Merge "Remove hal_binderization_prop" am: 1871fc0a88 am: 2261cab6f2
am: 484a277c29
Change-Id: Iaa779c0d07bc503e27d0d9b65816347e819daa8a
diff --git a/Android.mk b/Android.mk
index da58e53..b941bf3 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1067,6 +1067,37 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := vndservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
+$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
+$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vndservice_contexts.tmp): $(vnd_svcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+vnd_svcfiles :=
+vndservice_contexts.tmp :=
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := plat_mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
diff --git a/private/adbd.te b/private/adbd.te
index 73302ac..b402335 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -100,6 +100,11 @@
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 628f971..b0048aa 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -49,6 +49,7 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
+# TODO(b/36613472): Remove this once bluetooth daemon does not communicate with rild over sockets
# Bluetooth Sim Access Profile Socket to the RIL
unix_socket_connect(bluetooth, sap_uim, rild)
diff --git a/private/drmserver.te b/private/drmserver.te
index 45663bb..afe4f0a 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -3,3 +3,5 @@
init_daemon_domain(drmserver)
type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9289027..2d4b1f1 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -20,6 +20,13 @@
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
# services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediacodec_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediacasserver_service:service_manager find;
allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
diff --git a/private/file_contexts b/private/file_contexts
index bd111b8..1b61875 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,20 +38,21 @@
/sdcard u:object_r:rootfs:s0
# SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/nonplat_file_contexts u:object_r:rootfs:s0
-/plat_file_contexts u:object_r:rootfs:s0
-/mapping_sepolicy\.cil u:object_r:rootfs:s0
-/nonplat_sepolicy\.cil u:object_r:rootfs:s0
-/plat_sepolicy\.cil u:object_r:rootfs:s0
-/plat_property_contexts u:object_r:property_contexts:s0
-/nonplat_property_contexts u:object_r:property_contexts:s0
-/seapp_contexts u:object_r:rootfs:s0
-/nonplat_seapp_contexts u:object_r:rootfs:s0
-/plat_seapp_contexts u:object_r:rootfs:s0
-/sepolicy u:object_r:rootfs:s0
-/plat_service_contexts u:object_r:rootfs:s0
-/nonplat_service_contexts u:object_r:rootfs:s0
+/file_contexts\.bin u:object_r:file_contexts_file:s0
+/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/plat_file_contexts u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_property_contexts u:object_r:property_contexts_file:s0
+/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/seapp_contexts u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/sepolicy u:object_r:sepolicy_file:s0
+/plat_service_contexts u:object_r:service_contexts_file:s0
+/nonplat_service_contexts u:object_r:service_contexts_file:s0
+/vndservice_contexts u:object_r:vndservice_contexts_file:s0
##########################
# Devices
@@ -144,7 +145,6 @@
/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
/dev/tegra.* u:object_r:video_device:s0
-/dev/tf_driver u:object_r:tee_device:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
@@ -198,7 +198,6 @@
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
-/system/bin/mediacodec u:object_r:mediacodec_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
@@ -216,13 +215,11 @@
/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
/system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/tf_daemon u:object_r:tee_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/healthd u:object_r:healthd_exec:s0
-/system/bin/hostapd u:object_r:hostapd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
@@ -249,12 +246,31 @@
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/vr_wm u:object_r:vr_wm_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
#############################
# Vendor files
#
/vendor(/.*)? u:object_r:system_file:s0
+/vendor/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
#############################
# OEM and ODM files
@@ -331,7 +347,6 @@
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
diff --git a/private/hostapd.te b/private/hostapd.te
deleted file mode 100644
index d895f29..0000000
--- a/private/hostapd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-init_daemon_domain(hostapd)
diff --git a/private/mediacodec.te b/private/mediacodec.te
deleted file mode 100644
index ff290bc..0000000
--- a/private/mediacodec.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediacodec coredomain;
-
-init_daemon_domain(mediacodec)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index def8759..4e511a8 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,8 @@
typeattribute mediadrmserver coredomain;
init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 4b510a5..08c3f9b 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,6 @@
typeattribute mediaserver coredomain;
init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
diff --git a/private/service_contexts b/private/service_contexts
index 8be98e9..943cdee 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -157,6 +157,8 @@
vibrator u:object_r:vibrator_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
+vr_window_manager u:object_r:vr_window_manager_service:s0
+vr_hwc u:object_r:vr_hwc_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 606c4a0..02e6101 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -56,7 +56,7 @@
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
allow system_app keystore:keystore_key {
get_state
diff --git a/private/system_server.te b/private/system_server.te
index 8f85a48..e9ffa82 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -58,16 +58,13 @@
net_raw
sys_boot
sys_nice
- sys_resource
+ sys_ptrace
sys_time
sys_tty_config
};
wakelock_use(system_server)
