Merge "Allow installd to read system_data_file:lnk_file"
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 2a32f14..4ebb66e 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -447,7 +447,21 @@
(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
(typeattributeset print_service_26_0 (print_service))
(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_asound proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
+(typeattributeset proc_26_0
+ ( proc
+ proc_asound
+ proc_cmdline
+ proc_filesystems
+ proc_kmsg
+ proc_loadavg
+ proc_mounts
+ proc_page_cluster
+ proc_pagetypeinfo
+ proc_random
+ proc_swaps
+ proc_uid_time_in_state
+ proc_version
+ proc_vmallocinfo))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
@@ -568,6 +582,7 @@
( sysfs
sysfs_android_usb
sysfs_dm
+ sysfs_dt_firmware_android
sysfs_ipv4
sysfs_net
sysfs_power
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 2cb4d09..1d8351d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -22,6 +22,7 @@
mediaprovider_tmpfs
netd_stable_secret_prop
package_native_service
+ statscompanion_service
storaged_data_file
sysfs_fs_ext4_features
system_boot_reason_prop
@@ -33,6 +34,7 @@
thermalserviced_tmpfs
timezone_service
tombstoned_java_trace_socket
+ vendor_init
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
diff --git a/private/file_contexts b/private/file_contexts
index 03bd889..ca0a696 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -396,6 +396,7 @@
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
# storaged proto files
+/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
# Fingerprint data
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 7bf252d..a6de59a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -33,12 +33,14 @@
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
@@ -73,6 +75,7 @@
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
diff --git a/private/init.te b/private/init.te
index 5c23f66..5464865 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
+domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1f451be..dc7e389 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -91,10 +91,6 @@
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
-# only the package named com.android.shell can run in the shell domain
-neverallow domain=shell name=((?!com\.android\.shell).)*
-neverallow user=shell name=((?!com\.android\.shell).)*
-
# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
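Review bot: Dropping the two `neverallow ... name=((?!com\.android\.shell).)*` assertions removes the only check that bound the shell domain to one package, and the hunk leaves no comment recording why that binding is no longer needed. The rewritten `user=shell` entry in the next hunk still carries `seinfo=platform`, so, as far as the visible lines show, any platform-signed package sharing the shell uid now runs in the shell domain rather than only com.android.shell. A one-line comment next to the surviving `neverallow user=shell domain=((?!shell).)*` such as `# any platform-signed app with the shell uid runs in the shell domain; the package name is not checked` would make that intent reviewable later.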
@@ -104,7 +100,7 @@
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
+user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 86a6032..ac7fb8e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -140,6 +140,7 @@
simphonebook2 u:object_r:radio_service:s0
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
+statscompanion u:object_r:statscompanion_service:s0
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
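Review bot: `statscompanion` is inserted between `sip` and `soundtrigger`, breaking the alphabetical order the surrounding entries follow; it belongs after `soundtrigger` and before `statusbar`. Ordering has no effect on lookup here, but keeping it sorted keeps the file scannable and avoids merge conflicts in this frequently edited list.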
diff --git a/private/system_server.te b/private/system_server.te
index 9879913..b38509c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -786,3 +786,6 @@
# file read access. However, that is now unnecessary (b/34951864)
# This neverallow can be removed after b/34951864 is fixed.
neverallow system_server system_server:capability sys_resource;
+
+# TODO(b/67468181): Remove following lines upon resolution of this bug
+dontaudit system_server statscompanion_service:service_manager { add find };
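Review bot: The new `dontaudit` covers both `add` and `find`, but `add` is a service registration, so suppressing it would also hide an attempt by system_server to register a service under this name rather than merely look it up. If only lookups are expected to be denied while b/67468181 is open, narrow the rule to `dontaudit system_server statscompanion_service:service_manager find;` so an unexpected registration still shows up in the audit log. The TODO says the lines are to be removed, which is good; noting in the same comment that the dontaudit deliberately hides denials (so the bug must be tracked rather than observed from logs) would help whoever cleans it up.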
diff --git a/private/vendor_init.te b/private/vendor_init.te
new file mode 100644
index 0000000..c99d96f
--- /dev/null
+++ b/private/vendor_init.te
@@ -0,0 +1,2 @@
+typeattribute vendor_init coredomain;
+
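Review bot: `typeattribute vendor_init coredomain;` is asserted without a comment, yet this same commit carves vendor_init out of most of the coredomain-to-vendor separation neverallows in public/domain.te, which is the opposite of what the attribute normally implies. The reason it is coredomain at all — presumably that it is spawned from the system `init_exec` binary via the new `domain_trans(init, init_exec, vendor_init)` in private/init.te — deserves a line here, e.g. `# vendor_init executes the system init binary, hence coredomain; see domain.te for the vendor-access exemptions it needs.` The file also ends with a stray blank line after its only statement.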
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index c2146f9..3f17ce5 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -1 +1,15 @@
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+
+allow vold_prepare_subdirs system_file:file execute_no_trans;
+allow vold_prepare_subdirs shell_exec:file rx_file_perms;
+allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
+allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
+allow vold_prepare_subdirs vold:fd use;
+allow vold_prepare_subdirs vold:fifo_file { read write };
+allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+allow vold_prepare_subdirs self:capability dac_override;
+allow vold_prepare_subdirs self:process setfscreate;
+allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
+allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
+allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
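Review bot: The rules moved here from public/vold_prepare_subdirs.te are not a straight copy: `devpts:chr_file` grows from `{ ioctl read write }` to `rw_file_perms`, and a new `storaged_data_file:dir create_dir_perms` rule appears, neither called out by a comment. If the devpts access is only for terminal fds inherited from vold, the original narrower set suffices and the widening should either be reverted or justified with a comment such as `# tty fds inherited from vold`. The `self:capability dac_override` and `system_data_file:dir { open read write add_name remove_name }` grants are likewise undocumented; a one-line why-comment on each (what the helper creates under /data and why it cannot do so as the directory owner) would make the domain reviewable on its own.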
diff --git a/public/domain.te b/public/domain.te
index 4b771dc..914ef97 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -321,7 +321,7 @@
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append open read write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
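Review bot: Adding `-vendor_init` to the `proc_security:file { append open read write }` neverallow removes the compile-time guard against a vendor policy granting vendor_init write access to the settings the preceding comment calls security-sensitive, while nothing in this commit's public/vendor_init.te actually needs that: its generic `fs_type` rule grants only `{ open read setattr }`. If read access is all vendor_init requires, keep the write ban in force by splitting the rule: `neverallow { domain -init -vendor_init } proc_security:file { open read };` and `neverallow { domain -init } proc_security:file { append write };`. The same pattern applies, less acutely, to the `debugfs:file no_rw_file_perms` exemption in the last hunk of this file, where the visible vendor_init rules only write `debugfs_tracing`, a different type.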
@@ -464,6 +464,7 @@
-recovery
-shell
-system_server
+ -vendor_init
} serialno_prop:file r_file_perms;
# Do not allow reading the last boot timestamp from system properties
@@ -658,6 +659,7 @@
-init
-ueventd
-socket_between_core_and_vendor_violators
+ -vendor_init
} {
file_type
dev_type
@@ -680,6 +682,7 @@
-installd
-postinstall_dexopt
-system_server
+ -vendor_init
} vendor_app_file:dir { open read getattr search };
neverallow {
@@ -691,6 +694,7 @@
-installd
-postinstall_dexopt
-system_server
+ -vendor_init
} vendor_app_file:{ file lnk_file } r_file_perms;
# Limit access to /vendor/overlay
@@ -702,6 +706,7 @@
-installd
-system_server
-zygote
+ -vendor_init
} vendor_overlay_file:dir { getattr open read search };
neverallow {
@@ -712,6 +717,7 @@
-installd
-system_server
-zygote
+ -vendor_init
} vendor_overlay_file:{ file lnk_file } r_file_perms;
# Non-vendor domains are not allowed to file execute shell
@@ -719,6 +725,7 @@
neverallow {
coredomain
-init
+ -vendor_init
} vendor_shell_exec:file { execute execute_no_trans };
# Do not allow vendor components to execute files from system
@@ -729,6 +736,7 @@
-appdomain
-rild
-vendor_executes_system_violators
+ -vendor_init
} {
exec_type
-vendor_file_type
@@ -855,6 +863,7 @@
-system_server
-system_app
-init
+ -vendor_init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
@@ -990,7 +999,7 @@
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
diff --git a/public/file.te b/public/file.te
index 323198a..cd0a452 100644
--- a/public/file.te
+++ b/public/file.te
@@ -26,8 +26,10 @@
type proc_modules, fs_type;
type proc_mounts, fs_type;
type proc_net, fs_type;
+type proc_page_cluster, fs_type;
type proc_pagetypeinfo, fs_type;
type proc_perf, fs_type;
+type proc_random, fs_type;
type proc_stat, fs_type;
type proc_swaps, fs_type;
type proc_sysrq, fs_type;
@@ -49,6 +51,7 @@
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
@@ -199,7 +202,6 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
-type audiohal_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
@@ -354,6 +356,9 @@
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
+# Deprecated in SDK version 28
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+
# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
#
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 5dd18a3..2dc1107 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -23,6 +23,4 @@
binder_call(fingerprintd, system_server);
allow fingerprintd permission_service:service_manager find;
-r_dir_file(fingerprintd, cgroup)
-r_dir_file(fingerprintd, sysfs_type)
allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 6a436bd..0665e26 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -7,12 +7,6 @@
allow hal_audio ion_device:chr_file r_file_perms;
-userdebug_or_eng(`
- # used for pcm capture for debug.
- allow hal_audio audiohal_data_file:dir create_dir_perms;
- allow hal_audio audiohal_data_file:file create_file_perms;
-')
-
r_dir_file(hal_audio, proc)
r_dir_file(hal_audio, proc_asound)
allow hal_audio audio_device:dir r_dir_perms;
diff --git a/public/init.te b/public/init.te
index db2ce43..2d55aba 100644
--- a/public/init.te
+++ b/public/init.te
@@ -277,6 +277,9 @@
# Read /proc/cmdline
allow init proc_cmdline:file r_file_perms;
+# Write to /proc/sys/vm/page-cluster
+allow init proc_page_cluster:file w_file_perms;
+
# Reboot.
allow init self:capability sys_boot;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 0ce617b..d6c2060 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -10,7 +10,7 @@
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
allow postinstall_dexopt postinstall_file:lnk_file read;
-allow postinstall_dexopt proc:file { getattr open read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
diff --git a/public/recovery.te b/public/recovery.te
index ee5f125..fb61dbd 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -52,11 +52,12 @@
# Write to /proc/sys/vm/drop_caches
allow recovery proc_drop_caches:file w_file_perms;
+ # Read /proc/swaps
+ allow recovery proc_swaps:file r_file_perms;
+
# Read kernel config through libvintf for OTA matching
allow recovery config_gz:file { open read getattr };
- r_dir_file(recovery, sysfs)
-
# Write to /sys/class/android_usb/android0/enable.
r_dir_file(recovery, sysfs_android_usb)
allow recovery sysfs_android_usb:file w_file_perms;
@@ -66,6 +67,9 @@
allow recovery sysfs_batteryinfo:file r_file_perms;
+ # Read /sysfs/fs/ext4/features
+ r_dir_file(recovery, sysfs_fs_ext4_features)
+
# Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
# control backlight brightness.
allow recovery sysfs_leds:dir r_dir_perms;
@@ -135,8 +139,6 @@
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
-
- allow recovery proc_cmdline:file r_file_perms;
')
###
diff --git a/public/service.te b/public/service.te
index fe26020..3b9d60b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type statscompanion_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
type system_app_service, service_manager_type;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 4437ab7..dd2d7dd 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -42,4 +42,4 @@
allow uncrypt proc_cmdline:file r_file_perms;
# Read files in /sys
-r_dir_file(uncrypt, sysfs)
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
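Review bot: The comment `# Read files in /sys` above the rewritten line is now too broad, since access has been narrowed from `sysfs` to `sysfs_dt_firmware_android`. Update it to name the path the new label covers per genfs_contexts in this commit, e.g. `# Read files in /sys/firmware/devicetree/base/firmware/android/`, matching the wording used for the same type in update_engine_common.te.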
diff --git a/public/update_engine.te b/public/update_engine.te
index f67afc2..289d216 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -40,12 +40,8 @@
# Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)
-# access /proc/misc and /proc/sys/kernel/random/boot_id
-allow update_engine proc:file r_file_perms;
+# access /proc/misc
allow update_engine proc_misc:file r_file_perms;
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
-
-# Read files in /sys
-r_dir_file(update_engine, sysfs)
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 61d393a..e275900 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -37,3 +37,10 @@
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/cmdline and /proc/sys/kernel/random/
+allow update_engine_common proc_cmdline:file r_file_perms;
+r_dir_file(update_engine_common, proc_random)
+
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)
diff --git a/public/vendor_init.te b/public/vendor_init.te
new file mode 100644
index 0000000..16d283f
--- /dev/null
+++ b/public/vendor_init.te
@@ -0,0 +1,210 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:capability dac_override;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:capability { chown fowner fsetid };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:dir { create search getattr open read setattr ioctl };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -runtime_event_log_tags_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -system_file
+ -vendor_file_type
+ -exec_type
+ -vold_data_file
+ -keystore_data_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+}:file { open read setattr };
+
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+}:dir { open read setattr search };
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -kmem_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net)
+allow vendor_init proc_net:file w_file_perms;
+allow vendor_init self:capability net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:capability sys_admin;
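Review bot: The `dir_file_class_set relabelto` rule near the end excludes only five types, whereas every create/write/relabelfrom block above it excludes a much longer list (app_data_file, shell_data_file, property_data_file, misc_logd_file, unlabeled, ...), so vendor_init may assign those labels to any file it can relabelfrom even though it is barred from creating or writing files that carry them. Unless a known init.rc need exists for relabeling into those types, the relabelto exclusion list should mirror the `:file` list so the two directions are consistent. Separately, the same ~20-entry exclusion list is pasted five times with a single divergence (`-runtime_event_log_tags_file` appears only in the `:file` block); defining it once as an m4 `define` (these files are already m4-processed, as the `r_dir_file` macro use here shows) would make that divergence visible and intentional. Finally, `self:capability sys_admin` is justified only as "trusted and security Extended Attributes"; since CAP_SYS_ADMIN covers far more than xattrs, the comment should say which attributes on which files, so the grant can be re-evaluated later.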
diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te
index cc4cdae..6405d2d 100644
--- a/public/vold_prepare_subdirs.te
+++ b/public/vold_prepare_subdirs.te
@@ -4,16 +4,3 @@
type vold_prepare_subdirs_exec, exec_type, file_type;
typeattribute vold_prepare_subdirs coredomain;
-
-allow vold_prepare_subdirs system_file:file execute_no_trans;
-allow vold_prepare_subdirs shell_exec:file rx_file_perms;
-allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
-allow vold_prepare_subdirs devpts:chr_file { ioctl read write };
-allow vold_prepare_subdirs vold:fd use;
-allow vold_prepare_subdirs vold:fifo_file { read write };
-allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:capability dac_override;
-allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
-allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
-allow vold_prepare_subdirs vold_data_file:file { getattr unlink };