Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
diff --git a/prebuilts/api/26.0/private/access_vectors b/prebuilts/api/26.0/private/access_vectors
new file mode 100644
index 0000000..74cf530
--- /dev/null
+++ b/prebuilts/api/26.0/private/access_vectors
@@ -0,0 +1,710 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+ module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+ attach_queue
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+ node_bind
+}
+
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class property_service
+{
+ set
+}
+
+class service_manager
+{
+ add
+ find
+ list
+}
+
+class hwservice_manager
+{
+ add
+ find
+ list
+}
+
+class keystore_key
+{
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+ gen_unique_id
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
diff --git a/prebuilts/api/26.0/private/adbd.te b/prebuilts/api/26.0/private/adbd.te
new file mode 100644
index 0000000..52597eb
--- /dev/null
+++ b/prebuilts/api/26.0/private/adbd.te
@@ -0,0 +1,141 @@
+### ADB daemon
+
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+ allow adbd self:process setcurrent;
+ allow adbd su:process dyntransition;
+')
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:capability { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:capability setpcap;
+
+# Create and use network sockets.
+net_domain(adbd)
+
+# Access /dev/usb-ffs/adb/ep0
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
+# adb push/pull sdcard.
+allow adbd tmpfs:dir search;
+allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
+# adb pull /data/anr/traces.txt
+allow adbd anr_data_file:dir r_dir_perms;
+allow adbd anr_data_file:file r_file_perms;
+
+# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
+# Run /system/bin/bu
+allow adbd system_file:file rx_file_perms;
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file r_file_perms;
+
+userdebug_or_eng(`
+ # Write debugging information to /data/adb
+ # when persist.adb.trace_mask is set
+ # https://code.google.com/p/android/issues/detail?id=72895
+ allow adbd adb_data_file:dir rw_dir_perms;
+ allow adbd adb_data_file:file create_file_perms;
+')
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
+
+# Allow pulling config.gz for CTS purposes
+allow adbd config_gz:file r_file_perms;
+
+allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow adbd media_rw_data_file:dir create_dir_perms;
+allow adbd media_rw_data_file:file create_file_perms;
+
+r_dir_file(adbd, apk_data_file)
+
+allow adbd rootfs:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
new file mode 100644
index 0000000..6f2b820
--- /dev/null
+++ b/prebuilts/api/26.0/private/app.te
@@ -0,0 +1,524 @@
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain ashmem_device:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Place process into foreground / background
+allow appdomain cgroup:dir { search write };
+allow appdomain cgroup:file rw_file_perms;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+userdebug_or_eng(`
+ # Notify zygote of the wrapped process PID when using --invoke-with.
+ allow appdomain zygote:fifo_file write;
+
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# Query whether a Surface supports wide color
+allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read };
+
+# Write to /data/anr/traces.txt.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow appdomain qtaguid_proc:file rw_file_perms;
+# read /proc/net/xt_qtguid/stats
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow appdomain qtaguid_device:chr_file r_file_perms;
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
+
+# Access OBBs (vfat images) mounted by vold (b/17633509)
+# File write access allowed for FDs returned through Storage Access Framework
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app untrusted_v2_app })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore({ appdomain -isolated_app -ephemeral_app })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# TODO is write really necessary ?
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
+# Check SELinux policy and contexts.
+selinux_check_access(appdomain)
+selinux_check_context(appdomain)
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin and wake_alarm.
+neverallow { appdomain -bluetooth } self:capability *;
+neverallow { appdomain -bluetooth } self:capability2 *;
+
+# Block device access.
+neverallow appdomain dev_type:blk_file { read write };
+
+# Access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+ video_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc } nfc_device:chr_file
+ { read write };
+neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
+ { read write };
+neverallow appdomain tee_device:chr_file { read write };
+
+# Privileged netlink socket interfaces.
+neverallow appdomain
+ domain:{
+ netlink_tcpdiag_socket
+ netlink_nflog_socket
+ netlink_xfrm_socket
+ netlink_audit_socket
+ netlink_dnrt_socket
+ } *;
+
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow appdomain socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow appdomain adbd_socket:sock_file write;
+neverallow { appdomain -radio } rild_socket:sock_file write;
+neverallow appdomain vold_socket:sock_file write;
+neverallow appdomain zygote_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow appdomain { domain -appdomain }:process ptrace;
+
+# Write access to /proc/pid entries for any non-app domain.
+neverallow appdomain { domain -appdomain }:file write;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+neverallow appdomain { domain -appdomain }:process
+ { sigkill sigstop signal };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+ { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+ { dyntransition };
+
+# Write to rootfs.
+neverallow appdomain rootfs:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow appdomain system_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow appdomain exec_type:file
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts. Define a different type for portions
+# that should be writable by apps.
+neverallow appdomain system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow appdomain drm_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell }
+ shell_data_file:dir_file_class_set
+ { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth }
+ bluetooth_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ keystore_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ systemkeys_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ dhcp_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# access tmp apk files
+neverallow { appdomain -platform_app -priv_app }
+ { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
+
+# Access to factory files.
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc }
+ sysfs:dir_file_class_set write;
+neverallow appdomain
+ proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow appdomain fs_type:filesystem ~getattr;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+ apk_data_file
+ cache_file
+ cache_recovery_file
+ dev_type
+ rootfs
+ system_file
+ tmpfs
+}:lnk_file no_w_file_perms;
+
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+ appdomain
+ -shell # bugreport
+} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+ appdomain
+ -bluetooth
+ -system_app
+} bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/26.0/private/app_neverallows.te b/prebuilts/api/26.0/private/app_neverallows.te
new file mode 100644
index 0000000..3c159d5
--- /dev/null
+++ b/prebuilts/api/26.0/private/app_neverallows.te
@@ -0,0 +1,215 @@
+###
+### neverallow rules for untrusted app domains
+###
+
+# Only allow domains in AOSP to use the untrusted_app_all attribute.
+neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
+
+define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
+# Receive or send uevent messages.
+neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow all_untrusted_apps domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow all_untrusted_apps debugfs_type:file read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow all_untrusted_apps service_manager_type:service_manager add;
+
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
+# Do not allow untrusted apps to connect to the property service
+# or set properties. b/10243159
+neverallow all_untrusted_apps property_socket:sock_file write;
+neverallow all_untrusted_apps init:unix_stream_socket connectto;
+neverallow all_untrusted_apps property_type:property_service set;
+
+# Do not allow untrusted apps to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and an untrusted app is allowed fork permission to itself.
+neverallow all_untrusted_apps mlstrustedsubject:process fork;
+
+# Do not allow untrusted apps to hard link to any files.
+# In particular, if an untrusted app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted apps never have this
+# capability.
+neverallow all_untrusted_apps file_type:file link;
+
+# Do not allow untrusted apps to access network MAC address file
+neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow all_untrusted_apps *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+
+# Do not allow untrusted apps access to /cache
+neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted apps to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow all_untrusted_apps {
+ fs_type
+ -fuse # sdcard
+ -sdcardfs # sdcard
+ -vfat
+ file_type
+ -app_data_file # The apps sandbox itself
+ -media_rw_data_file # Internal storage. Known that apps can
+ # leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files
+ userdebug_or_eng(`
+ -method_trace_data_file # only on ro.debuggable=1
+ -coredump_file # userdebug/eng only
+ ')
+}:dir_file_class_set { create unlink };
+
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
+# Do not allow untrusted apps to directly open tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow all_untrusted_apps anr_data_file:file ~{ open append };
+neverallow all_untrusted_apps anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, many
+# HwBinder services either operate at a level below that of apps (e.g., HALs)
+# or must not rely on app identity for authorization. Thus, to be safe, the
+# default assumption is that every HwBinder service treats all its clients as
+# equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+# incidence rate of security issues than system/core components and have
+# access to lower layes of the stack (all the way down to hardware) thus
+# increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+# associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+neverallow all_untrusted_apps {
+ hwservice_manager_type
+ -same_process_hwservice
+ -coredomain_hwservice
+ -hal_configstore_ISurfaceFlingerConfigs
+ -hal_graphics_allocator_hwservice
+ -hal_omx_hwservice
+ -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_audio_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+ coredomain_hwservice
+ -same_process_hwservice
+ -hidl_allocator_hwservice # Designed for use by any domain
+ -hidl_manager_hwservice # Designed for use by any domain
+ -hidl_memory_hwservice # Designed for use by any domain
+ -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+ neverallow all_untrusted_apps {
+ halserverdomain
+ -coredomain
+ -hal_configstore_server
+ -hal_graphics_allocator_server
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ }:binder { call transfer };
+')
diff --git a/prebuilts/api/26.0/private/asan_extract.te b/prebuilts/api/26.0/private/asan_extract.te
new file mode 100644
index 0000000..1c20d78
--- /dev/null
+++ b/prebuilts/api/26.0/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
diff --git a/prebuilts/api/26.0/private/atrace.te b/prebuilts/api/26.0/private/atrace.te
new file mode 100644
index 0000000..94d8483
--- /dev/null
+++ b/prebuilts/api/26.0/private/atrace.te
@@ -0,0 +1,24 @@
+# Domain for atrace process spawned by boottrace service.
+
+type atrace_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+ type atrace, domain, coredomain, domain_deprecated;
+
+ init_daemon_domain(atrace)
+
+ # boottrace services uses /data/misc/boottrace/categories
+ allow atrace boottrace_data_file:dir search;
+ allow atrace boottrace_data_file:file r_file_perms;
+
+ # atrace reads the files in /sys/kernel/debug/tracing/
+ allow atrace debugfs_tracing:file r_file_perms;
+
+ # atrace sets debug.atrace.* properties
+ set_prop(atrace, debug_prop)
+
+ # atrace pokes all the binder-enabled processes at startup.
+ binder_use(atrace)
+ allow atrace healthd:binder call;
+ allow atrace surfaceflinger:binder call;
+')
diff --git a/prebuilts/api/26.0/private/attributes b/prebuilts/api/26.0/private/attributes
new file mode 100644
index 0000000..fcbfecf
--- /dev/null
+++ b/prebuilts/api/26.0/private/attributes
@@ -0,0 +1,9 @@
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;
diff --git a/prebuilts/api/26.0/private/audioserver.te b/prebuilts/api/26.0/private/audioserver.te
new file mode 100644
index 0000000..9119daa
--- /dev/null
+++ b/prebuilts/api/26.0/private/audioserver.te
@@ -0,0 +1,66 @@
+# audioserver - audio services daemon
+
+typeattribute audioserver coredomain;
+
+type audioserver_exec, exec_type, file_type;
+init_daemon_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, appdomain)
+binder_service(audioserver)
+
+hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
+hal_client_domain(audioserver, hal_audio)
+
+userdebug_or_eng(`
+ # used for TEE sink - pcm capture for debug.
+ allow audioserver media_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:file create_file_perms;
+
+ # ptrace to processes in the same domain for memory leak detection
+ allow audioserver self:process ptrace;
+')
+
+add_service(audioserver, audioserver_service)
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/26.0/private/binder_in_vendor_violators.te b/prebuilts/api/26.0/private/binder_in_vendor_violators.te
new file mode 100644
index 0000000..4a1218e
--- /dev/null
+++ b/prebuilts/api/26.0/private/binder_in_vendor_violators.te
@@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/26.0/private/binderservicedomain.te b/prebuilts/api/26.0/private/binderservicedomain.te
new file mode 100644
index 0000000..0891ee5
--- /dev/null
+++ b/prebuilts/api/26.0/private/binderservicedomain.te
@@ -0,0 +1,22 @@
+# Rules common to all binder service domains
+
+# Allow dumpstate and incidentd to collect information from binder services
+allow binderservicedomain { dumpstate incidentd }:fd use;
+allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
+allow binderservicedomain shell_data_file:file { getattr write };
+
+# Allow dumpsys to work from adb shell or the serial console
+allow binderservicedomain devpts:chr_file rw_file_perms;
+allow binderservicedomain console_device:chr_file rw_file_perms;
+
+# Receive and write to a pipe received over Binder from an app.
+allow binderservicedomain appdomain:fd use;
+allow binderservicedomain appdomain:fifo_file write;
+
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore(binderservicedomain)
diff --git a/prebuilts/api/26.0/private/blkid.te b/prebuilts/api/26.0/private/blkid.te
new file mode 100644
index 0000000..090912b
--- /dev/null
+++ b/prebuilts/api/26.0/private/blkid.te
@@ -0,0 +1,22 @@
+# blkid called from vold
+
+typeattribute blkid coredomain;
+
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/private/blkid_untrusted.te b/prebuilts/api/26.0/private/blkid_untrusted.te
new file mode 100644
index 0000000..1256771
--- /dev/null
+++ b/prebuilts/api/26.0/private/blkid_untrusted.te
@@ -0,0 +1,37 @@
+# blkid for untrusted block devices
+
+typeattribute blkid_untrusted coredomain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/26.0/private/bluetooth.te b/prebuilts/api/26.0/private/bluetooth.te
new file mode 100644
index 0000000..1c0e14f
--- /dev/null
+++ b/prebuilts/api/26.0/private/bluetooth.te
@@ -0,0 +1,77 @@
+# bluetooth subsystem
+
+typeattribute bluetooth coredomain;
+typeattribute bluetooth domain_deprecated;
+
+app_domain(bluetooth)
+net_domain(bluetooth)
+
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(bluetooth);
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
+allow bluetooth bluetooth_logs_data_file:file create_file_perms;
+
+# Socket creation under /data/misc/bluedroid.
+allow bluetooth bluetooth_socket:sock_file create_file_perms;
+
+allow bluetooth self:capability net_admin;
+allow bluetooth self:capability2 wake_alarm;
+
+# tethering
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth efs_file:dir search;
+
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# Allow write access to bluetooth specific properties
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+
+allow bluetooth audioserver_service:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth drmserver_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth surfaceflinger_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:capability sys_nice;
+
+hal_client_domain(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_telephony)
+
+read_runtime_log_tags(bluetooth)
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/26.0/private/bluetoothdomain.te b/prebuilts/api/26.0/private/bluetoothdomain.te
new file mode 100644
index 0000000..fe4f0e6
--- /dev/null
+++ b/prebuilts/api/26.0/private/bluetoothdomain.te
@@ -0,0 +1,2 @@
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/prebuilts/api/26.0/private/bootanim.te b/prebuilts/api/26.0/private/bootanim.te
new file mode 100644
index 0000000..8c9f6c7
--- /dev/null
+++ b/prebuilts/api/26.0/private/bootanim.te
@@ -0,0 +1,3 @@
+typeattribute bootanim coredomain;
+
+init_daemon_domain(bootanim)
diff --git a/prebuilts/api/26.0/private/bootstat.te b/prebuilts/api/26.0/private/bootstat.te
new file mode 100644
index 0000000..806144c
--- /dev/null
+++ b/prebuilts/api/26.0/private/bootstat.te
@@ -0,0 +1,3 @@
+typeattribute bootstat coredomain;
+
+init_daemon_domain(bootstat)
diff --git a/prebuilts/api/26.0/private/bufferhubd.te b/prebuilts/api/26.0/private/bufferhubd.te
new file mode 100644
index 0000000..012eb20
--- /dev/null
+++ b/prebuilts/api/26.0/private/bufferhubd.te
@@ -0,0 +1,3 @@
+typeattribute bufferhubd coredomain;
+
+init_daemon_domain(bufferhubd)
diff --git a/prebuilts/api/26.0/private/cameraserver.te b/prebuilts/api/26.0/private/cameraserver.te
new file mode 100644
index 0000000..c16c132
--- /dev/null
+++ b/prebuilts/api/26.0/private/cameraserver.te
@@ -0,0 +1,3 @@
+typeattribute cameraserver coredomain;
+
+init_daemon_domain(cameraserver)
diff --git a/prebuilts/api/26.0/private/charger.te b/prebuilts/api/26.0/private/charger.te
new file mode 100644
index 0000000..65109de
--- /dev/null
+++ b/prebuilts/api/26.0/private/charger.te
@@ -0,0 +1 @@
+typeattribute charger coredomain;
diff --git a/prebuilts/api/26.0/private/clatd.te b/prebuilts/api/26.0/private/clatd.te
new file mode 100644
index 0000000..c09398d
--- /dev/null
+++ b/prebuilts/api/26.0/private/clatd.te
@@ -0,0 +1,2 @@
+typeattribute clatd coredomain;
+typeattribute clatd domain_deprecated;
diff --git a/prebuilts/api/26.0/private/cppreopts.te b/prebuilts/api/26.0/private/cppreopts.te
new file mode 100644
index 0000000..34f0d66
--- /dev/null
+++ b/prebuilts/api/26.0/private/cppreopts.te
@@ -0,0 +1,6 @@
+typeattribute cppreopts coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
diff --git a/prebuilts/api/26.0/private/crash_dump.te b/prebuilts/api/26.0/private/crash_dump.te
new file mode 100644
index 0000000..fb73f08
--- /dev/null
+++ b/prebuilts/api/26.0/private/crash_dump.te
@@ -0,0 +1 @@
+typeattribute crash_dump coredomain;
diff --git a/prebuilts/api/26.0/private/dex2oat.te b/prebuilts/api/26.0/private/dex2oat.te
new file mode 100644
index 0000000..89c3970
--- /dev/null
+++ b/prebuilts/api/26.0/private/dex2oat.te
@@ -0,0 +1,2 @@
+typeattribute dex2oat coredomain;
+typeattribute dex2oat domain_deprecated;
diff --git a/prebuilts/api/26.0/private/dexoptanalyzer.te b/prebuilts/api/26.0/private/dexoptanalyzer.te
new file mode 100644
index 0000000..db81d0d
--- /dev/null
+++ b/prebuilts/api/26.0/private/dexoptanalyzer.te
@@ -0,0 +1,26 @@
+# dexoptanalyzer
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+type dexoptanalyzer_exec, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexoptanalyzer vs other
+#processes.