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
-
# Trigger module auto-load.
allow system_server kernel:system module_request;
@@ -186,6 +183,7 @@
hal_client_domain(system_server, hal_sensors)
binder_call(system_server, hal_thermal)
hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_tv_input)
binder_call(system_server, hal_usb)
hal_client_domain(system_server, hal_usb)
binder_call(system_server, hal_vibrator)
@@ -193,6 +191,12 @@
binder_call(system_server, hal_vr)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_wifi)
+
+# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
+# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
+# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
+typeattribute system_server socket_between_core_and_vendor_violators;
+
hal_client_domain(system_server, hal_wifi_supplicant)
# Talk to tombstoned to get ANR traces.
@@ -233,6 +237,10 @@
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
# Check SELinux permissions.
selinux_check_access(system_server)
@@ -511,6 +519,8 @@
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
+# TODO(b/36506799): move vr_wm code to VrCore and remove this:
+allow system_server vr_window_manager_service:service_manager find;
allow system_server wificond_service:service_manager find;
allow system_server keystore:keystore_key {
@@ -701,3 +711,11 @@
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+# This neverallow can be removed after b/34951864 is fixed.
+neverallow system_server system_server:capability sys_resource;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 2d9ec8b..abc21a7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -11,3 +11,8 @@
; typeattribute hal_allocator_client halclientdomain;
(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
(typeattributeset halclientdomain (hal_allocator_client))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
diff --git a/private/tee.te b/private/tee.te
deleted file mode 100644
index 99f501e..0000000
--- a/private/tee.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tee coredomain;
-
-init_daemon_domain(tee)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 993b3d0..73aa79e 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -1,7 +1,8 @@
###
### Untrusted_app_all.
###
-### This file defines the rules shared by all untrusted app domains.
+### This file defines the rules shared by all untrusted app domains except
+### ephemeral apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
new file mode 100644
index 0000000..51d2420
--- /dev/null
+++ b/private/vr_hwc.te
@@ -0,0 +1,4 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
diff --git a/private/vr_wm.te b/private/vr_wm.te
new file mode 100644
index 0000000..38564f2
--- /dev/null
+++ b/private/vr_wm.te
@@ -0,0 +1,5 @@
+# vr_wm - VR Window Manager
+typeattribute vr_wm coredomain;
+
+# The vr_wm is started by init.
+init_daemon_domain(vr_wm)
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index b2a1951..501581a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,9 +10,6 @@
# resulting process into webview_zygote domain.
init_daemon_domain(webview_zygote)
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@
# Interaction between the webview_zygote and its children.
allow webview_zygote isolated_app:process setpgid;
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(webview_zygote)
# Check SELinux permissions.
diff --git a/private/zygote.te b/private/zygote.te
index e9ec672..15fd951 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,6 +62,8 @@
allow zygote pmsg_device:chr_file getattr;
allow zygote debugfs_trace_marker:file getattr;
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
diff --git a/public/attributes b/public/attributes
index 00035ab..b7f0701 100644
--- a/public/attributes
+++ b/public/attributes
@@ -39,6 +39,16 @@
# All types used for /data files.
attribute data_file_type;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+# All vendor domains which violate the requirement of not accessing
+# data outside /data/vendor.
+# TODO(b/34980020): Remove this once there are no violations
+attribute coredata_in_vendor_violators;
+# All core domains which violate the requirement of not accessing vendor
+# owned data.
+# TODO(b/34980020): Remove this once there are no violations
+attribute vendordata_in_core_violators;
