Merge "Allow gsid to create subdirectories under /metadata/gsi/dsu"
diff --git a/apex/Android.bp b/apex/Android.bp
index 29c2518..4a860e1 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -28,6 +28,13 @@
}
filegroup {
+ name: "com.android.sdkext-file_contexts",
+ srcs: [
+ "com.android.sdkext-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.art.debug-file_contexts",
srcs: [
"com.android.art.debug-file_contexts",
@@ -63,6 +70,13 @@
}
filegroup {
+ name: "com.android.cronet-file_contexts",
+ srcs: [
+ "com.android.cronet-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.ipsec-file_contexts",
srcs: [
"com.android.ipsec-file_contexts",
@@ -133,13 +147,6 @@
}
filegroup {
- name: "com.android.sdkext-file_contexts",
- srcs: [
- "com.android.sdkext-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.telephony-file_contexts",
srcs: [
"com.android.telephony-file_contexts",
diff --git a/private/access_vectors b/private/access_vectors
index 66c1b79..cd1ad12 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -27,6 +27,14 @@
execute
quotaon
mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
}
@@ -164,14 +172,6 @@
reparent
search
rmdir
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class file
@@ -179,82 +179,26 @@
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class lnk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class chr_file
inherits file
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class blk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class sock_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fifo_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fd
{
@@ -781,3 +725,13 @@
class xdp_socket
inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
diff --git a/private/aidl_lazy_test_server.te b/private/aidl_lazy_test_server.te
new file mode 100644
index 0000000..33efde0
--- /dev/null
+++ b/private/aidl_lazy_test_server.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+ typeattribute aidl_lazy_test_server coredomain;
+
+ init_daemon_domain(aidl_lazy_test_server)
+')
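Review bot: The coredomain attribute and init_daemon_domain for aidl_lazy_test_server are both wrapped in userdebug_or_eng here, while the type itself is declared unconditionally in public/aidl_lazy_test_server.te and the binary and its service names are labelled unconditionally in file_contexts and service_contexts, so on user builds the domain exists with no rules at all. If the test binary is never installed on user builds that is harmless, but nothing on the page says so, and if it ever were installed init would presumably be denied the transition into it. A comment above the guard such as `# Test-only daemon: not present on user builds, so the domain is intentionally left empty there.` would stop a later reader treating the empty domain as a bug.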
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index eb798e3..6248cab 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -136,8 +136,8 @@
')
}:dir_file_class_set { create unlink };
-# No untrusted component except mediaprovider should be touching /dev/fuse
-neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
diff --git a/private/bug_map b/private/bug_map
index c6c8278..60c2f15 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -27,6 +27,7 @@
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
+system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 15746a2..51e7b5c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -199,6 +199,7 @@
vendor_apex_file
vendor_init
vendor_shell
+ vndk_prop
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fa8d9fe..a8d64bd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -177,6 +177,7 @@
vendor_init
vendor_security_patch_level_prop
vendor_shell
+ vndk_prop
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 222fa7b..de62740 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -151,5 +151,6 @@
vendor_misc_writer
vendor_misc_writer_exec
vendor_task_profiles_file
+ vndk_prop
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 03b987e..2811683 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,9 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ aidl_lazy_test_server
+ aidl_lazy_test_server_exec
+ aidl_lazy_test_service
apex_module_data_file
apex_rollback_data_file
app_integrity_service
@@ -12,6 +15,10 @@
auth_service
ashmem_libcutils_device
blob_store_service
+ binder_cache_system_server_prop
+ binderfs
+ binderfs_logs
+ binderfs_logs_proc
boringssl_self_test
charger_prop
cold_boot_done_prop
@@ -20,10 +27,12 @@
dataloader_manager_service
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ exported_camera_prop
file_integrity_service
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
+ hal_identity_hwservice
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
@@ -43,12 +52,14 @@
linker_prop
linkerconfig_file
mock_ota_prop
- module_sdkext_prop
+ module_sdkextensions_prop
ota_metadata_file
ota_prop
art_apex_dir
service_manager_service
+ simpleperf
soundtrigger_middleware_service
+ sysfs_dm_verity
system_group_file
system_jvmti_agent_prop
system_passwd_file
@@ -56,10 +67,12 @@
timezonedetector_service
usb_serial_device
userspace_reboot_prop
+ userspace_reboot_config_prop
userspace_reboot_exported_prop
vehicle_hal_prop
vendor_apex_file
vendor_boringssl_self_test
vendor_install_recovery
vendor_install_recovery_exec
+ vndk_prop
virtual_ab_prop))
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index 98cda20..1f60e34 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -8,5 +8,5 @@
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
-set_prop(derive_sdk, module_sdkext_prop)
-neverallow {domain -init -derive_sdk} module_sdkext_prop:property_service set;
+set_prop(derive_sdk, module_sdkextensions_prop)
+neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
diff --git a/private/domain.te b/private/domain.te
index 8a0a8e5..08d963c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -45,8 +45,8 @@
# Allow to read properties for linker
get_prop(domain, linker_prop);
-# Read access to sdkext props
-get_prop(domain, module_sdkext_prop)
+# Read access to sdkextensions props
+get_prop(domain, module_sdkextensions_prop)
# For now, everyone can access core property files
# Device specific properties are not granted by default
@@ -76,6 +76,8 @@
get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({coredomain appdomain shell}, exported_camera_prop)
+ get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
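Review bot: userspace_reboot_config_prop is made readable by appdomain on the new line after exported_camera_prop, while the two userspace_reboot properties directly below it stay limited to { coredomain shell }, and the asymmetry is not explained. If apps genuinely need these config values, a short comment naming the consumer would make the wider grant reviewable; if they do not, `get_prop({coredomain shell}, userspace_reboot_config_prop)` would match its neighbours.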
diff --git a/private/file_contexts b/private/file_contexts
index 65d0e6f..560d190 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -338,9 +338,11 @@
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
+/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
+/system/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
#############################
# Vendor files
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5b956da..92ef6a8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -145,6 +145,7 @@
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
@@ -290,9 +291,15 @@
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index daca057..4ae8eff 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -3,14 +3,6 @@
###
typeattribute gmscore_app coredomain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `gmscore_app` and remove this line once we are confident about this having
-# the right set of permissions.
-userdebug_or_eng(`permissive gmscore_app;')
-
app_domain(gmscore_app)
allow gmscore_app sysfs_type:dir search;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index d72231b..96b2760 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -24,6 +24,7 @@
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
+android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 5050e1a..249fee1 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -34,9 +34,6 @@
# MtpServer uses /dev/mtp_usb
allow mediaprovider mtp_device:chr_file rw_file_perms;
-# Fuse daemon
-allow mediaprovider fuse_device:chr_file { read write ioctl getattr };
-
# MtpServer uses /dev/usb-ffs/mtp
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 0fa2dea..8a6f6aa 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -3,14 +3,6 @@
###
type permissioncontroller_app, domain, coredomain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `permissioncontroller_app` and remove this line once we are confident about
-# this having the right set of permissions.
-userdebug_or_eng(`permissive permissioncontroller_app;')
-
app_domain(permissioncontroller_app)
# Allow interaction with gpuservice
diff --git a/private/platform_app.te b/private/platform_app.te
index 9e26d7a..76eaae6 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,9 +68,7 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
-userdebug_or_eng(`
- allow platform_app platform_compat_service:service_manager find;
-')
+allow platform_app platform_compat_service:service_manager find;
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
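Review bot: Removing the userdebug_or_eng guard around the platform_compat_service find rule turns a debug-only grant into one that applies on user builds, which is a change in production reach rather than a cleanup. The rule has no comment explaining why platform apps need platform_compat on user builds; one line above it, e.g. `# Platform apps use platform_compat on all builds (reason here), not only userdebug/eng.` with the reason filled in, would keep the widening auditable.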
diff --git a/private/priv_app.te b/private/priv_app.te
index e180b1d..161b245 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -14,13 +14,6 @@
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow priv_app self:process ptrace;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app self:process ptrace;
-')
-
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
@@ -80,11 +73,6 @@
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app shell_data_file:file r_file_perms;
- auditallow priv_app shell_data_file:dir r_dir_perms;
-')
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
@@ -127,37 +115,6 @@
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(priv_app, update_engine)
-allow priv_app update_engine_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app update_engine:binder { call transfer };
- auditallow update_engine priv_app:binder transfer;
- auditallow priv_app update_engine:fd use;
- auditallow priv_app update_engine_service:service_manager find;
-')
-
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(priv_app, storaged)
-allow priv_app storaged_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app storaged:binder { call transfer };
- auditallow storaged priv_app:binder transfer;
- auditallow priv_app storaged:fd use;
- auditallow priv_app storaged_service:service_manager find;
-')
-
-
-# Allow GMS core to access system_update_service (e.g. to publish pending
-# system update info).
-allow priv_app system_update_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app system_update_service:service_manager find;
-')
-
# Allow com.android.vending to communicate with statsd.
binder_call(priv_app, statsd)
@@ -170,13 +127,6 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
-# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
-allow priv_app keystore:keystore_key gen_unique_id;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app keystore:keystore_key gen_unique_id;
-')
-
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow priv_app selinuxfs:file r_file_perms;
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
diff --git a/private/property_contexts b/private/property_contexts
index b2b6abc..faa425b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -226,5 +226,5 @@
ota.warm_reset u:object_r:ota_prop:s0
# Module properties
-com.android.sdkext. u:object_r:module_sdkext_prop:s0
-persist.com.android.sdkext. u:object_r:module_sdkext_prop:s0
+com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
diff --git a/private/runas_app.te b/private/runas_app.te
index e6fd953..c1b354a 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -16,3 +16,17 @@
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
+
+# Allow executing system image simpleperf without a domain transition.
+allow runas_app simpleperf_exec:file rx_file_perms;
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective process, most of which this domain is not
+# allowed to see.
+dontaudit runas_app domain:dir search;
+
+# Allow runas_app to call perf_event_open for profiling debuggable app
+# processes, but not the whole system.
+allow runas_app self:perf_event { open read write kernel };
+neverallow runas_app self:perf_event ~{ open read write kernel };
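Review bot: The perf_event allow on the last two lines includes the `kernel` permission, while the comment above describes profiling debuggable app processes only; if I read the kernel's perf_event LSM hook correctly, `kernel` is what lets the caller leave exclude_kernel unset and receive kernel-side samples, which is more than user-space profiling of an app. If that is intended (simpleperf presumably records kernel frames for its target), the comment should say so, e.g. `# kernel: permit kernel-side samples for the profiled process; cpu and tracepoint stay denied so system-wide profiling is not possible.`; if not, drop `kernel` from both the allow and the neverallow. The same pattern appears in private/shell.te and private/simpleperf.te. Separately, `dontaudit runas_app domain:dir search` silences /proc/<pid> search denials against every domain, so a later genuine attempt by this domain to enumerate other processes leaves no audit trace; that is a deliberate trade-off and the comment already explains it, but it is worth keeping in mind when reading denial logs.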
diff --git a/private/security_classes b/private/security_classes
index 25b4cba..c0631e9 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -139,6 +139,8 @@
class xdp_socket
+class perf_event
+
# Property service
class property_service # userspace
diff --git a/private/service_contexts b/private/service_contexts
index 849717a..26d9f5c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -6,6 +6,8 @@
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
+aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
+aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
diff --git a/private/shell.te b/private/shell.te
index 975fde4..8bd4e1d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -83,3 +83,11 @@
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_GET_ENCRYPTION_POLICY_EX
};
+
+# Allow shell to execute simpleperf without a domain transition.
+allow shell simpleperf_exec:file rx_file_perms;
+
+# Allow shell to call perf_event_open for profiling other shell processes, but
+# not the whole system.
+allow shell self:perf_event { open read write kernel };
+neverallow shell self:perf_event ~{ open read write kernel };
diff --git a/private/simpleperf.te b/private/simpleperf.te
new file mode 100644
index 0000000..0639c11
--- /dev/null
+++ b/private/simpleperf.te
@@ -0,0 +1,37 @@
+# Domain used when running /system/bin/simpleperf to profile a specific app.
+# Entered either by the app itself exec-ing the binary, or through
+# simpleperf_app_runner (with shell as its origin). Certain other domains
+# (runas_app, shell) can also exec this binary without a domain transition.
+typeattribute simpleperf coredomain;
+type simpleperf_exec, system_file_type, exec_type, file_type;
+
+domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+
+# When running in this domain, simpleperf is scoped to profiling an individual
+# app. The necessary MAC permissions for profiling are more maintainable and
+# consistent if simpleperf is marked as an app domain as well (as, for example,
+# it will then see the same set of system libraries as the app).
+app_domain(simpleperf)
+untrusted_app_domain(simpleperf)
+
+# Allow ptrace attach to the target app, for reading JIT debug info (using
+# process_vm_readv) during unwinding and symbolization.
+allow simpleperf untrusted_app_all:process ptrace;
+
+# Allow using perf_event_open syscall for profiling the target app.
+allow simpleperf self:perf_event { open read write kernel };
+
+# Allow /proc/<pid> access for the target app (for example, when trying to
+# discover it by cmdline).
+r_dir_file(simpleperf, untrusted_app_all)
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective processes, most of which this domain is
+# not allowed to see.
+dontaudit simpleperf domain:dir search;
+
+# Neverallows:
+
+# Profiling must be confined to the scope of an individual app.
+neverallow simpleperf self:perf_event ~{ open read write kernel };
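Review bot: The ptrace rule `allow simpleperf untrusted_app_all:process ptrace;` and the `r_dir_file(simpleperf, untrusted_app_all)` grant cover the whole untrusted_app_all attribute, whereas the comments above them speak of "the target app"; SELinux cannot tell the launching app from any other untrusted app, so the app-scoping the comments describe must come from DAC (same UID) and the kernel's ptrace access checks rather than from this policy. That is probably unavoidable here, but the header comment should state it so the confinement is not overstated, e.g. `# These rules cover every untrusted app type; confinement to the launching app relies on UID and ptrace checks outside SELinux.`. The same remark applies to the signal rule added in private/untrusted_app_all.te, which lets any untrusted app signal any simpleperf process.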
diff --git a/private/stats.te b/private/stats.te
index ea9530c..26508f1 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -47,6 +47,7 @@
-shell
-stats
-statsd
+ -surfaceflinger
-system_app
-system_server
-traceur_app
diff --git a/private/statsd.te b/private/statsd.te
index a55c42d..1e56b67 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -19,3 +19,6 @@
# Allow StatsCompanionService to pipe data to statsd.
allow statsd system_server:fifo_file { read getattr };
+
+# Allow statsd to retrieve SF statistics over binder
+binder_call(statsd, surfaceflinger);
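Review bot: The new `binder_call(statsd, surfaceflinger);` carries a trailing semicolon, whereas macro invocations elsewhere on this page are written without one (`binder_call(platform_app, gpuservice)` in private/platform_app.te, the `pdx_client(...)` lines in private/surfaceflinger.te). The same appears on the `binder_call(surfaceflinger, statsd);` line added in private/surfaceflinger.te. I would drop the semicolon on both lines for consistency with the surrounding policy style.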
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index e696fe5..5d78a18 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -114,6 +114,10 @@
pdx_client(surfaceflinger, bufferhub_client)
pdx_client(surfaceflinger, performance_client)
+# Allow supplying timestats statistics to statsd
+allow surfaceflinger stats_service:service_manager find;
+binder_call(surfaceflinger, statsd);
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index c1342d8..ec79319 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1090,3 +1090,8 @@
-system_server
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+
+# Allow systemserver to read/write the invalidation property
+set_prop(system_server, binder_cache_system_server_prop)
+neverallow { domain -system_server -init }
+ binder_cache_system_server_prop:property_service set;
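Review bot: The comment `# Allow systemserver to read/write the invalidation property` overstates what the two rules below it do: set_prop grants only the set side, and read access comes from the separate `get_prop(domain, binder_cache_system_server_prop)` added in public/domain.te. I would reword it to `# Allow system_server (and init) to set the binder cache invalidation property; every domain may read it via public/domain.te.` so the comment matches the neverallow's exemption list.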
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d8e0b14..769ddb0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -168,3 +168,8 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
+
+# Allow signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow untrusted_app_all simpleperf:process signal;
diff --git a/private/zygote.te b/private/zygote.te
index e6c1db9..6ad6db4 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -53,6 +53,16 @@
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
+# Relabel /data/user /data/user_de and /data/data
+allow zygote tmpfs:{ dir lnk_file } relabelfrom;
+allow zygote system_data_file:{ dir lnk_file } relabelto;
+
+# Zygote opens /mnt/expand to mount CE DE storage on each vol
+allow zygote mnt_expand_file:dir { open read search relabelto };
+
+# Bind mount subdirectories on /data/misc/profiles/cur
+allow zygote { user_profile_data_file }:dir { mounton search };
+
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
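Review bot: The mnt_expand_file rule grants `relabelto` alongside `open read search`, but the comment above it only describes opening /mnt/expand to mount CE/DE storage, so the relabel half of the rule is undocumented; the same goes for the new tmpfs relabelfrom / system_data_file relabelto pair, whose comment names the paths but not why zygote relabels them. Relabel permissions are the ones a policy reader looks at most closely, so I would extend each comment with one sentence stating which directory is relabelled and what triggers it.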
@@ -61,7 +71,7 @@
allow zygote mirror_data_file:dir r_dir_perms;
-# Get and set data directories
+# Get inode of data directories
allow zygote {
system_data_file
radio_data_file
@@ -126,9 +136,6 @@
allow zygote { sdcard_type }:dir { create_dir_perms mounton };
allow zygote { sdcard_type }:file { create_file_perms };
-# Allow zygote to expand app files while preloading libraries
-allow zygote mnt_expand_file:dir getattr;
-
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
@@ -201,7 +208,7 @@
exported_bluetooth_prop
}:file create_file_perms;
-# Do not allow zygote to access app data except getting attributes and relabeling to.
+# Zygote should not be able to access app private data.
neverallow zygote {
privapp_data_file
app_data_file
diff --git a/public/aidl_lazy_test_server.te b/public/aidl_lazy_test_server.te
new file mode 100644
index 0000000..626d008
--- /dev/null
+++ b/public/aidl_lazy_test_server.te
@@ -0,0 +1,9 @@
+type aidl_lazy_test_server, domain;
+type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+ binder_use(aidl_lazy_test_server)
+ binder_call(aidl_lazy_test_server, binderservicedomain)
+
+ add_service(aidl_lazy_test_server, aidl_lazy_test_service)
+')
diff --git a/public/app.te b/public/app.te
index b771b5f..e4eee82 100644
--- a/public/app.te
+++ b/public/app.te
@@ -50,6 +50,9 @@
# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };
+# Allow appdomain to access app_api_service
+allow { appdomain -isolated_app } app_api_service:service_manager find;
+
# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file rw_file_perms;
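Review bot: The comment `# Allow appdomain to access app_api_service` only restates the rule beneath it, which grants every non-isolated app `find` on every service carrying the app_api_service attribute. A why-comment such as `# All app domains except isolated_app may find services carrying the app_api_service attribute; isolated_app is excluded on purpose.` would record that the isolated_app exclusion is deliberate and that the grant is attribute-wide rather than per service.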
diff --git a/public/attributes b/public/attributes
index 0fd2be2..dcbe9c0 100644
--- a/public/attributes
+++ b/public/attributes
@@ -313,6 +313,7 @@
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
+hal_attribute(identity);
hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
diff --git a/public/domain.te b/public/domain.te
index e50ef75..feb0435 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,10 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
@@ -101,6 +105,10 @@
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)
+get_prop(domain, vndk_prop)
+
+# Allow every to read binder cache properties
+get_prop(domain, binder_cache_system_server_prop)
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
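Review bot: The comment `# Allow every to read binder cache properties` is missing a word; it should read `# Allow everyone to read binder cache properties`. The `get_prop(domain, vndk_prop)` line just above it has no comment while its neighbours do; a short one, such as `# vndk properties are readable by all domains`, would match the surrounding style.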
@@ -509,6 +517,7 @@
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;
compatible_property_only(`
neverallow { domain -init } default_prop:property_service set;
@@ -1164,10 +1173,11 @@
-zygote
} shell:process { transition dyntransition };
-# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
-# attribute.
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have
+# the appdomain attribute. simpleperf is excluded as a domain transitioned to
+# when running an app-scoped profiling session.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su')
+ appdomain -shell -simpleperf userdebug_or_eng(`-su')
}:process { transition dyntransition };
# Minimize read access to shell- or app-writable symlinks.
diff --git a/public/fastbootd.te b/public/fastbootd.te
index f08885a..3ab489b 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -53,12 +53,13 @@
userdata_block_device
}:blk_file { w_file_perms getattr ioctl };
- # For disabling/wiping GSI.
+ # For disabling/wiping GSI, and for modifying/deleting files created via
+ # libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir search;
- allow fastbootd gsi_metadata_file:dir r_dir_perms;
- allow fastbootd gsi_metadata_file:file rw_file_perms;
+ allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd gsi_metadata_file:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
diff --git a/public/file.te b/public/file.te
index 73ac226..3348fd4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -4,6 +4,9 @@
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
@@ -81,6 +84,7 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
diff --git a/public/hal_identity.te b/public/hal_identity.te
new file mode 100644
index 0000000..a8df186
--- /dev/null
+++ b/public/hal_identity.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_identity_client, hal_identity_server)
+
+hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
diff --git a/public/hwservice.te b/public/hwservice.te
index 2cd582b..5085ea5 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -27,6 +27,7 @@
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/init.te b/public/init.te
index 56ed703..cc60b5a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -381,6 +381,7 @@
# init access to /sys files.
allow init {
sysfs_android_usb
+ sysfs_dm_verity
sysfs_leds
sysfs_power
sysfs_fs_f2fs
diff --git a/public/iorapd.te b/public/iorapd.te
index abf7adb..4c08c72 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -36,6 +36,9 @@
# tracing sessions and read trace data.
unix_socket_connect(iorapd, traced_consumer, traced)
+# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
+allow iorapd system_file:file rx_file_perms;
+
###
### neverallow rules
###
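Review bot: `allow iorapd system_file:file rx_file_perms;` lets iorapd execute any file labelled system_file, not just the compiler named in the comment, because system_file is the generic label for most of /system. A dedicated exec type for the compiler binary, with its own file_contexts entry, would scope the grant to that one binary; if the compiler genuinely must run inside the iorapd domain, the comment should at least say that the broad grant is accepted on purpose. I cannot see from this page whether such a type already exists.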
diff --git a/public/property.te b/public/property.te
index 50844fb..2cf043a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -60,12 +60,13 @@
# Properties which can't be written outside system
system_restricted_prop(linker_prop)
-system_restricted_prop(module_sdkext_prop)
+system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vndk_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -119,6 +120,7 @@
system_public_prop(exported3_radio_prop)
system_public_prop(exported_audio_prop)
system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_camera_prop)
system_public_prop(exported_config_prop)
system_public_prop(exported_dalvik_prop)
system_public_prop(exported_default_prop)
@@ -141,11 +143,15 @@
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(system_prop)
+system_public_prop(userspace_reboot_config_prop)
system_public_prop(vehicle_hal_prop)
system_public_prop(vendor_security_patch_level_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
+# Properties used by binder caches
+system_public_prop(binder_cache_system_server_prop)
+
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
not_compatible_property(`
@@ -452,6 +458,16 @@
neverallow {
domain
-coredomain
+ -hal_camera_server
+ -cameraserver
+ -vendor_init
+ } {
+ exported_camera_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
-hal_wifi_server
-wificond
} {
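Review bot: In the new `exported_camera_prop` neverallow, the `-cameraserver` exclusion is redundant if cameraserver carries the coredomain attribute, because `-coredomain` on the line above already removes it from the source set; the adjacent wifi rule uses the same shape with `-wificond`, so this may be deliberate mirroring, but a reader cannot tell whether cameraserver is meant to be allowed in its own right. If the intent is simply "only the camera HAL, core domains and vendor_init may set it", a comment such as `# config.disable_cameraservice: settable by hal_camera_server, core domains and vendor_init only` above the block would make that explicit. The wifi neverallow that this block is inserted ahead of continues past the end of the hunk.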
@@ -542,6 +558,7 @@
-bluetooth_a2dp_offload_prop
-bluetooth_audio_hal_prop
-bluetooth_prop
+ -binder_cache_system_server_prop
-bootloader_boot_reason_prop
-boottime_prop
-bpf_progs_loaded_prop
@@ -618,7 +635,7 @@
-heapprofd_prop
-hwservicemanager_prop
-last_boot_reason_prop
- -module_sdkext_prop
+ -module_sdkextensions_prop
-system_lmk_prop
-linker_prop
-log_prop
diff --git a/public/property_contexts b/public/property_contexts
index c5b80cf..8414e87 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -253,10 +253,10 @@
ro.build.user u:object_r:exported2_default_prop:s0 exact string
ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.extensions. u:object_r:module_sdkext_prop:s0 prefix int
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
@@ -298,6 +298,7 @@
aaudio.mmap_exclusive_policy u:object_r:exported_default_prop:s0 exact int
aaudio.mmap_policy u:object_r:exported_default_prop:s0 exact int
aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
+config.disable_cameraservice u:object_r:exported_camera_prop:s0 exact bool
gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
@@ -385,6 +386,7 @@
ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
@@ -398,7 +400,7 @@
wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
wifi.interface u:object_r:exported_default_prop:s0 exact string
ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-ro.init.userspace_reboot.is_supported u:object_r:userspace_reboot_prop:s0 exact bool
+ro.init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
# public-readable
ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
@@ -437,3 +439,6 @@
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
+
+# Binder cache properties. These are world-readable
+binder.cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
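Review bot: `binder.cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0` is the only entry in this file section without the `exact <type>` or `prefix <type>` suffix that every neighbouring line carries, so as far as this file shows no value type is declared for it. If only this one key is meant, add the type, e.g. `binder.cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0 exact string`; if the label is meant to cover all `binder.cache_key.*` keys, as the comment's plural "properties" suggests, a `prefix` entry would state that rather than leaving it to the bare form. The comment's "world-readable" claim is a property of the label's `system_public_prop` declaration in property.te, not of this line, so it may be worth phrasing it as such.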
diff --git a/public/service.te b/public/service.te
index 8d56fb9..67128d2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,3 +1,4 @@
+type aidl_lazy_test_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
diff --git a/public/simpleperf.te b/public/simpleperf.te
new file mode 100644
index 0000000..218fee7
--- /dev/null
+++ b/public/simpleperf.te
@@ -0,0 +1 @@
+type simpleperf, domain;
diff --git a/public/su.te b/public/su.te
index fa32a4b..16ace6e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -52,6 +52,7 @@
dontaudit su postinstall_file:filesystem *;
dontaudit su domain:bpf *;
dontaudit su unlabeled:vsock_socket *;
+ dontaudit su self:perf_event *;
# VTS tests run in the permissive su domain on debug builds, but the HALs
# being tested run in enforcing mode. Because hal_foo_server is enforcing
diff --git a/public/te_macros b/public/te_macros
index f065a21..b69c800 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -171,16 +171,17 @@
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
allow $1 appdomain_tmpfs:file { execute getattr map read write };
-neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components
-# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces. llkd is excluded, as it needs to inspect
-# the kernel stack for live lock conditions. runas_app is excluded, as it can
-# only access debuggable apps.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
')
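Review bot: The two `-simpleperf` exemptions added to the `no_rw_file_perms` neverallows carry no justification, while the ptrace exemption below them gets a full comment; these file rules are what keep non-app domains out of app data, so the exemption deserves the same explanation, e.g. `# simpleperf is exempted from the app-data neverallows below; it is expected to touch only debuggable/profileable apps, a check enforced by simpleperf itself, not by policy.`. The "operates only on debuggable or profileable apps" statement describes a runtime restriction in the profiler; once simpleperf is removed from these source sets nothing in this macro limits what the simpleperf domain's own allow rules may reach, so that boundary now rests entirely on simpleperf.te. Also, `-simpleperf` in the second rule's `{ appdomain ... }` source set only has an effect if simpleperf is an appdomain; simpleperf.te in this diff declares it as a plain `domain`, so that exclusion looks like a no-op unless the attribute is assigned elsewhere. The macro body this hunk sits in begins outside the hunk.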
#####################################
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a756dc1..eb93d13 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -198,6 +198,7 @@
not_compatible_property(`
set_prop(vendor_init, {
property_type
+ -binder_cache_system_server_prop
-device_config_activity_manager_native_boot_prop
-device_config_boot_count_prop
-device_config_reset_performed_prop
@@ -221,9 +222,10 @@
-nnapi_ext_deny_product_prop
-init_svc_debug_prop
-linker_prop
- -module_sdkext_prop
+ -module_sdkextensions_prop
-userspace_reboot_exported_prop
-userspace_reboot_prop
+ -vndk_prop
})
')
@@ -237,6 +239,7 @@
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_audio_prop)
set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_camera_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
set_prop(vendor_init, exported_default_prop)
@@ -255,6 +258,7 @@
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, userspace_reboot_config_prop)
set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
diff --git a/tests/combine_maps.py b/tests/combine_maps.py
index d592b17..1a7dfaa 100644
--- a/tests/combine_maps.py
+++ b/tests/combine_maps.py
@@ -45,6 +45,11 @@
# Typeattributes in V.v.cil have _V_v suffix, but not in V.v.ignore.cil
bottom_type = m.group(1) if m else top_ta
+ # If type doesn't exist in bottom map, no need to maintain mappings to
+ # that type.
+ if bottom_type not in bottom.rTypeattributesets.keys():
+ continue
+
for bottom_ta in bottom.rTypeattributesets[bottom_type]:
bottom.typeattributesets[bottom_ta].update(top_type_set)
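Review bot: `if bottom_type not in bottom.rTypeattributesets.keys():` should be `if bottom_type not in bottom.rTypeattributesets:`; membership on a dict already tests its keys, and `.keys()` only builds a view object for nothing. The enclosing loop over top-map types starts outside the hunk. Because a type absent from the bottom map drops every mapping routed through it, the comment would read better if it said whether that is the expected case (types removed between versions) or something worth reporting; as written the skip is silent.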
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a3726ca..4e53939 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -35,6 +35,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
+/(vendor|sustem/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
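Review bot: The new identity HAL entry has a typo in its alternation, `/(vendor|sustem/vendor)/...`, so the `/system/vendor/...` form of the path never matches and a binary installed there would not receive `hal_identity_default_exec`; the entry also leaves the `.` in `-service.example` unescaped, unlike every neighbouring line. Proposed line: `/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service\.example u:object_r:hal_identity_default_exec:s0`.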
@@ -53,6 +54,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
diff --git a/vendor/hal_identity_default.te b/vendor/hal_identity_default.te
new file mode 100644
index 0000000..7f84687
--- /dev/null
+++ b/vendor/hal_identity_default.te
@@ -0,0 +1,5 @@
+type hal_identity_default, domain;
+hal_server_domain(hal_identity_default, hal_identity)
+
+type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_identity_default)