Merge "Split system and product sepolicy hashes."
diff --git a/private/apexd.te b/private/apexd.te
index 5959035..5beaa4b 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -67,6 +67,9 @@
# See b/35323867#comment3
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
+# Allow apexd to log to the kernel.
+allow apexd kmsg_device:chr_file w_file_perms;
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 68cfb35..fcbd509 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -52,6 +52,7 @@
allow bluetooth radio_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
+allow bluetooth network_stack_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/bug_map b/private/bug_map
index 9747704..60a7337 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -29,4 +29,5 @@
system_server zygote process 77856826
usbd usbd capability 72472544
vrcore_app mnt_user_file dir 118185801
+webview_zygote system_data_file lnk_file 123246126
zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3633181..c9c127f 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -144,6 +144,8 @@
secure_element_tmpfs
secure_element_service
server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
slice_service
staging_data_file
stats
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 3b7f7ff..ddd4e06 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -131,6 +131,8 @@
secure_element_service
secure_element_tmpfs
server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
slice_service
stats
stats_data_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index aeba945..7c1a78d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -25,7 +25,9 @@
content_suggestions_service
cpu_variant_prop
dev_cpu_variant
+ device_config_activity_manager_native_boot_prop
device_config_boot_count_prop
+ device_config_input_native_boot_prop
device_config_netd_native_prop
device_config_reset_performed_prop
device_config_service
@@ -85,6 +87,8 @@
runtime_service
sensor_privacy_service
server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
super_block_device
system_event_log_tags_file
system_lmk_prop
diff --git a/private/domain.te b/private/domain.te
index 326e62a..dda8f21 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -10,7 +10,8 @@
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
-userdebug_or_eng(`can_profile_heap({
+# Allow heap profiling on debug builds.
+userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
domain
-bpfloader
-init
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3500c0f..9a6a300 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -49,6 +49,10 @@
allow ephemeral_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(ephemeral_app, traced_producer, traced)
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(ephemeral_app)
+
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow ephemeral_app system_server:udp_socket {
diff --git a/private/file_contexts b/private/file_contexts
index 474c637..01c5bb0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -314,6 +314,7 @@
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
+/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
#############################
# Vendor files
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 5e8aab5..c8f3def 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -28,6 +28,9 @@
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow gpuservice adbd:unix_stream_socket { read write getattr };
+# Needed for interactive shell
+allow gpuservice devpts:chr_file { read write getattr };
+
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 5a17990..7f8d8d6 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,33 +1,47 @@
-# Android Heap Profiler Daemon go/heapprofd
+# Android heap profiling daemon. go/heapprofd.
+#
+# On user builds, this daemon is responsible for receiving the initial
+# profiling configuration, finding matching target processes (if profiling by
+# process name), and sending the activation signal to them (+ setting system
+# properties for new processes to start profiling from startup). When profiling
+# is triggered in a process, it spawns a private heapprofd subprocess (in its
+# own SELinux domain), which will exclusively handle profiling of its parent.
+#
+# On debug builds, this central daemon performs profiling for all target
+# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(heapprofd)
set_prop(heapprofd, heapprofd_prop);
-userdebug_or_eng(`
- # TODO(fmayer): We will also need this on user to read /proc/<pid>/cmdline
- # and send signals.
- typeattribute heapprofd mlstrustedsubject;
- # Allow to send signal to processes.
- # This excludes SIGKILL, SIGSTOP and SIGCHLD,
- # which are controlled by separate permissions.
- allow heapprofd self:capability kill;
+# Necessary for /proc/[pid]/cmdline access & sending signals.
+typeattribute heapprofd mlstrustedsubject;
- # Executables and libraries.
- # These are needed to read the ELF binary data needed for unwinding.
+# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
+# SIGCHLD, which are controlled by separate permissions.
+allow heapprofd self:capability kill;
+
+# When scanning /proc/[pid]/cmdline to find matching processes for by-name
+# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# spamming logs with denials for entries that we can not access.
+dontaudit heapprofd domain:dir { search open };
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+allow heapprofd traced:fd use;
+allow heapprofd traced_tmpfs:file { read write getattr map };
+unix_socket_connect(heapprofd, traced_producer, traced)
+
+# When handling profiling for all processes, heapprofd needs to read
+# executables/libraries/etc to do stack unwinding.