# All types use for sysfs files.
attribute sysfs_type;
@@ -118,10 +128,18 @@
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+
# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+
# All HAL servers
attribute halserverdomain;
# All HAL clients
@@ -200,6 +218,9 @@
attribute hal_thermal;
attribute hal_thermal_client;
attribute hal_thermal_server;
+attribute hal_tv_input;
+attribute hal_tv_input_client;
+attribute hal_tv_input_server;
attribute hal_usb;
attribute hal_usb_client;
attribute hal_usb_server;
@@ -212,6 +233,9 @@
attribute hal_wifi;
attribute hal_wifi_client;
attribute hal_wifi_server;
+attribute hal_wifi_keystore;
+attribute hal_wifi_keystore_client;
+attribute hal_wifi_keystore_server;
attribute hal_wifi_supplicant;
attribute hal_wifi_supplicant_client;
attribute hal_wifi_supplicant_server;
diff --git a/public/bootanim.te b/public/bootanim.te
index 9922451..e2584c3 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -22,7 +22,6 @@
allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim audioserver_service:service_manager find;
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/public/dhcp.te b/public/dhcp.te
index 6b9fb4a..c18b08d 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,6 +1,5 @@
type dhcp, domain, domain_deprecated;
type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
net_domain(dhcp)
diff --git a/public/domain.te b/public/domain.te
index 8a42336..30b3a98 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -67,7 +67,12 @@
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
# /dev/binder can be accessed by non-vendor domains and by apps
-allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow {
+ coredomain
+ appdomain
+ binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ -hwservicemanager
+} binder_device:chr_file rw_file_perms;
# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
@@ -84,7 +89,7 @@
# messages to logd.
get_prop(domain, log_property_type)
dontaudit domain property_type:file audit_access;
-allow domain property_contexts:file r_file_perms;
+allow domain property_contexts_file:file r_file_perms;
allow domain init:key search;
allow domain vold:key search;
@@ -101,6 +106,7 @@
allow domain sysfs:lnk_file read;
# libc references /data/misc/zoneinfo for timezone related information
+# This directory is considered to be a VNDK-stable
r_dir_file(domain, zoneinfo_data_file)
# Lots of processes access current CPU information
@@ -109,8 +115,11 @@
r_dir_file(domain, sysfs_usb);
# files under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:lnk_file read;
+not_full_treble(`allow domain system_data_file:dir getattr;')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
+allow domain system_data_file:dir search;
# required by the dynamic linker
allow domain proc:lnk_file { getattr read };
@@ -436,11 +445,179 @@
neverallow {
domain
-coredomain
+ -appdomain # restrictions for vendor apps are declared lower down
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } service_manager_type:service_manager find;
+ # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+ # services which can change any time framework/core is updated, breakage is likely.
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ service_manager_type
+ -app_api_service
+ -ephemeral_app_api_service
+ -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+ -cameraserver_service
+ -drmserver_service
+ -keystore_service
+ -mediacasserver_service
+ -mediadrmserver_service
+ -mediaextractor_service
+ -mediametrics_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -surfaceflinger_service
+ -vr_manager_service
+ }:service_manager find;
+ neverallow {
+ domain
+ -coredomain
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} servicemanager:binder { call transfer };
')
+##
+# On full TREBLE devices core android components and vendor components may
+# not directly access each other's data types. All communication must occur
+# over HW binder. Open file descriptors may be passed and read/write/stat
+# operations my be performed on those FDs. Disallow all other operations.
+full_treble_only(`
+ # do not allow vendor component access to coredomains data types
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -coredata_in_vendor_violators
+ }
+ core_data_file_type
+ -zoneinfo_data_file # VNDK stable API provided by libc
+ :{
+ file_class_set
+ } ~{ append getattr ioctl read write };
+ # do not allow vendor component access to coredomains data directories.
+ # /data has the system_data_file type. Allow all domains to have dir
+ # search permissions which allows path traversal.
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -coredata_in_vendor_violators
+ } {
+ core_data_file_type
+ -system_data_file
+ -zoneinfo_data_file # VNDK stable API provided by libc
+ }:dir *;
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -coredata_in_vendor_violators
+ } system_data_file:dir ~search;
+ # do not allow coredomains to directly access vendor data. Exempt init
+ # because it is responsible for dir/file creation in init.rc scripts.
+ # Also exempt halclientdomain to exclude rules for passthrough mode.
+ neverallow {
+ coredomain
+ -halclientdomain
+ -init
+ -vendordata_in_core_violators
+ } {
+ data_file_type
+ -core_data_file_type
+ }:file_class_set ~{ append getattr ioctl read write };
+ # do not allow coredomain to access vendor data directories.
+ neverallow {
+ coredomain
+ -halclientdomain
+ -init
+ -vendordata_in_core_violators
+ } { data_file_type -core_data_file_type }:dir *;
+')
+
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+full_treble_only(`
+ # Most general rules first, more specific rules below.
+
+ # Core domains are not permitted to initiate communications to vendor domain sockets.