+tmpfs_domain(dexoptanalyzer)
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+
+allow dexoptanalyzer installd:fd use;
+
+# Allow reading secondary dex files that were reported by the app to the
+# package manager.
+allow dexoptanalyzer app_data_file:dir { getattr search };
+allow dexoptanalyzer app_data_file:file r_file_perms;
+
+# Allow testing /data/user/0 which symlinks to /data/data
+allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/prebuilts/api/26.0/private/dhcp.te b/prebuilts/api/26.0/private/dhcp.te
new file mode 100644
index 0000000..6a6a139
--- /dev/null
+++ b/prebuilts/api/26.0/private/dhcp.te
@@ -0,0 +1,5 @@
+typeattribute dhcp coredomain;
+typeattribute dhcp domain_deprecated;
+
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/prebuilts/api/26.0/private/dnsmasq.te b/prebuilts/api/26.0/private/dnsmasq.te
new file mode 100644
index 0000000..96084b4
--- /dev/null
+++ b/prebuilts/api/26.0/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
new file mode 100644
index 0000000..d37a0bd
--- /dev/null
+++ b/prebuilts/api/26.0/private/domain.te
@@ -0,0 +1,18 @@
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow {
+ domain
+ -vold
+ -dumpstate
+ -storaged
+ -system_server
+ userdebug_or_eng(`-perfprofd')
+} self:capability sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
diff --git a/prebuilts/api/26.0/private/domain_deprecated.te b/prebuilts/api/26.0/private/domain_deprecated.te
new file mode 100644
index 0000000..aefb724
--- /dev/null
+++ b/prebuilts/api/26.0/private/domain_deprecated.te
@@ -0,0 +1,311 @@
+# rules removed from the domain attribute
+
+# Search /storage/emulated tmpfs mount.
+allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -installd
+ -sdcardd
+ -surfaceflinger
+ -system_server
+ -vold
+ -zygote
+} tmpfs:dir r_dir_perms;
+')
+
+# Inherit or receive open files from others.
+allow domain_deprecated system_server:fd use;
+userdebug_or_eng(`
+auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
+')
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow domain_deprecated adbd:fd use;
+userdebug_or_eng(`
+auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+')
+
+# Root fs.
+allow domain_deprecated rootfs:dir r_dir_perms;
+allow domain_deprecated rootfs:file r_file_perms;
+allow domain_deprecated rootfs:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -fsck
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+')
+
+# System file accesses.
+allow domain_deprecated system_file:dir r_dir_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -fingerprintd
+ -installd
+ -keystore
+ -surfaceflinger
+ -system_server
+ -update_engine
+ -vold
+ -zygote
+} system_file:dir { open read ioctl lock }; # search getattr in domain
+')
+
+# Read files already opened under /data.
+allow domain_deprecated system_data_file:file { getattr read };
+allow domain_deprecated system_data_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -sdcardd
+ -system_server
+ -tee
+} system_data_file:file { getattr read };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -system_server
+ -tee
+} system_data_file:lnk_file r_file_perms;
+')
+
+# Read apk files under /data/app.
+allow domain_deprecated apk_data_file:dir { getattr search };
+allow domain_deprecated apk_data_file:file r_file_perms;
+allow domain_deprecated apk_data_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:dir { getattr search };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:lnk_file r_file_perms;
+')
+
+# Read already opened /cache files.
+allow domain_deprecated cache_file:dir r_dir_perms;
+allow domain_deprecated cache_file:file { getattr read };
+allow domain_deprecated cache_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:dir { open read search ioctl lock };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -system_server
+ -vold
+} cache_file:dir getattr;
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:file { getattr read };
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:lnk_file r_file_perms;
+')
+
+# Allow access to ion memory allocation device
+allow domain_deprecated ion_device:chr_file rw_file_perms;
+# split this auditallow into read and write perms since most domains seem to
+# only require read
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -fingerprintd
+ -keystore
+ -surfaceflinger
+ -system_server
+ -tee
+ -vold
+ -zygote
+} ion_device:chr_file r_file_perms;
+auditallow domain_deprecated ion_device:chr_file { write append };
+')
+
+# Read access to pseudo filesystems.
+r_dir_file(domain_deprecated, proc)
+r_dir_file(domain_deprecated, sysfs)
+r_dir_file(domain_deprecated, cgroup)
+allow domain_deprecated proc_meminfo:file r_file_perms;
+
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -fsck
+ -fsck_untrusted
+ -sdcardd
+ -system_server
+ -update_engine
+ -vold
+} proc:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -fsck
+ -fsck_untrusted
+ -system_server
+ -vold
+} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+} sysfs:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:dir r_dir_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:{ file lnk_file } r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -surfaceflinger
+ -system_server
+ -vold
+} proc_meminfo:file r_file_perms;
+')
+
+# Get SELinux enforcing status.
+allow domain_deprecated selinuxfs:dir r_dir_perms;
+allow domain_deprecated selinuxfs:file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -installd
+ -keystore
+ -postinstall_dexopt
+ -runas
+ -servicemanager
+ -system_server
+ -ueventd
+ -zygote
+} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -installd
+ -keystore
+ -postinstall_dexopt
+ -runas
+ -servicemanager
+ -system_server
+ -ueventd
+ -zygote
+} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+')
diff --git a/prebuilts/api/26.0/private/drmserver.te b/prebuilts/api/26.0/private/drmserver.te
new file mode 100644
index 0000000..afe4f0a
--- /dev/null
+++ b/prebuilts/api/26.0/private/drmserver.te
@@ -0,0 +1,7 @@
+typeattribute drmserver coredomain;
+
+init_daemon_domain(drmserver)
+
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/prebuilts/api/26.0/private/dumpstate.te b/prebuilts/api/26.0/private/dumpstate.te
new file mode 100644
index 0000000..0fe2adf
--- /dev/null
+++ b/prebuilts/api/26.0/private/dumpstate.te
@@ -0,0 +1,26 @@
+typeattribute dumpstate coredomain;
+typeattribute dumpstate domain_deprecated;
+
+init_daemon_domain(dumpstate)
+
+# Execute and transition to the vdc domain
+domain_auto_trans(dumpstate, vdc_exec, vdc)
+
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+allow dumpstate dumpstate_tmpfs:file execute;
+
+# systrace support - allow atrace to run
+allow dumpstate debugfs_tracing:dir r_dir_perms;
+allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_trace_marker:file getattr;
+allow dumpstate atrace_exec:file rx_file_perms;
+allow dumpstate storaged_exec:file rx_file_perms;
+
+# Allow dumpstate to make binder calls to storaged service
+binder_call(dumpstate, storaged)
+
+# Collect metrics on boot time created by init
+get_prop(dumpstate, boottime_prop)
diff --git a/prebuilts/api/26.0/private/ephemeral_app.te b/prebuilts/api/26.0/private/ephemeral_app.te
new file mode 100644
index 0000000..d664a50
--- /dev/null
+++ b/prebuilts/api/26.0/private/ephemeral_app.te
@@ -0,0 +1,68 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+typeattribute ephemeral_app coredomain;
+
+net_domain(ephemeral_app)
+app_domain(ephemeral_app)
+
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
+# services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediacodec_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediadrmserver_service:service_manager find;
+allow ephemeral_app mediacasserver_service:service_manager find;
+allow ephemeral_app surfaceflinger_service:service_manager find;
+allow ephemeral_app radio_service:service_manager find;
+allow ephemeral_app ephemeral_app_api_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# Executable content should never be loaded from an ephemeral app home directory.
+neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/26.0/private/file.te b/prebuilts/api/26.0/private/file.te
new file mode 100644
index 0000000..da5f9ad
--- /dev/null
+++ b/prebuilts/api/26.0/private/file.te
@@ -0,0 +1,7 @@
+# Compatibility with type names used in vanilla Android 4.3 and 4.4.
+typealias audio_data_file alias audio_firmware_file;
+typealias app_data_file alias platform_app_data_file;
+typealias app_data_file alias download_file;
+
+# /proc/config.gz
+type config_gz, fs_type;
diff --git a/prebuilts/api/26.0/private/file_contexts b/prebuilts/api/26.0/private/file_contexts
new file mode 100644
index 0000000..4485b95
--- /dev/null
+++ b/prebuilts/api/26.0/private/file_contexts
@@ -0,0 +1,539 @@
+###########################################
+# Root
+/ u:object_r:rootfs:s0
+
+# Data files
+/adb_keys u:object_r:adb_keys_file:s0
+/build\.prop u:object_r:rootfs:s0
+/default\.prop u:object_r:rootfs:s0
+/fstab\..* u:object_r:rootfs:s0
+/init\..* u:object_r:rootfs:s0
+/res(/.*)? u:object_r:rootfs:s0
+/selinux_version u:object_r:rootfs:s0
+/ueventd\..* u:object_r:rootfs:s0
+/verity_key u:object_r:rootfs:s0
+
+# Executables
+/charger u:object_r:rootfs:s0
+/init u:object_r:init_exec:s0
+/sbin(/.*)? u:object_r:rootfs:s0
+
+# For kernel modules
+/lib(/.*)? u:object_r:rootfs:s0
+
+# Empty directories
+/lost\+found u:object_r:rootfs:s0
+/acct u:object_r:cgroup:s0
+/config u:object_r:rootfs:s0
+/mnt u:object_r:tmpfs:s0
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/proc u:object_r:rootfs:s0
+/root u:object_r:rootfs:s0
+/sys u:object_r:sysfs:s0
+
+# Symlinks
+/bugreports u:object_r:rootfs:s0
+/d u:object_r:rootfs:s0
+/etc u:object_r:rootfs:s0
+/sdcard u:object_r:rootfs:s0
+
+# SELinux policy files
+/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/plat_file_contexts u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_property_contexts u:object_r:property_contexts_file:s0
+/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/seapp_contexts u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/sepolicy u:object_r:sepolicy_file:s0
+/plat_service_contexts u:object_r:service_contexts_file:s0
+/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/nonplat_service_contexts u:object_r:service_contexts_file:s0
+/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vndservice_contexts u:object_r:vndservice_contexts_file:s0
+
+##########################
+# Devices
+#
+/dev(/.*)? u:object_r:device:s0
+/dev/akm8973.* u:object_r:sensors_device:s0
+/dev/accelerometer u:object_r:sensors_device:s0
+/dev/adf[0-9]* u:object_r:graphics_device:s0
+/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/alarm u:object_r:alarm_device:s0
+/dev/ashmem u:object_r:ashmem_device:s0
+/dev/audio.* u:object_r:audio_device:s0
+/dev/binder u:object_r:binder_device:s0
+/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
+/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vold/.+ u:object_r:vold_device:s0
+/dev/block/ram[0-9]* u:object_r:ram_device:s0
+/dev/block/zram[0-9]* u:object_r:ram_device:s0
+/dev/bus/usb(.*)? u:object_r:usb_device:s0
+/dev/cam u:object_r:camera_device:s0
+/dev/console u:object_r:console_device:s0
+/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
+/dev/device-mapper u:object_r:dm_device:s0
+/dev/eac u:object_r:audio_device:s0
+/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
+/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
+/dev/full u:object_r:full_device:s0
+/dev/fuse u:object_r:fuse_device:s0
+/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hw_random u:object_r:hw_random_device:s0
+/dev/hwbinder u:object_r:hwbinder_device:s0
+/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
+/dev/input(/.*) u:object_r:input_device:s0
+/dev/iio:device[0-9]+ u:object_r:iio_device:s0
+/dev/ion u:object_r:ion_device:s0
+/dev/keychord u:object_r:keychord_device:s0
+/dev/kmem u:object_r:kmem_device:s0
+/dev/log(/.*)? u:object_r:log_device:s0
+/dev/loop-control u:object_r:loop_control_device:s0
+/dev/mem u:object_r:kmem_device:s0
+/dev/modem.* u:object_r:radio_device:s0
+/dev/mtd(/.*)? u:object_r:mtd_device:s0
+/dev/mtp_usb u:object_r:mtp_device:s0
+/dev/pmsg0 u:object_r:pmsg_device:s0
+/dev/pn544 u:object_r:nfc_device:s0
+/dev/port u:object_r:port_device:s0
+/dev/ppp u:object_r:ppp_device:s0
+/dev/ptmx u:object_r:ptmx_device:s0
+/dev/pvrsrvkm u:object_r:gpu_device:s0
+/dev/kmsg u:object_r:kmsg_device:s0
+/dev/null u:object_r:null_device:s0
+/dev/nvhdcp1 u:object_r:video_device:s0
+/dev/random u:object_r:random_device:s0
+/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
+/dev/rproc_user u:object_r:rpmsg_device:s0
+/dev/rtc[0-9] u:object_r:rtc_device:s0
+/dev/snd(/.*)? u:object_r:audio_device:s0
+/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
+/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
+/dev/socket(/.*)? u:object_r:socket_device:s0
+/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/cryptd u:object_r:vold_socket:s0
+/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
+/dev/socket/lmkd u:object_r:lmkd_socket:s0
+/dev/socket/logd u:object_r:logd_socket:s0
+/dev/socket/logdr u:object_r:logdr_socket:s0
+/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/mdns u:object_r:mdns_socket:s0
+/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
+/dev/socket/mtpd u:object_r:mtpd_socket:s0
+/dev/socket/netd u:object_r:netd_socket:s0
+/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
+/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
+/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
+/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
+/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/racoon u:object_r:racoon_socket:s0
+/dev/socket/rild u:object_r:rild_socket:s0
+/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
+/dev/socket/vold u:object_r:vold_socket:s0
+/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
+/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
+/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
+/dev/socket/zygote u:object_r:zygote_socket:s0
+/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
+/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/tegra.* u:object_r:video_device:s0
+/dev/tty u:object_r:owntty_device:s0
+/dev/tty[0-9]* u:object_r:tty_device:s0
+/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/tun u:object_r:tun_device:s0
+/dev/uhid u:object_r:uhid_device:s0
+/dev/uinput u:object_r:uhid_device:s0
+/dev/uio[0-9]* u:object_r:uio_device:s0
+/dev/urandom u:object_r:random_device:s0
+/dev/usb_accessory u:object_r:usbaccessory_device:s0
+/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
+/dev/video[0-9]* u:object_r:video_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
+/dev/watchdog u:object_r:watchdog_device:s0
+/dev/xt_qtaguid u:object_r:qtaguid_device:s0
+/dev/zero u:object_r:zero_device:s0
+/dev/__properties__ u:object_r:properties_device:s0
+#############################
+# System files
+#
+/system(/.*)? u:object_r:system_file:s0
+/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/e2fsck -- u:object_r:fsck_exec:s0
+/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
+/system/bin/tune2fs -- u:object_r:fsck_exec:s0
+/system/bin/toolbox -- u:object_r:toolbox_exec:s0
+/system/bin/toybox -- u:object_r:toolbox_exec:s0
+/system/bin/logcat -- u:object_r:logcat_exec:s0
+/system/bin/logcatd -- u:object_r:logcat_exec:s0
+/system/bin/sh -- u:object_r:shell_exec:s0
+/system/bin/run-as -- u:object_r:runas_exec:s0
+/system/bin/bootanimation u:object_r:bootanim_exec:s0
+/system/bin/bootstat u:object_r:bootstat_exec:s0
+/system/bin/app_process32 u:object_r:zygote_exec:s0
+/system/bin/app_process64 u:object_r:zygote_exec:s0
+/system/bin/servicemanager u:object_r:servicemanager_exec:s0
+/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
+/system/bin/performanced u:object_r:performanced_exec:s0
+/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/dumpstate u:object_r:dumpstate_exec:s0
+/system/bin/incident u:object_r:incident_exec:s0
+/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
+/system/bin/vold u:object_r:vold_exec:s0
+/system/bin/netd u:object_r:netd_exec:s0
+/system/bin/wificond u:object_r:wificond_exec:s0
+/system/bin/audioserver u:object_r:audioserver_exec:s0
+/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
+/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediametrics u:object_r:mediametrics_exec:s0
+/system/bin/cameraserver u:object_r:cameraserver_exec:s0
+/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/mdnsd u:object_r:mdnsd_exec:s0
+/system/bin/installd u:object_r:installd_exec:s0
+/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
+/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
+/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
+/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
+/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
+/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
+/system/bin/sdcard u:object_r:sdcardd_exec:s0
+/system/bin/dhcpcd u:object_r:dhcp_exec:s0
+/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
+/system/bin/mtpd u:object_r:mtp_exec:s0
+/system/bin/pppd u:object_r:ppp_exec:s0
+/system/bin/racoon u:object_r:racoon_exec:s0
+/system/xbin/su u:object_r:su_exec:s0
+/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
+/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
+/system/bin/healthd u:object_r:healthd_exec:s0
+/system/bin/clatd u:object_r:clatd_exec:s0
+/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/uncrypt u:object_r:uncrypt_exec:s0
+/system/bin/update_verifier u:object_r:update_verifier_exec:s0
+/system/bin/logwrapper u:object_r:system_file:s0
+/system/bin/vdc u:object_r:vdc_exec:s0
+/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
+/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
+/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+# patchoat executable has (essentially) the same requirements as dex2oat.