+userdebug_or_eng(`
r_dir_file(heapprofd, system_file_type)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
')
-# Write trace data to the Perfetto traced damon. This requires connecting to its
-# producer socket and obtaining a (per-process) tmpfs fd.
-allow heapprofd traced:fd use;
-allow heapprofd traced_tmpfs:file { read write getattr map };
-unix_socket_connect(heapprofd, traced_producer, traced)
-
never_profile_heap(`{
bpfloader
init
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 3443dc4..017f46b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -60,6 +60,10 @@
allow isolated_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(isolated_app, traced_producer, traced)
+# Allow heap profiling if the main app has been marked as profileable or
+# debuggable.
+can_profile_heap(isolated_app)
+
#####
##### Neverallow
#####
diff --git a/private/priv_app.te b/private/priv_app.te
index b6828f0..9232bd0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -144,6 +144,10 @@
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(priv_app)
+
# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
diff --git a/private/property_contexts b/private/property_contexts
index 80ccbdf..3296a04 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -168,7 +168,9 @@
# Properties that relate to server configurable flags
device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
+persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
+persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
apexd. u:object_r:apexd_prop:s0
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
new file mode 100644
index 0000000..8501826
--- /dev/null
+++ b/private/simpleperf_app_runner.te
@@ -0,0 +1,3 @@
+typeattribute simpleperf_app_runner coredomain;
+
+domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
diff --git a/private/system_server.te b/private/system_server.te
index 8648738..8aa7785 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -582,7 +582,9 @@
set_prop(system_server, cppreopt_prop)
# server configurable flags properties
+set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
+set_prop(system_server, device_config_activity_manager_native_boot_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -851,11 +853,15 @@
allow system_server zygote_exec:file rx_file_perms;
')
-# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded
allow system_server fs_bpf:dir search;
-allow system_server fs_bpf:file read;
-allow system_server bpfloader:bpf map_read;
+allow system_server fs_bpf:file { read write };
+allow system_server bpfloader:bpf { map_read map_write };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow system_server self:key_socket create;
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
@@ -935,6 +941,8 @@
-system_server
-flags_health_check
} {
+ device_config_activity_manager_native_boot_prop
+ device_config_input_native_boot_prop
device_config_netd_native_prop
}:property_service set;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index ba70751..9b91806 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -100,6 +100,12 @@
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app_all self:process ptrace;
+# Android Studio Instant Run has the application connect to a
+# runas_app socket listening in the abstract namespace.
+# https://developer.android.com/studio/run/
+# b/123297648
+allow untrusted_app_all runas_app:unix_stream_socket connectto;
+
# Cts: HwRngTest
allow untrusted_app_all sysfs_hwrandom:dir search;
allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
@@ -123,6 +129,10 @@
allow untrusted_app_all traced_tmpfs:file { read write getattr map };
unix_socket_connect(untrusted_app_all, traced_producer, traced)
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(untrusted_app_all)
+
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow untrusted_app_all system_server:udp_socket {
diff --git a/public/domain.te b/public/domain.te
index 7c3a110..d29adc2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1205,8 +1205,9 @@
-zygote
} shell:process { transition dyntransition };
-# Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -app_zygote -webview_zygote -zygote } {
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
+# attribute.
+neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
appdomain -shell userdebug_or_eng(`-su')
}:process { transition dyntransition };
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 39ef87d..0991bed 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -41,6 +41,9 @@
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
+# Allow dumpstate to append into privileged apps private files.