+ # We are not restricting the use of already established sockets because it is fine for a process
+ # to obtain an already established socket via some public/official/stable API and then exchange
+ # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+ # and thus does not break the core-vendor separation.
+ neverallow_establish_socket_comms({
+ coredomain
+ -init
+ -adbd
+ }, {
+ domain
+ -coredomain
+ -socket_between_core_and_vendor_violators
+ });
+ # Vendor domains are not permitted to initiate communications to core domain sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+ -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+ });
+
+ # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -netdomain
+ -socket_between_core_and_vendor_violators
+ }, netd);
+
+ # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # appdomain restrictions below
+ -socket_between_core_and_vendor_violators
+ } {
+ coredomain_socket
+ core_data_file_type
+ unlabeled # used only by core domains
+ }:sock_file ~{ append getattr ioctl read write };
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ coredomain_socket
+ unlabeled # used only by core domains
+ core_data_file_type
+ -app_data_file
+ -pdx_socket # used by VR layer
+ }:sock_file ~{ append getattr ioctl read write };
+
+ # Core domains are not permitted to create/open sockets owned by vendor domains
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -socket_between_core_and_vendor_violators
+ } {
+ file_type
+ dev_type
+ -coredomain_socket
+ -core_data_file_type
+ -unlabeled
+ }:sock_file ~{ append getattr ioctl read write };
+')
+
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
@@ -570,10 +747,17 @@
# respect system_app sandboxes
neverallow {
domain
- -system_app # its own sandbox
+ -appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ untrusted_app_all # finer-grained rules for appdomain are listed below
+ ephemeral_app
+ priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
# Services should respect app sandboxes
neverallow {
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9b54329..bfbb43b 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -170,7 +170,7 @@
allow dumpstate misc_logd_file:file r_file_perms;
')
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index 2abfe70..f776ef6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -87,54 +87,56 @@
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
-type system_data_file, file_type, data_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type;
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type;
+type install_data_file, file_type, data_file_type, core_data_file_type;
# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type;
+type drm_data_file, file_type, data_file_type, core_data_file_type;
# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type;
+type adb_data_file, file_type, data_file_type, core_data_file_type;
# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, mlstrustedobject;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, mlstrustedobject;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type;
-type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type;
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota
-type ota_data_file, file_type, data_file_type;
+type ota_data_file, file_type, data_file_type, core_data_file_type;
# /data/ota_package
-type ota_package_file, file_type, data_file_type, mlstrustedobject;
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
-type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type;
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type;
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/property
-type property_data_file, file_type, data_file_type;
+type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
-type bootchart_data_file, file_type, data_file_type;
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
-type nativetest_data_file, file_type, data_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, mlstrustedobject;
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
-type preloads_data_file, file_type, data_file_type;
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
# /data/preloads/media
-type preloads_media_file, file_type, data_file_type;
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
@@ -152,41 +154,43 @@
type postinstall_file, file_type;
# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type;
-type audio_data_file, file_type, data_file_type;
-type audiohal_data_file, file_type, data_file_type;
-type audioserver_data_file, file_type, data_file_type;
-type bluetooth_data_file, file_type, data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type;
-type bootstat_data_file, file_type, data_file_type;
-type boottrace_data_file, file_type, data_file_type;
-type camera_data_file, file_type, data_file_type;
-type gatekeeper_data_file, file_type, data_file_type;
-type incident_data_file, file_type, data_file_type;
-type keychain_data_file, file_type, data_file_type;
-type keystore_data_file, file_type, data_file_type;
-type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type;
-type net_data_file, file_type, data_file_type;
-type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type;
-type recovery_data_file, file_type, data_file_type;
-type shared_relro_file, file_type, data_file_type;
-type systemkeys_data_file, file_type, data_file_type;
-type vpn_data_file, file_type, data_file_type;
-type wifi_data_file, file_type, data_file_type;
-type zoneinfo_data_file, file_type, data_file_type;
-type vold_data_file, file_type, data_file_type;
-type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type reboot_data_file, file_type, data_file_type, core_data_file_type;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tee_data_file, file_type, data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type;
+type app_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, mlstrustedobject;
+type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
@@ -199,65 +203,81 @@
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for user icon file.