+/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/profman u:object_r:profman_exec:s0
+/system/bin/sgdisk u:object_r:sgdisk_exec:s0
+/system/bin/blkid u:object_r:blkid_exec:s0
+/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/update_engine u:object_r:update_engine_exec:s0
+/system/bin/bspatch u:object_r:update_engine_exec:s0
+/system/bin/storaged u:object_r:storaged_exec:s0
+/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
+/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
+/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
+
+#############################
+# Vendor files
+#
+/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
+/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
+
+#############################
+# OEM and ODM files
+#
+/odm(/.*)? u:object_r:system_file:s0
+/oem(/.*)? u:object_r:oemfs:s0
+
+
+#############################
+# Data files
+#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
+/data(/.*)? u:object_r:system_data_file:s0
+/data/.layout_version u:object_r:install_data_file:s0
+/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
+/data/backup(/.*)? u:object_r:backup_data_file:s0
+/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
+/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
+/data/drm(/.*)? u:object_r:drm_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
+/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/ota(/.*)? u:object_r:ota_data_file:s0
+/data/ota_package(/.*)? u:object_r:ota_package_file:s0
+/data/adb(/.*)? u:object_r:adb_data_file:s0
+/data/anr(/.*)? u:object_r:anr_data_file:s0
+/data/app(/.*)? u:object_r:apk_data_file:s0
+/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
+/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/media(/.*)? u:object_r:media_rw_data_file:s0
+/data/mediadrm(/.*)? u:object_r:media_data_file:s0
+/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
+/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
+/data/property(/.*)? u:object_r:property_data_file:s0
+/data/preloads(/.*)? u:object_r:preloads_data_file:s0
+/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
+/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
+
+# Misc data
+/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
+/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
+/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
+/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
+/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
+/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
+/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
+/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
+/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
+/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
+/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
+/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
+/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
+/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
+/data/misc/media(/.*)? u:object_r:media_data_file:s0
+/data/misc/net(/.*)? u:object_r:net_data_file:s0
+/data/misc/reboot(/.*)? u:object_r:reboot_data_file:s0
+/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
+/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
+/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
+/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
+/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
+/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
+/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
+/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
+/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
+/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
+/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
+# Bootchart data
+/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
+
+# coredump directory for userdebug/eng devices
+/cores(/.*)? u:object_r:coredump_file:s0
+
+# Wallpaper files
+/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
+
+# ShortcutManager icons, e.g.
+# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
+/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
+
+# User icon files
+/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
+
+#############################
+# efs files
+#
+/efs(/.*)? u:object_r:efs_file:s0
+
+#############################
+# Cache files
+#
+/cache(/.*)? u:object_r:cache_file:s0
+/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
+/data/cache(/.*)? u:object_r:cache_file:s0
+/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
+#############################
+# sysfs files
+#
+/sys/class/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
+/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
+/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
+/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0
+/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
+/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
+/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
+/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
+/sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+
+#############################
+# debugfs files
+#
+/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
+
+#############################
+# tracefs files
+#
+/sys/kernel(/debug)?/tracing/buffer_size_kb u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/options/overwrite u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/options/print-tgid u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_clock u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
+
+###########################################
+# debug-only tracing
+#
+/sys/kernel/debug/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/workqueue/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/regulator/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/pagecache/enable u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/irq/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ipi/enable u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_issue/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_complete/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/saved_cmdlines_size u:object_r:tracing_shell_writable_debug:s0
+
+#############################
+# asec containers
+/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
+/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
+/data/app-asec(/.*)? u:object_r:asec_image_file:s0
+
+#############################
+# external storage
+/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
+/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/runtime(/.*)? u:object_r:storage_file:s0
+/storage(/.*)? u:object_r:storage_file:s0
diff --git a/prebuilts/api/26.0/private/file_contexts_asan b/prebuilts/api/26.0/private/file_contexts_asan
new file mode 100644
index 0000000..d35cd3c
--- /dev/null
+++ b/prebuilts/api/26.0/private/file_contexts_asan
@@ -0,0 +1,5 @@
+/data/asan/system/lib(/.*)? u:object_r:system_file:s0
+/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
+/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
+/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
+/system/bin/asan_extract u:object_r:asan_extract_exec:s0
diff --git a/prebuilts/api/26.0/private/fingerprintd.te b/prebuilts/api/26.0/private/fingerprintd.te
new file mode 100644
index 0000000..0c1dfaa
--- /dev/null
+++ b/prebuilts/api/26.0/private/fingerprintd.te
@@ -0,0 +1,4 @@
+typeattribute fingerprintd coredomain;
+typeattribute fingerprintd domain_deprecated;
+
+init_daemon_domain(fingerprintd)
diff --git a/prebuilts/api/26.0/private/fs_use b/prebuilts/api/26.0/private/fs_use
new file mode 100644
index 0000000..4bd1112
--- /dev/null
+++ b/prebuilts/api/26.0/private/fs_use
@@ -0,0 +1,23 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
diff --git a/prebuilts/api/26.0/private/fsck.te b/prebuilts/api/26.0/private/fsck.te
new file mode 100644
index 0000000..e846797
--- /dev/null
+++ b/prebuilts/api/26.0/private/fsck.te
@@ -0,0 +1,4 @@
+typeattribute fsck coredomain;
+typeattribute fsck domain_deprecated;
+
+init_daemon_domain(fsck)
diff --git a/prebuilts/api/26.0/private/fsck_untrusted.te b/prebuilts/api/26.0/private/fsck_untrusted.te
new file mode 100644
index 0000000..2a1a39f
--- /dev/null
+++ b/prebuilts/api/26.0/private/fsck_untrusted.te
@@ -0,0 +1,2 @@
+typeattribute fsck_untrusted coredomain;
+typeattribute fsck_untrusted domain_deprecated;
diff --git a/prebuilts/api/26.0/private/gatekeeperd.te b/prebuilts/api/26.0/private/gatekeeperd.te
new file mode 100644
index 0000000..5e4d0a2
--- /dev/null
+++ b/prebuilts/api/26.0/private/gatekeeperd.te
@@ -0,0 +1,3 @@
+typeattribute gatekeeperd coredomain;
+
+init_daemon_domain(gatekeeperd)
diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
new file mode 100644
index 0000000..a2d9b89
--- /dev/null
+++ b/prebuilts/api/26.0/private/genfs_contexts
@@ -0,0 +1,61 @@
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /interrupts u:object_r:proc_interrupts:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /softirqs u:object_r:proc_timer:s0
+genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /timer_list u:object_r:proc_timer:s0
+genfscon proc /timer_stats u:object_r:proc_timer:s0
+genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:vfat:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon tracefs / u:object_r:debugfs_tracing:s0
+genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
+genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
diff --git a/prebuilts/api/26.0/private/hal_allocator_default.te b/prebuilts/api/26.0/private/hal_allocator_default.te
new file mode 100644
index 0000000..49ef178
--- /dev/null
+++ b/prebuilts/api/26.0/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain, coredomain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/26.0/private/halclientdomain.te b/prebuilts/api/26.0/private/halclientdomain.te
new file mode 100644
index 0000000..9dcd3ee
--- /dev/null
+++ b/prebuilts/api/26.0/private/halclientdomain.te
@@ -0,0 +1,13 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/private/halserverdomain.te b/prebuilts/api/26.0/private/halserverdomain.te
new file mode 100644
index 0000000..f36e0e7
--- /dev/null
+++ b/prebuilts/api/26.0/private/halserverdomain.te
@@ -0,0 +1,12 @@
+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/prebuilts/api/26.0/private/healthd.te b/prebuilts/api/26.0/private/healthd.te
new file mode 100644
index 0000000..0693a3a
--- /dev/null
+++ b/prebuilts/api/26.0/private/healthd.te
@@ -0,0 +1,6 @@
+typeattribute healthd coredomain;
+
+init_daemon_domain(healthd)
+
+# Allow callback to storaged batteryproperties listener
+binder_call(healthd, storaged)
diff --git a/prebuilts/api/26.0/private/hwservice_contexts b/prebuilts/api/26.0/private/hwservice_contexts
new file mode 100644
index 0000000..0516364
--- /dev/null
+++ b/prebuilts/api/26.0/private/hwservice_contexts
@@ -0,0 +1,52 @@
+android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
+* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/26.0/private/hwservicemanager.te b/prebuilts/api/26.0/private/hwservicemanager.te
new file mode 100644
index 0000000..a43eb02
--- /dev/null
+++ b/prebuilts/api/26.0/private/hwservicemanager.te
@@ -0,0 +1,6 @@
+typeattribute hwservicemanager coredomain;
+
+init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/prebuilts/api/26.0/private/idmap.te b/prebuilts/api/26.0/private/idmap.te
new file mode 100644
index 0000000..73abf35
--- /dev/null
+++ b/prebuilts/api/26.0/private/idmap.te
@@ -0,0 +1 @@
+typeattribute idmap coredomain;
diff --git a/prebuilts/api/26.0/private/incident.te b/prebuilts/api/26.0/private/incident.te
new file mode 100644
index 0000000..b910dde
--- /dev/null
+++ b/prebuilts/api/26.0/private/incident.te
@@ -0,0 +1,25 @@
+typeattribute incident coredomain;
+
+type incident_exec, exec_type, file_type;
+
+# switch to incident domain for incident command
+domain_auto_trans(shell, incident_exec, incident)
+
+# allow incident access to stdout from its parent shell.
+allow incident shell:fd use;
+
+# allow incident to communicate use, read and write over the adb
+# connection.
+allow incident adbd:fd use;
+allow incident adbd:unix_stream_socket { read write };
+
+# allow adbd to reap incident
+allow incident adbd:process { sigchld };
+
+# Allow the incident command to talk to the incidentd over the binder, and get
+# back the incident report data from a ParcelFileDescriptor.
+binder_use(incident)
+allow incident incident_service:service_manager find;
+binder_call(incident, incidentd)
+allow incident incidentd:fifo_file write;
+
diff --git a/prebuilts/api/26.0/private/incidentd.te b/prebuilts/api/26.0/private/incidentd.te
new file mode 100644
index 0000000..efd23bd
--- /dev/null
+++ b/prebuilts/api/26.0/private/incidentd.te
@@ -0,0 +1,110 @@
+typeattribute incidentd coredomain;
+
+init_daemon_domain(incidentd)
+type incidentd_exec, exec_type, file_type;
+binder_use(incidentd)
+wakelock_use(incidentd)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+# TODO allow incidentd self:capability { setuid setgid sys_resource };
+
+# Allow incidentd to scan through /proc/pid for all processes
+r_dir_file(incidentd, domain)
+
+allow incidentd self:capability {
+ # Send signals to processes
+ kill
+};
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow incidentd system_file:file execute_no_trans;
+allow incidentd toolbox_exec:file rx_file_perms;
+
+# Create and write into /data/misc/incidents
+allow incidentd incident_data_file:dir rw_dir_perms;
+allow incidentd incident_data_file:file create_file_perms;
+
+# Get process attributes
+# TODO allow incidentd domain:process getattr;
+
+# Signal java processes to dump their stack and get the results
+# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
+# TODO allow incidentd anr_data_file:dir rw_dir_perms;
+# TODO allow incidentd anr_data_file:file create_file_perms;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in incidentd/utils.c
+allow incidentd {
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediacodec
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ sdcardd
+ surfaceflinger
+}:process signal;
+
+# Allow incidentd to make binder calls to any binder service
+binder_call(incidentd, binderservicedomain)
+binder_call(incidentd, appdomain)
+
+# Reading /proc/PID/maps of other processes
+# TODO allow incidentd self:capability sys_ptrace;
+
+# Run a shell.
+allow incidentd shell_exec:file rx_file_perms;
+
+# logd access - work to be done is a PII safe log (possibly an event log?)
+# TODO read_logd(incidentd)
+# TODO control_logd(incidentd)
+
+# Allow incidentd to find these standard groups of services.
+# Others can be whitelisted individually.
+allow incidentd {
+ system_server_service
+ app_api_service
+ system_api_service
+}:service_manager find;
+
+# Only incidentd can publish the binder service
+add_service(incidentd, incident_service)
+
+# Allow pipes from (and only from) incident
+allow incidentd incident:fd use;
+allow incidentd incident:fifo_file write;
+
+# Allow incident to call back to incident with status updates.