+allow dumpstate privapp_data_file:file append;
+
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 257abc6..835a82a 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -4,8 +4,9 @@
set_prop(flags_health_check, device_config_boot_count_prop)
set_prop(flags_health_check, device_config_reset_performed_prop)
-
+set_prop(flags_health_check, device_config_input_native_boot_prop)
set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/property.te b/public/property.te
index a4893ea..379c4d3 100644
--- a/public/property.te
+++ b/public/property.te
@@ -28,8 +28,10 @@
type debuggerd_prop, property_type, core_property_type;
type debug_prop, property_type, core_property_type;
type default_prop, property_type, core_property_type;
+type device_config_activity_manager_native_boot_prop, property_type;
type device_config_boot_count_prop, property_type;
type device_config_reset_performed_prop, property_type;
+type device_config_input_native_boot_prop, property_type;
type device_config_netd_native_prop, property_type;
type device_logging_prop, property_type;
type dhcp_prop, property_type, core_property_type;
@@ -398,8 +400,10 @@
-ffs_prop
-fingerprint_prop
-firstboot_prop
+ -device_config_activity_manager_native_boot_prop
-device_config_reset_performed_prop
-device_config_boot_count_prop
+ -device_config_input_native_boot_prop
-device_config_netd_native_prop
-heapprofd_enabled_prop
-heapprofd_prop
diff --git a/public/property_contexts b/public/property_contexts
index 2b1b0e9..e7cddee 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -348,3 +348,23 @@
ro.bootmode u:object_r:exported2_default_prop:s0 exact string
ro.build.type u:object_r:exported2_default_prop:s0 exact string
sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
+
+# Using Sysprop as API. So the ro.surface_flinger.* are guaranteed to be API-stable
+ro.surface_flinger.default_composition_dataspace u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.default_composition_pixel_format u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.has_HDR_display u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.has_wide_color_display u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.max_virtual_display_dimension u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.running_without_sync_framework u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.start_graphics_allocator_service u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.use_color_management u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.use_context_priority u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.use_vr_flinger u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.wcg_composition_dataspace u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.wcg_composition_pixel_format u:object_r:exported_default_prop:s0 int
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
new file mode 100644
index 0000000..cabf04b
--- /dev/null
+++ b/public/simpleperf_app_runner.te
@@ -0,0 +1,34 @@
+type simpleperf_app_runner, domain, mlstrustedsubject;
+type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/public/te_macros b/public/te_macros
index 149d5ac..ca6070b 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -647,31 +647,66 @@
###################################
# can_profile_heap(domain)
-# never_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by heapprofd.
#
-# Opt in our out of heap profiling.
-# This will allow a heap profiling daemon to read this
-# process' address space in order to support unwinding.
-#
+# Note that profiling is performed differently between debug and user builds.
+# This macro covers both user and debug builds, but see
+# can_profile_heap_userdebug_or_eng for a variant that can be used when
+# allowing profiling for a domain only on debug builds, without granting
+# the exec permission. The exec permission is necessary for user builds, but
+# only a nice-to-have for development and testing purposes on debug builds.
define(`can_profile_heap', `
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+
+ # Allow executing a private heapprofd process to handle profiling on
+ # user builds (also debug builds for testing & development purposes).
+ allow $1 heapprofd_exec:file rx_file_perms;
+
+ # Allow directory & file read to the central heapprofd daemon, as it scans
+ # /proc/[pid]/cmdline for by-process-name profiling configs.
+ # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
+ allow heapprofd $1:file r_file_perms;
+ allow heapprofd $1:dir r_dir_perms;
+
+ # On debug builds, central daemon can handle profiling of all processes
+ # directly.
userdebug_or_eng(`
- # RT signal for client initialization.
- allow heapprofd $1:process signal;
- # Connect to heapprofd service.
+ # Allow connecting to the daemon.
unix_socket_connect($1, heapprofd, heapprofd)
- # To receive file descriptor.
+ # Allow daemon to use the passed fds.
+ allow heapprofd $1:fd use;
+ ')
+')
+
+###################################
+# can_profile_heap_userdebug_or_eng(domain)
+# Allow processes within the domain to have their heap profiled by heapprofd on
+# debug builds only.
+#
+# Only necessary when can_profile_heap cannot be applied, see its description
+# for rationale.
+define(`can_profile_heap_userdebug_or_eng', `
+ userdebug_or_eng(`
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # Allow daemon to use the passed fds.
allow heapprofd $1:fd use;
# To read from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
# process they relate to.
allow heapprofd $1:file r_file_perms;
- # This is needed to search the /proc/[pid] directory.
+ # Allow searching the /proc/[pid] directory for cmdline.
allow heapprofd $1:dir r_dir_perms;
- allow heapprofd $1:process signal;
')
')
+###################################
+# never_profile_heap(domain)
+# Opt out of heap profiling by heapprofd.
define(`never_profile_heap', `
neverallow heapprofd $1:file read;
neverallow heapprofd $1:process signal;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 178f3fc..d9dc72f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -174,8 +174,10 @@
not_compatible_property(`
set_prop(vendor_init, {
property_type
+ -device_config_activity_manager_native_boot_prop
-device_config_boot_count_prop
-device_config_reset_performed_prop
+ -device_config_input_native_boot_prop
-device_config_netd_native_prop
-restorecon_prop
-netd_stable_secret_prop
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ada00d1..03b0ac6 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -34,6 +34,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
@@ -44,7 +45,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0