_prop)
set_prop(bluetooth, bluetooth_prop)
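Review bot: The added `set_prop(bluetooth, binder_cache_bluetooth_server_prop);` ends with a semicolon, unlike the other set_prop calls in this block. The macro is defined outside this diff but presumably expands to complete rules, so the stray `;` should be dropped: `set_prop(bluetooth, binder_cache_bluetooth_server_prop)`. The new neverallow also sits directly under the "Allow write access" comment, in the middle of the allow list. A comment such as `# Only bluetooth and init may set the bluetooth binder cache keys.` above it would explain the assertion, and the file's neverallow section, if it has one, may be a better place for it.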
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 38d980e..e558a93 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -18,6 +18,7 @@
automotive_display_exec
ashmem_libcutils_device
blob_store_service
+ binder_cache_bluetooth_server_prop
binder_cache_system_server_prop
binderfs
binderfs_logs
@@ -30,6 +31,7 @@
dataloader_manager_service
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ device_config_window_manager_native_boot_prop
exported_camera_prop
file_integrity_service
fwk_automotive_display_hwservice
@@ -74,6 +76,8 @@
system_passwd_file
system_unsolzygote_socket
tethering_service
+ traced_perf
+ traced_perf_socket
timezonedetector_service
untrusted_app_29
usb_serial_device
diff --git a/private/coredomain.te b/private/coredomain.te
index dac061a..44052c3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -29,6 +29,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
} vendor_app_file:dir { open read getattr search };
')
@@ -44,6 +45,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
-mediaserver
} vendor_app_file:file r_file_perms;
')
@@ -60,6 +62,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
-app_zygote
-webview_zygote
-zygote
@@ -78,6 +81,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
-app_zygote
-webview_zygote
-zygote
diff --git a/private/domain.te b/private/domain.te
index 08d963c..df42fdc 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -28,6 +28,25 @@
-vold
})')
+# As above, allow perf profiling most processes on debug builds.
+# Do not diverge the two lists without a really good reason.
+userdebug_or_eng(`can_profile_perf({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
+ -ueventd
+ -vendor_init
+ -vold
+})')
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
@@ -296,6 +315,7 @@
neverallow ~{
dac_override_allowed
iorap_prefetcherd
+ traced_perf
traced_probes
userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 508653c..56d4747 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -53,9 +53,9 @@
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(ephemeral_app)
-# Allow heap profiling if the app opts in by being marked
-# profileable/debuggable.
+# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(ephemeral_app)
+can_profile_perf(ephemeral_app)
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/file_contexts b/private/file_contexts
index c7729d8..3e36cd6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -150,8 +150,9 @@
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
-/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
+/dev/socket/traced_perf u:object_r:traced_perf_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/heapprofd u:object_r:heapprofd_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
@@ -282,6 +283,7 @@
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/heapprofd u:object_r:heapprofd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index b806f6e..45499fc 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -128,10 +128,18 @@
# Run a shell.
allow incidentd shell_exec:file rx_file_perms;
+# For running am, incident-helper-cmd and similar framework commands.
+# Run /system/bin/app_process.
+allow incidentd zygote_exec:file { rx_file_perms };
+
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
+# Access /data/misc/logd
+allow incidentd misc_logd_file:dir r_dir_perms;
+allow incidentd misc_logd_file:file r_file_perms;
+
# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
allow incidentd {
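Review bot: The two added `misc_logd_file` allow rules apply on every build type, while the `read_logd(incidentd)` grant just above them is wrapped in `userdebug_or_eng`. The existing comment there still describes a PII-safe log as work to be done. The `-incidentd` exemption added to the neverallow in private/logpersist.te is also unconditional, whereas logpersist and logd are exempted there only on debug builds. If incidentd needs the persisted logs only on debug builds, wrap both allow rules in `userdebug_or_eng` and move `-incidentd` into the `userdebug_or_eng` group of that neverallow. If user-build access is intended, the `# Access /data/misc/logd` comment should say so and why.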
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 49e9065..4c6c5aa 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -62,9 +62,10 @@
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(isolated_app)
-# Allow heap profiling if the main app has been marked as profileable or
+# Allow profiling if the main app has been marked as profileable or
# debuggable.
can_profile_heap(isolated_app)
+can_profile_perf(isolated_app)
#####
##### Neverallow
diff --git a/private/logpersist.te b/private/logpersist.te
index 6f6ab50..ac324df 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -24,6 +24,6 @@
userdebug_or_eng(`-misc_logd_file -coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
-neverallow { domain -init -dumpstate userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/private/priv_app.te b/private/priv_app.te
index c879c33..16f651a 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -123,9 +123,9 @@
binder_call(priv_app, incidentd)
allow priv_app incidentd:fifo_file { read write };
-# Allow heap profiling if the app opts in by being marked
-# profileable/debuggable.
+# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(priv_app)
+can_profile_perf(priv_app)
# Allow priv_apps to check whether Dynamic System Update is enabled
get_prop(priv_app, dynamic_system_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 2db46a0..4359806 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -198,6 +198,7 @@
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 5c50fa4..be2eec6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -622,6 +622,7 @@
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
+set_prop(system_server, device_config_window_manager_native_boot_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -1006,6 +1007,7 @@
device_config_media_native_prop
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ device_config_window_manager_native_boot_prop
}:property_service set;
# system_server should never be executing dex2oat. This is either
diff --git a/private/traced_perf.te b/private/traced_perf.te
new file mode 100644
index 0000000..7a78d79
--- /dev/null
+++ b/private/traced_perf.te
@@ -0,0 +1,53 @@
+# Performance profiler, backed by perf_event_open(2).
+# See go/perfetto-perf-android.
+typeattribute traced_perf coredomain;
+typeattribute traced_perf mlstrustedsubject;
+
+type traced_perf_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(traced_perf)
+perfetto_producer(traced_perf)
+
+# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
+# profiling, but retain samples only for profileable processes.
+# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
+# check (which would require a process:attach SELinux allow-rule).
+allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
+
+# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
+# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
+# sampled stacks, which requires opening the backing libraries/executables (as
+# symbols are usually not mapped into the process space). Not all such files
+# are world-readable, e.g. odex files that included user profiles during
+# profile-guided optimization.
+allow traced_perf self:capability { kill dac_read_search };
+
+# Allow reading /system/data/packages.list.
+allow traced_perf packages_list_file:file r_file_perms;
+
+# Allow reading files for stack unwinding and symbolization.
+r_dir_file(traced_perf, nativetest_data_file)
+r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apk_data_file)
+r_dir_file(traced_perf, dalvikcache_data_file)
+r_dir_file(traced_perf, vendor_file_type)
+
+# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
+# domains that it cannot read.
+dontaudit traced_perf domain:dir { search getattr open };
+
+# Never allow access to app data files
+neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+
+# Never allow profiling highly privileged processes.
+never_profile_heap(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
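Review bot: The closing block under "Never allow profiling highly privileged processes" calls `never_profile_heap`, not the `never_profile_perf` macro that this commit adds in public/te_macros. Nothing in the visible diff invokes `never_profile_perf`. `never_profile_heap` is defined outside this diff; if, as its name suggests, it constrains heapprofd, then this list puts no compile-time bound on traced_perf for init, keystore, vold and the other listed domains. The macro name on that line should be `never_profile_perf`, with the same domain list. Separately, the comment "Allow reading /system/data/packages.list." looks like a path typo and is worth checking against the actual location of packages.list.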
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 769ddb0..d9fd5a1 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -137,9 +137,9 @@
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(untrusted_app_all)
-# Allow heap profiling if the app opts in by being marked
-# profileable/debuggable.
+# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(untrusted_app_all)
+can_profile_perf(untrusted_app_all)
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/zygote.te b/private/zygote.te
index da06837..682f609 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -170,6 +170,10 @@
get_prop(zygote, device_config_runtime_native_prop)
get_prop(zygote, device_config_runtime_native_boot_prop)
+# Allow the zygote to access window manager native boot feature flags
+# to initialize WindowManager static properties.
+get_prop(zygote, device_config_window_manager_native_boot_prop)
+
# ingore spurious denials
dontaudit zygote self:global_capability_class_set sys_resource;
diff --git a/public/domain.te b/public/domain.te
index 604df89..0ecc280 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -107,7 +107,8 @@
get_prop(domain, logd_prop)
get_prop(domain, vndk_prop)
-# Allow every to read binder cache properties
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
# Let everyone read log properties, so that liblog can avoid sending unloggable
@@ -728,7 +729,8 @@
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
- userdebug_or_eng('-heapprofd`)
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
});
')
@@ -987,6 +989,7 @@
userdebug_or_eng(`-heapprofd')
-shell
-system_executes_vendor_violators
+ -traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
} {
vendor_file_type
@@ -1310,10 +1313,11 @@
-appdomain
-bootanim
-crash_dump
+ -heapprofd
-init
-iorap_prefetcherd
-kernel
- -heapprofd
+ -traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
diff --git a/public/file.te b/public/file.te
index ef30fc7..408d515 100644
--- a/public/file.te
+++ b/public/file.te
@@ -457,8 +457,9 @@
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
-type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index af7d96a..cf33ce7 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -12,6 +12,7 @@
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 1a95b72..069da47 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -34,6 +34,7 @@
userdebug_or_eng(`-su')
-tombstoned
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
diff --git a/public/netd.te b/public/netd.te
index c15a03b..92c2ed1 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -173,3 +173,13 @@
neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;
+
+# Netd should not have SYS_ADMIN privs.
+neverallow netd self:capability sys_admin;
+dontaudit netd self:capability sys_admin;
+
+# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
+# (things it requires should be built directly into the kernel)
+dontaudit netd self:capability sys_module;
+
+dontaudit netd kernel:system module_request;
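Review bot: The second added comment says netd should not have SYS_MODULE, but the hunk adds only `dontaudit netd self:capability sys_module;`, with no neverallow like the one the sys_admin block gets. A dontaudit only suppresses the denial record and does not stop a later allow rule from granting the capability. Unless a broader neverallow elsewhere in the policy already covers this, add `neverallow netd self:capability sys_module;` beside it. The three dontaudit rules also mean that an unexpected sys_admin, sys_module or module_request attempt by netd leaves no AVC record. The comment should state that this loss of visibility is a deliberate trade-off.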
diff --git a/public/property.te b/public/property.te
index 8142aa2..0fa8143 100644
--- a/public/property.te
+++ b/public/property.te
@@ -11,6 +11,7 @@
system_internal_prop(device_config_runtime_native_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(firstboot_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
@@ -151,6 +152,7 @@
system_public_prop(wifi_prop)
# Properties used by binder caches
+system_public_prop(binder_cache_bluetooth_server_prop)
system_public_prop(binder_cache_system_server_prop)
# Properties which are public for devices launching with Android O or earlier
@@ -556,10 +558,11 @@
property_type
-apexd_prop
-audio_prop
+ -binder_cache_bluetooth_server_prop
+ -binder_cache_system_server_prop
-bluetooth_a2dp_offload_prop
-bluetooth_audio_hal_prop
-bluetooth_prop
- -binder_cache_system_server_prop
-bootloader_boot_reason_prop
-boottime_prop
-bpf_progs_loaded_prop
@@ -630,6 +633,7 @@
-device_config_media_native_prop
-device_config_storage_native_boot_prop
-device_config_sys_traced_prop
+ -device_config_window_manager_native_boot_prop
-dynamic_system_prop
-gsid_prop
-heapprofd_enabled_prop
diff --git a/public/property_contexts b/public/property_contexts
index 0a000ec..f3dc51f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -441,6 +441,13 @@
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
# Binder cache properties. These are world-readable
+cache_key.bluetooth.get_bond_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.get_profile_connection_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.get_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.is_offloaded_filtering_supported u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
+
diff --git a/public/te_macros b/public/te_macros
index b69c800..2d0e050 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -718,6 +718,34 @@
')
###################################
+# can_profile_perf(domain)
+# Allow processes within the domain to be profiled, and have their stacks
+# sampled, by traced_perf.
+define(`can_profile_perf', `
+ # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
+ # reads /proc/[pid]/cmdline.
+ allow traced_perf $1:file r_file_perms;
+ allow traced_perf $1:dir r_dir_perms;
+
+ # Allow central daemon to send signal to request /proc/[pid]/maps and
+ # /proc/[pid]/mem fds from this process.
+ allow traced_perf $1:process signal;
+
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, traced_perf, traced_perf)
+ # Allow daemon to use the passed fds.
+ allow traced_perf $1:fd use;
+')
+
+###################################
+# never_profile_perf(domain)
+# Opt out of profiling by traced_perf.
+define(`never_profile_perf', `
+ neverallow traced_perf $1:file read;
+ neverallow traced_perf $1:process signal;
+')
+
+###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
define(`perfetto_producer', `
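Review bot: The header comment of `can_profile_perf` does not say that its rules cover every process in the domain. `allow traced_perf $1:process signal;` and the /proc read rules are unconditional, while the call sites describe the access as opt-in for profileable/debuggable apps. As far as this diff shows, that opt-in is enforced by traced_perf itself and not by policy. The macro comment should say so, e.g. `# Policy grants access for the whole domain; traced_perf is expected to filter on the profileable/debuggable flag.` `never_profile_perf` is also narrower than the grant it opts out of: it asserts only `file read` and `process signal`, not the `dir`, `fd use` or socket-connect rules. Either extend it or note the gap in its comment.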
diff --git a/public/traced_perf.te b/public/traced_perf.te
new file mode 100644
index 0000000..f9a0324
--- /dev/null
+++ b/public/traced_perf.te
@@ -0,0 +1 @@
+type traced_perf, domain;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 609821f..514f67e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -198,6 +198,7 @@
not_compatible_property(`
set_prop(vendor_init, {
property_type
+ -binder_cache_bluetooth_server_prop
-binder_cache_system_server_prop
-device_config_activity_manager_native_boot_prop
-device_config_boot_count_prop
@@ -209,6 +210,7 @@
-device_config_media_native_prop
-device_config_storage_native_boot_prop
-device_config_sys_traced_prop
+ -device_config_window_manager_native_boot_prop
-restorecon_prop
-netd_stable_secret_prop
-firstboot_prop
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e0fcfcd..c5a9938 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,6 +10,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.1-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0