+binder_call(incidentd, incident)
+
+###
+### neverallow rules
+###
+
+# only system_server, system_app and incident command can find the incident service
+neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+
+# only incidentd and the other root services in limited circumstances
+# can get to the files in /data/misc/incidents
+#
+# write, execute, append are forbidden almost everywhere
+neverallow { domain -incidentd -init -vold } incident_data_file:file {
+ w_file_perms
+ x_file_perms
+ create
+ rename
+ setattr
+ unlink
+ append
+};
+# read is also allowed by system_server, for when the file is handed to dropbox
+neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
+# limited access to the directory itself
+neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
+
diff --git a/prebuilts/api/26.0/private/init.te b/prebuilts/api/26.0/private/init.te
new file mode 100644
index 0000000..568e0d3
--- /dev/null
+++ b/prebuilts/api/26.0/private/init.te
@@ -0,0 +1,25 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, adbd)
+domain_trans(init, rootfs, charger)
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+recovery_only(`
+ domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
+domain_trans(init, { rootfs toolbox_exec }, modprobe)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+ domain_auto_trans(init, logcat_exec, logpersist)
+')
+
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit init sysfs:dir write;
diff --git a/prebuilts/api/26.0/private/initial_sid_contexts b/prebuilts/api/26.0/private/initial_sid_contexts
new file mode 100644
index 0000000..9819051
--- /dev/null
+++ b/prebuilts/api/26.0/private/initial_sid_contexts
@@ -0,0 +1,27 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
diff --git a/prebuilts/api/26.0/private/initial_sids b/prebuilts/api/26.0/private/initial_sids
new file mode 100644
index 0000000..91ac816
--- /dev/null
+++ b/prebuilts/api/26.0/private/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/prebuilts/api/26.0/private/inputflinger.te b/prebuilts/api/26.0/private/inputflinger.te
new file mode 100644
index 0000000..9696b49
--- /dev/null
+++ b/prebuilts/api/26.0/private/inputflinger.te
@@ -0,0 +1,3 @@
+typeattribute inputflinger coredomain;
+
+init_daemon_domain(inputflinger)
diff --git a/prebuilts/api/26.0/private/install_recovery.te b/prebuilts/api/26.0/private/install_recovery.te
new file mode 100644
index 0000000..b79d683
--- /dev/null
+++ b/prebuilts/api/26.0/private/install_recovery.te
@@ -0,0 +1,3 @@
+typeattribute install_recovery coredomain;
+
+init_daemon_domain(install_recovery)
diff --git a/prebuilts/api/26.0/private/installd.te b/prebuilts/api/26.0/private/installd.te
new file mode 100644
index 0000000..d726e7d
--- /dev/null
+++ b/prebuilts/api/26.0/private/installd.te
@@ -0,0 +1,19 @@
+typeattribute installd coredomain;
+typeattribute installd domain_deprecated;
+
+init_daemon_domain(installd)
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
+# Create /data/.layout_version.* file
+type_transition installd system_data_file:file install_data_file;
diff --git a/prebuilts/api/26.0/private/isolated_app.te b/prebuilts/api/26.0/private/isolated_app.te
new file mode 100644
index 0000000..418a322
--- /dev/null
+++ b/prebuilts/api/26.0/private/isolated_app.te
@@ -0,0 +1,93 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+typeattribute isolated_app coredomain;
+
+app_domain(isolated_app)
+
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app app_data_file:file { append read write getattr lock };
+
+allow isolated_app activity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app self:process ptrace;
+
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules below.
+# TODO: consider removing write/append. We want to limit isolated_apps
+# ability to mutate files of any type.
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
+
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
+
+#####
+##### Neverallow
+#####
+
+# Do not allow isolated_app to directly open tun_device
+neverallow isolated_app tun_device:chr_file open;
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
+neverallow isolated_app {
+ service_manager_type
+ -activity_service
+ -display_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
+
+# Do not allow isolated_app to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+
+# Do not allow USB access
+neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app webview_zygote_socket:sock_file write;
diff --git a/prebuilts/api/26.0/private/kernel.te b/prebuilts/api/26.0/private/kernel.te
new file mode 100644
index 0000000..a4e6ebe
--- /dev/null
+++ b/prebuilts/api/26.0/private/kernel.te
@@ -0,0 +1,3 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
diff --git a/prebuilts/api/26.0/private/keys.conf b/prebuilts/api/26.0/private/keys.conf
new file mode 100644
index 0000000..7a307b5
--- /dev/null
+++ b/prebuilts/api/26.0/private/keys.conf
@@ -0,0 +1,25 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+
+[@MEDIA]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
+
+[@SHARED]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
+
+# Example of ALL TARGET_BUILD_VARIANTS
+[@RELEASE]
+ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+
diff --git a/prebuilts/api/26.0/private/keystore.te b/prebuilts/api/26.0/private/keystore.te
new file mode 100644
index 0000000..1e56338
--- /dev/null
+++ b/prebuilts/api/26.0/private/keystore.te
@@ -0,0 +1,11 @@
+typeattribute keystore coredomain;
+typeattribute keystore domain_deprecated;
+
+init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/prebuilts/api/26.0/private/lmkd.te b/prebuilts/api/26.0/private/lmkd.te
new file mode 100644
index 0000000..a07ce87
--- /dev/null
+++ b/prebuilts/api/26.0/private/lmkd.te
@@ -0,0 +1,3 @@
+typeattribute lmkd coredomain;
+
+init_daemon_domain(lmkd)
diff --git a/prebuilts/api/26.0/private/logd.te b/prebuilts/api/26.0/private/logd.te
new file mode 100644
index 0000000..4338e40
--- /dev/null
+++ b/prebuilts/api/26.0/private/logd.te
@@ -0,0 +1,39 @@
+typeattribute logd coredomain;
+
+init_daemon_domain(logd)
+
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
+# only on userdebug or eng builds
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow logd {
+ file_type
+ -logd_tmpfs
+ -runtime_event_log_tags_file
+ userdebug_or_eng(`-coredump_file -misc_logd_file')
+}:file { create write append };
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -appdomain # covered below
+ -bootstat
+ -dumpstate
+ -init
+ -logd
+ userdebug_or_eng(`-logpersist')
+ -servicemanager
+ -system_server
+ -surfaceflinger
+ -zygote
+} runtime_event_log_tags_file:file no_rw_file_perms;
+
+neverallow {
+ appdomain
+ -bluetooth
+ -platform_app
+ -priv_app
+ -radio
+ -shell
+ userdebug_or_eng(`-su')
+ -system_app
+} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/prebuilts/api/26.0/private/logpersist.te b/prebuilts/api/26.0/private/logpersist.te
new file mode 100644
index 0000000..70e3198
--- /dev/null
+++ b/prebuilts/api/26.0/private/logpersist.te
@@ -0,0 +1,24 @@
+typeattribute logpersist coredomain;
+
+# android debug log storage in logpersist domains (eng and userdebug only)
+userdebug_or_eng(`
+
+ r_dir_file(logpersist, cgroup)
+
+ allow logpersist misc_logd_file:file create_file_perms;
+ allow logpersist misc_logd_file:dir rw_dir_perms;
+
+ allow logpersist self:capability sys_nice;
+ allow logpersist pstorefs:dir search;
+ allow logpersist pstorefs:file r_file_perms;
+
+ control_logd(logpersist)
+ unix_socket_connect(logpersist, logdr, logd)
+ read_runtime_log_tags(logpersist)
+
+')
+
+# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
+neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/26.0/private/mac_permissions.xml b/prebuilts/api/26.0/private/mac_permissions.xml
new file mode 100644
index 0000000..1fcd2a4
--- /dev/null
+++ b/prebuilts/api/26.0/private/mac_permissions.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag. The signature can
+ either appear as a set of attached cert child tags or as an attribute.
+ * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+ * Each signer/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process as well as the apps data directory.
+ * seinfo assignments are made according to the following rules:
+ - Stanzas with package name refinements will be checked first.
+ - Stanzas w/o package name refinements will be checked second.
+ - The "default" seinfo label is automatically applied.
+
+ * valid stanzas can take one of the following forms:
+
+ // single cert protecting seinfo
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ // multiple certs protecting seinfo (all contained certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <seinfo value="platform" />
+ </signer>
+
+ // single cert protecting explicitly named app
+ <signer signature="@PLATFORM" >
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+
+ // multiple certs protecting explicitly named app (all certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+-->
+
+ <!-- Platform dev key in AOSP -->
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ <!-- Media key in AOSP -->
+ <signer signature="@MEDIA" >
+ <seinfo value="media" />
+ </signer>
+
+</policy>
diff --git a/prebuilts/api/26.0/private/mdnsd.te b/prebuilts/api/26.0/private/mdnsd.te
new file mode 100644
index 0000000..96259e2
--- /dev/null
+++ b/prebuilts/api/26.0/private/mdnsd.te
@@ -0,0 +1,12 @@
+# mdns daemon
+
+typeattribute mdnsd coredomain;
+typeattribute mdnsd mlstrustedsubject;
+
+type mdnsd_exec, exec_type, file_type;
+init_daemon_domain(mdnsd)
+
+net_domain(mdnsd)
+
+# Read from /proc/net
+r_dir_file(mdnsd, proc_net)
diff --git a/prebuilts/api/26.0/private/mediadrmserver.te b/prebuilts/api/26.0/private/mediadrmserver.te
new file mode 100644
index 0000000..4e511a8
--- /dev/null
+++ b/prebuilts/api/26.0/private/mediadrmserver.te
@@ -0,0 +1,8 @@
+typeattribute mediadrmserver coredomain;
+
+init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
diff --git a/prebuilts/api/26.0/private/mediaextractor.te b/prebuilts/api/26.0/private/mediaextractor.te
new file mode 100644
index 0000000..c1a8521
--- /dev/null
+++ b/prebuilts/api/26.0/private/mediaextractor.te
@@ -0,0 +1,3 @@
+typeattribute mediaextractor coredomain;
+
+init_daemon_domain(mediaextractor)
diff --git a/prebuilts/api/26.0/private/mediametrics.te b/prebuilts/api/26.0/private/mediametrics.te
new file mode 100644
index 0000000..f8b2fa5
--- /dev/null
+++ b/prebuilts/api/26.0/private/mediametrics.te
@@ -0,0 +1,3 @@
+typeattribute mediametrics coredomain;
+
+init_daemon_domain(mediametrics)
diff --git a/prebuilts/api/26.0/private/mediaserver.te b/prebuilts/api/26.0/private/mediaserver.te
new file mode 100644
index 0000000..a9b85be
--- /dev/null
+++ b/prebuilts/api/26.0/private/mediaserver.te
@@ -0,0 +1,10 @@
+typeattribute mediaserver coredomain;
+
+init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/26.0/private/mls b/prebuilts/api/26.0/private/mls
new file mode 100644
index 0000000..a561de1
--- /dev/null
+++ b/prebuilts/api/26.0/private/mls
@@ -0,0 +1,100 @@
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition: Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations: Require equivalence unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+ (l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Sockets inherit the range of their creator.
+mlsconstrain socket_class_set { create relabelfrom relabelto }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Datagram send: Sender must be equivalent to the receiver unless one of them
+# is trusted.
+mlsconstrain unix_dgram_socket { sendto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect: Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain dir_file_class_set { create relabelfrom relabelto }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must be equivalent to object unless the subject is trusted.
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be equivalent to the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+ (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+ (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
+mlsconstrain fifo_file { read getattr }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/prebuilts/api/26.0/private/mls_decl b/prebuilts/api/26.0/private/mls_decl
new file mode 100644
index 0000000..dd53bea
--- /dev/null
+++ b/prebuilts/api/26.0/private/mls_decl
@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
diff --git a/prebuilts/api/26.0/private/mls_macros b/prebuilts/api/26.0/private/mls_macros
new file mode 100644
index 0000000..83e0542
--- /dev/null
+++ b/prebuilts/api/26.0/private/mls_macros
@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/prebuilts/api/26.0/private/modprobe.te b/prebuilts/api/26.0/private/modprobe.te
new file mode 100644
index 0000000..9858675
--- /dev/null
+++ b/prebuilts/api/26.0/private/modprobe.te
@@ -0,0 +1 @@
+typeattribute modprobe coredomain;
diff --git a/prebuilts/api/26.0/private/mtp.te b/prebuilts/api/26.0/private/mtp.te
new file mode 100644
index 0000000..3cfda0b
--- /dev/null
+++ b/prebuilts/api/26.0/private/mtp.te
@@ -0,0 +1,4 @@
+typeattribute mtp coredomain;
+typeattribute mtp domain_deprecated;
+
+init_daemon_domain(mtp)
diff --git a/prebuilts/api/26.0/private/net.te b/prebuilts/api/26.0/private/net.te
new file mode 100644
index 0000000..f16daf9
--- /dev/null
+++ b/prebuilts/api/26.0/private/net.te
@@ -0,0 +1,24 @@
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/26.0/private/netd.te b/prebuilts/api/26.0/private/netd.te
new file mode 100644
index 0000000..3a824af
--- /dev/null
+++ b/prebuilts/api/26.0/private/netd.te
@@ -0,0 +1,10 @@
+typeattribute netd coredomain;
+typeattribute netd domain_deprecated;
+
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain
+domain_auto_trans(netd, clatd_exec, clatd)
diff --git a/prebuilts/api/26.0/private/netutils_wrapper.te b/prebuilts/api/26.0/private/netutils_wrapper.te
new file mode 100644
index 0000000..f7fe32a
--- /dev/null
+++ b/prebuilts/api/26.0/private/netutils_wrapper.te
@@ -0,0 +1,28 @@
+typeattribute netutils_wrapper coredomain;
+
+r_dir_file(netutils_wrapper, system_file);
+
+# For netutils (ip, iptables, tc)
+allow netutils_wrapper self:capability net_raw;
+
+allow netutils_wrapper system_file:file { execute execute_no_trans };
+allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper self:rawip_socket create_socket_perms;
+allow netutils_wrapper self:udp_socket create_socket_perms;
+allow netutils_wrapper self:capability net_admin;
+# ip utils need everything but ioctl
+allow netutils_wrapper self:netlink_route_socket ~ioctl;
+allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
+
+# For netutils (ndc) to be able to talk to netd
+allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
+allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+
+# For /data/misc/net access to ndc and ip
+r_dir_file(netutils_wrapper, net_data_file)
+
+domain_auto_trans({
+ domain
+ -coredomain
+ -appdomain
+}, netutils_wrapper_exec, netutils_wrapper)
diff --git a/prebuilts/api/26.0/private/nfc.te b/prebuilts/api/26.0/private/nfc.te
new file mode 100644
index 0000000..25ad702
--- /dev/null
+++ b/prebuilts/api/26.0/private/nfc.te
@@ -0,0 +1,31 @@
+# nfc subsystem
+typeattribute nfc coredomain;
+app_domain(nfc)
+net_domain(nfc)
+
+binder_service(nfc)
+add_service(nfc, nfc_service)
+
+hal_client_domain(nfc, hal_nfc)
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+# SoundPool loading and playback
+allow nfc audioserver_service:service_manager find;
+allow nfc drmserver_service:service_manager find;
+allow nfc mediacodec_service:service_manager find;
+allow nfc mediametrics_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
+allow nfc mediaserver_service:service_manager find;
+
+allow nfc radio_service:service_manager find;
+allow nfc surfaceflinger_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the nfc process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow nfc shell_data_file:file read;
diff --git a/prebuilts/api/26.0/private/otapreopt_chroot.te b/prebuilts/api/26.0/private/otapreopt_chroot.te
new file mode 100644
index 0000000..1f69931
--- /dev/null
+++ b/prebuilts/api/26.0/private/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+typeattribute otapreopt_chroot coredomain;
+
+# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/prebuilts/api/26.0/private/otapreopt_slot.te b/prebuilts/api/26.0/private/otapreopt_slot.te
new file mode 100644
index 0000000..98b93d4
--- /dev/null
+++ b/prebuilts/api/26.0/private/otapreopt_slot.te
@@ -0,0 +1,5 @@
+typeattribute otapreopt_slot coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
diff --git a/prebuilts/api/26.0/private/performanced.te b/prebuilts/api/26.0/private/performanced.te
new file mode 100644
index 0000000..792826e
--- /dev/null
+++ b/prebuilts/api/26.0/private/performanced.te
@@ -0,0 +1,3 @@
+typeattribute performanced coredomain;
+
+init_daemon_domain(performanced)
diff --git a/prebuilts/api/26.0/private/perfprofd.te b/prebuilts/api/26.0/private/perfprofd.te
new file mode 100644
index 0000000..a655f1d
--- /dev/null
+++ b/prebuilts/api/26.0/private/perfprofd.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+ typeattribute perfprofd coredomain;
+ typeattribute perfprofd domain_deprecated;
+ init_daemon_domain(perfprofd)
+')
diff --git a/prebuilts/api/26.0/private/platform_app.te b/prebuilts/api/26.0/private/platform_app.te
new file mode 100644
index 0000000..fd4634a
--- /dev/null
+++ b/prebuilts/api/26.0/private/platform_app.te
@@ -0,0 +1,70 @@
+###
+### Apps signed with the platform key.
+###
+
+typeattribute platform_app coredomain;
+typeattribute platform_app domain_deprecated;
+
+app_domain(platform_app)
+
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+# Read from /data/local/tmp or /data/data/com.android.shell.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app icon_file:file { open getattr read };
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+
+# Access to /data/media.