-type icon_file, file_type, data_file_type;
+type icon_file, file_type, data_file_type, core_data_file_type;
# /mnt/asec
-type asec_apk_file, file_type, data_file_type, mlstrustedobject;
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type;
+type asec_public_file, file_type, data_file_type, core_data_file_type;
# /data/app-asec
-type asec_image_file, file_type, data_file_type;
+type asec_image_file, file_type, data_file_type, core_data_file_type;
# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, mlstrustedobject;
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type;
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, mlstrustedobject;
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type fwmarkd_socket, file_type, mlstrustedobject;
-type lmkd_socket, file_type;
-type logd_socket, file_type, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
-type mdns_socket, file_type;
-type mdnsd_socket, file_type, mlstrustedobject;
-type misc_logd_file, file_type;
-type mtpd_socket, file_type;
-type netd_socket, file_type;
-type pdx_socket, file_type, mlstrustedobject;
-type property_socket, file_type, mlstrustedobject;
-type racoon_socket, file_type;
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type pdx_socket, file_type, coredomain_socket, mlstrustedobject;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type;
-type uncrypt_socket, file_type;
-type vold_socket, file_type;
-type webview_zygote_socket, file_type;
+type system_wpa_socket, file_type, coredomain_socket;
+type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type vold_socket, file_type, coredomain_socket;
+type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type;
-# hostapd control interface.
-type hostapd_socket, file_type;
-type zygote_socket, file_type;
+type zygote_socket, file_type, coredomain_socket;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
+# file_contexts files
+type file_contexts_file, file_type;
+
+# mac_permissions file
+type mac_perms_file, file_type;
+
# property_contexts file
-type property_contexts, file_type;
+type property_contexts_file, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
+# service_contexts file
+type service_contexts_file, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
new file mode 100644
index 0000000..5276ddf
--- /dev/null
+++ b/public/hal_tv_input.te
@@ -0,0 +1,3 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
diff --git a/public/hal_wifi_keystore.te b/public/hal_wifi_keystore.te
new file mode 100644
index 0000000..15368ae
--- /dev/null
+++ b/public/hal_wifi_keystore.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server.
+binder_call(hal_wifi_keystore_client, hal_wifi_keystore_server)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index ed10f8d..49ce4fa 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -23,17 +23,6 @@
allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
-# TODO(b/34131400): Use hwbinder to access keystore.
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant)
-
-# WPA (wifi) has a restricted set of permissions from the default.
-allow hal_wifi_supplicant keystore:keystore_key {
- get
- sign
- verify
-};
-
# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
userdebug_or_eng(`
diff --git a/public/init.te b/public/init.te
index 4b08046..4af41ec 100644
--- a/public/init.te
+++ b/public/init.te
@@ -299,6 +299,12 @@
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
# Perform SELinux access checks on setting properties.
selinux_check_access(init)
diff --git a/public/installd.te b/public/installd.te
index 0a5b8a3..a85edff 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,10 @@
r_dir_file(installd, rootfs)
# Scan through APKs in /system/app and /system/priv-app
r_dir_file(installd, system_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
diff --git a/public/kernel.te b/public/kernel.te
index a93c8e9..9537c0d 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -11,6 +11,9 @@
allow kernel selinuxfs:dir r_dir_perms;
allow kernel selinuxfs:file r_file_perms;
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
# Allow init relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
diff --git a/public/keystore.te b/public/keystore.te
index 55cafc5..456c74d 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -10,6 +10,9 @@
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
+# Implement the wifi keystore hal.
+hal_server_domain(keystore, hal_wifi_keystore)
+
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 469c8ba..721f624 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -13,6 +13,8 @@
binder_call(mediacodec, appdomain)
binder_service(mediacodec)
+# TODO(b/36604251): Remove this once OMX HAL stops using Binder
+typeattribute mediacodec binder_in_vendor_violators;
add_service(mediacodec, mediacodec_service)
allow mediacodec mediametrics_service:service_manager find;
allow mediacodec surfaceflinger_service:service_manager find;
@@ -20,13 +22,15 @@
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec hal_graphics_allocator:fd use;
allow mediacodec hal_camera:fd use;
crash_dump_fallback(mediacodec)
hal_client_domain(mediacodec, hal_allocator)
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to mediacodec via Binder and talks to bufferhubd
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 398d413..969c1a5 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,9 @@
crash_dump_fallback(mediaextractor)
+# allow mediaextractor read permissions for file sources
+allow mediaextractor media_rw_data_file:file { getattr read };
+
###
### neverallow rules
###
diff --git a/public/neverallow_macros b/public/neverallow_macros
index b36cceb..e2b6ed1 100644
--- a/public/neverallow_macros
+++ b/public/neverallow_macros
@@ -4,3 +4,12 @@
define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
define(`no_x_file_perms', `{ execute execute_no_trans }')
define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/public/performanced.te b/public/performanced.te
index 8f9d16b..95038cd 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -10,9 +10,9 @@
# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger })
+r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger vr_wm })
dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel sensord surfaceflinger }:process setsched;
+allow performanced { appdomain bufferhubd kernel sensord surfaceflinger vr_wm }:process setsched;
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index eed7e58..499e2a9 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -3,7 +3,7 @@
userdebug_or_eng(`
- type perfprofd, domain, domain_deprecated, mlstrustedsubject;
+ type perfprofd, domain, domain_deprecated, mlstrustedsubject, coredomain;
# perfprofd needs to control CPU hot-plug in order to avoid kernel
# perfevents problems in cases where CPU goes on/off during measurement;
diff --git a/public/radio.te b/public/radio.te
index a896659..8c3c6a5 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,6 +5,7 @@
bluetooth_domain(radio)
binder_service(radio)
+# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
# Talks to rild via the rild socket.
unix_socket_connect(radio, rild, rild)
diff --git a/public/recovery.te b/public/recovery.te
index 1ec19c5..d6aef1c 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -37,6 +37,8 @@
# currently loaded policy. Allow it.
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+ # Get file contexts
+ allow recovery file_contexts_file:file r_file_perms;
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
# support to OTAs. However, that code has a bug. When an update occurs,
diff --git a/public/rild.te b/public/rild.te
index e4b0186..77f146b 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -19,6 +19,9 @@
allow rild shell_exec:file rx_file_perms;
allow rild bluetooth_efs_file:file r_file_perms;
allow rild bluetooth_efs_file:dir r_dir_perms;
+# TODO (b/36601950) remove RILD's access to radio_data_file and
+# system_data_file. Remove coredata_in_vendor_violators attribute.
+typeattribute rild coredata_in_vendor_violators;
allow rild radio_data_file:dir rw_dir_perms;
allow rild radio_data_file:file create_file_perms;
allow rild sdcard_type:dir r_dir_perms;
diff --git a/public/runas.te b/public/runas.te
index 19e30e8..046165d 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -23,6 +23,10 @@
allow runas self:process setcurrent;
allow runas non_system_app_set:process dyntransition; # setcon
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/service.te b/public/service.te
index 909b96a..96a692a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -27,6 +27,8 @@
type system_app_service, service_manager_type;
type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
+type vr_window_manager_service, service_manager_type;
+type vr_hwc_service, service_manager_type;
# system_server_services broken down
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -44,7 +46,7 @@
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -58,7 +60,7 @@
type coverage_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -69,8 +71,8 @@
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
@@ -118,19 +120,19 @@
type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 46b3b0e..bba9c6e 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -11,7 +11,10 @@
allow servicemanager self:binder set_context_mgr;
allow servicemanager { domain -init }:binder transfer;
-r_dir_file(servicemanager, rootfs)
+# Access to all (system and vendor) service_contexts
+# TODO(b/36866029) access to nonplat_service_contexts
+# should not be allowed on full treble devices
+allow servicemanager service_contexts_file:file r_file_perms;
# Check SELinux permissions.
selinux_check_access(servicemanager)
diff --git a/public/shell.te b/public/shell.te
index ee8cf2a..cb1a086 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -80,7 +80,7 @@
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at list:
# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
allow shell dumpstate:binder call;
# allow shell to get information from hwservicemanager
@@ -145,6 +145,13 @@
#
allow shell dev_type:blk_file getattr;
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
###
### Neverallow rules
###
diff --git a/public/tee.te b/public/tee.te
index a95be88..f023d5c 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -1,18 +1,7 @@
##
# trusted execution environment (tee) daemon
#
-type tee, domain, domain_deprecated;
-type tee_exec, exec_type, file_type;
-type tee_device, dev_type;
-type tee_data_file, file_type, data_file_type;
+type tee, domain;
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms_no_ioctl;
-allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow tee ion_device:chr_file r_file_perms;
-r_dir_file(tee, sysfs_type)
-allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
diff --git a/public/ueventd.te b/public/ueventd.te
index b0706c8..512b019 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
diff --git a/public/update_engine.te b/public/update_engine.te
index 33eb2a8..69ee7c8 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,7 +1,6 @@
# Domain for update_engine daemon.
type update_engine, domain, domain_deprecated, update_engine_common;
type update_engine_exec, exec_type, file_type;
-type update_engine_data_file, file_type, data_file_type;
net_domain(update_engine);
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 92d5c27..544550a 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -9,4 +9,4 @@
allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
# Limit access so that nothing else can inject input.
-neverallow { domain -system_app -virtual_touchpad } virtual_touchpad_service:service_manager find;
+neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find;
diff --git a/public/vold.te b/public/vold.te
index f4a3916..89e2c24 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -19,6 +19,9 @@
r_dir_file(vold, rootfs)
allow vold proc_meminfo:file r_file_perms;
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
# Allow us to jump into execution domains of above tools
allow vold self:process setexec;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
new file mode 100644
index 0000000..b0d3ad9
--- /dev/null
+++ b/public/vr_hwc.te
@@ -0,0 +1,29 @@
+type vr_hwc, domain;
+type vr_hwc_exec, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+binder_call(vr_hwc, vr_wm)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+use_pdx(vr_hwc, surfaceflinger)
+
+# Limit access so only vr_wm can connect.
+neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find;
diff --git a/public/vr_wm.te b/public/vr_wm.te
new file mode 100644
index 0000000..1e48609
--- /dev/null
+++ b/public/vr_wm.te
@@ -0,0 +1,28 @@
+type vr_wm, domain;
+type vr_wm_exec, exec_type, file_type;
+
+hal_client_domain(vr_wm, hal_graphics_allocator)
+
+binder_use(vr_wm)
+binder_call(vr_wm, virtual_touchpad)
+binder_call(vr_wm, vr_hwc)
+
+allow vr_wm virtual_touchpad_service:service_manager find;
+allow vr_wm vr_hwc_service:service_manager find;
+
+binder_service(vr_wm)
+add_service(vr_wm, vr_window_manager_service)
+
+# Load vendor libraries.
+allow vr_wm system_file:dir r_dir_perms;
+
+allow vr_wm gpu_device:chr_file rw_file_perms;
+allow vr_wm ion_device:chr_file r_file_perms;
+
+# Get buffer metadata.
+allow vr_wm hal_graphics_allocator:fd use;
+
+use_pdx(vr_wm, bufferhubd)
+use_pdx(vr_wm, sensord)
+use_pdx(vr_wm, surfaceflinger)
+use_pdx(vr_wm, performanced)
diff --git a/public/wificond.te b/public/wificond.te
index dd22d26..0584b85 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,10 +7,6 @@
add_service(wificond, wificond_service)
-# wificond writes firmware paths to this file.
-# wificond also changes the owership of this file on startup.
-allow wificond sysfs_wlan_fwpath:file { w_file_perms setattr };
-
set_prop(wificond, wifi_prop)
set_prop(wificond, ctl_default_prop)
@@ -31,15 +27,6 @@
allow wificond wifi_data_file:dir rw_dir_perms;
allow wificond wifi_data_file:file create_file_perms;
-# wificond drops root shortly after starting
-# wificond changes the ownership of some files before dropping root
-allow wificond self:capability { setuid setgid setpcap chown };
-
-# wificond cleans up sockets created by wpa_supplicant and framework
-allow wificond wpa_socket:dir rw_dir_perms;
-allow wificond system_wpa_socket:sock_file unlink;
-allow wificond wpa_socket:sock_file unlink;
-
# dumpstate support
allow wificond dumpstate:fd use;
allow wificond dumpstate:fifo_file write;
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..aeafb4a
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,2 @@
+# Socket types
+type hostapd_socket, file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a781341..ea0ef29 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,13 +20,20 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.0-service u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
+#############################
+# Data files
+#
+/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 04ef7aa..79c0814 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -5,3 +5,9 @@
init_daemon_domain(hal_audio_default)
hal_client_domain(hal_audio_default, hal_allocator)
+
+typeattribute hal_audio_default socket_between_core_and_vendor_violators;
+# TODO (b/36601590) move hal_audio's data file to
+# /data/vendor/hardware/hal_audio. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_audio_default coredata_in_vendor_violators;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 8fdb4f0..449f159 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -3,3 +3,8 @@
type hal_camera_default_exec, exec_type, file_type;
init_daemon_domain(hal_camera_default)
+
+# TODO (b/36601397) move hal_camera's data file to
+# /data/vendor/hardware/hal_camera. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_camera_default coredata_in_vendor_violators;
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index eba763a..ad1762f 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,3 +6,8 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
+
+# TODO (b/36601695) remove hal_drm's access to /data or move to
+# /data/vendor/hardware/hal_drm. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_drm_default coredata_in_vendor_violators;
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 2b9001e..5f5de7e 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -3,3 +3,7 @@
type hal_fingerprint_default_exec, exec_type, file_type;
init_daemon_domain(hal_fingerprint_default)
+
+# TODO (b/36644492) move hal_fingerprint's data file to
+# /data/vendor/. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_fingerprint_default coredata_in_vendor_violators;
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index b155f27..a906d97 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -3,3 +3,9 @@
type hal_nfc_default_exec, exec_type, file_type;
init_daemon_domain(hal_nfc_default)
+
+# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
+# data type. Remove coredata_in_vendor_violators and
+# socket_between_core_and_vendor_violators attribute associations below.
