Merge "Add rules to cover memfd's for testing."
diff --git a/apex/Android.bp b/apex/Android.bp
index b5199f0..8be5aa1 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -197,6 +197,13 @@
}
filegroup {
+ name: "com.android.uwb-file_contexts",
+ srcs: [
+ "com.android.uwb-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.virt-file_contexts",
srcs: [
"com.android.virt-file_contexts",
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index 83b4b58..d678ca6 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1 +1,4 @@
(/.*)? u:object_r:system_file:s0
+/bin/compos_key_main u:object_r:compos_exec:s0
+/bin/compsvc u:object_r:compos_exec:s0
+/bin/compsvc_worker u:object_r:compos_exec:s0
diff --git a/apex/com.android.uwb-file_contexts b/apex/com.android.uwb-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.uwb-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
new file mode 100644
index 0000000..9e6b2bb
--- /dev/null
+++ b/microdroid/system/private/compos.te
@@ -0,0 +1,20 @@
+# TODO(b/193504816): move this to compos APEX
+type compos, domain, coredomain, microdroid_payload;
+type compos_exec, exec_type, file_type, system_file_type;
+
+allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Talk to binder services (for keystore)
+binder_use(compos);
+
+# Allow payloads to use keystore
+use_keystore(compos);
+
+# Allow payloads to use and manage their keys
+allow compos vm_payload_key:keystore2_key {
+ delete
+ get_info
+ manage_blob
+ rebind
+ use
+};
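Review bot: The `binder_use`, `use_keystore` and `vm_payload_key:keystore2_key` rules on the last three stanzas duplicate the ones microdroid_app.te keeps for itself (its "Talk to binder services (for keystore)" block and the `use` / `};` context lines), so the two payload domains now carry the same keystore rules by copy rather than sharing them. Since this commit introduces the `microdroid_payload` attribute for exactly this purpose, either hoist these rules onto `microdroid_payload` if every payload is meant to reach keystore, or add a comment here saying why compos spells them out separately. The `self:vsock_socket { ... listen accept }` rule also deserves a why-comment naming the expected peer, e.g. `# compsvc accepts vsock connections from the host-side CompOS client.`, since an accepting vsock listener is the VM's inbound attack surface (confirm the peer against the compsvc code).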
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
new file mode 100644
index 0000000..6bfd05e
--- /dev/null
+++ b/microdroid/system/private/dex2oat.te
@@ -0,0 +1,5 @@
+# dex2oat
+type dex2oat, domain, coredomain;
+type dex2oat_exec, system_file_type, exec_type, file_type;
+
+allow dex2oat tmpfs:file { read getattr map };
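Review bot: The rule `allow dex2oat tmpfs:file { read getattr map };` on the last line has no comment explaining which tmpfs-labeled files dex2oat needs; from the commit title these are presumably memfds passed in for testing, but nothing in the file says so. I would add `# Input dex files are handed to dex2oat as memfds, which are labeled tmpfs.` (confirm the memfd origin). The file also declares `dex2oat_exec` but no `domain_auto_trans` into `dex2oat` appears anywhere in this diff, and the neverallow added in microdroid_payload.te rules out microdroid_manager as the parent since `dex2oat` lacks the `microdroid_payload` attribute; if the transition from compos is defined elsewhere that is fine, otherwise the new domain is unreachable.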
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index fe4d072..a3dfb27 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -242,6 +242,15 @@
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
+
#-----------------------------------------
# Allow access to fsverity keyring.
allow domain kernel:key search;
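Review bot: The four `dontaudit domain ...` lines silence `write` on every proc and sysfs directory and `create` on cgroup files for every domain, but carry no comment saying what triggers those denials, so a reader cannot tell whether a future denial in that area is expected noise or a real policy gap. A blanket dontaudit across `domain` is the kind of rule that should explain itself; I would add above the block `# Expected-to-fail attempts (e.g. mkdir/create on proc, sysfs and cgroup nodes) that should be neither allowed nor logged; do not turn these into allow rules.` (confirm the source of the attempts). The two preceding `neverallow` lines already guarantee the create path stays closed, which is worth stating in the same comment.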
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
index ac3ada1..be211a3 100644
--- a/microdroid/system/private/keystore.te
+++ b/microdroid/system/private/keystore.te
@@ -13,3 +13,6 @@
# microdroid doesn't use keymaster HAL
dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
+
+# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
+dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index 820ec68..d3ec74b 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -6,29 +6,9 @@
# Both microdroid_launcher and payload from the shared library run in the
# context of microdroid_app.
-type microdroid_app, domain, coredomain;
+type microdroid_app, domain, coredomain, microdroid_payload;
type microdroid_app_exec, exec_type, file_type, system_file_type;
-# Allow to communicate use, read and write over the adb connection.
-allow microdroid_app adbd:fd use;
-allow microdroid_app adbd:unix_stream_socket { read write };
-
-# microdroid_launcher is launched by microdroid_manager with fork/execvp.
-allow microdroid_app microdroid_manager:fd use;
-
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
- allow microdroid_app shell:fd use;
-')
-
-# Allow to use terminal
-allow microdroid_app devpts:chr_file rw_file_perms;
-
-# Allow to set debug prop
-set_prop(microdroid_app, debug_prop)
-
# Talk to binder services (for keystore)
binder_use(microdroid_app);
@@ -44,8 +24,3 @@
use
};
-# Allow microdroid_app to use vsock inherited from microdroid_manager
-allow microdroid_app microdroid_manager:vsock_socket { read write };
-
-# Write to /dev/kmsg.
-allow microdroid_app kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 074024f..728d156 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -11,14 +11,9 @@
allow microdroid_manager block_device:lnk_file r_file_perms;
allow microdroid_manager vd_device:blk_file r_file_perms;
-# microdroid_manager start payload task via microdroid_launcher
-domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app);
-
-# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
-# TODO(b/189706019) we need to a domain for the app process.
-allow microdroid_manager system_file:file execute_no_trans;
-# Until then, allow microdroid_manager to execute the shell or other system executables.
-allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
+# Allow microdroid_manager to start payload tasks
+domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
+domain_auto_trans(microdroid_manager, compos_exec, compos)
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
@@ -27,11 +22,16 @@
set_prop(microdroid_manager, vmsecret_keymint_prop);
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below two rules
+# TODO(b/188400186) remove the below rule
userdebug_or_eng(`
- allow microdroid_manager fuse:dir r_dir_perms;
- allow microdroid_manager fuse:file rx_file_perms;
+ r_dir_file(microdroid_manager, fuse)
')
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+
+# microdroid_manager is using bootstrap bionic
+allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
+allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+
+neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
new file mode 100644
index 0000000..87edb31
--- /dev/null
+++ b/microdroid/system/private/microdroid_payload.te
@@ -0,0 +1,31 @@
+# microdroid_payload is an attribute for microdroid payload processes.
+# Domains should have microdroid_payload to be run from microdroid_manager.
+
+# Allow to communicate use, read and write over the adb connection.
+allow microdroid_payload adbd:fd use;
+allow microdroid_payload adbd:unix_stream_socket { read write };
+
+# microdroid_launcher is launched by microdroid_manager with fork/execvp.
+allow microdroid_payload microdroid_manager:fd use;
+
+# Allow to use FDs inherited from the shell. This includes the FD opened for
+# the microdroid_launcher executable itself and the FD for adb connection.
+# TODO(b/186396070) remove this when this is executed from microdroid_manager
+userdebug_or_eng(`
+ allow microdroid_payload shell:fd use;
+')
+
+# Allow to use terminal
+allow microdroid_payload devpts:chr_file rw_file_perms;
+
+# Allow to set debug prop
+set_prop(microdroid_payload, debug_prop)
+
+# Allow microdroid_payload to use vsock inherited from microdroid_manager
+allow microdroid_payload microdroid_manager:vsock_socket { read write };
+
+# Write to /dev/kmsg.
+allow microdroid_payload kmsg_device:chr_file rw_file_perms;
+
+# Only microdroid_payload can be run by microdroid_manager
+neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process transition;
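Review bot: `allow microdroid_payload kmsg_device:chr_file rw_file_perms;` grants every payload read access to /dev/kmsg, not just write, while microdroid_manager.te in this same diff gives itself only `kmsg_device:chr_file w_file_perms`; the comment "Write to /dev/kmsg." describes the narrower rule, so change the line to `allow microdroid_payload kmsg_device:chr_file w_file_perms;` unless a payload genuinely needs to read the kernel log. The `adbd:fd use` and `adbd:unix_stream_socket { read write }` rules at the top are debugging conveniences that now apply to all payloads (including compos) on user builds, whereas the parallel `shell:fd use` rule is correctly wrapped in `userdebug_or_eng`; consider wrapping the adbd rules the same way or documenting why they are needed in production. The closing neverallow is a good guard; a short comment noting that `crash_dump` is exempted because it is reached via the standard crash_dump transition would help readers.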
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index c82c0c8..cf516dd 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -393,3 +393,6 @@
attribute gsi_metadata_file_type;
attribute fusefs_type;
+
+# All types run from microdroid_manager as a payload
+attribute microdroid_payload;
diff --git a/prebuilts/api/31.0/plat_pub_versioned.cil b/prebuilts/api/31.0/plat_pub_versioned.cil
index 7928315..3f2c0be 100644
--- a/prebuilts/api/31.0/plat_pub_versioned.cil
+++ b/prebuilts/api/31.0/plat_pub_versioned.cil
@@ -524,6 +524,7 @@
(type labeledfs)
(type launcherapps_service)
(type legacy_permission_service)
+(type legacykeystore_service)
(type libc_debug_prop)
(type light_service)
(type linkerconfig_file)
@@ -1183,7 +1184,6 @@
(type vold_status_prop)
(type vpn_data_file)
(type vpn_management_service)
-(type vpnprofilestore_service)
(type vr_hwc)
(type vr_hwc_exec)
(type vr_hwc_service)
@@ -2502,6 +2502,7 @@
(typeattribute labeledfs_31_0)
(typeattribute launcherapps_service_31_0)
(typeattribute legacy_permission_service_31_0)
+(typeattribute legacykeystore_service_31_0)
(typeattribute libc_debug_prop_31_0)
(typeattribute light_service_31_0)
(typeattribute linkerconfig_file_31_0)
@@ -3235,7 +3236,6 @@
(typeattribute vold_status_prop_31_0)
(typeattribute vpn_data_file_31_0)
(typeattribute vpn_management_service_31_0)
-(typeattribute vpnprofilestore_service_31_0)
(typeattribute vr_hwc_31_0)
(typeattribute vr_hwc_exec_31_0)
(typeattribute vr_hwc_service_31_0)
diff --git a/prebuilts/api/31.0/private/bug_map b/prebuilts/api/31.0/private/bug_map
index 5b042ae..de7a4b5 100644
--- a/prebuilts/api/31.0/private/bug_map
+++ b/prebuilts/api/31.0/private/bug_map
@@ -25,6 +25,7 @@
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
+system_server apex_art_data_file file b/194054685
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
diff --git a/prebuilts/api/31.0/private/odsign.te b/prebuilts/api/31.0/private/odsign.te
index 0ff3b7b..c6c7808 100644
--- a/prebuilts/api/31.0/private/odsign.te
+++ b/prebuilts/api/31.0/private/odsign.te
@@ -54,6 +54,9 @@
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/prebuilts/api/31.0/private/postinstall_dexopt.te b/prebuilts/api/31.0/private/postinstall_dexopt.te
index 94af043..2fdc941 100644
--- a/prebuilts/api/31.0/private/postinstall_dexopt.te
+++ b/prebuilts/api/31.0/private/postinstall_dexopt.te
@@ -32,6 +32,9 @@
allow postinstall_dexopt tmpfs:file read;
+# Allow access odsign verification status
+get_prop(postinstall_dexopt, odsign_prop)
+
# Allow access to /postinstall/apex.
allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 4f67251..faa0183 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -36,6 +36,7 @@
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
###
### Neverallow rules
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index 5ecb87f..eedbe8a 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -168,6 +168,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to stopping odsign
+ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
+
# Restrict access to starting media.transcoding.
ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
diff --git a/private/app.te b/private/app.te
index 2b3554f..a33b6a0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -103,3 +103,8 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
+
+# Allow apps to read/write vsock created by virtualizationservice to communicate with
+# the VM that the app created. Notice that the app doesn't have permission to create
+# a vsock by itself; it can't connect to other VMs that it doesn't own.
+allow appdomain virtualizationservice:vsock_socket { getattr read write };
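Review bot: The comment's claim that an app "can't connect to other VMs that it doesn't own" is not something this rule enforces: `allow appdomain virtualizationservice:vsock_socket { getattr read write }` is keyed on the socket's creating domain, so any virtualizationservice-created vsock fd that reaches an app is usable, and per-VM isolation rests entirely on virtualizationservice only handing each client fds for its own VMs. I would rephrase the comment to say that, e.g. `# Isolation between apps depends on virtualizationservice handing each app only the fds of VMs it created; SELinux cannot distinguish VMs here.` Also note the rule covers all of `appdomain`, not just untrusted apps, which matches the neverallow in app_neverallows.te only for the `all_untrusted_apps` subset.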
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5c41b02..eb93529 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -114,9 +114,13 @@
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
+# Apps can read/write vsock created by virtualizationservice to communicate with the VM that they own,
+# but nothing more than that (e.g. creating a new vsock, etc.)
+neverallow all_untrusted_apps virtualizationservice:vsock_socket ~{ getattr read write };
+
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
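Review bot: Dropping `vsock_socket` from the `all_untrusted_apps domain:{ ... } *` neverallow removes the guarantee for every vsock socket except virtualizationservice's, because the replacement `neverallow all_untrusted_apps virtualizationservice:vsock_socket ~{ getattr read write };` only constrains sockets created by that one domain; `self:vsock_socket create`, or read/write on a vsock owned by crosvm or any other domain, is no longer neverallowed and a later allow rule would pass CTS policy checks. Keep the broad guarantee with one extra line alongside the new rule: `neverallow all_untrusted_apps { domain -virtualizationservice }:vsock_socket *;`. The first lines of the socket-class list are outside this hunk.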
diff --git a/private/bug_map b/private/bug_map
index 5b042ae..de7a4b5 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -25,6 +25,7 @@
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
+system_server apex_art_data_file file b/194054685
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index c33bc73..f3abde4 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -530,6 +530,7 @@
(expandtypeattribute (labeledfs_31_0) true)
(expandtypeattribute (launcherapps_service_31_0) true)
(expandtypeattribute (legacy_permission_service_31_0) true)
+(expandtypeattribute (legacykeystore_service_31_0) true)
(expandtypeattribute (libc_debug_prop_31_0) true)
(expandtypeattribute (light_service_31_0) true)
(expandtypeattribute (linkerconfig_file_31_0) true)
@@ -1189,7 +1190,6 @@
(expandtypeattribute (vold_status_prop_31_0) true)
(expandtypeattribute (vpn_data_file_31_0) true)
(expandtypeattribute (vpn_management_service_31_0) true)
-(expandtypeattribute (vpnprofilestore_service_31_0) true)
(expandtypeattribute (vr_hwc_31_0) true)
(expandtypeattribute (vr_hwc_exec_31_0) true)
(expandtypeattribute (vr_hwc_service_31_0) true)
@@ -1760,6 +1760,7 @@
(typeattributeset labeledfs_31_0 (labeledfs))
(typeattributeset launcherapps_service_31_0 (launcherapps_service))
(typeattributeset legacy_permission_service_31_0 (legacy_permission_service))
+(typeattributeset legacykeystore_service_31_0 (legacykeystore_service))
(typeattributeset libc_debug_prop_31_0 (libc_debug_prop))
(typeattributeset light_service_31_0 (light_service))
(typeattributeset linkerconfig_file_31_0 (linkerconfig_file))
@@ -2419,7 +2420,6 @@
(typeattributeset vold_status_prop_31_0 (vold_status_prop))
(typeattributeset vpn_data_file_31_0 (vpn_data_file))
(typeattributeset vpn_management_service_31_0 (vpn_management_service))
-(typeattributeset vpnprofilestore_service_31_0 (vpnprofilestore_service))
(typeattributeset vr_hwc_31_0 (vr_hwc))
(typeattributeset vr_hwc_exec_31_0 (vr_hwc_exec))
(typeattributeset vr_hwc_service_31_0 (vr_hwc_service))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index c2ffde0..72994dd 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -7,9 +7,16 @@
( new_objects
artd_service
camera2_extensions_prop
+ hal_system_suspend_service
+ hal_tv_tuner_service
+ hal_wifi_hostapd_service
power_stats_service
+ snapuserd_prop
+ snapuserd_proxy_socket
tare_service
transformer_service
proc_watermark_boost_factor
untrusted_app_30
+ proc_vendor_sched
+ sysfs_vendor_sched
))
diff --git a/private/compos.te b/private/compos.te
new file mode 100644
index 0000000..f4cdc17
--- /dev/null
+++ b/private/compos.te
@@ -0,0 +1,3 @@
+# TODO(b/193504816): move this to compos APEX
+type compos, domain, coredomain;
+type compos_exec, exec_type, file_type, system_file_type;
diff --git a/private/crosvm.te b/private/crosvm.te
index b139286..7426ef9 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -2,12 +2,6 @@
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
-# Let crosvm create temporary files.
-tmpfs_domain(crosvm)
-
-# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
-
# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;
@@ -15,9 +9,55 @@
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
-# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
-# as they must be passed via virtualizationservice.
-allow crosvm apk_data_file:file { getattr read };
-allow crosvm app_data_file:file { getattr read write };
-# shell_data_file is used for automated tests and manual debugging.
-allow crosvm shell_data_file:file { getattr read write };
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from VirtualizationService.
+allow crosvm virtualizationservice:fd use;
+
+# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
+# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
+# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
+# the files are passed as file descriptors.
+allow crosvm {
+ virtualizationservice_data_file
+ staging_data_file
+ apk_data_file
+ app_data_file
+ apex_compos_data_file
+ userdebug_or_eng(`shell_data_file')
+}:file { getattr read ioctl lock };
+
+# Allow searching the directory where the composite disk images are.
+allow crosvm virtualizationservice_data_file:dir search;
+
+# TODO(b/193402941) delete this. This for now is required because crosvm needs to open the files for
+# the GPT headers of the composite disks.
+allow crosvm virtualizationservice_data_file:file open;
+
+# Don't allow crosvm to open files that it doesn't own.
+neverallow crosvm {
+ #TODO(b/193402941) uncomment the following line
+ #virtualizationservice_data_file
+ staging_data_file
+ apk_data_file
+ app_data_file
+ userdebug_or_eng(`-shell_data_file')
+}:file open;
+
+# The instance image and the composite image should be writable as well because they could represent
+# mutable disks.
+allow crosvm {
+ virtualizationservice_data_file
+ app_data_file
+ apex_compos_data_file
+}:file write;
+
+# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
+allow crosvm { adbd appdomain }:fd use;
+allow crosvm adbd:unix_stream_socket { read write };
+allow crosvm appdomain:fifo_file { read write };
+
+# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
+# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
+userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
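Review bot: `apex_compos_data_file` is granted `read`/`write` to crosvm in the two allow blocks but is missing from the "Don't allow crosvm to open files that it doesn't own" neverallow list, so unlike `staging_data_file`, `apk_data_file` and `app_data_file` nothing stops a later rule from letting crosvm open CompOS instance images directly instead of receiving them from virtualizationservice. Add `apex_compos_data_file` to that neverallow set, next to `app_data_file`. It would also help to note in the comment above the neverallow that `virtualizationservice_data_file` is temporarily exempt because of the `open` rule above it (b/193402941), so the two TODOs are read together.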
diff --git a/private/domain.te b/private/domain.te
index 7f4401d..9eeee88 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -216,6 +216,7 @@
-iorap_inode2filename
-priv_app
-virtualizationservice
+ -crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
@@ -553,3 +554,18 @@
-tracefs_type
}:file no_rw_file_perms;
')
+
+# Restrict write access to shell owned files. The /data/local/tmp directory is
+# untrustworthy, and non-allowed domains should not be trusting any content in
+# those directories. We allow shell files to be passed around by file
+# descriptor, but not directly opened.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -installd
+ userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-virtualizationservice')
+ userdebug_or_eng(`-crosvm')
+} shell_data_file:file open;
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 40b3945..2c65281 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -22,6 +22,7 @@
# Determine allocation scheme (whether B partitions needs to be
# at the second half of super.
get_prop(fastbootd, virtual_ab_prop)
+ get_prop(fastbootd, snapuserd_prop)
# Needed for TCP protocol
allow fastbootd node:tcp_socket node_bind;
diff --git a/private/file_contexts b/private/file_contexts
index 779a37a..a5dd5a6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -162,6 +162,7 @@
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
/dev/socket/snapuserd u:object_r:snapuserd_socket:s0
+/dev/socket/snapuserd_proxy u:object_r:snapuserd_proxy_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
@@ -475,8 +476,10 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
-/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
-/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 42d142f..e069233 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -6,9 +6,8 @@
# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file r_file_perms;
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit fsverity_init init:key view;
-dontaudit fsverity_init vold:key view;
+# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
+dontaudit fsverity_init domain:key view;
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b890ba6..8af6198 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -104,6 +104,7 @@
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
genfscon fusectl / u:object_r:fusectlfs:s0
@@ -165,6 +166,7 @@
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 5b6e79d..4a44dc5 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -41,6 +41,7 @@
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
android.hardware.tests.lazy::ILazy u:object_r:hal_lazy_test_hwservice:s0
+android.hardware.tests.lazy_cb::ILazyCb u:object_r:hal_lazy_test_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 78bbdb0..545d9ea 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -39,6 +39,7 @@
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;
allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
+allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_ALLOC;
# MtpServer sets sys.usb.ffs.mtp.ready
get_prop(mediaprovider, ffs_config_prop)
diff --git a/private/odsign.te b/private/odsign.te
index 10adcd5..3297af7 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -44,9 +44,9 @@
allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
allow odsign apex_art_data_file:file { rw_file_perms unlink };
-# For CompOS pending key files
-allow odsign apex_compos_data_file:dir { getattr search write remove_name };
-allow odsign apex_compos_data_file:file { r_file_perms unlink };
+# For CompOS instance & key files
+allow odsign apex_compos_data_file:dir rw_dir_perms;
+allow odsign apex_compos_data_file:file { r_file_perms unlink rename };
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
@@ -58,6 +58,9 @@
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
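Review bot: `set_prop(odsign, ctl_odsign_prop)` introduces a property whose property_contexts comment says access to stopping odsign is restricted, but unlike `odsign_prop` just above it, no neverallow pins who may set it; snapuserd.te in this same diff shows the pattern for `snapuserd_prop`. Add `neverallow { domain -odsign -init } ctl_odsign_prop:property_service set;` beside the new rule so a stray `set_prop` elsewhere cannot stop odsign mid-verification. The remaining odsign_data_file neverallows continue past the end of this hunk.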
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 94af043..2fdc941 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -32,6 +32,9 @@
allow postinstall_dexopt tmpfs:file read;
+# Allow access odsign verification status
+get_prop(postinstall_dexopt, odsign_prop)
+
# Allow access to /postinstall/apex.
allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
diff --git a/private/property.te b/private/property.te
index 49d18ee..671a24a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -30,6 +30,7 @@
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
+system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
@@ -37,6 +38,7 @@
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index fa5389d..7f97281 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -169,6 +169,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to stopping odsign
+ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
+
# Restrict access to starting media.transcoding.
ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
@@ -278,10 +281,12 @@
sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
-# Virtual A/B properties
+# Virtual A/B and snapuserd properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
+snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
diff --git a/private/recovery.te b/private/recovery.te
index bba2a0d..2dba93b 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -38,6 +38,7 @@
allow recovery snapuserd_socket:sock_file write;
allow recovery snapuserd:unix_stream_socket connectto;
allow recovery dm_user_device:dir r_dir_perms;
+ get_prop(recovery, snapuserd_prop)
# Set fastbootd protocol property
set_prop(recovery, fastbootd_protocol_prop)
diff --git a/private/service_contexts b/private/service_contexts
index 6c8c83e..337ee80 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -16,11 +16,14 @@
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
+android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -29,6 +32,7 @@
adb u:object_r:adb_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
+aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
diff --git a/private/shell.te b/private/shell.te
index e8d0b2b..bd4e5c0 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -106,8 +106,16 @@
# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;
-# Allow shell to execute profcollectctl without a domain transition.
-allow shell profcollectd_exec:file rx_file_perms;
+userdebug_or_eng(`
+ # Allow shell to execute profcollectctl without a domain transition.
+ allow shell profcollectd_exec:file rx_file_perms;
+
+ # Allow shell to read profcollectd data files.
+ r_dir_file(shell, profcollectd_data_file)
+
+ # Allow to issue control commands to profcollectd binder service.
+ allow shell profcollectd:binder call;
+')
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
@@ -173,11 +181,6 @@
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-# Allow to issue control commands to profcollectd binder service.
-userdebug_or_eng(`
- allow shell profcollectd:binder call;
-')
-
# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
allow shell keystore2_key_contexts_file:file r_file_perms;
diff --git a/private/snapuserd.te b/private/snapuserd.te
index d96b31e..2956891 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -17,10 +17,24 @@
allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
-# Reading and writing to /dev/socket/snapuserd.
+# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+allow snapuserd snapuserd_proxy_socket:sock_file write;
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
allow snapuserd kernel:fd use;
+
+# snapuserd.* properties
+set_prop(snapuserd, snapuserd_prop)
+
+# For inotify watching for /dev/socket/snapuserd_proxy to appear.
+allow snapuserd tmpfs:dir read;
+
+# Forbid anything other than snapuserd and init setting snapuserd properties.
+neverallow {
+ domain
+ -snapuserd
+ -init
+} snapuserd_prop:property_service set;
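Review bot: `allow snapuserd snapuserd_proxy_socket:sock_file write;` only covers the socket node on the filesystem; for a connect() to succeed the domain also needs `connectto` on the listening domain's `unix_stream_socket`, which this hunk does not add. If that is granted elsewhere in the change (for example via `unix_socket_connect`), a comment saying so next to the rule would help; otherwise this is a missing rule and the proxy connection will be denied. The `allow snapuserd tmpfs:dir read;` line used for the inotify watch is also worth a second look: on kernels that enforce the SELinux `watch` permission, setting a watch on a directory needs `watch` in addition to `read`. Both lines are inside this hunk; the rest of snapuserd.te is outside it.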
diff --git a/private/system_suspend.te b/private/system_suspend.te
index caf8955..d924187 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -7,6 +7,8 @@
binder_use(system_suspend)
add_service(system_suspend, system_suspend_control_service)
+add_service(system_suspend, hal_system_suspend_service)
+
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
diff --git a/private/update_engine.te b/private/update_engine.te
index d828e1f..c3f575f 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -24,6 +24,7 @@
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
+get_prop(update_engine, snapuserd_prop)
# Allow to communicate with apexd for calculating and reserving space for
# capex decompression
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4efe355..f92c94f 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -7,6 +7,14 @@
# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)
+# ... and host a binder service
+binder_service(virtualizationservice)
+# It needs to call back to app
+binder_call(virtualizationservice, appdomain)
+
+# Allow calling into the system server so that it can check permissions.
+binder_call(virtualizationservice, system_server)
+allow virtualizationservice permission_service:service_manager find;
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
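Review bot: `binder_call(virtualizationservice, appdomain)` at the top of this hunk, combined with `virtualization_service` becoming an `app_api_service` in the public/service.te hunk of this commit, exposes the service to, and permits callbacks into, every app domain including the more restricted app sandboxes, and the `# It needs to call back to app` comment does not say which callers are expected. If the intent is that only apps passing the permission check done through `system_server` should reach it, either narrow the call target or document that the gate is that check, e.g. `# Callbacks may go to any app domain; access is gated by the permission check done via system_server, not by this rule.` The remainder of virtualizationservice.te is outside this hunk.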
@@ -32,22 +40,32 @@
allow virtualizationservice $1:fd use;
')
-# Let the shell user call virtualizationservice for debugging.
+# Let the shell user call virtualizationservice (and virtualizationservice call back to shell) for
+# debugging.
virtualizationservice_use(shell)
+binder_call(virtualizationservice, shell)
+
+# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
+# crosvm to the console
+allow virtualizationservice adbd:fd use;
+allow virtualizationservice adbd:unix_stream_socket { read write };
# Let virtualizationservice read and write files from its various clients, but not open them
# directly as they must be passed over Binder by the client.
allow virtualizationservice apk_data_file:file { getattr read };
-allow virtualizationservice app_data_file:file { getattr read write };
+# Write access is needed for mutable partitions like instance.img
+allow virtualizationservice {
+ app_data_file
+ apex_compos_data_file
+}:file { getattr read write };
+
# shell_data_file is used for automated tests and manual debugging.
allow virtualizationservice shell_data_file:file { getattr read write };
-# Allow virtualizationservice to access apex files in /data/apex/{active,decompressed}
+# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationservice apex_info_file:file r_file_perms;
allow virtualizationservice apex_data_file:dir search;
allow virtualizationservice staging_data_file:file r_file_perms;
-# Allow virtualizationservice to read apex-info-list.xml
-allow virtualizationservice apex_info_file:file r_file_perms;
-
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
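Review bot: The retained comment `# Let virtualizationservice read and write files from its various clients, but not open them directly as they must be passed over Binder by the client.` describes an invariant that public/domain.te in this same commit stops enforcing: the `neverallow ... shell_data_file:file open` block there is deleted without a replacement, yet nothing in this hunk needs that deletion, since the new `{ getattr read write }` rules do not grant `open`. Either keep that neverallow or say in the commit which domain now has to open shell_data_file directly, e.g. `# shell_data_file is opened directly by <domain> (placeholder); see public/domain.te`. `apex_compos_data_file` is not declared in the visible hunks, so it is presumably defined elsewhere in the change. The enclosing file continues outside this hunk.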
diff --git a/public/domain.te b/public/domain.te
index 799a2f1..3643d8c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1227,17 +1227,6 @@
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -installd
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
diff --git a/public/file.te b/public/file.te
index cf65c7d..9bb1ff9 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,6 +78,7 @@
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
+type proc_vendor_sched, proc_type, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
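Review bot: `type proc_vendor_sched, proc_type, fs_type;` lists its attributes in the opposite order from the surrounding `proc_*` declarations, which all use `fs_type, proc_type`; harmless to the compiler, but matching the order keeps the block grep-able. The genfscon labelling of the corresponding proc path is not in this hunk, so it is presumably elsewhere in the change.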
@@ -117,6 +118,10 @@
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
+type sysfs_vendor_sched, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_vendor_sched mlstrustedobject;
+')
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
type configfs, fs_type;
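Review bot: The `userdebug_or_eng` block that gives `sysfs_vendor_sched` the `mlstrustedobject` attribute carries no comment explaining why debug builds need this sysfs node to bypass MLS constraints while user builds do not; an asymmetry like this tends to be copied into other declarations without understanding. Add a line above the block such as `# mlstrustedobject on debug builds only: <reason / debug-only domain that needs cross-level access> (placeholder)`.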
@@ -499,6 +504,7 @@
type rild_socket, file_type;
type rild_debug_socket, file_type;
type snapuserd_socket, file_type, coredomain_socket;
+type snapuserd_proxy_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
diff --git a/public/hal_tv_tuner.te b/public/hal_tv_tuner.te
index 0da4ec7..4b7c030 100644
--- a/public/hal_tv_tuner.te
+++ b/public/hal_tv_tuner.te
@@ -2,3 +2,7 @@
binder_call(hal_tv_tuner_server, hal_tv_tuner_client)
hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
+hal_attribute_service(hal_tv_tuner, hal_tv_tuner_service)
+
+binder_call(hal_tv_tuner_server, servicemanager)
+binder_call(hal_tv_tuner_client, servicemanager)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 55efc3c..b508aa5 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -3,6 +3,11 @@
binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
+hal_attribute_service(hal_wifi_hostapd, hal_wifi_hostapd_service)
+
+binder_call(hal_wifi_hostapd_server, servicemanager)
+
+allow hal_wifi_hostapd_server dumpstate:fifo_file write;
allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 5ac4d94..fa96726 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -841,6 +841,7 @@
define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_ENDPOINT_ALLOC', `0x000067e7')
define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
diff --git a/public/service.te b/public/service.te
index 5e94477..5cf379a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -43,7 +43,7 @@
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
-type virtualization_service, service_manager_type;
+type virtualization_service, app_api_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
@@ -243,6 +243,7 @@
type wpantund_service, system_api_service, service_manager_type;
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type emergency_affordance_service, system_server_service, service_manager_type;
+type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;
###
### HAL Services
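Review bot: `type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;` is inserted above the `### HAL Services` header, among the system_server service types, whereas the other HAL service types this commit adds (`hal_system_suspend_service` and `hal_tv_tuner_service` in the next hunk) go into the HAL section in alphabetical order. Move the line into the HAL block beside `hal_vibrator_service` so the file's grouping stays meaningful.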
@@ -267,6 +268,8 @@
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_system_suspend_service, protected_service, service_manager_type;
+type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
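Review bot: `type hal_system_suspend_service, protected_service, service_manager_type;` omits `vendor_service`, unlike every neighbouring HAL service declaration; that is presumably deliberate because the service is registered by the core `system_suspend` domain in private/system_suspend.te, but nothing in this file says so. A short comment such as `# Served by the core system_suspend domain, hence not a vendor_service` next to the declaration would stop a later reader from "fixing" it.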
diff --git a/public/te_macros b/public/te_macros
index 200b2e3..1bdf039 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -431,6 +431,9 @@
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
+# AIDL suspend hal permissions
+allow $1 hal_system_suspend_service:service_manager find;
+binder_use($1)
')
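Review bot: `allow $1 hal_system_suspend_service:service_manager find;` plus `binder_use($1)` lets every domain built with this macro locate the suspend service, but `find` alone does not permit transacting with it; unless `binder { call transfer }` between those domains and `system_suspend` is granted elsewhere (the visible system_suspend.te hunk only adds `add_service`), the first call will still be denied. The `# AIDL suspend hal permissions` comment should also make clear that `binder_use` is what makes these domains AIDL clients at all, since it grants servicemanager access that is not specific to the suspend HAL, e.g. `# AIDL suspend HAL: binder_use gives servicemanager access needed to find the service; call/transfer to system_suspend is granted separately.` The macro definition begins outside this hunk.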
#####################################
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 3f7c8f9..79bbda4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -76,6 +76,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0