+allow platform_app media_rw_data_file:dir create_dir_perms;
+allow platform_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+
+# Direct access to vold-mounted storage under /mnt/media_rw
+# This is a performance optimization that allows platform apps to bypass the FUSE layer
+allow platform_app mnt_media_rw_file:dir r_dir_perms;
+allow platform_app vfat:dir create_dir_perms;
+allow platform_app vfat:file create_file_perms;
+
+allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
+allow platform_app drmserver_service:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediametrics_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
+allow platform_app mediacodec_service:service_manager find;
+allow platform_app mediadrmserver_service:service_manager find;
+allow platform_app mediacasserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
+allow platform_app vr_manager_service:service_manager find;
+
+# Access to /data/preloads
+allow platform_app preloads_data_file:file r_file_perms;
+allow platform_app preloads_data_file:dir r_dir_perms;
+allow platform_app preloads_media_file:file r_file_perms;
+allow platform_app preloads_media_file:dir r_dir_perms;
+
+read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/prebuilts/api/26.0/private/policy_capabilities b/prebuilts/api/26.0/private/policy_capabilities
new file mode 100644
index 0000000..ab55c15
--- /dev/null
+++ b/prebuilts/api/26.0/private/policy_capabilities
@@ -0,0 +1,13 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
diff --git a/prebuilts/api/26.0/private/port_contexts b/prebuilts/api/26.0/private/port_contexts
new file mode 100644
index 0000000..b473c0c
--- /dev/null
+++ b/prebuilts/api/26.0/private/port_contexts
@@ -0,0 +1,3 @@
+# portcon statements go here, e.g.
+# portcon tcp 80 u:object_r:http_port:s0
+
diff --git a/prebuilts/api/26.0/private/postinstall.te b/prebuilts/api/26.0/private/postinstall.te
new file mode 100644
index 0000000..363e362
--- /dev/null
+++ b/prebuilts/api/26.0/private/postinstall.te
@@ -0,0 +1,3 @@
+typeattribute postinstall coredomain;
+
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/prebuilts/api/26.0/private/postinstall_dexopt.te b/prebuilts/api/26.0/private/postinstall_dexopt.te
new file mode 100644
index 0000000..ff5fe87
--- /dev/null
+++ b/prebuilts/api/26.0/private/postinstall_dexopt.te
@@ -0,0 +1,5 @@
+typeattribute postinstall_dexopt coredomain;
+
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/prebuilts/api/26.0/private/ppp.te b/prebuilts/api/26.0/private/ppp.te
new file mode 100644
index 0000000..9b301f4
--- /dev/null
+++ b/prebuilts/api/26.0/private/ppp.te
@@ -0,0 +1,4 @@
+typeattribute ppp coredomain;
+typeattribute ppp domain_deprecated;
+
+domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/26.0/private/preopt2cachename.te b/prebuilts/api/26.0/private/preopt2cachename.te
new file mode 100644
index 0000000..d10f767
--- /dev/null
+++ b/prebuilts/api/26.0/private/preopt2cachename.te
@@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
diff --git a/prebuilts/api/26.0/private/priv_app.te b/prebuilts/api/26.0/private/priv_app.te
new file mode 100644
index 0000000..065ea1a
--- /dev/null
+++ b/prebuilts/api/26.0/private/priv_app.te
@@ -0,0 +1,168 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+typeattribute priv_app coredomain;
+app_domain(priv_app)
+
+# Access the network.
+net_domain(priv_app)
+# Access bluetooth.
+bluetooth_domain(priv_app)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
+create_pty(priv_app)
+
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow priv_app self:process ptrace;
+
+# Some apps ship with shared libraries that they write out
+# to their sandbox directory and then dlopen().
+allow priv_app app_data_file:file execute;
+
+allow priv_app audioserver_service:service_manager find;
+allow priv_app cameraserver_service:service_manager find;
+allow priv_app drmserver_service:service_manager find;
+allow priv_app mediacodec_service:service_manager find;
+allow priv_app mediametrics_service:service_manager find;
+allow priv_app mediadrmserver_service:service_manager find;
+allow priv_app mediacasserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediaserver_service:service_manager find;
+allow priv_app nfc_service:service_manager find;
+allow priv_app oem_lock_service:service_manager find;
+allow priv_app radio_service:service_manager find;
+allow priv_app surfaceflinger_service:service_manager find;
+allow priv_app app_api_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
+allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app recovery_service:service_manager find;
+
+# Write to /cache.
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow priv_app cache_file:lnk_file r_file_perms;
+
+# Write to /data/ota_package for OTA packages.
+allow priv_app ota_package_file:dir rw_dir_perms;
+allow priv_app ota_package_file:file create_file_perms;
+
+# Access to /data/media.
+allow priv_app media_rw_data_file:dir create_dir_perms;
+allow priv_app media_rw_data_file:file create_file_perms;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow priv_app shell_data_file:file r_file_perms;
+allow priv_app shell_data_file:dir r_dir_perms;
+
+# Allow verifier to access staged apks.
+allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
+# b/18504118: Allow reads from /data/anr/traces.txt
+allow priv_app anr_data_file:file r_file_perms;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+ allow priv_app perfprofd_data_file:file r_file_perms;
+ allow priv_app perfprofd_data_file:dir r_dir_perms;
+')
+
+# For AppFuse.
+allow priv_app vold:fd use;
+allow priv_app fuse_device:chr_file { read write };
+
+# /sys and /proc access
+r_dir_file(priv_app, sysfs_type)
+r_dir_file(priv_app, proc)
+r_dir_file(priv_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
+
+# access the mac address
+allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
+
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(priv_app, update_engine)
+allow priv_app update_engine_service:service_manager find;
+
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(priv_app, storaged)
+allow priv_app storaged_service:service_manager find;
+
+# Allow Phone to read/write cached ringtones (opened by system).
+allow priv_app ringtone_file:file { getattr read write };
+
+# Access to /data/preloads
+allow priv_app preloads_data_file:file r_file_perms;
+allow priv_app preloads_data_file:dir r_dir_perms;
+allow priv_app preloads_media_file:file r_file_perms;
+allow priv_app preloads_media_file:dir r_dir_perms;
+
+# TODO: revert this as part of fixing 33574909
+# android.process.media uses /dev/mtp_usb
+allow priv_app mtp_device:chr_file rw_file_perms;
+
+# TODO: revert this as part of fixing 33574909
+# MtpServer uses /dev/usb-ffs/mtp
+allow priv_app functionfs:dir search;
+allow priv_app functionfs:file rw_file_perms;
+
+# TODO: revert this as part of fixing 33574909
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow priv_app mnt_media_rw_file:dir search;
+
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
+read_runtime_log_tags(priv_app)
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow priv_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow priv_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow priv_app debugfs:file read;
+
+# Do not allow privileged apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow priv_app service_manager_type:service_manager add;
+
+# Do not allow privileged apps to connect to the property service
+# or set properties. b/10243159
+neverallow priv_app property_socket:sock_file write;
+neverallow priv_app init:unix_stream_socket connectto;
+neverallow priv_app property_type:property_service set;
+
+# Do not allow priv_app to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and priv_app is allowed fork permission to itself.
+neverallow priv_app mlstrustedsubject:process fork;
+
+# Do not allow priv_app to hard link to any files.
+# In particular, if priv_app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure priv_app never has this
+# capability.
+neverallow priv_app file_type:file link;
diff --git a/prebuilts/api/26.0/private/profman.te b/prebuilts/api/26.0/private/profman.te
new file mode 100644
index 0000000..f61d05e
--- /dev/null
+++ b/prebuilts/api/26.0/private/profman.te
@@ -0,0 +1 @@
+typeattribute profman coredomain;
diff --git a/prebuilts/api/26.0/private/property_contexts b/prebuilts/api/26.0/private/property_contexts
new file mode 100644
index 0000000..4c27b35
--- /dev/null
+++ b/prebuilts/api/26.0/private/property_contexts
@@ -0,0 +1,116 @@
+##########################
+# property service keys
+#
+#
+net.rmnet u:object_r:net_radio_prop:s0
+net.gprs u:object_r:net_radio_prop:s0
+net.ppp u:object_r:net_radio_prop:s0
+net.qmi u:object_r:net_radio_prop:s0
+net.lte u:object_r:net_radio_prop:s0
+net.cdma u:object_r:net_radio_prop:s0
+net.dns u:object_r:net_dns_prop:s0
+sys.usb.config u:object_r:system_radio_prop:s0
+ril. u:object_r:radio_prop:s0
+ro.ril. u:object_r:radio_prop:s0
+gsm. u:object_r:radio_prop:s0
+persist.radio u:object_r:radio_prop:s0
+
+net. u:object_r:system_prop:s0
+dev. u:object_r:system_prop:s0
+ro.runtime. u:object_r:system_prop:s0
+ro.runtime.firstboot u:object_r:firstboot_prop:s0
+hw. u:object_r:system_prop:s0
+ro.hw. u:object_r:system_prop:s0
+sys. u:object_r:system_prop:s0
+sys.cppreopt u:object_r:cppreopt_prop:s0
+sys.powerctl u:object_r:powerctl_prop:s0
+sys.usb.ffs. u:object_r:ffs_prop:s0
+service. u:object_r:system_prop:s0
+dhcp. u:object_r:dhcp_prop:s0
+dhcp.bt-pan.result u:object_r:pan_result_prop:s0
+bluetooth. u:object_r:bluetooth_prop:s0
+
+debug. u:object_r:debug_prop:s0
+debug.db. u:object_r:debuggerd_prop:s0
+dumpstate. u:object_r:dumpstate_prop:s0
+dumpstate.options u:object_r:dumpstate_options_prop:s0
+log. u:object_r:log_prop:s0
+log.tag u:object_r:log_tag_prop:s0
+log.tag.WifiHAL u:object_r:wifi_log_prop:s0
+security.perf_harden u:object_r:shell_prop:s0
+service.adb.root u:object_r:shell_prop:s0
+service.adb.tcp.port u:object_r:shell_prop:s0
+
+persist.audio. u:object_r:audio_prop:s0
+persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.debug. u:object_r:persist_debug_prop:s0
+persist.logd. u:object_r:logd_prop:s0
+persist.logd.security u:object_r:device_logging_prop:s0
+persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
+logd.logpersistd u:object_r:logpersistd_logging_prop:s0
+persist.log.tag u:object_r:log_tag_prop:s0
+persist.mmc. u:object_r:mmc_prop:s0
+persist.sys. u:object_r:system_prop:s0
+persist.sys.safemode u:object_r:safemode_prop:s0
+ro.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.audit_safemode u:object_r:safemode_prop:s0
+persist.service. u:object_r:system_prop:s0
+persist.service.bdroid. u:object_r:bluetooth_prop:s0
+persist.security. u:object_r:system_prop:s0
+persist.vendor.overlay. u:object_r:overlay_prop:s0
+ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
+ro.boottime. u:object_r:boottime_prop:s0
+ro.serialno u:object_r:serialno_prop:s0
+ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
+ro.boot.serialno u:object_r:serialno_prop:s0
+ro.bt. u:object_r:bluetooth_prop:s0
+
+# Boolean property set by system server upon boot indicating
+# if device owner is provisioned.
+ro.device_owner u:object_r:device_logging_prop:s0
+
+# selinux non-persistent properties
+selinux.restorecon_recursive u:object_r:restorecon_prop:s0
+
+# default property context
+* u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold. u:object_r:vold_prop:s0
+ro.crypto. u:object_r:vold_prop:s0
+
+# ro.build.fingerprint is either set in /system/build.prop, or is
+# set at runtime by system_server.
+ro.build.fingerprint u:object_r:fingerprint_prop:s0
+
+ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
+
+# ctl properties
+ctl.bootanim u:object_r:ctl_bootanim_prop:s0
+ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
+ctl.fuse_ u:object_r:ctl_fuse_prop:s0
+ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
+ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
+ctl.bugreport u:object_r:ctl_bugreport_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
+
+# NFC properties
+nfc. u:object_r:nfc_prop:s0
+
+# These properties are not normally set by processes other than init.
+# They are only distinguished here for setting by qemu-props on the
+# emulator/goldfish.
+config. u:object_r:config_prop:s0
+ro.config. u:object_r:config_prop:s0
+dalvik. u:object_r:dalvik_prop:s0
+ro.dalvik. u:object_r:dalvik_prop:s0
+
+# Shared between system server and wificond
+wlan. u:object_r:wifi_prop:s0
+
+# hwservicemanager properties
+hwservicemanager. u:object_r:hwservicemanager_prop:s0
+
+# ASAN install trigger
+asan.restore_reboot u:object_r:asan_reboot_prop:s0
diff --git a/prebuilts/api/26.0/private/racoon.te b/prebuilts/api/26.0/private/racoon.te
new file mode 100644
index 0000000..42ea7c9
--- /dev/null
+++ b/prebuilts/api/26.0/private/racoon.te
@@ -0,0 +1,3 @@
+typeattribute racoon coredomain;
+
+init_daemon_domain(racoon)
diff --git a/prebuilts/api/26.0/private/radio.te b/prebuilts/api/26.0/private/radio.te
new file mode 100644
index 0000000..83b5b41
--- /dev/null
+++ b/prebuilts/api/26.0/private/radio.te
@@ -0,0 +1,6 @@
+typeattribute radio coredomain;
+typeattribute radio domain_deprecated;
+
+app_domain(radio)
+
+read_runtime_log_tags(radio)
diff --git a/prebuilts/api/26.0/private/recovery.te b/prebuilts/api/26.0/private/recovery.te
new file mode 100644
index 0000000..b7b2847
--- /dev/null
+++ b/prebuilts/api/26.0/private/recovery.te
@@ -0,0 +1,2 @@
+typeattribute recovery coredomain;
+typeattribute recovery domain_deprecated;
diff --git a/prebuilts/api/26.0/private/recovery_persist.te b/prebuilts/api/26.0/private/recovery_persist.te
new file mode 100644
index 0000000..1fdd758
--- /dev/null
+++ b/prebuilts/api/26.0/private/recovery_persist.te
@@ -0,0 +1,7 @@
+typeattribute recovery_persist coredomain;
+
+init_daemon_domain(recovery_persist)
+
+# recovery_persist is not allowed to write anywhere other than recovery_data_file
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/26.0/private/recovery_refresh.te b/prebuilts/api/26.0/private/recovery_refresh.te
new file mode 100644
index 0000000..327098d
--- /dev/null
+++ b/prebuilts/api/26.0/private/recovery_refresh.te
@@ -0,0 +1,7 @@
+typeattribute recovery_refresh coredomain;
+
+init_daemon_domain(recovery_refresh)
+
+# recovery_refresh is not allowed to write anywhere
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/26.0/private/roles_decl b/prebuilts/api/26.0/private/roles_decl
new file mode 100644
index 0000000..c84fcba
--- /dev/null
+++ b/prebuilts/api/26.0/private/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/prebuilts/api/26.0/private/runas.te b/prebuilts/api/26.0/private/runas.te
new file mode 100644
index 0000000..73a91ff
--- /dev/null
+++ b/prebuilts/api/26.0/private/runas.te
@@ -0,0 +1,5 @@
+typeattribute runas coredomain;
+typeattribute runas domain_deprecated;
+
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/26.0/private/sdcardd.te b/prebuilts/api/26.0/private/sdcardd.te
new file mode 100644
index 0000000..ac6bb4e
--- /dev/null
+++ b/prebuilts/api/26.0/private/sdcardd.te
@@ -0,0 +1,4 @@
+typeattribute sdcardd coredomain;
+typeattribute sdcardd domain_deprecated;
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/26.0/private/seapp_contexts b/prebuilts/api/26.0/private/seapp_contexts
new file mode 100644
index 0000000..4356889
--- /dev/null
+++ b/prebuilts/api/26.0/private/seapp_contexts
@@ -0,0 +1,110 @@
+# Input selectors:
+# isSystemServer (boolean)
+# isEphemeralApp (boolean)
+# isV2App (boolean)
+# isOwner (boolean)
+# user (string)
+# seinfo (string)
+# name (string)
+# path (string)
+# isPrivApp (boolean)
+# minTargetSdkVersion (unsigned integer)
+# isSystemServer=true can only be used once.
+# An unspecified isSystemServer defaults to false.
+# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
+# isV2App=true will match apps in the v2 app sandbox.
+# isOwner=true will only match for the owner/primary user.
+# isOwner=false will only match for secondary users.
+# If unspecified, the entry can match either case.
+# An unspecified string selector will match any value.
+# A user string selector that ends in * will perform a prefix match.