+typeattribute hal_nfc_default coredata_in_vendor_violators;
+typeattribute hal_nfc_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_omx.te b/vendor/hal_omx.te
new file mode 100644
index 0000000..fdb4aca
--- /dev/null
+++ b/vendor/hal_omx.te
@@ -0,0 +1 @@
+init_daemon_domain(mediacodec)
diff --git a/vendor/hal_tv_input_default.te b/vendor/hal_tv_input_default.te
new file mode 100644
index 0000000..a97c171
--- /dev/null
+++ b/vendor/hal_tv_input_default.te
@@ -0,0 +1,6 @@
+type hal_tv_input_default, domain;
+hal_server_domain(hal_tv_input_default, hal_tv_input)
+
+type hal_tv_input_default_exec, exec_type, file_type;
+init_daemon_domain(hal_tv_input_default)
+
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 5e49605..f0a6ffc 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -8,5 +8,9 @@
# Create a socket for receiving info from wpa
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
-# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
-typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+# Allow wpa_supplicant to talk to Wifi Keystore HAL.
+hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)
+# TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
+# Remove coredata_in_vendor_violators attribute.
+# wpa supplicant or equivalent
+typeattribute hal_wifi_supplicant_default coredata_in_vendor_violators;
diff --git a/public/hostapd.te b/vendor/hostapd.te
similarity index 86%
rename from public/hostapd.te
rename to vendor/hostapd.te
index b40bdc8..e7d8308 100644
--- a/public/hostapd.te
+++ b/vendor/hostapd.te
@@ -2,6 +2,7 @@
type hostapd, domain;
type hostapd_exec, exec_type, file_type;
+init_daemon_domain(hostapd)
net_domain(hostapd)
allow hostapd self:capability { net_admin net_raw };
@@ -30,3 +31,7 @@
allow hostapd hostapd_socket:dir create_dir_perms;
# hostapd needs to create, bind to, read, and write its control socket.
allow hostapd hostapd_socket:sock_file create_file_perms;
+
+# TODO (b/36646171) Move hostapd's data access to /data/vendor
+# Remove coredata_in_vendor_violators attribute.
+typeattribute hostapd coredata_in_vendor_violators;
diff --git a/vendor/rild.te b/vendor/rild.te
index 515d1b4..69c5c39 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -2,3 +2,7 @@
# public, but conceptually should go with this
type rild_exec, exec_type, file_type;
init_daemon_domain(rild)
+
+# TODO(b/36613472), TODO(b/36718031): Remove this once rild no longer
+# communicates with non-vendor components over sockets.
+typeattribute rild socket_between_core_and_vendor_violators;
diff --git a/vendor/tee.te b/vendor/tee.te
new file mode 100644
index 0000000..6278d4b
--- /dev/null
+++ b/vendor/tee.te
@@ -0,0 +1,25 @@
+##
+# trusted execution environment (tee) daemon
+#
+typeattribute tee domain_deprecated;
+
+type tee_exec, exec_type, file_type;
+init_daemon_domain(tee)
+
+# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
+# longer communicate with tee daemon over sockets
+typeattribute tee socket_between_core_and_vendor_violators;
+
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:file create_file_perms;
+allow tee self:netlink_socket create_socket_perms_no_ioctl;
+allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow tee ion_device:chr_file r_file_perms;
+r_dir_file(tee, sysfs_type)
+
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
+allow tee system_data_file:file { getattr read };
+allow tee system_data_file:lnk_file r_file_perms;
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index dff18ce..e898884 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -10,5 +10,8 @@
allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+# Read vndservice_contexts
+allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+
# Check SELinux permissions.
selinux_check_access(vndservicemanager)