+# user=_app will match any regular app UID.
+# user=_isolated will match any isolated service UID.
+# isPrivApp=true will only match for applications preinstalled in
+# /system/priv-app.
+# minTargetSdkVersion will match applications with a targetSdkVersion
+# greater than or equal to the specified value. If unspecified,
+# it has a default value of 0.
+# All specified input selectors in an entry must match (i.e. logical AND).
+# Matching is case-insensitive.
+#
+# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
+# (1) isSystemServer=true before isSystemServer=false.
+# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
+# (3) Specified isV2App= before unspecified isV2App= boolean.
+# (4) Specified isOwner= before unspecified isOwner= boolean.
+# (5) Specified user= string before unspecified user= string.
+# (6) Fixed user= string before user= prefix (i.e. ending in *).
+# (7) Longer user= prefix before shorter user= prefix.
+# (8) Specified seinfo= string before unspecified seinfo= string.
+# ':' character is reserved and may not be used.
+# (9) Specified name= string before unspecified name= string.
+# (10) Specified path= string before unspecified path= string.
+# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
+# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
+#
+# Outputs:
+# domain (string)
+# type (string)
+# levelFrom (string; one of none, all, app, or user)
+# level (string)
+# Only entries that specify domain= will be used for app process labeling.
+# Only entries that specify type= will be used for app directory labeling.
+# levelFrom=user is only supported for _app or _isolated UIDs.
+# levelFrom=app or levelFrom=all is only supported for _app UIDs.
+# level may be used to specify a fixed level for any UID.
+#
+#
+# Neverallow Assertions
+# Additional compile time assertion checks can be added as well. The assertion
+# rules are lines beginning with the keyword neverallow. Full support for PCRE
+# regular expressions exists on all input and output selectors. Neverallow
+# rules are never output to the built seapp_contexts file. Like all keywords,
+# neverallows are case-insensitive. A neverallow is asserted when all key value
+# inputs are matched on a key value rule line.
+#
+
+# only the system server can be in system_server domain
+neverallow isSystemServer=false domain=system_server
+neverallow isSystemServer="" domain=system_server
+
+# system domains should never be assigned outside of system uid
+neverallow user=((?!system).)* domain=system_app
+neverallow user=((?!system).)* type=system_app_data_file
+
+# anything with a non-known uid with a specified name should have a specified seinfo
+neverallow user=_app name=.* seinfo=""
+neverallow user=_app name=.* seinfo=default
+
+# neverallow shared relro to any other domain
+# and neverallow any other uid into shared_relro
+neverallow user=shared_relro domain=((?!shared_relro).)*
+neverallow user=((?!shared_relro).)* domain=shared_relro
+
+# neverallow non-isolated uids into isolated_app domain
+# and vice versa
+neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=((?!_isolated).)* domain=isolated_app
+
+# uid shell should always be in shell domain, however non-shell
+# uid's can be in shell domain
+neverallow user=shell domain=((?!shell).)*
+
+# Ephemeral Apps must run in the ephemeral_app domain
+neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
+
+isSystemServer=true domain=system_server
+user=system seinfo=platform domain=system_app type=system_app_data_file
+user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=radio seinfo=platform domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro
+user=shell seinfo=platform domain=shell type=shell_data_file
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
+user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
+user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/prebuilts/api/26.0/private/security_classes b/prebuilts/api/26.0/private/security_classes
new file mode 100644
index 0000000..02e3ef2
--- /dev/null
+++ b/prebuilts/api/26.0/private/security_classes
@@ -0,0 +1,144 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+
+# Property service
+class property_service # userspace
+
+# Service manager
+class service_manager # userspace
+
+# hardware service manager # userspace
+class hwservice_manager
+
+# Keystore Key
+class keystore_key # userspace
+
+class drmservice # userspace
+# FLASK
diff --git a/prebuilts/api/26.0/private/service_contexts b/prebuilts/api/26.0/private/service_contexts
new file mode 100644
index 0000000..dc77cb9
--- /dev/null
+++ b/prebuilts/api/26.0/private/service_contexts
@@ -0,0 +1,172 @@
+accessibility u:object_r:accessibility_service:s0
+account u:object_r:account_service:s0
+activity u:object_r:activity_service:s0
+alarm u:object_r:alarm_service:s0
+android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.security.keystore u:object_r:keystore_service:s0
+android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+appops u:object_r:appops_service:s0
+appwidget u:object_r:appwidget_service:s0
+assetatlas u:object_r:assetatlas_service:s0
+audio u:object_r:audio_service:s0
+autofill u:object_r:autofill_service:s0
+backup u:object_r:backup_service:s0
+batteryproperties u:object_r:batteryproperties_service:s0
+batterystats u:object_r:batterystats_service:s0
+battery u:object_r:battery_service:s0
+bluetooth_manager u:object_r:bluetooth_manager_service:s0
+bluetooth u:object_r:bluetooth_service:s0
+carrier_config u:object_r:radio_service:s0
+clipboard u:object_r:clipboard_service:s0
+com.android.net.IProxyService u:object_r:IProxyService_service:s0
+commontime_management u:object_r:commontime_management_service:s0
+common_time.clock u:object_r:mediaserver_service:s0
+common_time.config u:object_r:mediaserver_service:s0
+companiondevice u:object_r:companion_device_service:s0
+connectivity u:object_r:connectivity_service:s0
+connmetrics u:object_r:connmetrics_service:s0
+consumer_ir u:object_r:consumer_ir_service:s0
+content u:object_r:content_service:s0
+contexthub u:object_r:contexthub_service:s0
+country_detector u:object_r:country_detector_service:s0
+coverage u:object_r:coverage_service:s0
+cpuinfo u:object_r:cpuinfo_service:s0
+dbinfo u:object_r:dbinfo_service:s0
+device_policy u:object_r:device_policy_service:s0
+device_identifiers u:object_r:device_identifiers_service:s0
+deviceidle u:object_r:deviceidle_service:s0
+devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+diskstats u:object_r:diskstats_service:s0
+display.qservice u:object_r:surfaceflinger_service:s0
+display u:object_r:display_service:s0
+netd_listener u:object_r:netd_listener_service:s0
+DockObserver u:object_r:DockObserver_service:s0
+dreams u:object_r:dreams_service:s0
+drm.drmManager u:object_r:drmserver_service:s0
+dropbox u:object_r:dropbox_service:s0
+dumpstate u:object_r:dumpstate_service:s0
+econtroller u:object_r:radio_service:s0
+ethernet u:object_r:ethernet_service:s0
+fingerprint u:object_r:fingerprint_service:s0
+font u:object_r:font_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
+gfxinfo u:object_r:gfxinfo_service:s0
+graphicsstats u:object_r:graphicsstats_service:s0
+gpu u:object_r:gpu_service:s0
+hardware u:object_r:hardware_service:s0
+hardware_properties u:object_r:hardware_properties_service:s0
+hdmi_control u:object_r:hdmi_control_service:s0
+incident u:object_r:incident_service:s0
+inputflinger u:object_r:inputflinger_service:s0
+input_method u:object_r:input_method_service:s0
+input u:object_r:input_service:s0
+installd u:object_r:installd_service:s0
+iphonesubinfo_msim u:object_r:radio_service:s0
+iphonesubinfo2 u:object_r:radio_service:s0
+iphonesubinfo u:object_r:radio_service:s0
+ims u:object_r:radio_service:s0
+imms u:object_r:imms_service:s0
+ipsec u:object_r:ipsec_service:s0
+isms_msim u:object_r:radio_service:s0
+isms2 u:object_r:radio_service:s0
+isms u:object_r:radio_service:s0
+isub u:object_r:radio_service:s0
+jobscheduler u:object_r:jobscheduler_service:s0
+launcherapps u:object_r:launcherapps_service:s0
+location u:object_r:location_service:s0
+lock_settings u:object_r:lock_settings_service:s0
+media.aaudio u:object_r:audioserver_service:s0
+media.audio_flinger u:object_r:audioserver_service:s0
+media.audio_policy u:object_r:audioserver_service:s0
+media.camera u:object_r:cameraserver_service:s0
+media.camera.proxy u:object_r:cameraproxy_service:s0
+media.log u:object_r:audioserver_service:s0
+media.player u:object_r:mediaserver_service:s0
+media.metrics u:object_r:mediametrics_service:s0
+media.extractor u:object_r:mediaextractor_service:s0
+media.codec u:object_r:mediacodec_service:s0
+media.resource_manager u:object_r:mediaserver_service:s0
+media.radio u:object_r:audioserver_service:s0
+media.sound_trigger_hw u:object_r:audioserver_service:s0
+media.drm u:object_r:mediadrmserver_service:s0
+media.cas u:object_r:mediacasserver_service:s0
+media_projection u:object_r:media_projection_service:s0
+media_resource_monitor u:object_r:media_session_service:s0
+media_router u:object_r:media_router_service:s0
+media_session u:object_r:media_session_service:s0
+meminfo u:object_r:meminfo_service:s0
+midi u:object_r:midi_service:s0
+mount u:object_r:mount_service:s0
+netd u:object_r:netd_service:s0
+netpolicy u:object_r:netpolicy_service:s0
+netstats u:object_r:netstats_service:s0
+network_management u:object_r:network_management_service:s0
+network_score u:object_r:network_score_service:s0
+network_time_update_service u:object_r:network_time_update_service:s0
+nfc u:object_r:nfc_service:s0
+notification u:object_r:notification_service:s0
+oem_lock u:object_r:oem_lock_service:s0
+otadexopt u:object_r:otadexopt_service:s0
+overlay u:object_r:overlay_service:s0
+package u:object_r:package_service:s0
+permission u:object_r:permission_service:s0
+persistent_data_block u:object_r:persistent_data_block_service:s0
+phone_msim u:object_r:radio_service:s0
+phone1 u:object_r:radio_service:s0
+phone2 u:object_r:radio_service:s0
+phone u:object_r:radio_service:s0
+pinner u:object_r:pinner_service:s0
+power u:object_r:power_service:s0
+print u:object_r:print_service:s0
+processinfo u:object_r:processinfo_service:s0
+procstats u:object_r:procstats_service:s0
+radio.phonesubinfo u:object_r:radio_service:s0
+radio.phone u:object_r:radio_service:s0
+radio.sms u:object_r:radio_service:s0
+recovery u:object_r:recovery_service:s0
+restrictions u:object_r:restrictions_service:s0
+rttmanager u:object_r:rttmanager_service:s0
+samplingprofiler u:object_r:samplingprofiler_service:s0
+scheduling_policy u:object_r:scheduling_policy_service:s0
+search u:object_r:search_service:s0
+sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+sensorservice u:object_r:sensorservice_service:s0
+serial u:object_r:serial_service:s0
+servicediscovery u:object_r:servicediscovery_service:s0
+settings u:object_r:settings_service:s0
+shortcut u:object_r:shortcut_service:s0
+simphonebook_msim u:object_r:radio_service:s0
+simphonebook2 u:object_r:radio_service:s0
+simphonebook u:object_r:radio_service:s0
+sip u:object_r:radio_service:s0
+soundtrigger u:object_r:voiceinteraction_service:s0
+statusbar u:object_r:statusbar_service:s0
+storaged u:object_r:storaged_service:s0
+storagestats u:object_r:storagestats_service:s0
+SurfaceFlinger u:object_r:surfaceflinger_service:s0
+task u:object_r:task_service:s0
+telecom u:object_r:telecom_service:s0
+telephony.registry u:object_r:registry_service:s0
+textclassification u:object_r:textclassification_service:s0
+textservices u:object_r:textservices_service:s0
+trust u:object_r:trust_service:s0
+tv_input u:object_r:tv_input_service:s0
+uimode u:object_r:uimode_service:s0
+updatelock u:object_r:updatelock_service:s0
+usagestats u:object_r:usagestats_service:s0
+usb u:object_r:usb_service:s0
+user u:object_r:user_service:s0
+vibrator u:object_r:vibrator_service:s0
+virtual_touchpad u:object_r:virtual_touchpad_service:s0
+voiceinteraction u:object_r:voiceinteraction_service:s0
+vr_hwc u:object_r:vr_hwc_service:s0
+vrmanager u:object_r:vr_manager_service:s0
+wallpaper u:object_r:wallpaper_service:s0
+webviewupdate u:object_r:webviewupdate_service:s0
+wifip2p u:object_r:wifip2p_service:s0
+wifiscanner u:object_r:wifiscanner_service:s0
+wifi u:object_r:wifi_service:s0
+wificond u:object_r:wificond_service:s0
+wifiaware u:object_r:wifiaware_service:s0
+window u:object_r:window_service:s0
+* u:object_r:default_android_service:s0
diff --git a/prebuilts/api/26.0/private/servicemanager.te b/prebuilts/api/26.0/private/servicemanager.te
new file mode 100644
index 0000000..9f675a2
--- /dev/null
+++ b/prebuilts/api/26.0/private/servicemanager.te
@@ -0,0 +1,5 @@
+typeattribute servicemanager coredomain;
+
+init_daemon_domain(servicemanager)
+
+read_runtime_log_tags(servicemanager)
diff --git a/prebuilts/api/26.0/private/sgdisk.te b/prebuilts/api/26.0/private/sgdisk.te
new file mode 100644
index 0000000..a17342e
--- /dev/null
+++ b/prebuilts/api/26.0/private/sgdisk.te
@@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
diff --git a/prebuilts/api/26.0/private/shared_relro.te b/prebuilts/api/26.0/private/shared_relro.te
new file mode 100644
index 0000000..8d06294
--- /dev/null
+++ b/prebuilts/api/26.0/private/shared_relro.te
@@ -0,0 +1,6 @@
+typeattribute shared_relro coredomain;
+typeattribute shared_relro domain_deprecated;
+
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
diff --git a/prebuilts/api/26.0/private/shell.te b/prebuilts/api/26.0/private/shell.te
new file mode 100644
index 0000000..fbd9676
--- /dev/null
+++ b/prebuilts/api/26.0/private/shell.te
@@ -0,0 +1,22 @@
+typeattribute shell coredomain;
+
+# systrace support - allow atrace to run
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file r_file_perms;
+allow shell tracing_shell_writable:file rw_file_perms;
+allow shell debugfs_trace_marker:file getattr;
+allow shell atrace_exec:file rx_file_perms;
+
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
+userdebug_or_eng(`
+ allow shell tracing_shell_writable_debug:file rw_file_perms;
+')
+
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
+
+# allow shell to call dumpsys storaged
+binder_call(shell, storaged)
diff --git a/prebuilts/api/26.0/private/slideshow.te b/prebuilts/api/26.0/private/slideshow.te
new file mode 100644
index 0000000..7dfa994
--- /dev/null
+++ b/prebuilts/api/26.0/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/prebuilts/api/26.0/private/storaged.te b/prebuilts/api/26.0/private/storaged.te
new file mode 100644
index 0000000..96433b3
--- /dev/null
+++ b/prebuilts/api/26.0/private/storaged.te
@@ -0,0 +1,51 @@
+# storaged daemon
+type storaged, domain, coredomain, mlstrustedsubject;
+type storaged_exec, exec_type, file_type;
+
+init_daemon_domain(storaged)
+
+# Read access to pseudo filesystems
+r_dir_file(storaged, sysfs_type)
+r_dir_file(storaged, proc_net)
+r_dir_file(storaged, domain)
+
+# Read /proc/uid_io/stats
+allow storaged proc_uid_io_stats:file r_file_perms;
+
+# Read /data/system/packages.list
+allow storaged system_data_file:file r_file_perms;
+
+userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+')
+
+# Needed to provide debug dump output via dumpsys pipes.
+allow storaged shell:fd use;
+allow storaged shell:fifo_file write;
+
+# Needed for GMScore to call dumpsys storaged
+allow storaged priv_app:fd use;
+allow storaged app_data_file:file write;
+allow storaged permission_service:service_manager find;
+
+# Binder permissions
+add_service(storaged, storaged_service)
+
+binder_use(storaged)
+binder_call(storaged, system_server)
+
+# use batteryproperties service
+allow storaged batteryproperties_service:service_manager find;
+binder_call(storaged, healthd)
+
+# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
+# running as root. See b/35323867 #3.
+dontaudit storaged self:capability dac_override;
+
+###
+### neverallow
+###
+neverallow storaged domain:process ptrace;
+neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/26.0/private/su.te b/prebuilts/api/26.0/private/su.te
new file mode 100644
index 0000000..d42bf61
--- /dev/null
+++ b/prebuilts/api/26.0/private/su.te
@@ -0,0 +1,20 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
+
+ # Make sure that dumpstate runs the same from the "su" domain as
+ # from the "init" domain.
+ domain_auto_trans(su, dumpstate_exec, dumpstate)
+
+ # Put the incident command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, incident_exec, incident)
+
+# su is also permissive to permit setenforce.
+ permissive su;
+
+ app_domain(su)
+')
diff --git a/prebuilts/api/26.0/private/surfaceflinger.te b/prebuilts/api/26.0/private/surfaceflinger.te
new file mode 100644
index 0000000..3595ee4
--- /dev/null
+++ b/prebuilts/api/26.0/private/surfaceflinger.te
@@ -0,0 +1,110 @@
+# surfaceflinger - display compositor service
+
+typeattribute surfaceflinger coredomain;
+
+type surfaceflinger_exec, exec_type, file_type;
+init_daemon_domain(surfaceflinger)
+
+typeattribute surfaceflinger mlstrustedsubject;
+typeattribute surfaceflinger display_service_server;
+
+read_runtime_log_tags(surfaceflinger)
+
+# Perform HwBinder IPC.
+hal_client_domain(surfaceflinger, hal_graphics_allocator)
+hal_client_domain(surfaceflinger, hal_graphics_composer)
+hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, bootanim)
+binder_service(surfaceflinger)
+
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Set properties.
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger app_data_file:file { read write };
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+
+# media.player service
+add_service(surfaceflinger, gpu_service)
+
+# do not use add_service() as hal_graphics_composer_default may be the
+# provider as well
+#add_service(surfaceflinger, surfaceflinger_service)
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger vr_manager_service:service_manager find;
+allow surfaceflinger window_service:service_manager find;
+
+
+# allow self to set SCHED_FIFO
+allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger proc_meminfo:file r_file_perms;
+r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, sysfs_type)
+r_dir_file(surfaceflinger, system_file)
+allow surfaceflinger tmpfs:dir r_dir_perms;
+allow surfaceflinger system_server:fd use;
+allow surfaceflinger ion_device:chr_file r_file_perms;
+
+# pdx IPC
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
+
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+neverallow surfaceflinger sdcard_type:file rw_file_perms;
diff --git a/prebuilts/api/26.0/private/system_app.te b/prebuilts/api/26.0/private/system_app.te
new file mode 100644
index 0000000..7950044
--- /dev/null
+++ b/prebuilts/api/26.0/private/system_app.te
@@ -0,0 +1,92 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+typeattribute system_app coredomain;
+typeattribute system_app domain_deprecated;
+
+app_domain(system_app)
+net_domain(system_app)
+binder_service(system_app)
+
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Read and write to /data/misc/user.
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
+
+# Access to vold-mounted storage for measuring free space
+allow system_app mnt_media_rw_file:dir search;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
+# Write to properties
+set_prop(system_app, bluetooth_prop)
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
+set_prop(system_app, log_tag_prop)
+userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
+
+# ctl interface
+set_prop(system_app, ctl_default_prop)
+set_prop(system_app, ctl_bugreport_prop)
+
+# Create /data/anr/traces.txt.
+allow system_app anr_data_file:dir ra_dir_perms;
+allow system_app anr_data_file:file create_file_perms;
+
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
+# Allow system apps to interact with incidentd
+binder_call(system_app, incidentd)
+
+allow system_app servicemanager:service_manager list;
+# TODO: scope this down? Too broad?
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+
+allow system_app keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ user_changed
+};
+
+# /sys access
+r_dir_file(system_app, sysfs_type)
+
+control_logd(system_app)
+read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/prebuilts/api/26.0/private/system_server.te b/prebuilts/api/26.0/private/system_server.te
new file mode 100644
index 0000000..05e4773
--- /dev/null
+++ b/prebuilts/api/26.0/private/system_server.te
@@ -0,0 +1,740 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+
+typeattribute system_server coredomain;
+typeattribute system_server domain_deprecated;
+typeattribute system_server mlstrustedsubject;
+
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
+# Create a socket for connections from crash_dump.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+
+allow system_server zygote_tmpfs:file read;
+
+# For art.
+allow system_server dalvikcache_data_file:dir r_dir_perms;
+allow system_server dalvikcache_data_file:file { r_file_perms execute };
+userdebug_or_eng(`
+ # Report dalvikcache_data_file:file execute violations.
+ auditallow system_server dalvikcache_data_file:file execute;
+')
+
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
+
+# Read and delete last_reboot_reason file
+allow system_server reboot_data_file:file { rename r_file_perms unlink };
+allow system_server reboot_data_file:dir { write search open remove_name };
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+
+# May kill zygote on crashes.
+allow system_server zygote:process sigkill;
+allow system_server crash_dump:process sigkill;
+
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
+
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# system server gets network and bluetooth permissions.
+net_domain(system_server)
+# in addition to ioctls whitelisted for all domains, also allow system_server
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
+bluetooth_domain(system_server)
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:capability {
+ ipc_lock
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_nice
+ sys_ptrace
+ sys_time
+ sys_tty_config
+};
+
+wakelock_use(system_server)
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Allow alarmtimers to be set
+allow system_server self:capability2 wake_alarm;
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
+# Use generic "sockets" where the address family is not known
+# to the kernel. The ioctl permission is specifically omitted here, but may
+# be added to device specific policy along with the ioctl commands to be
+# whitelisted.
+allow system_server self:socket create_socket_perms_no_ioctl;
+
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
+# Kill apps.
+allow system_server appdomain:process { sigkill signal };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server audioserver:process { getsched setsched };
+allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
+allow system_server hal_camera:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+allow system_server bootanim:process { getsched setsched };
+
+# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
+# within system_server to keep track of memory and CPU usage for
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
+r_dir_file(system_server, domain)
+
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
+allow system_server qtaguid_proc:file rw_file_perms;
+allow system_server qtaguid_device:chr_file rw_file_perms;
+
+# Read /proc/uid_cputime/show_uid_stat.
+allow system_server proc_uid_cputime_showstat:file r_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
+
+# Read /proc/stat for CPU usage statistics
+allow system_server proc_stat:file r_file_perms;
+
+# Read /sys/kernel/debug/wakeup_sources.
+allow system_server debugfs:file r_file_perms;
+
+# The DhcpClient and WifiWatchdog use packet_sockets
+allow system_server self:packet_socket create_socket_perms_no_ioctl;
+
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create_socket_perms_no_ioctl;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
+unix_socket_connect(system_server, netd, netd)
+unix_socket_connect(system_server, vold, vold)
+unix_socket_connect(system_server, webview_zygote, webview_zygote)
+unix_socket_connect(system_server, zygote, zygote)
+unix_socket_connect(system_server, racoon, racoon)
+unix_socket_connect(system_server, uncrypt, uncrypt)
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+# Perform Binder IPC.
+binder_use(system_server)
+binder_call(system_server, appdomain)
+binder_call(system_server, binderservicedomain)
+binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, installd)
+binder_call(system_server, incidentd)
+binder_call(system_server, netd)
+binder_call(system_server, wificond)
+binder_service(system_server)
+
+# Use HALs
+hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_fingerprint)
+hal_client_domain(system_server, hal_gnss)
+hal_client_domain(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_ir)
+hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
+hal_client_domain(system_server, hal_power)
+hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_tetheroffload)
+hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_input)
+hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_vibrator)
+hal_client_domain(system_server, hal_vr)
+hal_client_domain(system_server, hal_weaver)
+hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_offload)
+hal_client_domain(system_server, hal_wifi_supplicant)
+
+binder_call(system_server, mediacodec)
+
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+
+# Send signals to trigger ANR traces.
+allow system_server {
+ # This is derived from the list that system server defines as interesting native processes
+ # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ mediametrics
+ sdcardd
+ surfaceflinger
+
+ # This list comes from HAL_INTERFACES_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_graphics_composer_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
+}:process { signal };
+
+# Use sockets received over binder from various services.
+allow system_server audioserver:tcp_socket rw_socket_perms;
+allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
+
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
+# Check SELinux permissions.
+selinux_check_access(system_server)
+
+# XXX Label sysfs files with a specific type?
+allow system_server sysfs:file rw_file_perms;
+allow system_server sysfs_nfc_power_writable:file rw_file_perms;
+allow system_server sysfs_devices_system_cpu:file w_file_perms;
+allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file r_file_perms;
+
+# TODO: Remove when HALs are forced into separate processes
+allow system_server sysfs_vibrator:file { write append };
+
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
+# Access devices.
+allow system_server device:dir r_dir_perms;
+allow system_server mdns_socket:sock_file rw_file_perms;
+allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server iio_device:chr_file rw_file_perms;
+allow system_server input_device:dir r_dir_perms;
+allow system_server input_device:chr_file rw_file_perms;
+allow system_server radio_device:chr_file r_file_perms;
+allow system_server tty_device:chr_file rw_file_perms;
+allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
+allow system_server video_device:chr_file rw_file_perms;
+allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
+allow system_server audio_device:dir r_dir_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file rw_file_perms;
+
+# Manage system data files.
+allow system_server system_data_file:dir create_dir_perms;
+allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
+allow system_server keychain_data_file:lnk_file create_file_perms;
+
+# Manage /data/app.
+allow system_server apk_data_file:dir create_dir_perms;
+allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
+allow system_server apk_tmp_file:dir create_dir_perms;
+allow system_server apk_tmp_file:file create_file_perms;
+
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
+# Manage /data/app-private.
+allow system_server apk_private_data_file:dir create_dir_perms;
+allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
+allow system_server apk_private_tmp_file:file create_file_perms;
+
+# Manage files within asec containers.
+allow system_server asec_apk_file:dir create_dir_perms;
+allow system_server asec_apk_file:file create_file_perms;
+allow system_server asec_public_file:file create_file_perms;
+
+# Manage /data/anr.
+allow system_server anr_data_file:dir create_dir_perms;
+allow system_server anr_data_file:file create_file_perms;
+
+# Read /data/misc/incidents - only read. The fd will be sent over binder,
+# with no DAC access to it, for dropbox to read.
+allow system_server incident_data_file:file read;
+
+# Manage /data/backup.
+allow system_server backup_data_file:dir create_dir_perms;
+allow system_server backup_data_file:file create_file_perms;
+
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
+# Manage /data/misc/adb.
+allow system_server adb_keys_file:dir create_dir_perms;
+allow system_server adb_keys_file:file create_file_perms;
+
+# Manage /data/misc/sms.
+# TODO: Split into a separate type?
+allow system_server radio_data_file:dir create_dir_perms;
+allow system_server radio_data_file:file create_file_perms;
+
+# Manage /data/misc/systemkeys.
+allow system_server systemkeys_data_file:dir create_dir_perms;
+allow system_server systemkeys_data_file:file create_file_perms;
+
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
+# Access /data/tombstones.
+allow system_server tombstone_data_file:dir r_dir_perms;
+allow system_server tombstone_data_file:file r_file_perms;
+
+# Manage /data/misc/vpn.
+allow system_server vpn_data_file:dir create_dir_perms;
+allow system_server vpn_data_file:file create_file_perms;
+
+# Manage /data/misc/wifi.
+allow system_server wifi_data_file:dir create_dir_perms;
+allow system_server wifi_data_file:file create_file_perms;
+
+# Manage /data/misc/zoneinfo.
+allow system_server zoneinfo_data_file:dir create_dir_perms;
+allow system_server zoneinfo_data_file:file create_file_perms;
+
+# Walk /data/data subdirectories.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;
+
+# Populate com.android.providers.settings/databases/settings.db.
+allow system_server system_app_data_file:dir create_dir_perms;
+allow system_server system_app_data_file:file create_file_perms;
+
+# Receive and use open app data files passed over binder IPC.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+
+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
+
+# Receive and use open /data/media files passed over binder IPC.
+# Also used for measuring disk usage.
+allow system_server media_rw_data_file:file { getattr read write append };
+
+# Relabel apk files.
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file { rw_file_perms rename unlink };
+
+# Backup of wallpaper imagery uses temporary hard links to avoid data churn
+allow system_server { system_data_file wallpaper_file }:file link;
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
+
+# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
+allow system_server system_data_file:dir relabelfrom;
+
+# Property Service write
+set_prop(system_server, system_prop)
+set_prop(system_server, safemode_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
+set_prop(system_server, device_logging_prop)
+set_prop(system_server, dumpstate_options_prop)
+set_prop(system_server, overlay_prop)
+userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+
+# ctl interface
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_bugreport_prop)
+
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
+# Read/write the property which keeps track of whether this is the first start of system_server
+set_prop(system_server, firstboot_prop)
+
+# Create a socket for connections from debuggerd.
+allow system_server system_ndebug_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
+
+allow system_server system_file:dir r_dir_perms;
+allow system_server system_file:lnk_file r_file_perms;
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_control:file rw_file_perms;
+
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
+
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
+allow system_server cache_backup_file:file create_file_perms;
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file rw_file_perms;
+allow system_server usb_device:dir r_dir_perms;
+
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
+
+# Read from log daemon.
+read_logd(system_server)
+read_runtime_log_tags(system_server)
+
+# Be consistent with DAC permissions. Allow system_server to write to
+# /sys/module/lowmemorykiller/parameters/adj
+# /sys/module/lowmemorykiller/parameters/minfree
+allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow system_server pstorefs:dir r_dir_perms;
+allow system_server pstorefs:file r_file_perms;
+
+# /sys access
+allow system_server sysfs_zram:dir search;
+allow system_server sysfs_zram:file r_file_perms;
+
+add_service(system_server, system_server_service);
+allow system_server audioserver_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
+allow system_server drmserver_service:service_manager find;
+allow system_server dumpstate_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server incident_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server mediametrics_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
+allow system_server mediacodec_service:service_manager find;
+allow system_server mediadrmserver_service:service_manager find;
+allow system_server mediacasserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
+allow system_server nfc_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server surfaceflinger_service:service_manager find;
+allow system_server wificond_service:service_manager find;
+
+allow system_server keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+};
+
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
+allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
+
+# Clean up old cgroups
+allow system_server cgroup:dir { remove_name rmdir };
+
+# /oem access
+r_dir_file(system_server, oemfs)
+
+# Allow resolving per-user storage symlinks
+allow system_server { mnt_user_file storage_file }:dir { getattr search };
+allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
+
+# Allow statfs() on storage devices, which happens fast enough that
+# we shouldn't be killed during unsafe removal
+allow system_server sdcard_type:dir { getattr search };
+
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
+# Allow system process to relabel the fingerprint directory after mkdir
+# and delete the directory and files when no longer needed
+allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
+allow system_server fingerprintd_data_file:file { getattr unlink };
+
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
+userdebug_or_eng(`
+ # Allow system server to create and write method traces in /data/misc/trace.
+ allow system_server method_trace_data_file:dir w_dir_perms;
+ allow system_server method_trace_data_file:file { create w_file_perms };
+
+ # Allow system server to read dmesg
+ allow system_server kernel:system syslog_read;
+')
+
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
+
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open unlink write };
+
+# Connect to adbd and use a socket transferred from it.
+# Used for e.g. jdwp.
+allow system_server adbd:unix_stream_socket connectto;
+allow system_server adbd:fd use;
+allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# Allow invoking tools like "timeout"
+allow system_server toolbox_exec:file rx_file_perms;
+
+# Postinstall
+#
+# For OTA dexopt, allow calls coming from postinstall.
+binder_call(system_server, postinstall)
+
+allow system_server postinstall:fifo_file write;
+allow system_server update_engine:fd use;
+allow system_server update_engine:fifo_file write;
+
+# Access to /data/preloads
+allow system_server preloads_data_file:file { r_file_perms unlink };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+r_dir_file(system_server, cgroup)
+allow system_server ion_device:chr_file r_file_perms;
+
+r_dir_file(system_server, proc)
+r_dir_file(system_server, proc_meminfo)
+r_dir_file(system_server, proc_net)
+r_dir_file(system_server, rootfs)
+r_dir_file(system_server, sysfs_type)
+
+### Rules needed when Light HAL runs inside system_server process.
+### These rules should eventually be granted only when needed.
+allow system_server sysfs_leds:lnk_file read;
+allow system_server sysfs_leds:file rw_file_perms;
+allow system_server sysfs_leds:dir r_dir_perms;
+###
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow system_server debugfs_tracing_instances:dir search;
+allow system_server debugfs_wifi_tracing:file rw_file_perms;
+
+# allow system_server to exec shell on ASAN builds. Needed to run
+# asanwrapper.
+with_asan(`
+ allow system_server shell_exec:file rx_file_perms;
+')
+
+###
+### Neverallow rules
+###
+### system_server should NEVER do any of this
+
+# Do not allow opening files from external storage as unsafe ejection
+# could cause the kernel to kill the system_server.
+neverallow system_server sdcard_type:dir { open read write };
+neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be operating on zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server {
+ file_type
+ -toolbox_exec
+ -logcat_exec
+ with_asan(`-shell_exec')
+}:file execute_no_trans;
+
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs.
+neverallow system_server { domain -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# system_server should never execute or load executable shared libraries
+# in /data except for /data/dalvik-cache files.
+neverallow system_server {
+ data_file_type
+ -dalvikcache_data_file #mapping with PROT_EXEC
+}:file no_x_file_perms;
+
+# The only block device system_server should be accessing is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+
+# system_server should never use JIT functionality
+neverallow system_server self:process execmem;
+neverallow system_server ashmem_device:chr_file execute;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow system_server system_server_tmpfs:file execute;
+
+# dexoptanalyzer is currently used only for secondary dex files which
+# system_server should never access.
+neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+# This neverallow can be removed after b/34951864 is fixed.
+neverallow system_server system_server:capability sys_resource;
diff --git a/prebuilts/api/26.0/private/technical_debt.cil b/prebuilts/api/26.0/private/technical_debt.cil
new file mode 100644
index 0000000..ccbae10
--- /dev/null
+++ b/prebuilts/api/26.0/private/technical_debt.cil
@@ -0,0 +1,28 @@
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_allocator_client;
+; typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))
+
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
diff --git a/prebuilts/api/26.0/private/tombstoned.te b/prebuilts/api/26.0/private/tombstoned.te
new file mode 100644
index 0000000..305f9d0
--- /dev/null
+++ b/prebuilts/api/26.0/private/tombstoned.te
@@ -0,0 +1,3 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
diff --git a/prebuilts/api/26.0/private/toolbox.te b/prebuilts/api/26.0/private/toolbox.te
new file mode 100644
index 0000000..a2b958d
--- /dev/null
+++ b/prebuilts/api/26.0/private/toolbox.te
@@ -0,0 +1,3 @@
+typeattribute toolbox coredomain;
+
+init_daemon_domain(toolbox)
diff --git a/prebuilts/api/26.0/private/tzdatacheck.te b/prebuilts/api/26.0/private/tzdatacheck.te
new file mode 100644
index 0000000..502735c
--- /dev/null
+++ b/prebuilts/api/26.0/private/tzdatacheck.te
@@ -0,0 +1,3 @@
+typeattribute tzdatacheck coredomain;
+
+init_daemon_domain(tzdatacheck)
diff --git a/prebuilts/api/26.0/private/ueventd.te b/prebuilts/api/26.0/private/ueventd.te
new file mode 100644
index 0000000..0df587f
--- /dev/null
+++ b/prebuilts/api/26.0/private/ueventd.te
@@ -0,0 +1,4 @@
+typeattribute ueventd coredomain;
+typeattribute ueventd domain_deprecated;
+
+tmpfs_domain(ueventd)
diff --git a/prebuilts/api/26.0/private/uncrypt.te b/prebuilts/api/26.0/private/uncrypt.te
new file mode 100644
index 0000000..fde686b
--- /dev/null
+++ b/prebuilts/api/26.0/private/uncrypt.te
@@ -0,0 +1,4 @@
+typeattribute uncrypt coredomain;
+typeattribute uncrypt domain_deprecated;
+
+init_daemon_domain(uncrypt)
diff --git a/prebuilts/api/26.0/private/untrusted_app.te b/prebuilts/api/26.0/private/untrusted_app.te
new file mode 100644
index 0000000..68c1a41
--- /dev/null
+++ b/prebuilts/api/26.0/private/untrusted_app.te
@@ -0,0 +1,29 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app coredomain;
+
+app_domain(untrusted_app)
+untrusted_app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app)
diff --git a/prebuilts/api/26.0/private/untrusted_app_25.te b/prebuilts/api/26.0/private/untrusted_app_25.te
new file mode 100644
index 0000000..3fa79ef
--- /dev/null
+++ b/prebuilts/api/26.0/private/untrusted_app_25.te
@@ -0,0 +1,46 @@
+###
+### Untrusted_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app_25 coredomain;
+
+app_domain(untrusted_app_25)
+untrusted_app_domain(untrusted_app_25)
+net_domain(untrusted_app_25)
+bluetooth_domain(untrusted_app_25)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_25)
+
+# b/34115651 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_app_25, net_dns_prop)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
diff --git a/prebuilts/api/26.0/private/untrusted_app_all.te b/prebuilts/api/26.0/private/untrusted_app_all.te
new file mode 100644
index 0000000..fc80129
--- /dev/null
+++ b/prebuilts/api/26.0/private/untrusted_app_all.te
@@ -0,0 +1,106 @@
+###
+### Untrusted_app_all.
+###
+### This file defines the rules shared by all untrusted app domains except
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_all attribute is assigned to all default
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### attribute is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
+
+# Legacy text relocations
+allow untrusted_app_all apk_data_file:file execmod;
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
+
+# ASEC
+allow untrusted_app_all asec_apk_file:file r_file_perms;
+allow untrusted_app_all asec_apk_file:dir r_dir_perms;
+# Execute libs in asec containers.
+allow untrusted_app_all asec_public_file:file { execute execmod };
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app_all shell_data_file:file r_file_perms;
+allow untrusted_app_all shell_data_file:dir r_dir_perms;
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app_all system_app_data_file:file { read write getattr };
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access to /data/media.
+allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
+allow untrusted_app_all media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app_all mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_app_all servicemanager:service_manager list;
+
+allow untrusted_app_all audioserver_service:service_manager find;
+allow untrusted_app_all cameraserver_service:service_manager find;
+allow untrusted_app_all drmserver_service:service_manager find;
+allow untrusted_app_all mediaserver_service:service_manager find;
+allow untrusted_app_all mediaextractor_service:service_manager find;
+allow untrusted_app_all mediacodec_service:service_manager find;
+allow untrusted_app_all mediametrics_service:service_manager find;
+allow untrusted_app_all mediadrmserver_service:service_manager find;
+allow untrusted_app_all mediacasserver_service:service_manager find;
+allow untrusted_app_all nfc_service:service_manager find;
+allow untrusted_app_all radio_service:service_manager find;
+allow untrusted_app_all surfaceflinger_service:service_manager find;
+allow untrusted_app_all app_api_service:service_manager find;
+allow untrusted_app_all vr_manager_service:service_manager find;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+ allow untrusted_app_all perfprofd_data_file:file r_file_perms;
+ allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
+')
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_app_all self:process ptrace;
+
+# Cts: HwRngTest
+allow untrusted_app_all sysfs_hwrandom:dir search;
+allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
+
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
diff --git a/prebuilts/api/26.0/private/untrusted_v2_app.te b/prebuilts/api/26.0/private/untrusted_v2_app.te
new file mode 100644
index 0000000..ef62841
--- /dev/null
+++ b/prebuilts/api/26.0/private/untrusted_v2_app.te
@@ -0,0 +1,43 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+typeattribute untrusted_v2_app coredomain;
+
+app_domain(untrusted_v2_app)
+net_domain(untrusted_v2_app)
+bluetooth_domain(untrusted_v2_app)
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_v2_app system_app_data_file:file { read write getattr };
+
+# Access to /data/media.
+allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
+allow untrusted_v2_app media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_v2_app mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_v2_app servicemanager:service_manager list;
+
+allow untrusted_v2_app audioserver_service:service_manager find;
+allow untrusted_v2_app cameraserver_service:service_manager find;
+allow untrusted_v2_app drmserver_service:service_manager find;
+allow untrusted_v2_app mediaserver_service:service_manager find;
+allow untrusted_v2_app mediaextractor_service:service_manager find;
+allow untrusted_v2_app mediacodec_service:service_manager find;
+allow untrusted_v2_app mediametrics_service:service_manager find;
+allow untrusted_v2_app mediadrmserver_service:service_manager find;
+allow untrusted_v2_app mediacasserver_service:service_manager find;
+allow untrusted_v2_app nfc_service:service_manager find;
+allow untrusted_v2_app radio_service:service_manager find;
+allow untrusted_v2_app surfaceflinger_service:service_manager find;
+# TODO: potentially provide a tighter list of services here
+allow untrusted_v2_app app_api_service:service_manager find;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_v2_app self:process ptrace;
diff --git a/prebuilts/api/26.0/private/update_engine.te b/prebuilts/api/26.0/private/update_engine.te
new file mode 100644
index 0000000..f460272
--- /dev/null
+++ b/prebuilts/api/26.0/private/update_engine.te
@@ -0,0 +1,4 @@
+typeattribute update_engine coredomain;
+typeattribute update_engine domain_deprecated;
+
+init_daemon_domain(update_engine);
diff --git a/prebuilts/api/26.0/private/update_engine_common.te b/prebuilts/api/26.0/private/update_engine_common.te
new file mode 100644
index 0000000..a7fb584
--- /dev/null
+++ b/prebuilts/api/26.0/private/update_engine_common.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/prebuilts/api/26.0/private/update_verifier.te b/prebuilts/api/26.0/private/update_verifier.te
new file mode 100644
index 0000000..1b934d9
--- /dev/null
+++ b/prebuilts/api/26.0/private/update_verifier.te
@@ -0,0 +1,3 @@
+typeattribute update_verifier coredomain;
+
+init_daemon_domain(update_verifier)
diff --git a/prebuilts/api/26.0/private/users b/prebuilts/api/26.0/private/users
new file mode 100644
index 0000000..51b7b57
--- /dev/null
+++ b/prebuilts/api/26.0/private/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/prebuilts/api/26.0/private/vdc.te b/prebuilts/api/26.0/private/vdc.te
new file mode 100644
index 0000000..bc7409e
--- /dev/null
+++ b/prebuilts/api/26.0/private/vdc.te
@@ -0,0 +1,3 @@
+typeattribute vdc coredomain;
+
+init_daemon_domain(vdc)
diff --git a/prebuilts/api/26.0/private/virtual_touchpad.te b/prebuilts/api/26.0/private/virtual_touchpad.te
new file mode 100644
index 0000000..e735172
--- /dev/null
+++ b/prebuilts/api/26.0/private/virtual_touchpad.te
@@ -0,0 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
+init_daemon_domain(virtual_touchpad)
diff --git a/prebuilts/api/26.0/private/vold.te b/prebuilts/api/26.0/private/vold.te
new file mode 100644
index 0000000..f2416f8
--- /dev/null
+++ b/prebuilts/api/26.0/private/vold.te
@@ -0,0 +1,20 @@
+typeattribute vold coredomain;
+typeattribute vold domain_deprecated;
+
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
diff --git a/prebuilts/api/26.0/private/vr_hwc.te b/prebuilts/api/26.0/private/vr_hwc.te
new file mode 100644
index 0000000..053c03d
--- /dev/null
+++ b/prebuilts/api/26.0/private/vr_hwc.te
@@ -0,0 +1,6 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/prebuilts/api/26.0/private/watchdogd.te b/prebuilts/api/26.0/private/watchdogd.te
new file mode 100644
index 0000000..36dd30f
--- /dev/null
+++ b/prebuilts/api/26.0/private/watchdogd.te
@@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
diff --git a/prebuilts/api/26.0/private/webview_zygote.te b/prebuilts/api/26.0/private/webview_zygote.te
new file mode 100644
index 0000000..501581a
--- /dev/null
+++ b/prebuilts/api/26.0/private/webview_zygote.te
@@ -0,0 +1,116 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+typeattribute webview_zygote coredomain;
+
+# The webview_zygote needs to be able to transition domains.
+typeattribute webview_zygote mlstrustedsubject;
+
+# When init launches the WebView zygote's executable, transition the
+# resulting process into webview_zygote domain.
+init_daemon_domain(webview_zygote)
+
+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:capability { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+
+# Allow webview_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow webview_zygote debugfs_trace_marker:file getattr;
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for init to exec() us.
+neverallow { domain -init } webview_zygote:process transition;
+neverallow * webview_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote {
+ app_data_file
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+}:file { rwx_file_perms };
+
+neverallow webview_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket
+} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/26.0/private/wificond.te b/prebuilts/api/26.0/private/wificond.te
new file mode 100644
index 0000000..cc76447
--- /dev/null
+++ b/prebuilts/api/26.0/private/wificond.te
@@ -0,0 +1,4 @@
+typeattribute wificond coredomain;
+
+init_daemon_domain(wificond)
+hal_client_domain(wificond, hal_wifi_offload)
diff --git a/prebuilts/api/26.0/private/zygote.te b/prebuilts/api/26.0/private/zygote.te
new file mode 100644
index 0000000..daabbc0
--- /dev/null
+++ b/prebuilts/api/26.0/private/zygote.te
@@ -0,0 +1,134 @@
+# zygote
+typeattribute zygote coredomain;
+typeattribute zygote domain_deprecated;
+typeattribute zygote mlstrustedsubject;
+
+init_daemon_domain(zygote)
+
+read_runtime_log_tags(zygote)
+
+# Override DAC on files and switch uid/gid.
+allow zygote self:capability { dac_override setgid setuid fowner chown };
+
+# Drop capabilities from bounding set.
+allow zygote self:capability setpcap;
+
+# Switch SELinux context to app domains.
+allow zygote self:process setcurrent;
+allow zygote system_server:process dyntransition;
+allow zygote appdomain:process dyntransition;
+
+# Allow zygote to read app /proc/pid dirs (b/10455872).
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
+
+# Move children into the peer process group.
+allow zygote system_server:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+
+# Read system data.
+allow zygote system_data_file:dir r_dir_perms;
+allow zygote system_data_file:file r_file_perms;
+
+# Write to /data/dalvik-cache.
+allow zygote dalvikcache_data_file:dir create_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+
+# Create symlinks in /data/dalvik-cache.
+allow zygote dalvikcache_data_file:lnk_file create_file_perms;
+
+# Write to /data/resource-cache.
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
+
+# When WITH_DEXPREOPT is true, the zygote does not load executable content from
+# /data/dalvik-cache.
+allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
+
+# Execute idmap and dex2oat within zygote's own domain.
+# TODO: Should either of these be transitioned to the same domain
+# used by installd or stay in-domain for zygote?
+allow zygote idmap_exec:file rx_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote self:capability sys_admin;
+
+# Allow zygote to stat the files that it opens. The zygote must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow zygote pmsg_device:chr_file getattr;
+allow zygote debugfs_trace_marker:file getattr;
+
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+
+# Native bridge functionality requires that zygote replaces
+# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
+allow zygote proc_cpuinfo:file mounton;
+
+# Allow remounting rootfs as MS_SLAVE.
+allow zygote rootfs:dir mounton;
+allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
+
+# Allow creating user-specific storage source if started before vold.
+allow zygote mnt_user_file:dir create_dir_perms;
+allow zygote mnt_user_file:lnk_file create_file_perms;
+# Allowed to mount user-specific storage into place
+allow zygote storage_file:dir { search mounton };
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file rx_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+r_dir_file(zygote, rootfs)
+
+# System file accesses.
+r_dir_file(zygote, system_file)
+
+userdebug_or_eng(`
+ # Allow zygote to create and write method traces in /data/misc/trace.
+ allow zygote method_trace_data_file:dir w_dir_perms;
+ allow zygote method_trace_data_file:file { create w_file_perms };
+')
+
+allow zygote ion_device:chr_file r_file_perms;
+allow zygote tmpfs:dir r_dir_perms;
+
+# Let the zygote access overlays so it can initialize the AssetManager.
+get_prop(zygote, overlay_prop)
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server.
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
+
+# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+neverallow zygote {
+ data_file_type
+ -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote bluetooth_prop:file create_file_perms;