DO NOT MERGE - Mark RQ2A.210105.001 as merged.
Bug: 180401296
Merged-In: Ifbb111dbee0429d8aaea4688c0390ee80e25cb22
Change-Id: I8f6ea01c2aba66ed72afb27f3b21aa1daf83a432
diff --git a/Android.bp b/Android.bp
index 8705622..1ec7570 100644
--- a/Android.bp
+++ b/Android.bp
@@ -12,6 +12,36 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+// Added automatically by a large-scale-change that took the approach of
+// 'apply every license found to every target'. While this makes sure we respect
+// every license restriction, it may not be entirely correct.
+//
+// e.g. GPL in an MIT project might only apply to the contrib/ directory.
+//
+// Please consider splitting the single license below into multiple licenses,
+// taking care not to lose any license_kind information, and overriding the
+// default license using the 'licenses: [...]' property on targets as needed.
+//
+// For unused files, consider creating a 'filegroup' with "//visibility:private"
+// to attach the license to, and including a comment whether the files may be
+// used in the current project.
+// http://go/android-license-faq
+license {
+ name: "system_sepolicy_license",
+ visibility: [":__subpackages__"],
+ license_kinds: [
+ "SPDX-license-identifier-Apache-2.0",
+ "legacy_unencumbered",
+ ],
+ license_text: [
+ "NOTICE",
+ ],
+}
+
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
se_filegroup {
@@ -43,6 +73,48 @@
}
se_filegroup {
+ name: "30.0.board.compat.map",
+ srcs: [
+ "compat/30.0/30.0.cil",
+ ],
+}
+
+se_filegroup {
+ name: "26.0.board.compat.cil",
+ srcs: [
+ "compat/26.0/26.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "27.0.board.compat.cil",
+ srcs: [
+ "compat/27.0/27.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "28.0.board.compat.cil",
+ srcs: [
+ "compat/28.0/28.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "29.0.board.compat.cil",
+ srcs: [
+ "compat/29.0/29.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "30.0.board.compat.cil",
+ srcs: [
+ "compat/30.0/30.0.compat.cil",
+ ],
+}
+
+se_filegroup {
name: "26.0.board.ignore.map",
srcs: [
"compat/26.0/26.0.ignore.cil",
@@ -70,6 +142,13 @@
],
}
+se_filegroup {
+ name: "30.0.board.ignore.map",
+ srcs: [
+ "compat/30.0/30.0.ignore.cil",
+ ],
+}
+
se_cil_compat_map {
name: "plat_26.0.cil",
stem: "26.0.cil",
@@ -95,7 +174,14 @@
name: "plat_29.0.cil",
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map"],
- // top_half: "plat_30.0.cil",
+ top_half: "plat_30.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map"],
+ // top_half: "plat_31.0.cil",
}
se_cil_compat_map {
@@ -126,7 +212,15 @@
name: "system_ext_29.0.cil",
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map"],
- // top_half: "system_ext_30.0.cil",
+ top_half: "system_ext_30.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map"],
+ // top_half: "system_ext_31.0.cil",
system_ext_specific: true,
}
@@ -158,7 +252,15 @@
name: "product_29.0.cil",
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map"],
- // top_half: "product_30.0.cil",
+ top_half: "product_30.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map"],
+ // top_half: "product_31.0.cil",
product_specific: true,
}
@@ -183,31 +285,73 @@
se_cil_compat_map {
name: "29.0.ignore.cil",
bottom_half: [":29.0.board.ignore.map"],
- // top_half: "30.0.ignore.cil",
+ top_half: "30.0.ignore.cil",
}
-prebuilt_etc {
+se_cil_compat_map {
+ name: "30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map"],
+ // top_half: "31.0.ignore.cil",
+}
+
+se_compat_cil {
name: "26.0.compat.cil",
- src: "private/compat/26.0/26.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":26.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "27.0.compat.cil",
- src: "private/compat/27.0/27.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":27.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "28.0.compat.cil",
- src: "private/compat/28.0/28.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":28.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "29.0.compat.cil",
- src: "private/compat/29.0/29.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":29.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "system_ext_26.0.compat.cil",
+ srcs: [":26.0.board.compat.cil"],
+ stem: "26.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_27.0.compat.cil",
+ srcs: [":27.0.board.compat.cil"],
+ stem: "27.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_28.0.compat.cil",
+ srcs: [":28.0.board.compat.cil"],
+ stem: "28.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_29.0.compat.cil",
+ srcs: [":29.0.board.compat.cil"],
+ stem: "29.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil"],
+ stem: "30.0.compat.cil",
+ system_ext_specific: true,
}
se_filegroup {
@@ -240,6 +384,11 @@
srcs: ["service_contexts"],
}
+se_filegroup {
+ name: "keystore2_key_contexts_files",
+ srcs: ["keystore2_key_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
srcs: [":file_contexts_files"],
@@ -376,11 +525,451 @@
soc_specific: true,
}
+keystore2_key_contexts {
+ name: "plat_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+}
+
+keystore2_key_contexts {
+ name: "system_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ system_ext_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "product_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ product_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "vendor_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ reqd_mask: true,
+ soc_specific: true,
+}
+
// For vts_treble_sys_prop_test
filegroup {
- name: "public_property_contexts",
- srcs: ["public/property_contexts"],
+ name: "private_property_contexts",
+ srcs: ["private/property_contexts"],
visibility: [
"//test/vts-testcase/security/system_property",
],
}
+
+se_build_files {
+ name: "se_build_files",
+ srcs: [
+ "security_classes",
+ "initial_sids",
+ "access_vectors",
+ "global_macros",
+ "neverallow_macros",
+ "mls_macros",
+ "mls_decl",
+ "mls",
+ "policy_capabilities",
+ "te_macros",
+ "attributes",
+ "ioctl_defines",
+ "ioctl_macros",
+ "*.te",
+ "roles_decl",
+ "roles",
+ "users",
+ "initial_sid_contexts",
+ "fs_use",
+ "genfs_contexts",
+ "port_contexts",
+ ],
+}
+
+// reqd_policy_mask - a policy.conf file which contains only the bare minimum
+// policy necessary to use checkpolicy.
+//
+// This bare-minimum policy needs to be present in all policy.conf files, but
+// should not necessarily be exported as part of the public policy.
+//
+// The rules generated by reqd_policy_mask will allow the compilation of public
+// policy and subsequent removal of CIL policy that should not be exported.
+se_policy_conf {
+ name: "reqd_policy_mask.conf",
+ srcs: [":se_build_files{.reqd_mask}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "reqd_policy_mask.cil",
+ src: ":reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+// pub_policy - policy that will be exported to be a part of non-platform
+// policy corresponding to this platform version.
+//
+// This is a limited subset of policy that would not compile in checkpolicy on
+// its own.
+//
+// To get around this limitation, add only the required files from private
+// policy, which will generate CIL policy that will then be filtered out by the
+// reqd_policy_mask.
+//
+// There are three pub_policy.cil files below:
+// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
+// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
+// - plat_pub_policy.cil: exported 'system' policy.
+//
+// Those above files will in turn be used to generate the following versioned cil files:
+// - product_mapping_file: the versioned, exported 'product' policy in product partition.
+// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
+// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
+// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
+// in vendor partition.
+//
+se_policy_conf {
+ name: "pub_policy.conf",
+ srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
+ installable: false,
+}
+
+se_policy_cil {
+ name: "pub_policy.cil",
+ src: ":pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "system_ext_pub_policy.conf",
+ srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
+ installable: false,
+}
+
+se_policy_cil {
+ name: "system_ext_pub_policy.cil",
+ src: ":system_ext_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_pub_policy.cil",
+ src: ":plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+// plat_policy.conf - A combination of the private and public platform policy
+// which will ship with the device.
+//
+// The platform will always reflect the most recent platform version and is not
+// currently being attributized.
+se_policy_conf {
+ name: "plat_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_sepolicy.cil",
+ src: ":plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+}
+
+// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+se_policy_conf {
+ name: "userdebug_plat_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ build_variant: "userdebug",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "userdebug_plat_sepolicy.cil",
+ src: ":userdebug_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ debug_ramdisk: true,
+}
+
+// system_ext_policy.conf - A combination of the private and public system_ext
+// policy which will ship with the device. System_ext policy is not attributized
+se_policy_conf {
+ name: "system_ext_sepolicy.conf",
+ srcs: [":se_build_files{.system_ext}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "system_ext_sepolicy.cil",
+ src: ":system_ext_sepolicy.conf",
+ system_ext_specific: true,
+ filter_out: [":plat_sepolicy.cil"],
+ remove_line_marker: true,
+}
+
+// product_policy.conf - A combination of the private and public product policy
+// which will ship with the device. Product policy is not attributized
+se_policy_conf {
+ name: "product_sepolicy.conf",
+ srcs: [":se_build_files{.product}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "product_sepolicy.cil",
+ src: ":product_sepolicy.conf",
+ product_specific: true,
+ filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
+ remove_line_marker: true,
+}
+
+// policy mapping files
+// auto-generate the mapping file for current platform policy, since it needs to
+// track platform policy development
+se_versioned_policy {
+ name: "plat_mapping_file",
+ base: ":plat_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+}
+
+se_versioned_policy {
+ name: "system_ext_mapping_file",
+ base: ":system_ext_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file"],
+ relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
+ system_ext_specific: true,
+}
+
+se_versioned_policy {
+ name: "product_mapping_file",
+ base: ":pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
+ relative_install_path: "mapping", // install to /product/etc/selinux/mapping
+ product_specific: true,
+}
+
+// plat_pub_versioned.cil - the exported platform policy associated with the version
+// that non-platform policy targets.
+se_versioned_policy {
+ name: "plat_pub_versioned.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ vendor: true,
+}
+
+//////////////////////////////////
+// Precompiled sepolicy is loaded if and only if:
+// - plat_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+// AND
+// - system_ext_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+// AND
+// - product_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// See system/core/init/selinux.cpp for details.
+//////////////////////////////////
+genrule {
+ name: "plat_sepolicy_and_mapping.sha256_gen",
+ srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
+ out: ["plat_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "plat_sepolicy_and_mapping.sha256",
+ filename: "plat_sepolicy_and_mapping.sha256",
+ src: ":plat_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+genrule {
+ name: "system_ext_sepolicy_and_mapping.sha256_gen",
+ srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
+ out: ["system_ext_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "system_ext_sepolicy_and_mapping.sha256",
+ filename: "system_ext_sepolicy_and_mapping.sha256",
+ src: ":system_ext_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ system_ext_specific: true,
+}
+
+genrule {
+ name: "product_sepolicy_and_mapping.sha256_gen",
+ srcs: [":product_sepolicy.cil", ":product_mapping_file"],
+ out: ["product_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "product_sepolicy_and_mapping.sha256",
+ filename: "product_sepolicy_and_mapping.sha256",
+ src: ":product_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ product_specific: true,
+}
+
+sepolicy_vers {
+ name: "plat_sepolicy_vers.txt",
+ version: "vendor",
+ vendor: true,
+}
+
+soong_config_module_type {
+ name: "precompiled_sepolicy_defaults",
+ module_type: "prebuilt_defaults",
+ config_namespace: "ANDROID",
+ bool_variables: ["BOARD_USES_ODMIMAGE"],
+ properties: ["vendor", "device_specific"],
+}
+
+precompiled_sepolicy_defaults {
+ name: "precompiled_sepolicy",
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ },
+}
+
+//////////////////////////////////
+// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy"],
+ name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ src: ":plat_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
+// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy"],
+ name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
+ filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
+ src: ":system_ext_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
+// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy"],
+ name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
+ filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
+ src: ":product_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+
+//////////////////////////////////
+// SELinux policy embedded into CTS.
+// CTS checks neverallow rules of this policy against the policy of the device under test.
+//////////////////////////////////
+se_policy_conf {
+ name: "general_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ build_variant: "user",
+ cts: true,
+ exclude_build_test: true,
+}
+
+//////////////////////////////////
+// modules for microdroid
+//////////////////////////////////
+
+// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
+// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
+// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
+// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
+// host's files.
+se_versioned_policy {
+ name: "microdroid_plat_pub_versioned.cil",
+ stem: "plat_pub_versioned.cil",
+ base: ":plat_pub_policy.cil",
+ target_policy: ":plat_pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":plat_mapping_file",
+ ],
+ installable: false,
+}
+
+// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
+// contains system/sepolicy/public and system/sepolicy/vendor.
+se_policy_conf {
+ name: "microdroid_vendor_sepolicy.conf",
+ srcs: [":se_build_files{.plat_vendor}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "microdroid_vendor_sepolicy.cil.raw",
+ src: ":microdroid_vendor_sepolicy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "microdroid_vendor_sepolicy.cil",
+ stem: "vendor_sepolicy.cil",
+ base: ":plat_pub_policy.cil",
+ target_policy: ":microdroid_vendor_sepolicy.cil.raw",
+ version: "current", // microdroid is bundled to system
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":microdroid_plat_pub_versioned.cil",
+ ":plat_mapping_file",
+ ],
+ filter_out: [":microdroid_plat_pub_versioned.cil"],
+ installable: false,
+}
+
+sepolicy_vers {
+ name: "microdroid_plat_sepolicy_vers.txt",
+ version: "platform",
+ stem: "plat_sepolicy_vers.txt",
+ installable: false,
+}
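Review bot: The digest command `cat $(in) | sha256sum | cut -d' ' -f1 > $(out)` at line 524 is repeated byte-for-byte in the genrules at lines 538 and 553, and the comment block above them says init loads the precompiled policy only when each digest equals its precompiled_sepolicy.* counterpart, so a future edit to one command that is not mirrored in the other two would silently disable precompiled policy for that partition. A genrule_defaults module holding the single cmd lets the three genrules differ only in srcs and out. Because the digest is taken over the raw concatenation of `$(in)`, the order of each srcs list is part of the contract with the loader referenced at line 518; a comment such as `// srcs order is part of the digest; keep in sync with init's computation` next to the lists would make that explicit.
```blueprint
genrule_defaults {
    name: "sepolicy_and_mapping_sha256_defaults",
    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
}

genrule {
    name: "plat_sepolicy_and_mapping.sha256_gen",
    defaults: ["sepolicy_and_mapping_sha256_defaults"],
    srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
    out: ["plat_sepolicy_and_mapping.sha256"],
}
// … unchanged: system_ext and product genrules, taking the same defaults …
```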
diff --git a/Android.mk b/Android.mk
index 33a08ee..882f397 100644
--- a/Android.mk
+++ b/Android.mk
@@ -52,8 +52,18 @@
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-SYSTEM_EXT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-SYSTEM_EXT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+
+SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
+ifneq (,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
+ # TODO: Disallow BOARD_PLAT_*
+ SYSTEM_EXT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+endif
+SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
+ifneq (,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
+ # TODO: Disallow BOARD_PLAT_*
+ SYSTEM_EXT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+endif
+
PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
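Review bot: The two `ifneq` blocks at lines 710-718 keep honouring BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR but give device owners no signal that the variables are on their way out; the intent is only recorded in a `# TODO: Disallow BOARD_PLAT_*` comment that is duplicated in both blocks. A one-line `$(warning BOARD_PLAT_PUBLIC_SEPOLICY_DIR is deprecated; use SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)` inside each block (and the PRIVATE equivalent) would surface the deprecation at build time, so the later removal does not come as a surprise, and the TODO could then be stated once above the pair.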
@@ -85,6 +95,51 @@
BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
endif
+# If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
+# policy files of platform (system, system_ext, product) can't be mixed with
+# policy files of vendor (vendor, odm). If it's the case, platform policies and
+# vendor policies are separately built. More specifically,
+#
+# - Platform policy files needed to build vendor policies, such as plat_policy,
+# plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
+# prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
+#
+# - sepolicy_neverallows only checks platform policies, and a new module
+# sepolicy_neverallows_vendor checks vendor policies.
+#
+# - neverallow checks are turned off while compiling precompiled_sepolicy module
+# and sepolicy module.
+#
+# - Vendor policies are not checked on the compat test (compat.mk).
+#
+# In such scenario, we can grab platform policy files from the prebuilts/api
+# directory. But we need more than that: prebuilts of system_ext, product,
+# system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following variables
+# are introduced to specify such prebuilts.
+#
+# - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
+# - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
+# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
+# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
+# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
+# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
+#
+# Vendors are responsible for copying policy files from the old version of the
+# source tree as prebuilts, and for setting BOARD_*_POLICY variables so they can
+# be used to build vendor policies. See prebuilt_policy.mk for more details.
+#
+# To support both mixed build and normal build, platform policy files are
+# indirectly referred by {partition}_{public|private}_policy_$(ver) variables
+# when building vendor policies. See vendor_sepolicy.cil and odm_sepolicy.cil
+# for more details.
+#
+# sepolicy.recovery is also compiled from vendor and plat prebuilt policies.
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
+mixed_sepolicy_build := true
+else
+mixed_sepolicy_build :=
+endif
+
NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
@@ -104,6 +159,21 @@
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
+# Set default values for these prebuilt directories
+ifeq (,$(BOARD_REQD_MASK_POLICY))
+BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
+endif
+
+ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
+BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
+endif
+
+$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
+ $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
+ BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
+ ) \
+)))
+
ifdef BOARD_ODM_SEPOLICY_DIRS
ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
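Review bot: The fallbacks at lines 777-789 default BOARD_REQD_MASK_POLICY, BOARD_PLAT_VENDOR_POLICY and the BOARD_*_PREBUILT_DIRS variables to the current tree's directories unconditionally, including when `mixed_sepolicy_build` (set at lines 764-768, earlier in this file) is true. The comment block introducing that flag says the prebuilts must be copies of the BOARD_SEPOLICY_VERS policy, so a vendor that forgets to set one of these variables gets current-version platform policy mixed into the vendor build with no diagnostic. Unless prebuilt_policy.mk (not in this diff) validates the variables, gating the defaults would be safer, e.g. `$(if $(mixed_sepolicy_build),$(error BOARD_REQD_MASK_POLICY must point at a prebuilt when BOARD_SEPOLICY_VERS differs from PLATFORM_SEPOLICY_VERSION))` before the first fallback, and likewise for the other variables.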
@@ -149,6 +219,9 @@
genfs_contexts \
port_contexts
+sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
+ $(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver))))
+
# Security classes and permissions defined outside of system/sepolicy.
security_class_extension_files := $(call build_policy, security_classes access_vectors, \
$(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
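Review bot: The `sepolicy_compat_files` definition at lines 797-798 wraps a single value in `$(addprefix …, $(addsuffix .cil, $(ver)))`, which reads as if it were joining two lists; inside the foreach the same path is simply `compat/$(ver)/$(ver).cil`. Writing `sepolicy_compat_files := $(foreach ver,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS),compat/$(ver)/$(ver).cil)` produces the identical list and makes the shape of the path visible at a glance.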
@@ -223,6 +296,24 @@
endif
endif
+enforce_sysprop_owner := true
+ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
+ enforce_sysprop_owner := false
+endif
+
+enforce_debugfs_restriction := false
+ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
+ enforce_debugfs_restriction := true
+endif
+
+ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
+ #$(warning no product shipping level defined)
+else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
+ ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)
+ $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.)
+ endif
+endif
+
# Library extension for host-side tests
ifeq ($(HOST_OS),darwin)
SHAREDLIB_EXT=dylib
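Review bot: The shipping-level check at line 819 uses `ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)`, so a device that explicitly sets `BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := false` also hits the `$(error …)`, while line 807 only treats the literal `true` as disabling enforcement. If rejecting any assignment on S+ devices is intended, the error text "cannot be set" should say so in a comment; otherwise `ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)` keeps both checks reading the variable the same way. The commented-out `#$(warning no product shipping level defined)` at line 817 is dead code and could be dropped, leaving an empty branch with a short comment explaining why a missing shipping level is tolerated.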
@@ -248,6 +339,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_TAGS := optional
LOCAL_REQUIRED_MODULES += \
selinux_policy_nonsystem \
@@ -262,6 +356,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_system
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# These build targets are not used on non-Treble devices. However, we build these to avoid
# divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \
@@ -269,13 +366,17 @@
$(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \
- plat_sepolicy_and_mapping.sha256 \
secilc \
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
+endif
+
LOCAL_REQUIRED_MODULES += \
build_sepolicy \
plat_file_contexts \
plat_file_contexts_test \
+ plat_keystore2_key_contexts \
plat_mac_permissions.xml \
plat_property_contexts \
plat_property_contexts_test \
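Review bot: The `secilc \` at line 850 is now the last entry of the LOCAL_REQUIRED_MODULES list that precedes the new `ifneq` at line 851, and its trailing backslash continues the assignment onto whatever line follows; the rendering of this diff drops blank context lines, so I cannot tell whether a blank line still terminates the continuation before the conditional. Ending the list with `    secilc` (no backslash) removes the dependence on that blank line, which is easy to lose in a later edit and would otherwise fold the `ifneq` text into the module list.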
@@ -327,16 +428,116 @@
include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy_system_ext
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+# Include precompiled policy, unless told otherwise.
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
+endif
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += \
+ system_ext_mapping_file
+
+system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
+
+LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
+
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+LOCAL_REQUIRED_MODULES += \
+ system_ext_file_contexts \
+ system_ext_file_contexts_test \
+ system_ext_hwservice_contexts \
+ system_ext_hwservice_contexts_test \
+ system_ext_property_contexts \
+ system_ext_property_contexts_test \
+ system_ext_seapp_contexts \
+ system_ext_service_contexts \
+ system_ext_service_contexts_test \
+ system_ext_mac_permissions.xml \
+ $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
+endif
+
+include $(BUILD_PHONY_PACKAGE)
+
+#################################
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := selinux_policy_product
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+# Include precompiled policy, unless told otherwise.
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
+endif
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_sepolicy.cil
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += \
+ product_mapping_file
+
+product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
+
+LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
+
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+LOCAL_REQUIRED_MODULES += \
+ product_file_contexts \
+ product_file_contexts_test \
+ product_hwservice_contexts \
+ product_hwservice_contexts_test \
+ product_property_contexts \
+ product_property_contexts_test \
+ product_seapp_contexts \
+ product_service_contexts \
+ product_service_contexts_test \
+ product_mac_permissions.xml \
+
+endif
+
+include $(BUILD_PHONY_PACKAGE)
+
+#################################
+
+include $(CLEAR_VARS)
+
LOCAL_MODULE := selinux_policy_nonsystem
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += \
precompiled_sepolicy \
- precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
- precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \
- system_ext_sepolicy_and_mapping.sha256 \
- precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
- product_sepolicy_and_mapping.sha256 \
+ precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+endif
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
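Review bot: The new selinux_policy_system_ext package tests `HAS_SYSTEM_EXT_SEPOLICY` twice in a row (lines 871 and 876), once nested inside the PRODUCT_PRECOMPILED_SEPOLICY check and once on its own, and the product package repeats the same shape at lines 918 and 923; folding the precompiled-policy condition into the single `ifdef` block keeps one block per partition feature and makes the per-partition packages easier to compare. The same restructuring applies to both packages; only the system_ext variant is shown below.
```makefile
ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
endif
endif
# … unchanged: HAS_SYSTEM_EXT_PUBLIC_SEPOLICY and HAS_SYSTEM_EXT_SEPOLICY_DIR blocks …
```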
@@ -373,57 +574,8 @@
odm_mac_permissions.xml
endif
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += \
- system_ext_mapping_file \
- $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
-
-endif
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-LOCAL_REQUIRED_MODULES += \
- system_ext_file_contexts \
- system_ext_file_contexts_test \
- system_ext_hwservice_contexts \
- system_ext_hwservice_contexts_test \
- system_ext_property_contexts \
- system_ext_property_contexts_test \
- system_ext_seapp_contexts \
- system_ext_service_contexts \
- system_ext_service_contexts_test \
- system_ext_mac_permissions.xml \
-
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_REQUIRED_MODULES += product_sepolicy.cil
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += \
- product_mapping_file \
- $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
-
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-LOCAL_REQUIRED_MODULES += \
- product_file_contexts \
- product_file_contexts_test \
- product_hwservice_contexts \
- product_hwservice_contexts_test \
- product_property_contexts \
- product_property_contexts_test \
- product_seapp_contexts \
- product_service_contexts \
- product_service_contexts_test \
- product_mac_permissions.xml \
-
-endif
+LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
+LOCAL_REQUIRED_MODULES += selinux_policy_product
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
@@ -435,9 +587,26 @@
include $(BUILD_PHONY_PACKAGE)
#################################
+
+ifeq ($(mixed_sepolicy_build),true)
+include $(LOCAL_PATH)/prebuilt_policy.mk
+else
+reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
+plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
+plat_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/private
+system_ext_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PUBLIC_POLICY)
+system_ext_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PRIVATE_POLICY)
+product_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PUBLIC_POLICY)
+product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
+endif
+
+#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_neverallows
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -445,11 +614,19 @@
# sepolicy_policy.conf - All of the policy for the device. This is only used to
# check neverallow rules.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+# In a mixed build target, vendor policies are checked separately, on the module
+# sepolicy_neverallows_vendor.
+
+all_plat_policy := $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
$(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)
+ifeq ($(mixed_sepolicy_build),true)
+policy_files := $(call build_policy, $(sepolicy_build_files), $(all_plat_policy))
+else
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(all_plat_policy) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+endif
+
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
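Review bot: In the mixed-build branch `all_plat_policy` keeps `$(PLAT_VENDOR_POLICY)` (the current tree's plat vendor directory), whereas the vendor-side check and `vendor_sepolicy.cil` added elsewhere in this change compile `$(BOARD_PLAT_VENDOR_POLICY)`, so the platform neverallow check is run against a different plat-vendor policy than the one that ships on a mixed target. That is presumably deliberate (current platform policy is checked against its own vendor dir, the versioned one is covered by `sepolicy_neverallows_vendor`), but the new comment only says vendor policies are "checked separately" and does not mention this asymmetry. I would extend the comment: `# PLAT_VENDOR_POLICY here is the current tree's plat vendor policy; the versioned BOARD_PLAT_VENDOR_POLICY that actually ships is checked by sepolicy_neverallows_vendor.`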
@@ -459,6 +636,7 @@
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -466,11 +644,6 @@
# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
# check neverallow rules using sepolicy-analyze, similar to CTS.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -481,6 +654,7 @@
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -507,467 +681,125 @@
sepolicy_policy_2.conf :=
built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
-##################################
-# reqd_policy_mask - a policy.conf file which contains only the bare minimum
-# policy necessary to use checkpolicy. This bare-minimum policy needs to be
-# present in all policy.conf files, but should not necessarily be exported as
-# part of the public policy. The rules generated by reqd_policy_mask will allow
-# the compilation of public policy and subsequent removal of CIL policy that
-# should not be exported.
-
-policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
-reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
-$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(reqd_policy_mask.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
-$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
- $(POLICYVERS) -o $@ $<
-
-reqd_policy_mask.conf :=
-
-##################################
-# pub_policy - policy that will be exported to be a part of non-platform
-# policy corresponding to this platform version. This is a limited subset of
-# policy that would not compile in checkpolicy on its own. To get around this
-# limitation, add only the required files from private policy, which will
-# generate CIL policy that will then be filtered out by the reqd_policy_mask.
-#
-# There are three pub_policy.cil files below:
-# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
-# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
-# - plat_pub_policy.cil: exported 'system' policy.
-#
-# Those above files will in turn be used to generate the following versioned cil files:
-# - product_mapping_file: the versioned, exported 'product' policy in product partition.
-# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
-# - plat_mapping_file: the versioned, exported 'system' policy in system partition.
-# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system'
-# policy in vendor partition.
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-pub_policy.conf := $(intermediates)/pub_policy.conf
-$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-pub_policy.cil := $(intermediates)/pub_policy.cil
-$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
-$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-pub_policy.conf :=
-
-##################################
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf
-$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(system_ext_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil
-$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf)
-$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-system_ext_pub_policy.conf :=
-
-##################################
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
-$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(plat_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
-$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
-$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-plat_pub_policy.conf :=
-
#################################
+# sepolicy_neverallows_vendor: neverallow check module for vendors in a mixed build target
+ifeq ($(mixed_sepolicy_build),true)
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_sepolicy.cil
-LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE := sepolicy_neverallows_vendor
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
-# plat_policy.conf - A combination of the private and public platform policy
-# which will ship with the device. The platform will always reflect the most
-# recent platform version and is not currently being attributized.
+# Check neverallow with prebuilt policy files
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-plat_policy.conf := $(intermediates)/plat_policy.conf
-$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(plat_policy.conf): $(policy_files) $(M4)
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+
+# sepolicy_policy.conf - All of the policy for the device. This is only used to
+# check neverallow rules.
+sepolicy_policy.conf := $(intermediates)/policy_vendor.conf
+$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
- $(hide) mv $@.tmp $@
-
-built_plat_cil := $(LOCAL_BUILT_MODULE)
-plat_policy.conf :=
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := userdebug_plat_sepolicy.cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
-$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
-$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(userdebug_plat_policy.conf): $(policy_files) $(M4)
+# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
+# check neverallow rules using sepolicy-analyze, similar to CTS.
+sepolicy_policy_2.conf := $(intermediates)/policy_vendor_2.conf
+$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
+$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
+ $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+ $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
+ ( echo "" 1>&2; \
+ echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
+ echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
+ echo "the policy." 1>&2; \
+ exit 1 )
+endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) touch $@.tmp
$(hide) mv $@.tmp $@
-userdebug_plat_policy.conf :=
+sepolicy_policy.conf :=
+sepolicy_policy_2.conf :=
+built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
-#################################
-include $(CLEAR_VARS)
+endif # ifeq ($(mixed_sepolicy_build),true)
+
+##################################
+# plat policy files are now built with Android.bp. Grab them from intermediate.
+# See Android.bp for details of plat policy files.
+#
+reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
+reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
+
+pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
+pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
+
+system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
+system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
+
+plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
+plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
+
+built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
+built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
+built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
+built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_MODULE := system_ext_sepolicy.cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# system_ext_policy.conf - A combination of the private and public system_ext policy
-# which will ship with the device. System_ext policy is not attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-system_ext_policy.conf := $(intermediates)/system_ext_policy.conf
-$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(system_ext_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
-$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
- # latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
-
-
-built_system_ext_cil := $(LOCAL_BUILT_MODULE)
-system_ext_policy.conf :=
+built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
+built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
+built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
+built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-#################################
-include $(CLEAR_VARS)
-
ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_MODULE := product_sepolicy.cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# product_policy.conf - A combination of the private and public product policy
-# which will ship with the device. Product policy is not attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-product_policy.conf := $(intermediates)/product_policy.conf
-$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(product_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil)
-$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_system_ext_cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL_FILES) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
- # make sure that the latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-
-built_product_cil := $(LOCAL_BUILT_MODULE)
-product_policy.conf :=
+built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
+built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
+built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
+built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
endif # ifdef HAS_PRODUCT_SEPOLICY
-#################################
-include $(CLEAR_VARS)
+built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
+built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
-LOCAL_MODULE := plat_sepolicy_vers.txt
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE) :
- mkdir -p $(dir $@)
- echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_mapping_file
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# auto-generate the mapping file for current platform policy, since it needs to
-# track platform policy development
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-
-built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_MODULE := system_ext_mapping_file
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
- # sepolicy minus plat_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
-
-built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_MODULE := product_mapping_file
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate product mapping file as mapping file of all public sepolicy minus
- # plat_mapping_file and system_ext_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_FILTER_CIL_FILES) -t $@
-
-built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-# plat_pub_versioned.cil - the exported platform policy associated with the version
-# that non-platform policy targets.
-LOCAL_MODULE := plat_pub_versioned.cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
-$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
-$(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
- $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
- $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil)
- @mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
#################################
include $(CLEAR_VARS)
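Review bot: The two `.conf` rules feeding `sepolicy_neverallows_vendor` (`policy_vendor.conf` and `policy_vendor_2.conf`) are generated with a different set of PRIVATE_* defines than the `vendor_policy.conf` that becomes the shipped `vendor_sepolicy.cil` later in this change: the check rules set no `PRIVATE_COMPATIBLE_PROPERTY`, `PRIVATE_TREBLE_SYSPROP_NEVERALLOW` or `PRIVATE_ENFORCE_SYSPROP_OWNER`, while the shipped-policy rule sets all three. If `transform-policy-to-conf` turns these into m4 definitions that gate neverallow rules (the names strongly suggest so), then the vendor policy that ships is never asserted against those rules at build time, which defeats the point of a separate vendor check; I would add to both rules `$(sepolicy_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)`, `$(sepolicy_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)` and `$(sepolicy_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)` (and the same three for `sepolicy_policy_2.conf`). Separately, both rules hard-code `PRIVATE_TARGET_BUILD_VARIANT := user`, unlike the removed per-partition rules that used `$(TARGET_BUILD_VARIANT)`, so a vendor rule wrapped in a userdebug/eng conditional that violates a neverallow would not be caught by this module on a userdebug build; if matching CTS's user-variant view is the intent, a one-line comment saying so would stop someone "fixing" it later.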
@@ -976,6 +808,9 @@
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
LOCAL_MODULE := vendor_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -983,9 +818,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
+# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
- $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
vendor_policy.conf := $(intermediates)/vendor_policy.conf
$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -997,24 +834,28 @@
$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
-$(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
-$(built_system_ext_mapping_cil) $(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
+$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS))
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
- $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
- $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
- $(built_product_mapping_cil)
+ $(vendor_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
+ $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@@ -1032,6 +873,9 @@
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
LOCAL_MODULE := odm_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1039,9 +883,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
+# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
- $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
odm_policy.conf := $(intermediates)/odm_policy.conf
$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1053,23 +899,29 @@
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
- $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
- $(built_system_ext_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_vendor_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_vendor_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
- $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) $(built_pub_vers_cil) \
- $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) \
+ $(odm_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
+ $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
$(built_vendor_cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
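Review bot: The two new target-specific variables for odm_policy.conf are assigned debugfs-restriction first and sysprop-owner second, the reverse of the vendor_policy.conf hunk above and of the base_plat_policy.conf / base_plat_pub_policy.conf hunks further down, which all put `PRIVATE_ENFORCE_SYSPROP_OWNER` before `PRIVATE_ENFORCE_DEBUGFS_RESTRICTION`. Swapping the two lines here keeps the four blocks grep-alike and makes a missing assignment stand out in a side-by-side read. The build_sepolicy recipe of this rule continues past the end of the hunk.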
@@ -1086,6 +938,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -1100,8 +955,8 @@
all_cil_files := \
$(built_plat_cil) \
- $(built_plat_mapping_cil) \
- $(built_pub_vers_cil) \
+ $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
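Review bot: all_cil_files now lists the installed path `$(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil` in place of a built-module variable, and `$(all_cil_files)` is also a prerequisite of `$(LOCAL_BUILT_MODULE)` in the secilc rule further down, so make needs a rule that produces that exact path; presumably the Soong mapping modules added in Android.bp provide it, but from this file alone a missing rule surfaces only as "No rule to make target". The same substitution is repeated for system_ext and product in the next two hunks and again for the `sepolicy` target (`@@ -1259,8 +1018,8 @@` onward). A comment on the first use, e.g. `# Mapping files are built and installed by Soong (Android.bp); only the installed path is referenced here.`, would save the next reader the search.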
@@ -1109,7 +964,7 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(built_system_ext_mapping_cil)
+all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef HAS_PRODUCT_SEPOLICY
@@ -1117,7 +972,7 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(built_product_mapping_cil)
+all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1125,7 +980,8 @@
endif
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+# Neverallow checks are skipped in a mixed build target.
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
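Review bot: The `-N` fallback on the new PRIVATE_NEVERALLOW_ARG line turns off secilc's neverallow checking whenever `$(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))` is empty, which covers an unset or empty BOARD_SEPOLICY_VERS as well as a genuine mixed build, and the same construct is repeated for the `sepolicy` target in `@@ -1284,7 +1043,8 @@`. The comment states only that the checks are skipped; it should say why that is acceptable and where the prebuilt platform policy's neverallows are still enforced, e.g. `# Neverallow checks are skipped in a mixed build target (BOARD_SEPOLICY_VERS != PLATFORM_SEPOLICY_VERSION); the prebuilt platform policy was checked when it was built.` if that is the case. Because this is the one place where neverallow enforcement can drop out, consider making the skip visible in the log, e.g. `$(warning neverallow checks skipped for BOARD_SEPOLICY_VERS=$(BOARD_SEPOLICY_VERS))-N` in the else branch, so a misconfigured board does not lose the check quietly. `$(built_sepolicy_neverallows)` stays in the prerequisite list even when `-N` is passed, which is harmless but worth a word in the same comment.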
@@ -1145,112 +1001,15 @@
# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
# See system/core/init/selinux.cpp for details.
#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_sepolicy_and_mapping.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil)
- cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-# SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil)
- cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil)
- cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
#################################
include $(CLEAR_VARS)
# build this target so that we can still perform neverallow checks
LOCAL_MODULE := sepolicy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
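Review bot: The retained header comment at the top of this hunk, ending `# precompiled_sepolicy.product_sepolicy_and_mapping.sha256` / `# See system/core/init/selinux.cpp for details.`, describes the six *_sepolicy_and_mapping.sha256 modules this hunk deletes, so it now dangles over the unrelated `sepolicy` module that follows. If those digests moved to Android.bp (likely given the Soong modules added elsewhere in this change, but not visible here) the comment should say so, e.g. `# The *_sepolicy_and_mapping.sha256 digests referenced by system/core/init/selinux.cpp are now built from Android.bp.`; if they did not move, the files init's selinux.cpp refers to are no longer produced and that consequence belongs in the commit message. The start of that comment block lies above the hunk.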
@@ -1259,8 +1018,8 @@
all_cil_files := \
$(built_plat_cil) \
- $(built_plat_mapping_cil) \
- $(built_pub_vers_cil) \
+ $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -1268,7 +1027,7 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(built_system_ext_mapping_cil)
+all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef HAS_PRODUCT_SEPOLICY
@@ -1276,7 +1035,7 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(built_product_mapping_cil)
+all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1284,7 +1043,8 @@
endif
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+# Neverallow checks are skipped in a mixed build target.
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
@@ -1309,6 +1069,9 @@
# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
LOCAL_MODULE := sepolicy.recovery
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1316,12 +1079,12 @@
include $(BUILD_SYSTEM)/base_rules.mk
+# We use vendor version's policy files because recovery partition is vendor-owned.
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
- $(BOARD_ODM_SEPOLICY_DIRS))
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1331,6 +1094,7 @@
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
+$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy.recovery.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
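Review bot: The new `PRIVATE_ENFORCE_DEBUGFS_RESTRICTION` assignment for sepolicy.recovery.conf has no matching `PRIVATE_ENFORCE_SYSPROP_OWNER`, whereas every other *.conf rule touched by this change (vendor_policy.conf, odm_policy.conf, base_plat_policy.conf, base_plat_pub_policy.conf) sets both. If `transform-policy-to-conf`, which is defined outside this view, reads PRIVATE_ENFORCE_SYSPROP_OWNER, the recovery policy is generated with that m4 flag empty, i.e. with the sysprop-owner rules off for recovery only. Either add `$(sepolicy.recovery.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)` beside the new line, or document why recovery intentionally omits it.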
@@ -1359,39 +1123,14 @@
sepolicy.recovery.conf :=
##################################
-# SELinux policy embedded into CTS.
-# CTS checks neverallow rules of this policy against the policy of the device under test.
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := general_sepolicy.conf
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
-$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
-$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
include $(CLEAR_VARS)
LOCAL_MODULE := file_contexts.bin
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1401,13 +1140,15 @@
# The file_contexts.bin is built in the following way:
# 1. Collect all file_contexts files in THIS repository and process them with
# m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all device specific file_contexts files and process them with m4
+# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed
+# modules with m4 with a tmp file called file_contexts.modules.tmp.
+# 3. Collect all device specific file_contexts files and process them with m4
# into a tmp file called file_contexts.device.tmp.
-# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into
-# file_contexts.concat.tmp.
-# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
+# file_contexts.device.sorted.tmp into file_contexts.concat.tmp.
+# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
# file_contexts.bin.
#
# Note: That a newline file is placed between each file_context file found to
@@ -1430,21 +1171,12 @@
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
-# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed
-$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\
- $(eval _apex_name := $(call word-colon,1,$(_tuple)))\
- $(eval _apex_path := $(call word-colon,2,$(_tuple)))\
- $(eval _fc_path := $(call word-colon,3,$(_tuple)))\
- $(eval _input := $(_fc_path))\
- $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
- $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\
- )
-
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
-$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files)
-$(file_contexts.local.tmp): $(local_fc_files) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@
+$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
+
+# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.
+# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
+file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
device_fc_files := $(call build_vendor_policy, file_contexts)
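Review bot: The added comment `# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.` / `# it gathers LOCAL_FILE_CONTEXTS from product_MODULES` is one sentence broken in two; join it as `# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile;` `# it gathers LOCAL_FILE_CONTEXTS from product_MODULES.` Since this file now only assigns the variable and the rule lives in build/make, a tree whose build/make predates that rule fails at the `$(call merge-fc-files,...)` in the next hunk with "No rule to make target", so naming the required build/make change in the comment would help whoever bisects it. The removed explicit recipe ran `$(M4) --fatal-warnings -s`; it is worth confirming that `merge-fc-files` keeps `--fatal-warnings`, since that flag is what turns a malformed file_contexts fragment into a build error rather than a silently mislabelled file.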
@@ -1468,10 +1200,9 @@
$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
-$(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
-$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@
+$(call merge-fc-files,\
+ $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\
+ $(file_contexts.concat.tmp))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -1488,11 +1219,15 @@
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
file_contexts.local.tmp :=
+file_contexts.modules.tmp :=
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1516,6 +1251,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vndservice_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1546,6 +1284,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_tests
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -1590,6 +1331,8 @@
$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1621,6 +1364,8 @@
$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1646,6 +1391,8 @@
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
version_under_treble_tests := 29.0
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+version_under_treble_tests := 30.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
endif # PRODUCT_SEPOLICY_SPLIT
version_under_treble_tests := 26.0
@@ -1656,6 +1403,8 @@
include $(LOCAL_PATH)/compat.mk
version_under_treble_tests := 29.0
include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 30.0
+include $(LOCAL_PATH)/compat.mk
base_plat_policy.conf :=
base_plat_pub_policy.conf :=
@@ -1666,6 +1415,9 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_freeze_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -1731,6 +1483,8 @@
built_vendor_svc :=
built_plat_sepolicy :=
treble_sysprop_neverallow :=
+enforce_sysprop_owner :=
+enforce_debugfs_restriction :=
mapping_policy :=
my_target_arch :=
pub_policy.cil :=
diff --git a/METADATA b/METADATA
new file mode 100644
index 0000000..cdcfa70
--- /dev/null
+++ b/METADATA
@@ -0,0 +1,6 @@
+third_party {
+ # would be UNENCUMBERED save for
+ # tests/combine_maps.py
+ # build/soong/
+ license_type: NOTICE
+}
diff --git a/OWNERS b/OWNERS
index 55f7f00..866b7b6 100644
--- a/OWNERS
+++ b/OWNERS
@@ -2,12 +2,10 @@
alanstokes@google.com
bowgotsai@google.com
cbrubaker@google.com
+inseob@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
jiyong@google.com
-nnk@google.com
smoreland@google.com
-sspatil@google.com
-tomcherry@google.com
trong@google.com
diff --git a/README b/README
index 43d9bbc..f14ac67 100644
--- a/README
+++ b/README
@@ -34,6 +34,17 @@
BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
+Alongside vendor sepolicy dirs, OEMs can also amend the public and private
+policy of the product and system_ext partitions:
+
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
+
+The old BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+variables have been deprecated in favour of SYSTEM_EXT_*.
+
Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
definitions during the build. A definition consists of a string in the form
of macro-name=value. Spaces must NOT be present. This is useful for building modular
diff --git a/apex/Android.bp b/apex/Android.bp
index d3acfdb..2ffaa9e 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -13,6 +13,14 @@
// limitations under the License.
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // legacy_unencumbered
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
filegroup {
name: "apex.test-file_contexts",
srcs: [
@@ -35,16 +43,16 @@
}
filegroup {
- name: "com.android.art.debug-file_contexts",
+ name: "com.android.art-file_contexts",
srcs: [
- "com.android.art.debug-file_contexts",
+ "com.android.art-file_contexts",
],
}
filegroup {
- name: "com.android.art.release-file_contexts",
+ name: "com.android.art.debug-file_contexts",
srcs: [
- "com.android.art.release-file_contexts",
+ "com.android.art.debug-file_contexts",
],
}
@@ -77,6 +85,20 @@
}
filegroup {
+ name: "com.android.geotz-file_contexts",
+ srcs: [
+ "com.android.geotz-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.gki-file_contexts",
+ srcs: [
+ "com.android.gki-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.ipsec-file_contexts",
srcs: [
"com.android.ipsec-file_contexts",
@@ -147,6 +169,13 @@
}
filegroup {
+ name: "com.android.scheduling-file_contexts",
+ srcs: [
+ "com.android.scheduling-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.telephony-file_contexts",
srcs: [
"com.android.telephony-file_contexts",
@@ -161,6 +190,13 @@
}
filegroup {
+ name: "com.android.virt-file_contexts",
+ srcs: [
+ "com.android.virt-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.vndk-file_contexts",
srcs: [
"com.android.vndk-file_contexts",
diff --git a/apex/com.android.art.release-file_contexts b/apex/com.android.art-file_contexts
similarity index 75%
rename from apex/com.android.art.release-file_contexts
rename to apex/com.android.art-file_contexts
index 1598afd..2533cac 100644
--- a/apex/com.android.art.release-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,7 +2,9 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index 8007efd..a0e9ea0 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -4,7 +4,6 @@
(/.*)? u:object_r:system_file:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0
-/bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
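Review bot: The new `/bin/odrefresh` entry in the debug APEX has no `(d)?` suffix while the neighbouring debug entries (`dex2oat(d)?`, `dexoptanalyzer(d)?`, `profman(d)?`) do; if the debug build ships an `odrefreshd` binary it would fall through to the catch-all `(/.*)?` rule and be labelled system_file instead of odrefresh_exec. If no debug-suffixed variant exists, a short comment saying so would stop the next reader from "fixing" it; otherwise the line should read `/bin/odrefresh(d)? u:object_r:odrefresh_exec:s0`.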
diff --git a/apex/com.android.geotz-file_contexts b/apex/com.android.geotz-file_contexts
new file mode 100644
index 0000000..1918e73
--- /dev/null
+++ b/apex/com.android.geotz-file_contexts
@@ -0,0 +1,4 @@
+#############################
+# System files
+#
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.gki-file_contexts b/apex/com.android.gki-file_contexts
new file mode 100644
index 0000000..ccee7f8
--- /dev/null
+++ b/apex/com.android.gki-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/(.*)? u:object_r:gki_apex_prepostinstall_exec:s0
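Review bot: `/bin/(.*)? u:object_r:gki_apex_prepostinstall_exec:s0` labels every file under the APEX's bin/ as the pre/post-install hook executable, so any binary later added to the GKI APEX silently inherits that entrypoint label. The other APEX file_contexts in this change name their executables individually (`/bin/derive_sdk`, `/bin/crosvm`, `/bin/odrefresh`); if the hook names are known, listing them explicitly keeps the label from spreading, and if the wildcard is deliberate a comment such as `# Every binary in this APEX is a pre/post-install hook.` records that choice.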
diff --git a/apex/com.android.i18n-file_contexts b/apex/com.android.i18n-file_contexts
index c8b6ba1..51d45a0 100644
--- a/apex/com.android.i18n-file_contexts
+++ b/apex/com.android.i18n-file_contexts
@@ -2,3 +2,4 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.media-file_contexts b/apex/com.android.media-file_contexts
index f6b21da..8822046 100644
--- a/apex/com.android.media-file_contexts
+++ b/apex/com.android.media-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
+/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
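Review bot: The pre-existing context line `/lib(64)?(/.*) u:object_r:system_lib_file:s0` lacks the trailing `?` that every other APEX file in this change uses (`/lib(64)?(/.*)?`), so the `/lib` and `/lib64` directories themselves are not matched by it and fall back to the catch-all system_file rule; the new `/bin/mediatranscoding` line itself is fine. Not introduced by this commit, but worth aligning while the file is touched: `/lib(64)?(/.*)? u:object_r:system_lib_file:s0`.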
diff --git a/apex/com.android.runtime-file_contexts b/apex/com.android.runtime-file_contexts
index 7878b20..d090d50 100644
--- a/apex/com.android.runtime-file_contexts
+++ b/apex/com.android.runtime-file_contexts
@@ -2,5 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/crash_dump(32|64) u:object_r:crash_dump_exec:s0
/bin/linker(64)? u:object_r:system_linker_exec:s0
+/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.scheduling-file_contexts b/apex/com.android.scheduling-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.scheduling-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
index 2d59dda..551a12c 100644
--- a/apex/com.android.sdkext-file_contexts
+++ b/apex/com.android.sdkext-file_contexts
@@ -1,2 +1,3 @@
-(/.*)? u:object_r:system_file:s0
-/bin/derive_sdk u:object_r:derive_sdk_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/derive_classpath u:object_r:derive_classpath_exec:s0
+/bin/derive_sdk u:object_r:derive_sdk_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
new file mode 100644
index 0000000..4703eba
--- /dev/null
+++ b/apex/com.android.virt-file_contexts
@@ -0,0 +1,3 @@
+(/.*)? u:object_r:system_file:s0
+/bin/crosvm u:object_r:crosvm_exec:s0
+/bin/virtmanager u:object_r:virtmanager_exec:s0
diff --git a/build/Android.bp b/build/Android.bp
index d3f1fc3..5298f71 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -12,6 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
python_binary_host {
name: "build_sepolicy",
srcs: [
diff --git a/build/file_utils.py b/build/file_utils.py
index 1559a9b..9f95f52 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -43,6 +43,9 @@
with open(input_file, 'r') as in_file:
tmp_output.writelines(line for line in in_file.readlines()
if line not in patterns)
+ # Append empty line because a completely empty file
+ # will trip up secilc later on:
+ tmp_output.write("\n")
tmp_output.flush()
# Replaces the input_file.
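Review bot: The new `tmp_output.write("\n")` works around the same secilc limitation that compat_cil.go in this change tracks as b/183362912, but the comment here carries no bug reference, so the two workarounds will not be found and removed together. Suggest `# TODO(b/183362912): drop once secilc accepts empty cil files; an empty output currently trips it up.` The newline is appended to every filtered file, not only to ones that ended up empty, which is presumably harmless for cil input but worth saying in the comment. The enclosing function starts before this hunk.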
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index ae2bdd6..2282112 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -12,6 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
bootstrap_go_package {
name: "soong-selinux",
pkgPath: "android/soong/selinux",
@@ -20,12 +28,18 @@
"soong",
"soong-android",
"soong-genrule",
+ "soong-sysprop",
],
srcs: [
+ "build_files.go",
"cil_compat_map.go",
+ "compat_cil.go",
"filegroup.go",
+ "policy.go",
"selinux.go",
"selinux_contexts.go",
+ "sepolicy_vers.go",
+ "versioned_policy.go",
],
pluginFor: ["soong_build"],
}
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
new file mode 100644
index 0000000..5de6122
--- /dev/null
+++ b/build/soong/build_files.go
@@ -0,0 +1,199 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "path/filepath"
+ "sort"
+ "strings"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_build_files", buildFilesFactory)
+}
+
+// se_build_files gathers policy files from sepolicy dirs, and acts like a filegroup. A tag with
+// partition(plat, system_ext, product) and scope(public, private) is used to select directories.
+// Supported tags are: "plat", "plat_public", "system_ext", "system_ext_public", "product",
+// "product_public", and "reqd_mask".
+func buildFilesFactory() android.Module {
+ module := &buildFiles{}
+ module.AddProperties(&module.properties)
+ android.InitAndroidModule(module)
+ return module
+}
+
+type buildFilesProperties struct {
+ // list of source file suffixes used to collect selinux policy files.
+ // Source files will be looked up in the following local directories:
+ // system/sepolicy/{public, private, vendor, reqd_mask}
+ // and directories specified by following config variables:
+ // BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
+ // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
+ Srcs []string
+}
+
+type buildFiles struct {
+ android.ModuleBase
+ properties buildFilesProperties
+
+ srcs map[string]android.Paths
+}
+
+func (b *buildFiles) findSrcsInDirs(ctx android.ModuleContext, dirs ...string) android.Paths {
+ result := android.Paths{}
+ for _, file := range b.properties.Srcs {
+ for _, dir := range dirs {
+ path := filepath.Join(dir, file)
+ files, err := ctx.GlobWithDeps(path, nil)
+ if err != nil {
+ ctx.ModuleErrorf("glob: %s", err.Error())
+ }
+ for _, f := range files {
+ result = append(result, android.PathForSource(ctx, f))
+ }
+ }
+ }
+ return result
+}
+
+func (b *buildFiles) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (b *buildFiles) OutputFiles(tag string) (android.Paths, error) {
+ if paths, ok := b.srcs[tag]; ok {
+ return paths, nil
+ }
+
+ return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, strings.Join(android.SortedStringKeys(b.srcs), " "))
+}
+
+var _ android.OutputFileProducer = (*buildFiles)(nil)
+
+type partition int
+
+const (
+ system partition = iota
+ system_ext
+ product
+)
+
+type scope int
+
+const (
+ public scope = iota
+ private
+)
+
+type sepolicyDir struct {
+ partition partition
+ scope scope
+ paths []string
+}
+
+func (p partition) String() string {
+ switch p {
+ case system:
+ return "plat"
+ case system_ext:
+ return "system_ext"
+ case product:
+ return "product"
+ default:
+ panic(fmt.Sprintf("Unknown partition %#v", p))
+ }
+}
+
+func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ // Sepolicy directories should be included in the following order.
+ // - system_public
+ // - system_private
+ // - system_ext_public
+ // - system_ext_private
+ // - product_public
+ // - product_private
+ dirs := []sepolicyDir{
+ sepolicyDir{partition: system, scope: public, paths: []string{filepath.Join(ctx.ModuleDir(), "public")}},
+ sepolicyDir{partition: system, scope: private, paths: []string{filepath.Join(ctx.ModuleDir(), "private")}},
+ sepolicyDir{partition: system_ext, scope: public, paths: ctx.DeviceConfig().SystemExtPublicSepolicyDirs()},
+ sepolicyDir{partition: system_ext, scope: private, paths: ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()},
+ sepolicyDir{partition: product, scope: public, paths: ctx.Config().ProductPublicSepolicyDirs()},
+ sepolicyDir{partition: product, scope: private, paths: ctx.Config().ProductPrivateSepolicyDirs()},
+ }
+
+ if !sort.SliceIsSorted(dirs, func(i, j int) bool {
+ if dirs[i].partition != dirs[j].partition {
+ return dirs[i].partition < dirs[j].partition
+ }
+
+ return dirs[i].scope < dirs[j].scope
+ }) {
+ panic("dirs is not sorted")
+ }
+
+ // Exported cil policy files are built with the following policies.
+ //
+ // - plat_pub_policy.cil: exported 'system'
+ // - system_ext_pub_policy.cil: exported 'system' and 'system_ext'
+ // - pub_policy.cil: exported 'system', 'system_ext', and 'product'
+ //
+ // cil policy files are built with the following policies.
+ //
+ // - plat_policy.cil: 'system', including private
+ // - system_ext_policy.cil: 'system_ext', including private
+ // - product_sepolicy.cil: 'product', including private
+ //
+ // gatherDirsFor collects all needed directories for given partition and scope. For example,
+ //
+ // - gatherDirsFor(system_ext, private) will return system + system_ext (including private)
+ // - gatherDirsFor(product, public) will return system + system_ext + product (public only)
+ //
+ // "dirs" should be sorted before calling this.
+ gatherDirsFor := func(p partition, s scope) []string {
+ var ret []string
+
+ for _, d := range dirs {
+ if d.partition <= p && d.scope <= s {
+ ret = append(ret, d.paths...)
+ }
+ }
+
+ return ret
+ }
+
+ reqdMaskDir := filepath.Join(ctx.ModuleDir(), "reqd_mask")
+
+ b.srcs = make(map[string]android.Paths)
+ b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, reqdMaskDir)
+
+ for _, p := range []partition{system, system_ext, product} {
+ b.srcs["."+p.String()] = b.findSrcsInDirs(ctx, gatherDirsFor(p, private)...)
+
+ // reqd_mask is needed for public policies
+ b.srcs["."+p.String()+"_public"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(p, public), reqdMaskDir)...)
+ }
+
+ // A special tag, "plat_vendor", includes minimized vendor policies required to boot.
+ // - system/sepolicy/public
+ // - system/sepolicy/reqd_mask
+ // - system/sepolicy/vendor
+ // This is for minimized vendor partition, e.g. microdroid's vendor
+ platVendorDir := filepath.Join(ctx.ModuleDir(), "vendor")
+ b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(system, public), reqdMaskDir, platVendorDir)...)
+}
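Review bot: The module doc comment above buildFilesFactory lists the supported tags but omits `plat_vendor`, which GenerateAndroidBuildActions registers as `.plat_vendor` at the very end, and it does not say that the map keys carry a leading dot, which is the form OutputFiles looks up and prints in its error. Suggest extending the list: `// "product_public", "reqd_mask", and "plat_vendor"; keys are stored as ".<tag>", so OutputFiles expects the dotted form.` The `// do nothing` DepsMutator and the runtime sort check on a literal slice are fine as they are.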
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
new file mode 100644
index 0000000..5cc73f9
--- /dev/null
+++ b/build/soong/compat_cil.go
@@ -0,0 +1,122 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_compat_cil", compatCilFactory)
+}
+
+// se_compat_cil collects and installs backwards compatibility cil files.
+func compatCilFactory() android.Module {
+ c := &compatCil{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+type compatCil struct {
+ android.ModuleBase
+ properties compatCilProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type compatCilProperties struct {
+ // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+ Srcs []string
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+}
+
+func (c *compatCil) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *compatCil) expandSeSources(ctx android.ModuleContext) android.Paths {
+ srcPaths := make(android.Paths, 0, len(c.properties.Srcs))
+ for _, src := range c.properties.Srcs {
+ if m := android.SrcIsModule(src); m != "" {
+ module := ctx.GetDirectDepWithTag(m, android.SourceDepTag)
+ if module == nil {
+ // Error would have been handled by ExtractSourcesDeps
+ continue
+ }
+ if fg, ok := module.(*fileGroup); ok {
+ if c.SystemExtSpecific() {
+ srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
+ } else {
+ srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
+ }
+ } else {
+ ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
+ }
+ } else {
+ srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
+ }
+ }
+ return srcPaths
+}
+
+func (c *compatCil) DepsMutator(ctx android.BottomUpMutatorContext) {
+ android.ExtractSourcesDeps(ctx, c.properties.Srcs)
+}
+
+func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
+ ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
+ }
+
+ srcPaths := c.expandSeSources(ctx)
+ out := android.PathForModuleGen(ctx, c.Name())
+
+ // TODO(b/183362912): Patch secilc to handle empty cil files.
+ // Put a header so that the generated cil mustn't be empty.
+ header := android.PathForModuleGen(ctx, c.Name()+"_header")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("echo").Flag(proptools.ShellEscape(";; " + c.stem())).Text(">").Output(header)
+ rule.Build(c.Name()+"_header", "Generate cil header")
+ srcPaths = append(android.Paths{header}, srcPaths...)
+
+ ctx.Build(pctx, android.BuildParams{
+ Rule: android.Cat,
+ Inputs: srcPaths,
+ Output: out,
+ Description: "Combining compat cil for " + c.Name(),
+ })
+
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
+ c.installSource = out
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+}
+
+func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
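Review bot: The partition check at the top of GenerateAndroidBuildActions reports the error with ctx.ModuleErrorf but then continues to create the header rule, the cat rule and the install into etc/selinux/mapping; a `return` after the ModuleErrorf call keeps a misconfigured module from emitting build actions at all. Separately, the `Srcs` property comment should state which part of a referenced se_filegroup is used, since expandSeSources only takes private sources: `// Only the private sources of a referenced se_filegroup are used (system_ext's when this module is system_ext specific, system's otherwise).`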
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index a45b427..0d426af 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -36,7 +36,7 @@
// system/sepolicy/{public, private, vendor, reqd_mask}
// and directories specified by following config variables:
// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+ // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
Srcs []string
}
@@ -55,8 +55,9 @@
productPublicSrcs android.Paths
productPrivateSrcs android.Paths
- vendorSrcs android.Paths
- odmSrcs android.Paths
+ vendorSrcs android.Paths
+ vendorReqdMaskSrcs android.Paths
+ odmSrcs android.Paths
}
// Source files from system/sepolicy/public
@@ -79,12 +80,12 @@
return fg.systemReqdMaskSrcs
}
-// Source files from BOARD_PLAT_PUBLIC_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
return fg.systemExtPublicSrcs
}
-// Source files from BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
return fg.systemExtPrivateSrcs
}
@@ -104,6 +105,10 @@
return fg.vendorSrcs
}
+func (fg *fileGroup) VendorReqdMaskSrcs() android.Paths {
+ return fg.vendorReqdMaskSrcs
+}
+
// Source files from BOARD_ODM_SEPOLICY_DIRS
func (fg *fileGroup) OdmSrcs() android.Paths {
return fg.odmSrcs
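Review bot: The new `VendorReqdMaskSrcs` accessor is the only one in this block without the `// Source files from ...` comment its siblings carry (see OdmSrcs right below). Suggest `// Source files from the board reqd_mask policy dirs (DeviceConfig().BoardReqdMaskPolicy())`, naming the make variable it maps to if there is one; the field is populated in the last hunk of this file.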
@@ -135,12 +140,13 @@
fg.systemVendorSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
- fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPublicSepolicyDirs())
- fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPrivateSepolicyDirs())
+ fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
+ fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs())
fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
+ fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
}
diff --git a/build/soong/policy.go b/build/soong/policy.go
new file mode 100644
index 0000000..75fbdf1
--- /dev/null
+++ b/build/soong/policy.go
@@ -0,0 +1,363 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "os"
+ "strconv"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+const (
+ // TODO: sync with Android.mk
+ MlsSens = 1
+ MlsCats = 1024
+ PolicyVers = 30
+)
+
+func init() {
+ android.RegisterModuleType("se_policy_conf", policyConfFactory)
+ android.RegisterModuleType("se_policy_cil", policyCilFactory)
+}
+
+type policyConfProperties struct {
+ // Name of the output. Default is {module_name}
+ Stem *string
+
+ // Policy files to be compiled to cil file.
+ Srcs []string `android:"path"`
+
+ // Target build variant (user / userdebug / eng). Default follows the current lunch target
+ Build_variant *string
+
+ // Whether to exclude build test or not. Default is false
+ Exclude_build_test *bool
+
+ // Whether to include asan specific policies or not. Default follows the current lunch target
+ With_asan *bool
+
+ // Whether to build CTS specific policy or not. Default is false
+ Cts *bool
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+type policyConf struct {
+ android.ModuleBase
+
+ properties policyConfProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_policy_conf merges collection of policy files into a policy.conf file to be processed by
+// checkpolicy.
+func policyConfFactory() android.Module {
+ c := &policyConf{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+func (c *policyConf) installable() bool {
+ return proptools.BoolDefault(c.properties.Installable, true)
+}
+
+func (c *policyConf) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *policyConf) buildVariant(ctx android.ModuleContext) string {
+ if variant := proptools.String(c.properties.Build_variant); variant != "" {
+ return variant
+ }
+ if ctx.Config().Eng() {
+ return "eng"
+ }
+ if ctx.Config().Debuggable() {
+ return "userdebug"
+ }
+ return "user"
+}
+
+func (c *policyConf) cts() bool {
+ return proptools.Bool(c.properties.Cts)
+}
+
+func (c *policyConf) withAsan(ctx android.ModuleContext) string {
+ isAsanDevice := android.InList("address", ctx.Config().SanitizeDevice())
+ return strconv.FormatBool(proptools.BoolDefault(c.properties.With_asan, isAsanDevice))
+}
+
+func (c *policyConf) sepolicySplit(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
+}
+
+func (c *policyConf) compatibleProperty(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return "true"
+}
+
+func (c *policyConf) trebleSyspropNeverallow(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenTrebleSyspropNeverallow())
+}
+
+func (c *policyConf) enforceSyspropOwner(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
+}
+
+func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
+}
+
+func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
+ conf := android.PathForModuleOut(ctx, "conf").OutputPath
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+ Flag("--fatal-warnings").
+ FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
+ FlagWithArg("-D mls_num_sens=", strconv.Itoa(MlsSens)).
+ FlagWithArg("-D mls_num_cats=", strconv.Itoa(MlsCats)).
+ FlagWithArg("-D target_arch=", ctx.DeviceConfig().DeviceArch()).
+ FlagWithArg("-D target_with_asan=", c.withAsan(ctx)).
+ FlagWithArg("-D target_with_dexpreopt=", strconv.FormatBool(ctx.DeviceConfig().WithDexpreopt())).
+ FlagWithArg("-D target_with_native_coverage=", strconv.FormatBool(ctx.DeviceConfig().ClangCoverageEnabled() || ctx.DeviceConfig().GcovCoverageEnabled())).
+ FlagWithArg("-D target_build_variant=", c.buildVariant(ctx)).
+ FlagWithArg("-D target_full_treble=", c.sepolicySplit(ctx)).
+ FlagWithArg("-D target_compatible_property=", c.compatibleProperty(ctx)).
+ FlagWithArg("-D target_treble_sysprop_neverallow=", c.trebleSyspropNeverallow(ctx)).
+ FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
+ FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
+ FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
+ FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
+ Flag("-s").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
+ Text("> ").Output(conf)
+
+ rule.Build("conf", "Transform policy to conf: "+ctx.ModuleName())
+ return conf
+}
+
+func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ c.installSource = c.transformPolicyToConf(ctx)
+ c.installPath = android.PathForModuleInstall(ctx, "etc")
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+
+ if !c.installable() {
+ c.SkipInstall()
+ }
+}
+
+func (c *policyConf) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.installable())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
+
+func (c *policyConf) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{c.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyConf)(nil)
+
+type policyCilProperties struct {
+ // Name of the output. Default is {module_name}
+ Stem *string
+
+ // Policy file to be compiled to cil file.
+ Src *string `android:"path"`
+
+ // Additional cil files to be added in the end of the output. This is to support workarounds
+ // which are not supported by the policy language.
+ Additional_cil_files []string `android:"path"`
+
+ // Cil files to be filtered out by the filter_out tool of "build_sepolicy". Used to build
+ // exported policies
+ Filter_out []string `android:"path"`
+
+ // Whether to remove line markers (denoted by ;;) out of compiled cil files. Defaults to false
+ Remove_line_marker *bool
+
+ // Whether to run secilc to check compiled policy or not. Defaults to true
+ Secilc_check *bool
+
+ // Whether to ignore neverallow when running secilc check. Defaults to
+ // SELINUX_IGNORE_NEVERALLOWS.
+ Ignore_neverallow *bool
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+type policyCil struct {
+ android.ModuleBase
+
+ properties policyCilProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_policy_cil compiles a policy.conf file to a cil file with checkpolicy, and optionally runs
+// secilc to check the output cil file. Affected by SELINUX_IGNORE_NEVERALLOWS.
+func policyCilFactory() android.Module {
+ c := &policyCil{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+func (c *policyCil) Installable() bool {
+ return proptools.BoolDefault(c.properties.Installable, true)
+}
+
+func (c *policyCil) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
+ cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().BuiltTool("checkpolicy").
+ Flag("-C"). // Write CIL
+ Flag("-M"). // Enable MLS
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ FlagWithOutput("-o ", cil).
+ Input(conf)
+
+ if len(c.properties.Additional_cil_files) > 0 {
+ rule.Command().Text("cat").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+ Text(">> ").Output(cil)
+ }
+
+ if len(c.properties.Filter_out) > 0 {
+ rule.Command().BuiltTool("build_sepolicy").
+ Text("filter_out").
+ Flag("-f").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Filter_out)).
+ FlagWithOutput("-t ", cil)
+ }
+
+ if proptools.Bool(c.properties.Remove_line_marker) {
+ rule.Command().Text("grep -v").
+ Text(proptools.ShellEscape(";;")).
+ Text(cil.String()).
+ Text(">").
+ Text(cil.String() + ".tmp").
+ Text("&& mv").
+ Text(cil.String() + ".tmp").
+ Text(cil.String())
+ }
+
+ if proptools.BoolDefault(c.properties.Secilc_check, true) {
+ secilcCmd := rule.Command().BuiltTool("secilc").
+ Flag("-m"). // Multiple decls
+ FlagWithArg("-M ", "true"). // Enable MLS
+ Flag("-G"). // expand and remove auto generated attributes
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Filter_out)). // Also add cil files which are filtered out
+ Text(cil.String()).
+ FlagWithArg("-o ", os.DevNull).
+ FlagWithArg("-f ", os.DevNull)
+
+ if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
+ secilcCmd.Flag("-N")
+ }
+ }
+
+ rule.Build("cil", "Building cil for "+ctx.ModuleName())
+ return cil
+}
+
+func (c *policyCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if proptools.String(c.properties.Src) == "" {
+ ctx.PropertyErrorf("src", "must be specified")
+ return
+ }
+ conf := android.PathForModuleSrc(ctx, *c.properties.Src)
+ cil := c.compileConfToCil(ctx, conf)
+
+ if c.InstallInDebugRamdisk() {
+ // for userdebug_plat_sepolicy.cil
+ c.installPath = android.PathForModuleInstall(ctx)
+ } else {
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ }
+ c.installSource = cil
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+
+ if !c.Installable() {
+ c.SkipInstall()
+ }
+}
+
+func (c *policyCil) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
+
+func (c *policyCil) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{c.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyCil)(nil)
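Review bot: The Remove_line_marker command in compileConfToCil chains `grep -v ';;' cil > cil.tmp && mv cil.tmp cil`, but grep exits 1 when it selects no lines, so a cil made up only of `;;` marker lines (unlikely for checkpolicy output, but possible with Additional_cil_files) would leave the output unmoved and fail the rule with an unhelpful message. `sed -e '/;;/d'` has the same effect and exits 0 on empty output: replace the first two calls of that command with `rule.Command().Text("sed -e").Text(proptools.ShellEscape("/;;/d")).`. A style point: policyCil exports `Installable()` while policyConf keeps `installable()` unexported, although this file uses both the same way; pick one. The error strings in the two OutputFiles methods start with a capital letter, which Go style discourages.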
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 03f8f19..a9aed60 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -19,14 +19,11 @@
"io"
"strings"
+ "github.com/google/blueprint"
"github.com/google/blueprint/proptools"
"android/soong/android"
-)
-
-const (
- coreMode = "core"
- recoveryMode = "recovery"
+ "android/soong/sysprop"
)
type selinuxContextsProperties struct {
@@ -54,8 +51,6 @@
// Make this module available when building for recovery
Recovery_available *bool
-
- InRecovery bool `blueprint:"mutated"`
}
type fileContextsProperties struct {
@@ -72,13 +67,15 @@
properties selinuxContextsProperties
fileContextsProperties fileContextsProperties
- build func(ctx android.ModuleContext, inputs android.Paths)
- outputPath android.ModuleGenPath
+ build func(ctx android.ModuleContext, inputs android.Paths) android.Path
+ deps func(ctx android.BottomUpMutatorContext)
+ outputPath android.Path
installPath android.InstallPath
}
var (
- reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
+ reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
+ syspropLibraryDepTag = dependencyTag{name: "sysprop_library"}
)
func init() {
@@ -88,37 +85,50 @@
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
-
- android.PreDepsMutators(func(ctx android.RegisterMutatorsContext) {
- ctx.BottomUp("selinux_contexts", selinuxContextsMutator).Parallel()
- })
-}
-
-func (m *selinuxContextsModule) inRecovery() bool {
- return m.properties.InRecovery || m.ModuleBase.InstallInRecovery()
-}
-
-func (m *selinuxContextsModule) onlyInRecovery() bool {
- return m.ModuleBase.InstallInRecovery()
-}
-
-func (m *selinuxContextsModule) InstallInRecovery() bool {
- return m.inRecovery()
+ android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
}
func (m *selinuxContextsModule) InstallInRoot() bool {
- return m.inRecovery()
+ return m.InRecovery()
+}
+
+func (m *selinuxContextsModule) InstallInRecovery() bool {
+ // ModuleBase.InRecovery() checks the image variant
+ return m.InRecovery()
+}
+
+func (m *selinuxContextsModule) onlyInRecovery() bool {
+ // ModuleBase.InstallInRecovery() checks commonProperties.Recovery property
+ return m.ModuleBase.InstallInRecovery()
+}
+
+func (m *selinuxContextsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ if m.deps != nil {
+ m.deps(ctx)
+ }
+
+ if m.InRecovery() && !m.onlyInRecovery() {
+ ctx.AddFarVariationDependencies([]blueprint.Variation{
+ {Mutator: "image", Variation: android.CoreVariation},
+ }, reuseContextsDepTag, ctx.ModuleName())
+ }
+}
+
+func (m *selinuxContextsModule) propertyContextsDeps(ctx android.BottomUpMutatorContext) {
+ for _, lib := range sysprop.SyspropLibraries(ctx.Config()) {
+ ctx.AddFarVariationDependencies([]blueprint.Variation{}, syspropLibraryDepTag, lib)
+ }
}
func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if m.inRecovery() {
+ if m.InRecovery() {
// Installing context files at the root of the recovery partition
m.installPath = android.PathForModuleInstall(ctx)
} else {
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
}
- if m.inRecovery() && !m.onlyInRecovery() {
+ if m.InRecovery() && !m.onlyInRecovery() {
dep := ctx.GetDirectDepWithTag(m.Name(), reuseContextsDepTag)
if reuseDeps, ok := dep.(*selinuxContextsModule); ok {
@@ -141,7 +151,9 @@
if ctx.ProductSpecific() {
inputs = append(inputs, segroup.ProductPrivateSrcs()...)
} else if ctx.SocSpecific() {
- inputs = append(inputs, segroup.SystemVendorSrcs()...)
+ if ctx.DeviceConfig().BoardSepolicyVers() == ctx.DeviceConfig().PlatformSepolicyVersion() {
+ inputs = append(inputs, segroup.SystemVendorSrcs()...)
+ }
inputs = append(inputs, segroup.VendorSrcs()...)
} else if ctx.DeviceSpecific() {
inputs = append(inputs, segroup.OdmSrcs()...)
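Review bot: The new comparison of `BoardSepolicyVers()` against `PlatformSepolicyVersion()` that gates `segroup.SystemVendorSrcs()` has no comment, so a later reader cannot tell why the system-side vendor contexts are dropped when the versions differ. I would add above the condition: `// Mixed build (vendor sepolicy pinned to an older platform version): do not merge the system's vendor contexts, only the vendor-provided ones.` That rationale is inferred from the compat.mk change in the same commit rather than visible here, so confirm the wording. The enclosing closure starts and ends outside this hunk.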
@@ -149,14 +161,15 @@
inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
} else {
inputs = append(inputs, segroup.SystemPrivateSrcs()...)
-
- if ctx.Config().ProductCompatibleProperty() {
- inputs = append(inputs, segroup.SystemPublicSrcs()...)
- }
+ inputs = append(inputs, segroup.SystemPublicSrcs()...)
}
if proptools.Bool(m.properties.Reqd_mask) {
- inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
+ if ctx.SocSpecific() || ctx.DeviceSpecific() {
+ inputs = append(inputs, segroup.VendorReqdMaskSrcs()...)
+ } else {
+ inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
+ }
}
})
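Review bot: The reqd_mask branch now selects `VendorReqdMaskSrcs()` for SoC- and device-specific modules without explaining why the mask differs by partition. A comment such as `// vendor/odm contexts are masked against the vendor copy of reqd_mask so they build against the version the vendor policy targets` would make the split intelligible; that reason is inferred from the rest of this commit and should be confirmed. The enclosing closure begins outside the hunk.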
@@ -167,7 +180,8 @@
}
}
- m.build(ctx, inputs)
+ m.outputPath = m.build(ctx, inputs)
+ ctx.InstallFile(m.installPath, ctx.ModuleName(), m.outputPath)
}
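Review bot: `ctx.InstallFile` is now called unconditionally with whatever `m.build` returns, but `buildFileContexts` returns `nil` after reporting a `flatten_apex.srcs` error (visible later in this diff), so that error path now hands a nil path to InstallFile. I would guard it: `m.outputPath = m.build(ctx, inputs)` / `if m.outputPath == nil { return }` / `ctx.InstallFile(m.installPath, ctx.ModuleName(), m.outputPath)`. Whether InstallFile tolerates a nil Path cannot be seen from here, but the guard costs nothing. The enclosing function GenerateAndroidBuildActions starts outside the hunk.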
func newModule() *selinuxContextsModule {
@@ -204,12 +218,13 @@
return android.AndroidMkData{
Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
nameSuffix := ""
- if m.inRecovery() && !m.onlyInRecovery() {
+ if m.InRecovery() && !m.onlyInRecovery() {
nameSuffix = ".recovery"
}
fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
+ data.Entries.WriteLicenseVariables(w)
fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
if m.Owner() != "" {
fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
@@ -223,102 +238,100 @@
}
}
-func selinuxContextsMutator(ctx android.BottomUpMutatorContext) {
- m, ok := ctx.Module().(*selinuxContextsModule)
- if !ok {
- return
- }
-
- var coreVariantNeeded bool = true
- var recoveryVariantNeeded bool = false
- if proptools.Bool(m.properties.Recovery_available) {
- recoveryVariantNeeded = true
- }
-
- if m.ModuleBase.InstallInRecovery() {
- recoveryVariantNeeded = true
- coreVariantNeeded = false
- }
-
- var variants []string
- if coreVariantNeeded {
- variants = append(variants, coreMode)
- }
- if recoveryVariantNeeded {
- variants = append(variants, recoveryMode)
- }
- mod := ctx.CreateVariations(variants...)
-
- for i, v := range variants {
- if v == recoveryMode {
- m := mod[i].(*selinuxContextsModule)
- m.properties.InRecovery = true
-
- if coreVariantNeeded {
- ctx.AddInterVariantDependency(reuseContextsDepTag, m, mod[i-1])
- }
- }
+func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+ if proptools.Bool(m.properties.Recovery_available) && m.InstallInRecovery() {
+ ctx.PropertyErrorf("recovery_available",
+ "doesn't make sense at the same time as `recovery: true`")
}
}
-func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) {
- m.outputPath = android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
+func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+ return !m.InstallInRecovery()
+}
- rule := android.NewRuleBuilder()
+func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+ return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
+}
+
+func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+ return nil
+}
+
+func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext, variation string, module android.Module) {
+}
+
+var _ android.ImageInterface = (*selinuxContextsModule)(nil)
+
+func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
+
+ rule := android.NewRuleBuilder(pctx, ctx)
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
Inputs(inputs).
- FlagWithOutput("> ", m.outputPath)
+ FlagWithOutput("> ", ret)
if proptools.Bool(m.properties.Remove_comment) {
- rule.Temporary(m.outputPath)
+ rule.Temporary(ret)
remove_comment_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_remove_comment")
rule.Command().
Text("sed -e 's/#.*$//' -e '/^$/d'").
- Input(m.outputPath).
+ Input(ret).
FlagWithOutput("> ", remove_comment_output)
- m.outputPath = remove_comment_output
+ ret = remove_comment_output
}
if proptools.Bool(m.properties.Fc_sort) {
- rule.Temporary(m.outputPath)
+ rule.Temporary(ret)
sorted_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_sorted")
rule.Command().
Tool(ctx.Config().HostToolPath(ctx, "fc_sort")).
- FlagWithInput("-i ", m.outputPath).
+ FlagWithInput("-i ", ret).
FlagWithOutput("-o ", sorted_output)
- m.outputPath = sorted_output
+ ret = sorted_output
}
- rule.Build(pctx, ctx, "selinux_contexts", m.Name())
+ rule.Build("selinux_contexts", "building contexts: "+m.Name())
rule.DeleteTemporaryFiles()
- ctx.InstallFile(m.installPath, ctx.ModuleName(), m.outputPath)
+ return ret
}
-func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inputs android.Paths) {
+func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
if m.properties.Fc_sort == nil {
m.properties.Fc_sort = proptools.BoolPtr(true)
}
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
if ctx.Config().FlattenApex() {
for _, src := range m.fileContextsProperties.Flatten_apex.Srcs {
if m := android.SrcIsModule(src); m != "" {
ctx.ModuleErrorf(
"Module srcs dependency %q is not supported for flatten_apex.srcs", m)
- return
+ return nil
}
for _, path := range android.PathsForModuleSrcExcludes(ctx, []string{src}, nil) {
out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
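Review bot: `ImageMutatorBegin`, `CoreVariantNeeded` and `RecoveryVariantNeeded` call `m.InstallInRecovery()`, which this commit overrides to return `m.InRecovery()` (the image-variant check, per the comment in the earlier hunk), yet these hooks run before the image variant is assigned, so the check for `recovery: true` never sees the property it means to test. `onlyInRecovery()` already wraps `ModuleBase.InstallInRecovery()` with exactly that property meaning; I would use it in all three places: `if proptools.Bool(m.properties.Recovery_available) && m.onlyInRecovery() {`, `return !m.onlyInRecovery()`, `return m.onlyInRecovery() || proptools.Bool(m.properties.Recovery_available)`. This assumes ModuleBase.InRecovery() is false until SetImageVariation has run, which is inferred from the comments rather than shown here; please confirm against android.ModuleBase.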
@@ -336,8 +349,8 @@
}
}
- rule.Build(pctx, ctx, m.Name(), "flattened_apex_file_contexts")
- m.buildGeneralContexts(ctx, inputs)
+ rule.Build(m.Name(), "flattened_apex_file_contexts")
+ return m.buildGeneralContexts(ctx, inputs)
}
func fileFactory() android.Module {
@@ -347,12 +360,122 @@
return m
}
-func (m *selinuxContextsModule) buildHwServiceContexts(ctx android.ModuleContext, inputs android.Paths) {
+func (m *selinuxContextsModule) buildHwServiceContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
if m.properties.Remove_comment == nil {
m.properties.Remove_comment = proptools.BoolPtr(true)
}
- m.buildGeneralContexts(ctx, inputs)
+ return m.buildGeneralContexts(ctx, inputs)
+}
+
+func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
+ shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+ ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ // This list is from vts_treble_sys_prop_test.
+ allowedPropertyPrefixes := []string{
+ "ctl.odm.",
+ "ctl.vendor.",
+ "ctl.start$odm.",
+ "ctl.start$vendor.",
+ "ctl.stop$odm.",
+ "ctl.stop$vendor.",
+ "init.svc.odm.",
+ "init.svc.vendor.",
+ "ro.boot.",
+ "ro.hardware.",
+ "ro.odm.",
+ "ro.vendor.",
+ "odm.",
+ "persist.odm.",
+ "persist.vendor.",
+ "vendor.",
+ }
+
+ // persist.camera is also allowed for devices launching with R or eariler
+ if shippingApiLevel.LessThanOrEqualTo(ApiLevelR) {
+ allowedPropertyPrefixes = append(allowedPropertyPrefixes, "persist.camera.")
+ }
+
+ var allowedContextPrefixes []string
+
+ if shippingApiLevel.GreaterThanOrEqualTo(ApiLevelR) {
+ // This list is from vts_treble_sys_prop_test.
+ allowedContextPrefixes = []string{
+ "vendor_",
+ "odm_",
+ }
+ }
+
+ var ret android.Paths
+ for _, input := range inputs {
+ cmd := rule.Command().
+ BuiltTool("check_prop_prefix").
+ FlagWithInput("--property-contexts ", input).
+ FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
+ FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
+
+ if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
+ cmd.Flag("--strict")
+ }
+
+ out := android.PathForModuleGen(ctx, "namespace_checked").Join(ctx, input.String())
+ rule.Command().Text("cp -f").Input(input).Output(out)
+ ret = append(ret, out)
+ }
+ rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
+ return ret
+}
+
+func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ // vendor/odm properties are enforced for devices launching with Android Q or later. So, if
+ // vendor/odm, make sure that only vendor/odm properties exist.
+ shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+ ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
+ if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
+ inputs = m.checkVendorPropertyNamespace(ctx, inputs)
+ }
+
+ builtCtxFile := m.buildGeneralContexts(ctx, inputs)
+
+ var apiFiles android.Paths
+ ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
+ i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
+ if !ok {
+ panic(fmt.Errorf("unknown dependency %q for %q", ctx.OtherModuleName(c), ctx.ModuleName()))
+ }
+ if api := i.CurrentSyspropApiFile(); api.Valid() {
+ apiFiles = append(apiFiles, api.Path())
+ }
+ })
+
+ // check compatibility with sysprop_library
+ if len(apiFiles) > 0 {
+ out := android.PathForModuleGen(ctx, ctx.ModuleName()+"_api_checked")
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ msg := `\n******************************\n` +
+ `API of sysprop_library doesn't match with property_contexts\n` +
+ `Please fix the breakage and rebuild.\n` +
+ `******************************\n`
+
+ rule.Command().
+ Text("( ").
+ BuiltTool("sysprop_type_checker").
+ FlagForEachInput("--api ", apiFiles).
+ FlagWithInput("--context ", builtCtxFile).
+ Text(" || ( echo").Flag("-e").
+ Flag(`"` + msg + `"`).
+ Text("; exit 38) )")
+
+ rule.Command().Text("cp -f").Input(builtCtxFile).Output(out)
+ rule.Build("property_contexts_check_api", "checking API: "+m.Name())
+ builtCtxFile = out
+ }
+
+ return builtCtxFile
}
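Review bot: In `buildPropertyContexts` the `VisitDirectDepsWithTag` callback panics on an unexpected dependency type, which takes the whole Soong run down instead of attributing the error to the module; `ctx.ModuleErrorf("unknown dependency %q", ctx.OtherModuleName(c)); return` is the idiomatic replacement. Separately, `checkVendorPropertyNamespace` silently drops `--strict` when `BuildBrokenVendorPropertyNamespace()` is set; a comment such as `// BuildBrokenVendorPropertyNamespace is an escape hatch: without --strict the checker presumably reports but does not fail on out-of-namespace vendor properties — TODO confirm` would record that this is deliberate. `allowedContextPrefixes` is not shell-escaped like the property list; harmless for the two fixed values, but worth a note if the list ever grows.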
func hwServiceFactory() android.Module {
@@ -363,7 +486,8 @@
func propertyFactory() android.Module {
m := newModule()
- m.build = m.buildGeneralContexts
+ m.build = m.buildPropertyContexts
+ m.deps = m.propertyContextsDeps
return m
}
@@ -372,3 +496,9 @@
m.build = m.buildGeneralContexts
return m
}
+
+func keystoreKeyFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ return m
+}
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
new file mode 100644
index 0000000..0d938e7
--- /dev/null
+++ b/build/soong/sepolicy_vers.go
@@ -0,0 +1,114 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("sepolicy_vers", sepolicyVersFactory)
+}
+
+// sepolicy_vers prints sepolicy version string to {partition}/etc/selinux.
+func sepolicyVersFactory() android.Module {
+ v := &sepolicyVers{}
+ v.AddProperties(&v.properties)
+ android.InitAndroidArchModule(v, android.DeviceSupported, android.MultilibCommon)
+ return v
+}
+
+type sepolicyVers struct {
+ android.ModuleBase
+ properties sepolicyVersProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type sepolicyVersProperties struct {
+ // Version to output. Can be "platform" for PLATFORM_SEPOLICY_VERSION, "vendor" for
+ // BOARD_SEPOLICY_VERS
+ Version *string
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+func (v *sepolicyVers) installable() bool {
+ return proptools.BoolDefault(v.properties.Installable, true)
+}
+
+func (v *sepolicyVers) stem() string {
+ return proptools.StringDefault(v.properties.Stem, v.Name())
+}
+
+func (v *sepolicyVers) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (v *sepolicyVers) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ var ver string
+ switch proptools.String(v.properties.Version) {
+ case "platform":
+ ver = ctx.DeviceConfig().PlatformSepolicyVersion()
+ case "vendor":
+ ver = ctx.DeviceConfig().BoardSepolicyVers()
+ default:
+ ctx.PropertyErrorf("version", `should be either "platform" or "vendor"`)
+ }
+
+ out := android.PathForModuleGen(ctx, v.stem())
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("echo").Text(ver).Text(">").Output(out)
+ rule.Build("sepolicy_vers", v.Name())
+
+ v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ v.installSource = out
+ ctx.InstallFile(v.installPath, v.stem(), v.installSource)
+
+ if !v.installable() {
+ v.SkipInstall()
+ }
+}
+
+func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(v.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", v.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", v.stem())
+ },
+ },
+ }}
+}
+
+func (v *sepolicyVers) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{v.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*sepolicyVers)(nil)
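Review bot: In `GenerateAndroidBuildActions` the `default` case reports the bad `version` but falls through, so a rule is still emitted that echoes an empty string and installs it as the version file; add `return` after the `ctx.PropertyErrorf` call. The echo also places `ver` into the shell command unquoted; it comes from board config rather than untrusted input, but `Text(proptools.ShellEscape(ver))` keeps an odd value from being interpreted by the shell at no cost. Unlike versioned_policy.go in this commit, the AndroidMk entries here do not set `LOCAL_UNINSTALLABLE_MODULE` for `installable: false`; whether SkipInstall() alone covers the Make side is not visible here, so please align the two or confirm.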
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
new file mode 100644
index 0000000..f25cd59
--- /dev/null
+++ b/build/soong/versioned_policy.go
@@ -0,0 +1,187 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "os"
+ "strconv"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_versioned_policy", versionedPolicyFactory)
+}
+
+type versionedPolicyProperties struct {
+ // Base cil file for versioning.
+ Base *string `android:"path"`
+
+ // Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
+ Stem *string
+
+ // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
+ // (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
+ Version *string
+
+ // If true, generate mapping file from given base cil file. Cannot be set with target_policy.
+ Mapping *bool
+
+ // If given, version target policy file according to base policy. Cannot be set with mapping.
+ Target_policy *string `android:"path"`
+
+ // Cil files to be filtered out by the filter_out tool of "build_sepolicy".
+ Filter_out []string `android:"path"`
+
+ // Cil files to which this mapping file depends. If specified, secilc checks whether the output
+ // file can be merged with specified cil files or not.
+ Dependent_cils []string `android:"path"`
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+
+ // install to a subdirectory of the default install path for the module
+ Relative_install_path *string
+}
+
+type versionedPolicy struct {
+ android.ModuleBase
+
+ properties versionedPolicyProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_versioned_policy generates versioned cil file with "version_policy". This can generate either
+// mapping file for public plat policies, or associate a target policy file with the version that
+// non-platform policy targets.
+func versionedPolicyFactory() android.Module {
+ m := &versionedPolicy{}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+func (m *versionedPolicy) installable() bool {
+ return proptools.BoolDefault(m.properties.Installable, true)
+}
+
+func (m *versionedPolicy) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (m *versionedPolicy) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ version := proptools.StringDefault(m.properties.Version, "current")
+ if version == "current" {
+ version = ctx.DeviceConfig().PlatformSepolicyVersion()
+ }
+
+ var stem string
+ if s := proptools.String(m.properties.Stem); s != "" {
+ stem = s
+ } else if proptools.Bool(m.properties.Mapping) {
+ stem = version + ".cil"
+ } else {
+ stem = ctx.ModuleName()
+ }
+
+ out := android.PathForModuleOut(ctx, stem)
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ if proptools.String(m.properties.Base) == "" {
+ ctx.PropertyErrorf("base", "must be specified")
+ return
+ }
+
+ versionCmd := rule.Command().BuiltTool("version_policy").
+ FlagWithInput("-b ", android.PathForModuleSrc(ctx, *m.properties.Base)).
+ FlagWithArg("-n ", version).
+ FlagWithOutput("-o ", out)
+
+ if proptools.Bool(m.properties.Mapping) && proptools.String(m.properties.Target_policy) != "" {
+ ctx.ModuleErrorf("Can't set both mapping and target_policy")
+ return
+ }
+
+ if proptools.Bool(m.properties.Mapping) {
+ versionCmd.Flag("-m")
+ } else if target := proptools.String(m.properties.Target_policy); target != "" {
+ versionCmd.FlagWithInput("-t ", android.PathForModuleSrc(ctx, target))
+ } else {
+ ctx.ModuleErrorf("Either mapping or target_policy must be set")
+ return
+ }
+
+ if len(m.properties.Filter_out) > 0 {
+ rule.Command().BuiltTool("build_sepolicy").
+ Text("filter_out").
+ Flag("-f").
+ Inputs(android.PathsForModuleSrc(ctx, m.properties.Filter_out)).
+ FlagWithOutput("-t ", out)
+ }
+
+ if len(m.properties.Dependent_cils) > 0 {
+ rule.Command().BuiltTool("secilc").
+ Flag("-m").
+ FlagWithArg("-M ", "true").
+ Flag("-G").
+ Flag("-N").
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ Inputs(android.PathsForModuleSrc(ctx, m.properties.Dependent_cils)).
+ Text(out.String()).
+ FlagWithArg("-o ", os.DevNull).
+ FlagWithArg("-f ", os.DevNull)
+ }
+
+ rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
+
+ m.installSource = out
+ m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
+ m.installPath = m.installPath.Join(ctx, subdir)
+ }
+ ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
+
+ if !m.installable() {
+ m.SkipInstall()
+ }
+}
+
+func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(m.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
+ entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
+ },
+ },
+ }}
+}
+
+func (m *versionedPolicy) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{m.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyConf)(nil)
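Review bot: The interface assertion on the last line names `policyConf` instead of `versionedPolicy`, so it does not check that this new module satisfies `android.OutputFileProducer`; it should read `var _ android.OutputFileProducer = (*versionedPolicy)(nil)`. The `Dependent_cils` secilc invocation passes `-N` and `-G` without comment; if `-N` disables neverallow checking as secilc's usage suggests, a comment such as `// Merge check only: -N skips neverallow enforcement, which happens when the final policy is compiled` would stop a reader from taking this as a policy-validation step (the flag meaning is inferred, confirm against secilc). Also `rule.Build("mapping", ...)` is labelled as a mapping build even in the target_policy case; a neutral description like `"Versioning policy "+ctx.ModuleName()` would read better.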
diff --git a/compat.mk b/compat.mk
index 5e6dc41..4aed864 100644
--- a/compat.mk
+++ b/compat.mk
@@ -5,6 +5,9 @@
# build this target to ensure the compat permissions files all build against the current policy
#
LOCAL_MODULE := $(version)_compat_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_REQUIRED_MODULES := $(version).compat.cil
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -15,7 +18,6 @@
$(built_plat_cil) \
$(built_plat_mapping_cil) \
$(built_pub_vers_cil) \
- $(built_vendor_cil) \
$(ALL_MODULES.$(version).compat.cil.BUILT) \
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -34,10 +36,16 @@
all_cil_files += $(built_product_mapping_cil)
endif
+ifneq ($(mixed_sepolicy_build),true)
+
+all_cil_files += $(built_vendor_cil)
+
ifdef BOARD_ODM_SEPOLICY_DIRS
all_cil_files += $(built_odm_cil)
endif
+endif # ifneq ($(mixed_sepolicy_build),true)
+
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@mkdir -p $(dir $@)
diff --git a/contexts_tests.mk b/contexts_tests.mk
index da5dd83..1189b83 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -17,197 +17,234 @@
# TODO: move tests into Soong after refactoring sepolicy module (b/130693869)
# Run host-side test with contexts files and the sepolicy file.
-# $(1): paths to contexts files
+# $(1): names of modules containing context files
# $(2): path to the host tool
# $(3): additional argument to be passed to the tool
define run_contexts_test
-$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $(1)
+my_contexts := $(foreach m,$(1),$$(call intermediates-dir-for,ETC,$(m))/$(m))
+$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $$(my_contexts)
$$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $$(built_sepolicy)
-$$(LOCAL_BUILT_MODULE): $(2) $(1) $$(built_sepolicy)
+$$(LOCAL_BUILT_MODULE): $(2) $$(my_contexts) $$(built_sepolicy)
$$(hide) $$< $(3) $$(PRIVATE_SEPOLICY) $$(PRIVATE_CONTEXTS)
$$(hide) mkdir -p $$(dir $$@)
$$(hide) touch $$@
+my_contexts :=
endef
-system_out := $(TARGET_OUT)/etc/selinux
-system_ext_out := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-product_out := $(TARGET_OUT_PRODUCT)/etc/selinux
-vendor_out := $(TARGET_OUT_VENDOR)/etc/selinux
-odm_out := $(TARGET_OUT_ODM)/etc/selinux
-
checkfc := $(HOST_OUT_EXECUTABLES)/checkfc
property_info_checker := $(HOST_OUT_EXECUTABLES)/property_info_checker
##################################
LOCAL_MODULE := plat_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, $(system_out)/plat_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, plat_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, system_ext_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, product_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, vendor_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := odm_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(odm_out)/odm_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, odm_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_out)/plat_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, plat_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, system_ext_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, product_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, vendor_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := odm_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(odm_out)/odm_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, odm_hwservice_contexts, $(checkfc), -e -l))
##################################
-pc_files := $(system_out)/plat_property_contexts
+pc_modules := plat_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := plat_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
##################################
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-pc_files += $(system_ext_out)/system_ext_property_contexts
+pc_modules += system_ext_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
##################################
-pc_files += $(vendor_out)/vendor_property_contexts
+pc_modules += vendor_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
##################################
ifdef BOARD_ODM_SEPOLICY_DIRS
-pc_files += $(odm_out)/odm_property_contexts
+pc_modules += odm_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := odm_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
@@ -215,54 +252,66 @@
ifdef HAS_PRODUCT_SEPOLICY_DIR
-pc_files += $(product_out)/product_property_contexts
+pc_modules += product_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := product_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
-pc_files :=
+pc_modules :=
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_out)/plat_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, plat_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, system_ext_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, product_service_contexts, $(checkfc), -s))
##################################
# nonplat_service_contexts is only allowed on non-full-treble devices
@@ -271,19 +320,18 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, vendor_service_contexts, $(checkfc), -s))
endif
-system_out :=
-product_out :=
-vendor_out :=
-odm_out :=
checkfc :=
property_info_checker :=
run_contexts_test :=
diff --git a/definitions.mk b/definitions.mk
index 2ecdbdc..63c4d94 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -12,9 +12,28 @@
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
+ -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
+ -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
endef
.KATI_READONLY := transform-policy-to-conf
+
+###########################################################
+## Collect file_contexts files into a single tmp file with m4
+##
+## $(1): list of file_contexts files
+## $(2): filename into which file_contexts files are merged
+###########################################################
+
+define _merge-fc-files
+$(2): $(1) $(M4)
+ $(hide) mkdir -p $$(dir $$@)
+ $(hide) $(M4) --fatal-warnings -s $(1) > $$@
+endef
+
+define merge-fc-files
+$(eval $(call _merge-fc-files,$(1),$(2)))
+endef
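Review bot: The public entry point `merge-fc-files` carries no comment, while the header block above documents only the private `_merge-fc-files`; callers reading the wrapper cannot tell that it `eval`s a rule at parse time and that `$(1)` must be the complete, ordered list of file_contexts inputs because m4 concatenates them in argument order. A one-line comment above the wrapper such as `# merge-fc-files: public wrapper; evals a rule producing $(2) from the ordered list $(1) via m4` would cover that. A second, hedged point: if `$(1)` ever expands empty the rule still fires and invokes `$(M4)` with no input files, which presumably makes m4 read stdin rather than fail fast; a `$(if $(1),,$(error merge-fc-files: no file_contexts given))` guard in the wrapper would make that an explicit build error.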
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 3cc0151..566c82b 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -1,6 +1,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -39,6 +42,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -52,9 +58,9 @@
system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
-$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys)
+$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys) $(M4)
@mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
@@ -70,6 +76,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -83,9 +92,9 @@
product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys)
-$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys)
+$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)
@mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
@@ -101,6 +110,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -133,6 +145,9 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_mac_permissions.xml
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
new file mode 100644
index 0000000..a591a48
--- /dev/null
+++ b/prebuilt_policy.mk
@@ -0,0 +1,321 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
+# The policy files will only be used to compile vendor and odm policies.
+#
+# Specifically, the following prebuilts are used...
+# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
+# - BOARD_PLAT_VENDOR_POLICY (copy of system/sepolicy/vendor from a previous release)
+# - BOARD_REQD_MASK_POLICY (copy of reqd_mask from a previous release)
+# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (copy of system_ext public from a previous release)
+# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
+# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (copy of product public from a previous release)
+# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (copy of product private from a previous release)
+#
+# ... to generate following policy files.
+#
+# - reqd policy mask
+# - plat, system_ext, product public policy
+# - plat, system_ext, product policy
+# - plat, system_ext, product versioned policy
+#
+# These generated policy files will be used only when building vendor policies.
+# They are not installed to system, system_ext, or product partition.
+ver := $(BOARD_SEPOLICY_VERS)
+prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
+plat_public_policy_$(ver) := $(prebuilt_dir)/public
+plat_private_policy_$(ver) := $(prebuilt_dir)/private
+system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
+system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
+product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
+product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
+
+##################################
+# policy-to-conf-rule: a helper macro to transform policy files to conf file.
+#
+# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
+# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
+#
+# $(1): output path (.conf file)
+define policy-to-conf-rule
+$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
+$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
+$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
+$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
+$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
+$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
+$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
+$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
+$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
+$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
+$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
+$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
+$(1): PRIVATE_POLICY_FILES := $$(policy_files)
+$(1): $$(policy_files) $$(M4)
+ $$(transform-policy-to-conf)
+endef
+
+##################################
+# reqd_policy_mask_$(ver).cil
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
+reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))
+
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
+
+reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
+$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
+ $(POLICYVERS) -o $@ $<
+
+reqd_policy_mask_$(ver).conf :=
+
+reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
+
+##################################
+# plat_pub_policy_$(ver).cil: exported plat policies
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
+plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))
+
+plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
+$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
+$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
+$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+plat_pub_policy_$(ver).conf :=
+
+##################################
+# plat_mapping_cil_$(ver).cil: versioned exported system policy
+#
+plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
+$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
+$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))
+
+##################################
+# plat_policy_$(ver).cil: system policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
+plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))
+
+plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
+$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
+$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+ $(hide) mv $@.tmp $@
+
+plat_policy_$(ver).conf :=
+
+built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+##################################
+# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
+system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))
+
+system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
+$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
+$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
+$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+system_ext_pub_policy_$(ver).conf :=
+
+##################################
+# system_ext_policy_$(ver).cil: system_ext policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
+ $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
+system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))
+
+system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
+$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
+$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
+ # latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
+
+system_ext_policy_$(ver).conf :=
+
+built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)
+
+##################################
+# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
+#
+system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
+$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
+$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
+$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
+$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
+$(system_ext_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
+$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil)
+ @mkdir -p $(dir $@)
+ # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
+ # sepolicy minus plat_mapping_file.
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
+
+built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))
+
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# product_policy_$(ver).cil: product policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
+ $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
+ $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
+product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))
+
+product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
+$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
+$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
+ # make sure that the latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+product_policy_$(ver).conf :=
+
+built_product_cil_$(ver) := $(product_policy_$(ver).cil)
+
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
+ $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
+pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))
+
+pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
+$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
+$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
+$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+pub_policy_$(ver).conf :=
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# product_mapping_cil_$(ver).cil: versioned exported product policy
+#
+product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
+$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
+$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
+$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil)
+$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
+$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
+$(product_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
+$(product_mapping_cil_$(ver)) : $(built_system_ext_mapping_cil_$(ver))
+ @mkdir -p $(dir $@)
+ # Generate product mapping file as mapping file of all public sepolicy minus
+ # plat_mapping_file and system_ext_mapping_file.
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_FILTER_CIL_FILES) -t $@
+
+built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))
+
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# plat_pub_versioned_$(ver).cil - the exported platform policy
+#
+plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
+$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
+$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
+$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
+$(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
+$(built_product_mapping_cil_$(ver))
+$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+ $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
+ $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
+ @mkdir -p $(dir $@)
+ $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
+ $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)
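Review bot: The `product_policy_$(ver).cil` recipe filters with `-f $(PRIVATE_PLAT_CIL) -t $@`, but the only target-specific variable set on that target is `PRIVATE_PLAT_CIL_FILES` (assigned to `$(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))`), so the `-f` argument presumably expands empty and the plat/system_ext rules are not stripped from the product CIL the way the `system_ext_policy_$(ver).cil` recipe strips them via `PRIVATE_PLAT_CIL`. The fix is the one line `-f $(PRIVATE_PLAT_CIL_FILES) -t $@`, matching the later `secilc` invocation in the same recipe, which already uses `PRIVATE_PLAT_CIL_FILES`. As a point of style, the `version_policy -b $< -t $(PRIVATE_TGT_POL) ...` line in the `plat_pub_versioned_$(ver).cil` recipe is the only recipe line in this file without the `$(hide)` prefix.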
diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
index 6f2b820..da8c67b 100644
--- a/prebuilts/api/26.0/private/app.te
+++ b/prebuilts/api/26.0/private/app.te
@@ -494,7 +494,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -515,7 +515,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
index d37a0bd..999c16a 100644
--- a/prebuilts/api/26.0/private/domain.te
+++ b/prebuilts/api/26.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/26.0/private/incidentd.te b/prebuilts/api/26.0/private/incidentd.te
index efd23bd..64e174f 100644
--- a/prebuilts/api/26.0/private/incidentd.te
+++ b/prebuilts/api/26.0/private/incidentd.te
@@ -66,7 +66,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/26.0/private/system_server.te b/prebuilts/api/26.0/private/system_server.te
index 05e4773..2e14d18 100644
--- a/prebuilts/api/26.0/private/system_server.te
+++ b/prebuilts/api/26.0/private/system_server.te
@@ -50,7 +50,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -92,7 +92,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/26.0/public/domain.te b/prebuilts/api/26.0/public/domain.te
index d2b370a..3adefd1 100644
--- a/prebuilts/api/26.0/public/domain.te
+++ b/prebuilts/api/26.0/public/domain.te
@@ -195,19 +195,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -223,7 +223,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
@@ -234,7 +234,7 @@
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -243,7 +243,7 @@
-vold
} self:capability mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -343,7 +343,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
@@ -445,7 +445,7 @@
neverallow { domain -init } mmc_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -668,7 +668,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -722,7 +722,7 @@
} vendor_shell_exec:file { execute execute_no_trans };
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -923,7 +923,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/26.0/public/hal_wifi_supplicant.te b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
index 0f2540e..028440c 100644
--- a/prebuilts/api/26.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/26.0/public/netd.te b/prebuilts/api/26.0/public/netd.te
index 691887f..80fb76d 100644
--- a/prebuilts/api/26.0/public/netd.te
+++ b/prebuilts/api/26.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/26.0/public/vendor_toolbox.te b/prebuilts/api/26.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/26.0/public/vendor_toolbox.te
+++ b/prebuilts/api/26.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/27.0/private/app.te b/prebuilts/api/27.0/private/app.te
index 9251ed9..c53fa36 100644
--- a/prebuilts/api/27.0/private/app.te
+++ b/prebuilts/api/27.0/private/app.te
@@ -512,7 +512,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -533,7 +533,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
index d37a0bd..999c16a 100644
--- a/prebuilts/api/27.0/private/domain.te
+++ b/prebuilts/api/27.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/27.0/private/incidentd.te b/prebuilts/api/27.0/private/incidentd.te
index efd23bd..64e174f 100644
--- a/prebuilts/api/27.0/private/incidentd.te
+++ b/prebuilts/api/27.0/private/incidentd.te
@@ -66,7 +66,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/27.0/private/isolated_app.te b/prebuilts/api/27.0/private/isolated_app.te
index 37935c3..fbfb8a5 100644
--- a/prebuilts/api/27.0/private/isolated_app.te
+++ b/prebuilts/api/27.0/private/isolated_app.te
@@ -74,7 +74,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/27.0/private/system_server.te b/prebuilts/api/27.0/private/system_server.te
index 40c5382..3a5b53b 100644
--- a/prebuilts/api/27.0/private/system_server.te
+++ b/prebuilts/api/27.0/private/system_server.te
@@ -50,7 +50,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -95,7 +95,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/27.0/public/domain.te b/prebuilts/api/27.0/public/domain.te
index f5c72cc..e9ae56c 100644
--- a/prebuilts/api/27.0/public/domain.te
+++ b/prebuilts/api/27.0/public/domain.te
@@ -195,19 +195,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
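Review bot: Two of the replaced comment lines now read `a allowlist` (`# Restrict all domains to a allowlist for common socket types.` and `# Note that granting this allowlist ...` is fine, but the first and the `# All socket ioctls must be restricted to a allowlist.` line in the next hunk are not); the article should be `an allowlist` since the mechanical swap changed the initial sound. The same `a allowlist` pair appears in the matching hunks of prebuilts/api/28.0 and 29.0 public/domain.te. The fix is wording only: `# Restrict all domains to an allowlist for common socket types. Additional` and `# All socket ioctls must be restricted to an allowlist.`.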
@@ -226,7 +226,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
@@ -237,7 +237,7 @@
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -246,7 +246,7 @@
-vold
} self:capability mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -347,7 +347,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
@@ -448,7 +448,7 @@
neverallow { domain -init } mmc_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -664,7 +664,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -718,7 +718,7 @@
} vendor_shell_exec:file { execute execute_no_trans };
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -916,7 +916,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/27.0/public/hal_wifi_supplicant.te b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
index 0f2540e..028440c 100644
--- a/prebuilts/api/27.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/27.0/public/netd.te b/prebuilts/api/27.0/public/netd.te
index aa99da2..7f7872e 100644
--- a/prebuilts/api/27.0/public/netd.te
+++ b/prebuilts/api/27.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/27.0/public/vendor_toolbox.te b/prebuilts/api/27.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/27.0/public/vendor_toolbox.te
+++ b/prebuilts/api/27.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
index fb6ba4f..5053c28 100644
--- a/prebuilts/api/28.0/private/domain.te
+++ b/prebuilts/api/28.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/28.0/private/incidentd.te b/prebuilts/api/28.0/private/incidentd.te
index 6b248f1..35b184c 100644
--- a/prebuilts/api/28.0/private/incidentd.te
+++ b/prebuilts/api/28.0/private/incidentd.te
@@ -115,7 +115,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
index a6276b3..6af6040 100644
--- a/prebuilts/api/28.0/private/isolated_app.te
+++ b/prebuilts/api/28.0/private/isolated_app.te
@@ -77,7 +77,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/28.0/private/perfetto.te b/prebuilts/api/28.0/private/perfetto.te
index 9ac5d87..67725bf 100644
--- a/prebuilts/api/28.0/private/perfetto.te
+++ b/prebuilts/api/28.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index fa84c32..2927e0b 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -46,7 +46,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -91,7 +91,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/28.0/private/traced_probes.te b/prebuilts/api/28.0/private/traced_probes.te
index 5d80f7e..e32e2e6 100644
--- a/prebuilts/api/28.0/private/traced_probes.te
+++ b/prebuilts/api/28.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index 439c1f8..55308da 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -530,7 +530,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -551,7 +551,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index e9337b6..2533aec 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -257,19 +257,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -303,7 +303,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -312,7 +312,7 @@
-vold
} self:global_capability_class_set mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -424,7 +424,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
@@ -552,7 +552,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -928,7 +928,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -997,7 +997,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -1014,7 +1014,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
neverallow {
coredomain
-init
@@ -1224,7 +1224,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/28.0/public/hal_wifi_supplicant.te b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
index 6bf0d32..3778515 100644
--- a/prebuilts/api/28.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
index 18113e7..1fb3d48 100644
--- a/prebuilts/api/28.0/public/netd.te
+++ b/prebuilts/api/28.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/28.0/public/vendor_toolbox.te b/prebuilts/api/28.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/28.0/public/vendor_toolbox.te
+++ b/prebuilts/api/28.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te
index 169f6b2..419d9fe 100644
--- a/prebuilts/api/29.0/private/coredomain.te
+++ b/prebuilts/api/29.0/private/coredomain.te
@@ -15,7 +15,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 209eeb0..447176e 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -83,7 +83,7 @@
')
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
@@ -185,7 +185,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -299,7 +299,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/prebuilts/api/29.0/private/heapprofd.te b/prebuilts/api/29.0/private/heapprofd.te
index 5330c58..f984677 100644
--- a/prebuilts/api/29.0/private/heapprofd.te
+++ b/prebuilts/api/29.0/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index b93f1b2..ee9812e 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -126,7 +126,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/29.0/private/isolated_app.te b/prebuilts/api/29.0/private/isolated_app.te
index 94b49b0..714405f 100644
--- a/prebuilts/api/29.0/private/isolated_app.te
+++ b/prebuilts/api/29.0/private/isolated_app.te
@@ -87,7 +87,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/29.0/private/perfetto.te b/prebuilts/api/29.0/private/perfetto.te
index 60a6250..6b1a81a 100644
--- a/prebuilts/api/29.0/private/perfetto.te
+++ b/prebuilts/api/29.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 73891c9..5f60674 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -50,14 +50,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values whitelisted in
+# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -102,7 +102,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/29.0/private/traced_probes.te b/prebuilts/api/29.0/private/traced_probes.te
index 4820e3f..5b4c0cc 100644
--- a/prebuilts/api/29.0/private/traced_probes.te
+++ b/prebuilts/api/29.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/prebuilts/api/29.0/public/app.te b/prebuilts/api/29.0/public/app.te
index 5c48e71..5b3459f 100644
--- a/prebuilts/api/29.0/public/app.te
+++ b/prebuilts/api/29.0/public/app.te
@@ -537,7 +537,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -558,7 +558,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 987bb9f..1a9e0e1 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -260,19 +260,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -331,7 +331,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to a allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -346,7 +346,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -544,7 +544,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -951,7 +951,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -970,7 +970,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
neverallow {
coredomain
-init
@@ -998,7 +998,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1028,7 +1028,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
domain
-appdomain
@@ -1215,7 +1215,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/29.0/public/hal_wifi_supplicant.te b/prebuilts/api/29.0/public/hal_wifi_supplicant.te
index 6004c33..79a0667 100644
--- a/prebuilts/api/29.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/29.0/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/29.0/public/netd.te b/prebuilts/api/29.0/public/netd.te
index c8877b2..f776db6 100644
--- a/prebuilts/api/29.0/public/netd.te
+++ b/prebuilts/api/29.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 865502e..71002be 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -148,6 +148,9 @@
ro.url.legal u:object_r:exported3_default_prop:s0 exact string
ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string
+ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
+ro.media.xml_variant.profiles u:object_r:media_variant_prop:s0 exact string
ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
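Review bot: The three new `ro.media.xml_variant.*` entries label into `media_variant_prop`, but nothing in this hunk shows that type being declared in the same 29.0 snapshot; if `prebuilts/api/29.0/public/property.te` in this snapshot does not define it, the property_contexts for that API level would presumably no longer resolve against its own policy. The type does appear as `(type media_variant_prop)` in the 30.0 `plat_pub_versioned.cil` added further down in this change, so it is a public type at 30.0, but the 29.0 copy needs its own declaration to stay self-contained — worth confirming before merging. As a point of style, the neighbouring lines appear sorted by property name (`ro.url.*`, `ro.vendor.*`, `ro.zram.*`), so the new block would sit more naturally before `ro.url.legal` rather than between `ro.vendor.build.security_patch` and `ro.zram.mark_idle_delay_mins`.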
diff --git a/prebuilts/api/29.0/public/vendor_toolbox.te b/prebuilts/api/29.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/29.0/public/vendor_toolbox.te
+++ b/prebuilts/api/29.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/30.0/plat_pub_versioned.cil b/prebuilts/api/30.0/plat_pub_versioned.cil
new file mode 100644
index 0000000..3942219
--- /dev/null
+++ b/prebuilts/api/30.0/plat_pub_versioned.cil
@@ -0,0 +1,3011 @@
+(type DockObserver_service)
+(type IProxyService_service)
+(type accessibility_service)
+(type account_service)
+(type activity_service)
+(type activity_task_service)
+(type adb_data_file)
+(type adb_keys_file)
+(type adb_service)
+(type adbd)
+(type adbd_exec)
+(type adbd_prop)
+(type adbd_socket)
+(type aidl_lazy_test_server)
+(type aidl_lazy_test_server_exec)
+(type aidl_lazy_test_service)
+(type alarm_service)
+(type anr_data_file)
+(type apex_data_file)
+(type apex_metadata_file)
+(type apex_mnt_dir)
+(type apex_module_data_file)
+(type apex_permission_data_file)
+(type apex_rollback_data_file)
+(type apex_service)
+(type apex_wifi_data_file)
+(type apexd)
+(type apexd_exec)
+(type apexd_prop)
+(type apk_data_file)
+(type apk_private_data_file)
+(type apk_private_tmp_file)
+(type apk_tmp_file)
+(type apk_verity_prop)
+(type app_binding_service)
+(type app_data_file)
+(type app_fuse_file)
+(type app_fusefs)
+(type app_integrity_service)
+(type app_prediction_service)
+(type app_search_service)
+(type app_zygote)
+(type app_zygote_tmpfs)
+(type appdomain_tmpfs)
+(type appops_service)
+(type appwidget_service)
+(type art_apex_dir)
+(type asec_apk_file)
+(type asec_image_file)
+(type asec_public_file)
+(type ashmem_device)
+(type ashmem_libcutils_device)
+(type assetatlas_service)
+(type audio_data_file)
+(type audio_device)
+(type audio_prop)
+(type audio_service)
+(type audiohal_data_file)
+(type audioserver)
+(type audioserver_data_file)
+(type audioserver_service)
+(type audioserver_tmpfs)
+(type auth_service)
+(type autofill_service)
+(type backup_data_file)
+(type backup_service)
+(type battery_service)
+(type batteryproperties_service)
+(type batterystats_service)
+(type binder_cache_bluetooth_server_prop)
+(type binder_cache_system_server_prop)
+(type binder_cache_telephony_server_prop)
+(type binder_calls_stats_service)
+(type binder_device)
+(type binderfs)
+(type binderfs_logs)
+(type binderfs_logs_proc)
+(type binfmt_miscfs)
+(type biometric_service)
+(type blkid)
+(type blkid_untrusted)
+(type blob_store_service)
+(type block_device)
+(type bluetooth)
+(type bluetooth_a2dp_offload_prop)
+(type bluetooth_audio_hal_prop)
+(type bluetooth_data_file)
+(type bluetooth_efs_file)
+(type bluetooth_logs_data_file)
+(type bluetooth_manager_service)
+(type bluetooth_prop)
+(type bluetooth_service)
+(type bluetooth_socket)
+(type boot_block_device)
+(type bootanim)
+(type bootanim_exec)
+(type bootchart_data_file)
+(type bootloader_boot_reason_prop)
+(type bootstat)
+(type bootstat_data_file)
+(type bootstat_exec)
+(type boottime_prop)
+(type boottime_public_prop)
+(type boottrace_data_file)
+(type bpf_progs_loaded_prop)
+(type bq_config_prop)
+(type broadcastradio_service)
+(type bufferhubd)
+(type bufferhubd_exec)
+(type bugreport_service)
+(type cache_backup_file)
+(type cache_block_device)
+(type cache_file)
+(type cache_private_backup_file)
+(type cache_recovery_file)
+(type cacheinfo_service)
+(type camera_data_file)
+(type camera_device)
+(type cameraproxy_service)
+(type cameraserver)
+(type cameraserver_exec)
+(type cameraserver_service)
+(type cameraserver_tmpfs)
+(type cgroup)
+(type cgroup_bpf)
+(type cgroup_desc_file)
+(type cgroup_rc_file)
+(type charger)
+(type charger_exec)
+(type charger_prop)
+(type clipboard_service)
+(type cold_boot_done_prop)
+(type color_display_service)
+(type companion_device_service)
+(type config_prop)
+(type configfs)
+(type connectivity_service)
+(type connmetrics_service)
+(type console_device)
+(type consumer_ir_service)
+(type content_capture_service)
+(type content_service)
+(type content_suggestions_service)
+(type contexthub_service)
+(type coredump_file)
+(type country_detector_service)
+(type coverage_service)
+(type cppreopt_prop)
+(type cpu_variant_prop)
+(type cpuinfo_service)
+(type crash_dump)
+(type crash_dump_exec)
+(type credstore)
+(type credstore_data_file)
+(type credstore_exec)
+(type credstore_service)
+(type crossprofileapps_service)
+(type ctl_adbd_prop)
+(type ctl_apexd_prop)
+(type ctl_bootanim_prop)
+(type ctl_bugreport_prop)
+(type ctl_console_prop)
+(type ctl_default_prop)
+(type ctl_dumpstate_prop)
+(type ctl_fuse_prop)
+(type ctl_gsid_prop)
+(type ctl_interface_restart_prop)
+(type ctl_interface_start_prop)
+(type ctl_interface_stop_prop)
+(type ctl_mdnsd_prop)
+(type ctl_restart_prop)
+(type ctl_rildaemon_prop)
+(type ctl_sigstop_prop)
+(type ctl_start_prop)
+(type ctl_stop_prop)
+(type dalvik_prop)
+(type dalvikcache_data_file)
+(type dataloader_manager_service)
+(type dbinfo_service)
+(type debug_prop)
+(type debugfs)
+(type debugfs_kprobes)
+(type debugfs_mmc)
+(type debugfs_trace_marker)
+(type debugfs_tracing)
+(type debugfs_tracing_debug)
+(type debugfs_tracing_instances)
+(type debugfs_wakeup_sources)
+(type debugfs_wifi_tracing)
+(type debuggerd_prop)
+(type default_android_hwservice)
+(type default_android_service)
+(type default_android_vndservice)
+(type default_prop)
+(type dev_cpu_variant)
+(type device)
+(type device_config_activity_manager_native_boot_prop)
+(type device_config_boot_count_prop)
+(type device_config_configuration_prop)
+(type device_config_input_native_boot_prop)
+(type device_config_media_native_prop)
+(type device_config_netd_native_prop)
+(type device_config_reset_performed_prop)
+(type device_config_runtime_native_boot_prop)
+(type device_config_runtime_native_prop)
+(type device_config_service)
+(type device_config_storage_native_boot_prop)
+(type device_config_sys_traced_prop)
+(type device_config_window_manager_native_boot_prop)
+(type device_identifiers_service)
+(type device_logging_prop)
+(type device_policy_service)
+(type deviceidle_service)
+(type devicestoragemonitor_service)
+(type devpts)
+(type dhcp)
+(type dhcp_data_file)
+(type dhcp_exec)
+(type dhcp_prop)
+(type diskstats_service)
+(type display_service)
+(type dm_device)
+(type dnsmasq)
+(type dnsmasq_exec)
+(type dnsproxyd_socket)
+(type dnsresolver_service)
+(type dreams_service)
+(type drm_data_file)
+(type drmserver)
+(type drmserver_exec)
+(type drmserver_service)
+(type drmserver_socket)
+(type dropbox_data_file)
+(type dropbox_service)
+(type dumpstate)
+(type dumpstate_exec)
+(type dumpstate_options_prop)
+(type dumpstate_prop)
+(type dumpstate_service)
+(type dumpstate_socket)
+(type dynamic_system_prop)
+(type e2fs)
+(type e2fs_exec)
+(type efs_file)
+(type emergency_affordance_service)
+(type ephemeral_app)
+(type ethernet_service)
+(type exfat)
+(type exported2_config_prop)
+(type exported2_default_prop)
+(type exported2_radio_prop)
+(type exported2_system_prop)
+(type exported2_vold_prop)
+(type exported3_default_prop)
+(type exported3_radio_prop)
+(type exported3_system_prop)
+(type exported_audio_prop)
+(type exported_bluetooth_prop)
+(type exported_camera_prop)
+(type exported_config_prop)
+(type exported_dalvik_prop)
+(type exported_default_prop)
+(type exported_dumpstate_prop)
+(type exported_ffs_prop)
+(type exported_fingerprint_prop)
+(type exported_overlay_prop)
+(type exported_pm_prop)
+(type exported_radio_prop)
+(type exported_secure_prop)
+(type exported_system_prop)
+(type exported_system_radio_prop)
+(type exported_vold_prop)
+(type exported_wifi_prop)
+(type external_vibrator_service)
+(type face_service)
+(type face_vendor_data_file)
+(type fastbootd)
+(type fastbootd_protocol_prop)
+(type ffs_prop)
+(type file_contexts_file)
+(type file_integrity_service)
+(type fingerprint_prop)
+(type fingerprint_service)
+(type fingerprint_vendor_data_file)
+(type fingerprintd)
+(type fingerprintd_data_file)
+(type fingerprintd_exec)
+(type fingerprintd_service)
+(type firstboot_prop)
+(type flags_health_check)
+(type flags_health_check_exec)
+(type font_service)
+(type frp_block_device)
+(type fs_bpf)
+(type fsck)
+(type fsck_exec)
+(type fsck_untrusted)
+(type fscklogs)
+(type functionfs)
+(type fuse)
+(type fuse_device)
+(type fusectlfs)
+(type fwk_automotive_display_hwservice)
+(type fwk_bufferhub_hwservice)
+(type fwk_camera_hwservice)
+(type fwk_display_hwservice)
+(type fwk_scheduler_hwservice)
+(type fwk_sensor_hwservice)
+(type fwk_stats_hwservice)
+(type fwmarkd_socket)
+(type gatekeeper_data_file)
+(type gatekeeper_service)
+(type gatekeeperd)
+(type gatekeeperd_exec)
+(type gfxinfo_service)
+(type gmscore_app)
+(type gps_control)
+(type gpu_device)
+(type gpu_service)
+(type gpuservice)
+(type graphics_config_prop)
+(type graphics_device)
+(type graphicsstats_service)
+(type gsi_data_file)
+(type gsi_metadata_file)
+(type gsid_prop)
+(type hal_atrace_hwservice)
+(type hal_audio_hwservice)
+(type hal_audiocontrol_hwservice)
+(type hal_authsecret_hwservice)
+(type hal_bluetooth_hwservice)
+(type hal_bootctl_hwservice)
+(type hal_broadcastradio_hwservice)
+(type hal_camera_hwservice)
+(type hal_can_bus_hwservice)
+(type hal_can_controller_hwservice)
+(type hal_cas_hwservice)
+(type hal_codec2_hwservice)
+(type hal_configstore_ISurfaceFlingerConfigs)
+(type hal_confirmationui_hwservice)
+(type hal_contexthub_hwservice)
+(type hal_drm_hwservice)
+(type hal_dumpstate_hwservice)
+(type hal_evs_hwservice)
+(type hal_face_hwservice)
+(type hal_fingerprint_hwservice)
+(type hal_fingerprint_service)
+(type hal_gatekeeper_hwservice)
+(type hal_gnss_hwservice)
+(type hal_graphics_allocator_hwservice)
+(type hal_graphics_composer_hwservice)
+(type hal_graphics_composer_server_tmpfs)
+(type hal_graphics_mapper_hwservice)
+(type hal_health_hwservice)
+(type hal_health_storage_hwservice)
+(type hal_identity_service)
+(type hal_input_classifier_hwservice)
+(type hal_ir_hwservice)
+(type hal_keymaster_hwservice)
+(type hal_light_hwservice)
+(type hal_light_service)
+(type hal_lowpan_hwservice)
+(type hal_memtrack_hwservice)
+(type hal_neuralnetworks_hwservice)
+(type hal_nfc_hwservice)
+(type hal_oemlock_hwservice)
+(type hal_omx_hwservice)
+(type hal_power_hwservice)
+(type hal_power_service)
+(type hal_power_stats_hwservice)
+(type hal_rebootescrow_service)
+(type hal_renderscript_hwservice)
+(type hal_secure_element_hwservice)
+(type hal_sensors_hwservice)
+(type hal_telephony_hwservice)
+(type hal_tetheroffload_hwservice)
+(type hal_thermal_hwservice)
+(type hal_tv_cec_hwservice)
+(type hal_tv_input_hwservice)
+(type hal_tv_tuner_hwservice)
+(type hal_usb_gadget_hwservice)
+(type hal_usb_hwservice)
+(type hal_vehicle_hwservice)
+(type hal_vibrator_hwservice)
+(type hal_vibrator_service)
+(type hal_vr_hwservice)
+(type hal_weaver_hwservice)
+(type hal_wifi_hostapd_hwservice)
+(type hal_wifi_hwservice)
+(type hal_wifi_supplicant_hwservice)
+(type hardware_properties_service)
+(type hardware_service)
+(type hci_attach_dev)
+(type hdmi_control_service)
+(type healthd)
+(type healthd_exec)
+(type heapdump_data_file)
+(type heapprofd)
+(type heapprofd_enabled_prop)
+(type heapprofd_prop)
+(type heapprofd_socket)
+(type hidl_allocator_hwservice)
+(type hidl_base_hwservice)
+(type hidl_manager_hwservice)
+(type hidl_memory_hwservice)
+(type hidl_token_hwservice)
+(type hw_random_device)
+(type hwbinder_device)
+(type hwservice_contexts_file)
+(type hwservicemanager)
+(type hwservicemanager_exec)
+(type hwservicemanager_prop)
+(type icon_file)
+(type idmap)
+(type idmap_exec)
+(type idmap_service)
+(type iio_device)
+(type imms_service)
+(type incident)
+(type incident_data_file)
+(type incident_helper)
+(type incident_service)
+(type incidentd)
+(type incremental_control_file)
+(type incremental_prop)
+(type incremental_service)
+(type init)
+(type init_exec)
+(type init_perf_lsm_hooks_prop)
+(type init_svc_debug_prop)
+(type init_tmpfs)
+(type inotify)
+(type input_device)
+(type input_method_service)
+(type input_service)
+(type inputflinger)
+(type inputflinger_exec)
+(type inputflinger_service)
+(type install_data_file)
+(type installd)
+(type installd_exec)
+(type installd_service)
+(type ion_device)
+(type iorap_inode2filename)
+(type iorap_inode2filename_exec)
+(type iorap_inode2filename_tmpfs)
+(type iorap_prefetcherd)
+(type iorap_prefetcherd_exec)
+(type iorap_prefetcherd_tmpfs)
+(type iorapd)
+(type iorapd_data_file)
+(type iorapd_exec)
+(type iorapd_service)
+(type iorapd_tmpfs)
+(type ipsec_service)
+(type iris_service)
+(type iris_vendor_data_file)
+(type isolated_app)
+(type jobscheduler_service)
+(type kernel)
+(type keychain_data_file)
+(type keychord_device)
+(type keystore)
+(type keystore_data_file)
+(type keystore_exec)
+(type keystore_service)
+(type kmsg_debug_device)
+(type kmsg_device)
+(type labeledfs)
+(type last_boot_reason_prop)
+(type launcherapps_service)
+(type light_service)
+(type linkerconfig_file)
+(type llkd)
+(type llkd_exec)
+(type llkd_prop)
+(type lmkd)
+(type lmkd_exec)
+(type lmkd_prop)
+(type lmkd_socket)
+(type location_service)
+(type lock_settings_service)
+(type log_prop)
+(type log_tag_prop)
+(type logcat_exec)
+(type logd)
+(type logd_exec)
+(type logd_prop)
+(type logd_socket)
+(type logdr_socket)
+(type logdw_socket)
+(type logpersist)
+(type logpersistd_logging_prop)
+(type loop_control_device)
+(type loop_device)
+(type looper_stats_service)
+(type lowpan_device)
+(type lowpan_prop)
+(type lowpan_service)
+(type lpdump_service)
+(type lpdumpd_prop)
+(type mac_perms_file)
+(type mdns_socket)
+(type mdnsd)
+(type mdnsd_socket)
+(type media_data_file)
+(type media_projection_service)
+(type media_router_service)
+(type media_rw_data_file)
+(type media_session_service)
+(type media_variant_prop)
+(type mediadrmserver)
+(type mediadrmserver_exec)
+(type mediadrmserver_service)
+(type mediaextractor)
+(type mediaextractor_exec)
+(type mediaextractor_service)
+(type mediaextractor_tmpfs)
+(type mediametrics)
+(type mediametrics_exec)
+(type mediametrics_service)
+(type mediaprovider)
+(type mediaserver)
+(type mediaserver_exec)
+(type mediaserver_service)
+(type mediaserver_tmpfs)
+(type mediaswcodec)
+(type mediaswcodec_exec)
+(type mediatranscoding)
+(type mediatranscoding_exec)
+(type mediatranscoding_service)
+(type meminfo_service)
+(type metadata_block_device)
+(type metadata_bootstat_file)
+(type metadata_file)
+(type method_trace_data_file)
+(type midi_service)
+(type mirror_data_file)
+(type misc_block_device)
+(type misc_logd_file)
+(type misc_user_data_file)
+(type mmc_prop)
+(type mnt_expand_file)
+(type mnt_media_rw_file)
+(type mnt_media_rw_stub_file)
+(type mnt_pass_through_file)
+(type mnt_product_file)
+(type mnt_sdcard_file)
+(type mnt_user_file)
+(type mnt_vendor_file)
+(type mock_ota_prop)
+(type modprobe)
+(type module_sdkextensions_prop)
+(type mount_service)
+(type mqueue)
+(type mtp)
+(type mtp_device)
+(type mtp_exec)
+(type mtpd_socket)
+(type nativetest_data_file)
+(type net_data_file)
+(type net_dns_prop)
+(type net_radio_prop)
+(type netd)
+(type netd_exec)
+(type netd_listener_service)
+(type netd_service)
+(type netd_stable_secret_prop)
+(type netif)
+(type netpolicy_service)
+(type netstats_service)
+(type netutils_wrapper)
+(type netutils_wrapper_exec)
+(type network_management_service)
+(type network_score_service)
+(type network_stack)
+(type network_stack_service)
+(type network_time_update_service)
+(type network_watchlist_data_file)
+(type network_watchlist_service)
+(type nfc)
+(type nfc_data_file)
+(type nfc_device)
+(type nfc_prop)
+(type nfc_service)
+(type nnapi_ext_deny_product_prop)
+(type node)
+(type nonplat_service_contexts_file)
+(type notification_service)
+(type null_device)
+(type oem_lock_service)
+(type oemfs)
+(type ota_data_file)
+(type ota_metadata_file)
+(type ota_package_file)
+(type ota_prop)
+(type otadexopt_service)
+(type overlay_prop)
+(type overlay_service)
+(type overlayfs_file)
+(type owntty_device)
+(type package_native_service)
+(type package_service)
+(type packages_list_file)
+(type pan_result_prop)
+(type password_slot_metadata_file)
+(type pdx_bufferhub_client_channel_socket)
+(type pdx_bufferhub_client_endpoint_socket)
+(type pdx_bufferhub_dir)
+(type pdx_display_client_channel_socket)
+(type pdx_display_client_endpoint_socket)
+(type pdx_display_dir)
+(type pdx_display_manager_channel_socket)
+(type pdx_display_manager_endpoint_socket)
+(type pdx_display_screenshot_channel_socket)
+(type pdx_display_screenshot_endpoint_socket)
+(type pdx_display_vsync_channel_socket)
+(type pdx_display_vsync_endpoint_socket)
+(type pdx_performance_client_channel_socket)
+(type pdx_performance_client_endpoint_socket)
+(type pdx_performance_dir)
+(type perfetto)
+(type performanced)
+(type performanced_exec)
+(type permission_service)
+(type permissionmgr_service)
+(type persist_debug_prop)
+(type persistent_data_block_service)
+(type persistent_properties_ready_prop)
+(type pinner_service)
+(type pipefs)
+(type platform_app)
+(type platform_compat_service)
+(type pm_prop)
+(type pmsg_device)
+(type port)
+(type port_device)
+(type postinstall)
+(type postinstall_apex_mnt_dir)
+(type postinstall_file)
+(type postinstall_mnt_dir)
+(type power_service)
+(type powerctl_prop)
+(type ppp)
+(type ppp_device)
+(type ppp_exec)
+(type preloads_data_file)
+(type preloads_media_file)
+(type prereboot_data_file)
+(type print_service)
+(type priv_app)
+(type privapp_data_file)
+(type proc)
+(type proc_abi)
+(type proc_asound)
+(type proc_bluetooth_writable)
+(type proc_buddyinfo)
+(type proc_cmdline)
+(type proc_cpuinfo)
+(type proc_dirty)
+(type proc_diskstats)
+(type proc_drop_caches)
+(type proc_extra_free_kbytes)
+(type proc_filesystems)
+(type proc_fs_verity)
+(type proc_hostname)
+(type proc_hung_task)
+(type proc_interrupts)
+(type proc_iomem)
+(type proc_keys)
+(type proc_kmsg)
+(type proc_kpageflags)
+(type proc_loadavg)
+(type proc_lowmemorykiller)
+(type proc_max_map_count)
+(type proc_meminfo)
+(type proc_min_free_order_shift)
+(type proc_misc)
+(type proc_modules)
+(type proc_mounts)
+(type proc_net)
+(type proc_net_tcp_udp)
+(type proc_overcommit_memory)
+(type proc_page_cluster)
+(type proc_pagetypeinfo)
+(type proc_panic)
+(type proc_perf)
+(type proc_pid_max)
+(type proc_pipe_conf)
+(type proc_pressure_cpu)
+(type proc_pressure_io)
+(type proc_pressure_mem)
+(type proc_qtaguid_ctrl)
+(type proc_qtaguid_stat)
+(type proc_random)
+(type proc_sched)
+(type proc_security)
+(type proc_slabinfo)
+(type proc_stat)
+(type proc_swaps)
+(type proc_sysrq)
+(type proc_timer)
+(type proc_tty_drivers)
+(type proc_uid_concurrent_active_time)
+(type proc_uid_concurrent_policy_time)
+(type proc_uid_cpupower)
+(type proc_uid_cputime_removeuid)
+(type proc_uid_cputime_showstat)
+(type proc_uid_io_stats)
+(type proc_uid_procstat_set)
+(type proc_uid_time_in_state)
+(type proc_uptime)
+(type proc_version)
+(type proc_vmallocinfo)
+(type proc_vmstat)
+(type proc_zoneinfo)
+(type processinfo_service)
+(type procstats_service)
+(type profman)
+(type profman_dump_data_file)
+(type profman_exec)
+(type properties_device)
+(type properties_serial)
+(type property_contexts_file)
+(type property_data_file)
+(type property_info)
+(type property_socket)
+(type pstorefs)
+(type ptmx_device)
+(type qtaguid_device)
+(type racoon)
+(type racoon_exec)
+(type racoon_socket)
+(type radio)
+(type radio_data_file)
+(type radio_device)
+(type radio_prop)
+(type radio_service)
+(type ram_device)
+(type random_device)
+(type rebootescrow_hal_prop)
+(type recovery)
+(type recovery_block_device)
+(type recovery_data_file)
+(type recovery_persist)
+(type recovery_persist_exec)
+(type recovery_refresh)
+(type recovery_refresh_exec)
+(type recovery_service)
+(type recovery_socket)
+(type registry_service)
+(type resourcecache_data_file)
+(type restorecon_prop)
+(type restrictions_service)
+(type rild_debug_socket)
+(type rild_socket)
+(type ringtone_file)
+(type role_service)
+(type rollback_service)
+(type root_block_device)
+(type rootfs)
+(type rpmsg_device)
+(type rs)
+(type rs_exec)
+(type rss_hwm_reset)
+(type rtc_device)
+(type rttmanager_service)
+(type runas)
+(type runas_app)
+(type runas_exec)
+(type runtime_event_log_tags_file)
+(type runtime_service)
+(type safemode_prop)
+(type same_process_hal_file)
+(type samplingprofiler_service)
+(type scheduling_policy_service)
+(type sdcard_block_device)
+(type sdcardd)
+(type sdcardd_exec)
+(type sdcardfs)
+(type seapp_contexts_file)
+(type search_service)
+(type sec_key_att_app_id_provider_service)
+(type secure_element)
+(type secure_element_device)
+(type secure_element_service)
+(type securityfs)
+(type selinuxfs)
+(type sensor_privacy_service)
+(type sensors_device)
+(type sensorservice_service)
+(type sepolicy_file)
+(type serial_device)
+(type serial_service)
+(type serialno_prop)
+(type server_configurable_flags_data_file)
+(type service_contexts_file)
+(type service_manager_service)
+(type service_manager_vndservice)
+(type servicediscovery_service)
+(type servicemanager)
+(type servicemanager_exec)
+(type settings_service)
+(type sgdisk)
+(type sgdisk_exec)
+(type shared_relro)
+(type shared_relro_file)
+(type shell)
+(type shell_data_file)
+(type shell_exec)
+(type shell_prop)
+(type shm)
+(type shortcut_manager_icons)
+(type shortcut_service)
+(type simpleperf)
+(type simpleperf_app_runner)
+(type simpleperf_app_runner_exec)
+(type slice_service)
+(type slideshow)
+(type snapshotctl_log_data_file)
+(type socket_device)
+(type socket_hook_prop)
+(type sockfs)
+(type sota_prop)
+(type soundtrigger_middleware_service)
+(type staged_install_file)
+(type staging_data_file)
+(type stats_data_file)
+(type statsd)
+(type statsd_exec)
+(type statsdw_socket)
+(type statusbar_service)
+(type storage_config_prop)
+(type storage_file)
+(type storage_stub_file)
+(type storaged_service)
+(type storagestats_service)
+(type su)
+(type su_exec)
+(type super_block_device)
+(type surfaceflinger)
+(type surfaceflinger_display_prop)
+(type surfaceflinger_service)
+(type surfaceflinger_tmpfs)
+(type swap_block_device)
+(type sysfs)
+(type sysfs_android_usb)
+(type sysfs_batteryinfo)
+(type sysfs_bluetooth_writable)
+(type sysfs_devices_block)
+(type sysfs_devices_system_cpu)
+(type sysfs_dm)
+(type sysfs_dm_verity)
+(type sysfs_dt_firmware_android)
+(type sysfs_extcon)
+(type sysfs_fs_ext4_features)
+(type sysfs_fs_f2fs)
+(type sysfs_hwrandom)
+(type sysfs_ion)
+(type sysfs_ipv4)
+(type sysfs_kernel_notes)
+(type sysfs_leds)
+(type sysfs_loop)
+(type sysfs_lowmemorykiller)
+(type sysfs_net)
+(type sysfs_nfc_power_writable)
+(type sysfs_power)
+(type sysfs_rtc)
+(type sysfs_suspend_stats)
+(type sysfs_switch)
+(type sysfs_thermal)
+(type sysfs_transparent_hugepage)
+(type sysfs_uio)
+(type sysfs_usb)
+(type sysfs_usermodehelper)
+(type sysfs_vibrator)
+(type sysfs_wake_lock)
+(type sysfs_wakeup)
+(type sysfs_wakeup_reasons)
+(type sysfs_wlan_fwpath)
+(type sysfs_zram)
+(type sysfs_zram_uevent)
+(type system_adbd_prop)
+(type system_app)
+(type system_app_data_file)
+(type system_app_service)
+(type system_asan_options_file)
+(type system_block_device)
+(type system_boot_reason_prop)
+(type system_bootstrap_lib_file)
+(type system_config_service)
+(type system_data_file)
+(type system_data_root_file)
+(type system_event_log_tags_file)
+(type system_file)
+(type system_group_file)
+(type system_jvmti_agent_prop)
+(type system_lib_file)
+(type system_linker_config_file)
+(type system_linker_exec)
+(type system_lmk_prop)
+(type system_ndebug_socket)
+(type system_net_netd_hwservice)
+(type system_passwd_file)
+(type system_prop)
+(type system_radio_prop)
+(type system_seccomp_policy_file)
+(type system_security_cacerts_file)
+(type system_server)
+(type system_server_tmpfs)
+(type system_suspend_control_service)
+(type system_suspend_hwservice)
+(type system_trace_prop)
+(type system_unsolzygote_socket)
+(type system_update_service)
+(type system_wifi_keystore_hwservice)
+(type system_wpa_socket)
+(type system_zoneinfo_file)
+(type systemkeys_data_file)
+(type task_profiles_file)
+(type task_service)
+(type tcpdump_exec)
+(type tee)
+(type tee_data_file)
+(type tee_device)
+(type telecom_service)
+(type test_boot_reason_prop)
+(type test_harness_prop)
+(type testharness_service)
+(type tethering_service)
+(type textclassification_service)
+(type textclassifier_data_file)
+(type textservices_service)
+(type theme_prop)
+(type thermal_service)
+(type thermalcallback_hwservice)
+(type time_prop)
+(type timedetector_service)
+(type timezone_service)
+(type timezonedetector_service)
+(type tmpfs)
+(type tombstone_data_file)
+(type tombstone_wifi_data_file)
+(type tombstoned)
+(type tombstoned_crash_socket)
+(type tombstoned_exec)
+(type tombstoned_intercept_socket)
+(type tombstoned_java_trace_socket)
+(type toolbox)
+(type toolbox_exec)
+(type trace_data_file)
+(type traced)
+(type traced_consumer_socket)
+(type traced_enabled_prop)
+(type traced_lazy_prop)
+(type traced_perf)
+(type traced_perf_enabled_prop)
+(type traced_perf_socket)
+(type traced_probes)
+(type traced_producer_socket)
+(type traceur_app)
+(type trust_service)
+(type tty_device)
+(type tun_device)
+(type tv_input_service)
+(type tv_tuner_resource_mgr_service)
+(type tzdatacheck)
+(type tzdatacheck_exec)
+(type ueventd)
+(type ueventd_tmpfs)
+(type uhid_device)
+(type uimode_service)
+(type uio_device)
+(type uncrypt)
+(type uncrypt_exec)
+(type uncrypt_socket)
+(type unencrypted_data_file)
+(type unlabeled)
+(type untrusted_app)
+(type untrusted_app_25)
+(type untrusted_app_27)
+(type untrusted_app_29)
+(type update_engine)
+(type update_engine_data_file)
+(type update_engine_exec)
+(type update_engine_log_data_file)
+(type update_engine_service)
+(type update_verifier)
+(type update_verifier_exec)
+(type updatelock_service)
+(type uri_grants_service)
+(type usagestats_service)
+(type usb_device)
+(type usb_serial_device)
+(type usb_service)
+(type usbaccessory_device)
+(type usbd)
+(type usbd_exec)
+(type usbfs)
+(type use_memfd_prop)
+(type user_profile_data_file)
+(type user_service)
+(type userdata_block_device)
+(type usermodehelper)
+(type userspace_reboot_config_prop)
+(type userspace_reboot_exported_prop)
+(type userspace_reboot_log_prop)
+(type userspace_reboot_test_prop)
+(type vdc)
+(type vdc_exec)
+(type vehicle_hal_prop)
+(type vendor_apex_file)
+(type vendor_app_file)
+(type vendor_cgroup_desc_file)
+(type vendor_configs_file)
+(type vendor_data_file)
+(type vendor_default_prop)
+(type vendor_file)
+(type vendor_framework_file)
+(type vendor_hal_file)
+(type vendor_idc_file)
+(type vendor_init)
+(type vendor_keychars_file)
+(type vendor_keylayout_file)
+(type vendor_misc_writer)
+(type vendor_misc_writer_exec)
+(type vendor_overlay_file)
+(type vendor_public_lib_file)
+(type vendor_security_patch_level_prop)
+(type vendor_service_contexts_file)
+(type vendor_shell)
+(type vendor_shell_exec)
+(type vendor_socket_hook_prop)
+(type vendor_task_profiles_file)
+(type vendor_toolbox_exec)
+(type vfat)
+(type vibrator_service)
+(type video_device)
+(type virtual_ab_prop)
+(type virtual_touchpad)
+(type virtual_touchpad_exec)
+(type virtual_touchpad_service)
+(type vndbinder_device)
+(type vndk_prop)
+(type vndk_sp_file)
+(type vndservice_contexts_file)
+(type vndservicemanager)
+(type voiceinteraction_service)
+(type vold)
+(type vold_data_file)
+(type vold_device)
+(type vold_exec)
+(type vold_metadata_file)
+(type vold_prepare_subdirs)
+(type vold_prepare_subdirs_exec)
+(type vold_prop)
+(type vold_service)
+(type vpn_data_file)
+(type vr_hwc)
+(type vr_hwc_exec)
+(type vr_hwc_service)
+(type vr_manager_service)
+(type vrflinger_vsync_service)
+(type wallpaper_file)
+(type wallpaper_service)
+(type watchdog_device)
+(type watchdogd)
+(type watchdogd_exec)
+(type webview_zygote)
+(type webview_zygote_exec)
+(type webview_zygote_tmpfs)
+(type webviewupdate_service)
+(type wifi_data_file)
+(type wifi_log_prop)
+(type wifi_prop)
+(type wifi_service)
+(type wifiaware_service)
+(type wificond)
+(type wificond_exec)
+(type wifinl80211_service)
+(type wifip2p_service)
+(type wifiscanner_service)
+(type window_service)
+(type wpa_socket)
+(type wpantund)
+(type wpantund_exec)
+(type wpantund_service)
+(type zero_device)
+(type zoneinfo_data_file)
+(type zygote)
+(type zygote_exec)
+(type zygote_socket)
+(type zygote_tmpfs)
+(typeattribute DockObserver_service_30_0)
+(typeattribute IProxyService_service_30_0)
+(typeattribute accessibility_service_30_0)
+(typeattribute account_service_30_0)
+(typeattribute activity_service_30_0)
+(typeattribute activity_task_service_30_0)
+(typeattribute adb_data_file_30_0)
+(typeattribute adb_keys_file_30_0)
+(typeattribute adb_service_30_0)
+(typeattribute adbd_30_0)
+(typeattribute adbd_exec_30_0)
+(typeattribute adbd_prop_30_0)
+(typeattribute adbd_socket_30_0)
+(typeattribute aidl_lazy_test_server_30_0)
+(typeattribute aidl_lazy_test_server_exec_30_0)
+(typeattribute aidl_lazy_test_service_30_0)
+(typeattribute alarm_service_30_0)
+(typeattribute anr_data_file_30_0)
+(typeattribute apex_data_file_30_0)
+(typeattribute apex_metadata_file_30_0)
+(typeattribute apex_mnt_dir_30_0)
+(typeattribute apex_module_data_file_30_0)
+(typeattribute apex_permission_data_file_30_0)
+(typeattribute apex_rollback_data_file_30_0)
+(typeattribute apex_service_30_0)
+(typeattribute apex_wifi_data_file_30_0)
+(typeattribute apexd_30_0)
+(typeattribute apexd_exec_30_0)
+(typeattribute apexd_prop_30_0)
+(typeattribute apk_data_file_30_0)
+(typeattribute apk_private_data_file_30_0)
+(typeattribute apk_private_tmp_file_30_0)
+(typeattribute apk_tmp_file_30_0)
+(typeattribute apk_verity_prop_30_0)
+(typeattribute app_api_service)
+(typeattribute app_binding_service_30_0)
+(typeattribute app_data_file_30_0)
+(typeattribute app_fuse_file_30_0)
+(typeattribute app_fusefs_30_0)
+(typeattribute app_integrity_service_30_0)
+(typeattribute app_prediction_service_30_0)
+(typeattribute app_search_service_30_0)
+(typeattribute app_zygote_30_0)
+(typeattribute app_zygote_tmpfs_30_0)
+(typeattribute appdomain)
+(typeattribute appdomain_tmpfs_30_0)
+(typeattribute appops_service_30_0)
+(typeattribute appwidget_service_30_0)
+(typeattribute art_apex_dir_30_0)
+(typeattribute asec_apk_file_30_0)
+(typeattribute asec_image_file_30_0)
+(typeattribute asec_public_file_30_0)
+(typeattribute ashmem_device_30_0)
+(typeattribute ashmem_libcutils_device_30_0)
+(typeattribute assetatlas_service_30_0)
+(typeattribute audio_data_file_30_0)
+(typeattribute audio_device_30_0)
+(typeattribute audio_prop_30_0)
+(typeattribute audio_service_30_0)
+(typeattribute audiohal_data_file_30_0)
+(typeattribute audioserver_30_0)
+(typeattribute audioserver_data_file_30_0)
+(typeattribute audioserver_service_30_0)
+(typeattribute audioserver_tmpfs_30_0)
+(typeattribute auth_service_30_0)
+(typeattribute autofill_service_30_0)
+(typeattribute automotive_display_service_server)
+(typeattribute backup_data_file_30_0)
+(typeattribute backup_service_30_0)
+(typeattribute base_typeattr_100_30_0)
+(typeattribute base_typeattr_101_30_0)
+(typeattribute base_typeattr_102_30_0)
+(typeattribute base_typeattr_103_30_0)
+(typeattribute base_typeattr_104_30_0)
+(typeattribute base_typeattr_105_30_0)
+(typeattribute base_typeattr_106_30_0)
+(typeattribute base_typeattr_107_30_0)
+(typeattribute base_typeattr_108_30_0)
+(typeattribute base_typeattr_109_30_0)
+(typeattribute base_typeattr_10_30_0)
+(typeattribute base_typeattr_110_30_0)
+(typeattribute base_typeattr_111_30_0)
+(typeattribute base_typeattr_112_30_0)
+(typeattribute base_typeattr_113_30_0)
+(typeattribute base_typeattr_114_30_0)
+(typeattribute base_typeattr_115_30_0)
+(typeattribute base_typeattr_116_30_0)
+(typeattribute base_typeattr_117_30_0)
+(typeattribute base_typeattr_118_30_0)
+(typeattribute base_typeattr_119_30_0)
+(typeattribute base_typeattr_11_30_0)
+(typeattribute base_typeattr_120_30_0)
+(typeattribute base_typeattr_121_30_0)
+(typeattribute base_typeattr_122_30_0)
+(typeattribute base_typeattr_123_30_0)
+(typeattribute base_typeattr_124_30_0)
+(typeattribute base_typeattr_125_30_0)
+(typeattribute base_typeattr_126_30_0)
+(typeattribute base_typeattr_127_30_0)
+(typeattribute base_typeattr_128_30_0)
+(typeattribute base_typeattr_129_30_0)
+(typeattribute base_typeattr_12_30_0)
+(typeattribute base_typeattr_130_30_0)
+(typeattribute base_typeattr_131_30_0)
+(typeattribute base_typeattr_132_30_0)
+(typeattribute base_typeattr_133_30_0)
+(typeattribute base_typeattr_134_30_0)
+(typeattribute base_typeattr_135_30_0)
+(typeattribute base_typeattr_136_30_0)
+(typeattribute base_typeattr_137_30_0)
+(typeattribute base_typeattr_138_30_0)
+(typeattribute base_typeattr_139_30_0)
+(typeattribute base_typeattr_13_30_0)
+(typeattribute base_typeattr_140_30_0)
+(typeattribute base_typeattr_141_30_0)
+(typeattribute base_typeattr_142_30_0)
+(typeattribute base_typeattr_143_30_0)
+(typeattribute base_typeattr_144_30_0)
+(typeattribute base_typeattr_145_30_0)
+(typeattribute base_typeattr_146_30_0)
+(typeattribute base_typeattr_147_30_0)
+(typeattribute base_typeattr_148_30_0)
+(typeattribute base_typeattr_149_30_0)
+(typeattribute base_typeattr_14_30_0)
+(typeattribute base_typeattr_150_30_0)
+(typeattribute base_typeattr_151_30_0)
+(typeattribute base_typeattr_152_30_0)
+(typeattribute base_typeattr_153_30_0)
+(typeattribute base_typeattr_154_30_0)
+(typeattribute base_typeattr_155_30_0)
+(typeattribute base_typeattr_156_30_0)
+(typeattribute base_typeattr_157_30_0)
+(typeattribute base_typeattr_158_30_0)
+(typeattribute base_typeattr_159_30_0)
+(typeattribute base_typeattr_15_30_0)
+(typeattribute base_typeattr_160_30_0)
+(typeattribute base_typeattr_161_30_0)
+(typeattribute base_typeattr_162_30_0)
+(typeattribute base_typeattr_163_30_0)
+(typeattribute base_typeattr_164_30_0)
+(typeattribute base_typeattr_165_30_0)
+(typeattribute base_typeattr_166_30_0)
+(typeattribute base_typeattr_167_30_0)
+(typeattribute base_typeattr_168_30_0)
+(typeattribute base_typeattr_169_30_0)
+(typeattribute base_typeattr_16_30_0)
+(typeattribute base_typeattr_170_30_0)
+(typeattribute base_typeattr_171_30_0)
+(typeattribute base_typeattr_172_30_0)
+(typeattribute base_typeattr_173_30_0)
+(typeattribute base_typeattr_174_30_0)
+(typeattribute base_typeattr_175_30_0)
+(typeattribute base_typeattr_176_30_0)
+(typeattribute base_typeattr_177_30_0)
+(typeattribute base_typeattr_178_30_0)
+(typeattribute base_typeattr_179_30_0)
+(typeattribute base_typeattr_17_30_0)
+(typeattribute base_typeattr_180_30_0)
+(typeattribute base_typeattr_181_30_0)
+(typeattribute base_typeattr_182_30_0)
+(typeattribute base_typeattr_183_30_0)
+(typeattribute base_typeattr_184_30_0)
+(typeattribute base_typeattr_185_30_0)
+(typeattribute base_typeattr_186_30_0)
+(typeattribute base_typeattr_187_30_0)
+(typeattribute base_typeattr_188_30_0)
+(typeattribute base_typeattr_189_30_0)
+(typeattribute base_typeattr_18_30_0)
+(typeattribute base_typeattr_190_30_0)
+(typeattribute base_typeattr_191_30_0)
+(typeattribute base_typeattr_192_30_0)
+(typeattribute base_typeattr_193_30_0)
+(typeattribute base_typeattr_194_30_0)
+(typeattribute base_typeattr_195_30_0)
+(typeattribute base_typeattr_196_30_0)
+(typeattribute base_typeattr_197_30_0)
+(typeattribute base_typeattr_198_30_0)
+(typeattribute base_typeattr_199_30_0)
+(typeattribute base_typeattr_19_30_0)
+(typeattribute base_typeattr_1_30_0)
+(typeattribute base_typeattr_200_30_0)
+(typeattribute base_typeattr_201_30_0)
+(typeattribute base_typeattr_202_30_0)
+(typeattribute base_typeattr_203_30_0)
+(typeattribute base_typeattr_204_30_0)
+(typeattribute base_typeattr_205_30_0)
+(typeattribute base_typeattr_206_30_0)
+(typeattribute base_typeattr_207_30_0)
+(typeattribute base_typeattr_208_30_0)
+(typeattribute base_typeattr_209_30_0)
+(typeattribute base_typeattr_20_30_0)
+(typeattribute base_typeattr_210_30_0)
+(typeattribute base_typeattr_211_30_0)
+(typeattribute base_typeattr_212_30_0)
+(typeattribute base_typeattr_213_30_0)
+(typeattribute base_typeattr_214_30_0)
+(typeattribute base_typeattr_215_30_0)
+(typeattribute base_typeattr_216_30_0)
+(typeattribute base_typeattr_217_30_0)
+(typeattribute base_typeattr_218_30_0)
+(typeattribute base_typeattr_219_30_0)
+(typeattribute base_typeattr_21_30_0)
+(typeattribute base_typeattr_220_30_0)
+(typeattribute base_typeattr_221_30_0)
+(typeattribute base_typeattr_222_30_0)
+(typeattribute base_typeattr_223_30_0)
+(typeattribute base_typeattr_224_30_0)
+(typeattribute base_typeattr_225_30_0)
+(typeattribute base_typeattr_226_30_0)
+(typeattribute base_typeattr_227_30_0)
+(typeattribute base_typeattr_228_30_0)
+(typeattribute base_typeattr_229_30_0)
+(typeattribute base_typeattr_22_30_0)
+(typeattribute base_typeattr_230_30_0)
+(typeattribute base_typeattr_231_30_0)
+(typeattribute base_typeattr_232_30_0)
+(typeattribute base_typeattr_233_30_0)
+(typeattribute base_typeattr_234_30_0)
+(typeattribute base_typeattr_235_30_0)
+(typeattribute base_typeattr_236_30_0)
+(typeattribute base_typeattr_237_30_0)
+(typeattribute base_typeattr_238_30_0)
+(typeattribute base_typeattr_239_30_0)
+(typeattribute base_typeattr_23_30_0)
+(typeattribute base_typeattr_240_30_0)
+(typeattribute base_typeattr_241_30_0)
+(typeattribute base_typeattr_242_30_0)
+(typeattribute base_typeattr_243_30_0)
+(typeattribute base_typeattr_244_30_0)
+(typeattribute base_typeattr_245_30_0)
+(typeattribute base_typeattr_246_30_0)
+(typeattribute base_typeattr_247_30_0)
+(typeattribute base_typeattr_248_30_0)
+(typeattribute base_typeattr_249_30_0)
+(typeattribute base_typeattr_24_30_0)
+(typeattribute base_typeattr_250_30_0)
+(typeattribute base_typeattr_251_30_0)
+(typeattribute base_typeattr_252_30_0)
+(typeattribute base_typeattr_253_30_0)
+(typeattribute base_typeattr_254_30_0)
+(typeattribute base_typeattr_255_30_0)
+(typeattribute base_typeattr_256_30_0)
+(typeattribute base_typeattr_257_30_0)
+(typeattribute base_typeattr_258_30_0)
+(typeattribute base_typeattr_259_30_0)
+(typeattribute base_typeattr_25_30_0)
+(typeattribute base_typeattr_260_30_0)
+(typeattribute base_typeattr_261_30_0)
+(typeattribute base_typeattr_262_30_0)
+(typeattribute base_typeattr_263_30_0)
+(typeattribute base_typeattr_264_30_0)
+(typeattribute base_typeattr_265_30_0)
+(typeattribute base_typeattr_266_30_0)
+(typeattribute base_typeattr_267_30_0)
+(typeattribute base_typeattr_268_30_0)
+(typeattribute base_typeattr_269_30_0)
+(typeattribute base_typeattr_26_30_0)
+(typeattribute base_typeattr_270_30_0)
+(typeattribute base_typeattr_271_30_0)
+(typeattribute base_typeattr_272_30_0)
+(typeattribute base_typeattr_273_30_0)
+(typeattribute base_typeattr_274_30_0)
+(typeattribute base_typeattr_275_30_0)
+(typeattribute base_typeattr_276_30_0)
+(typeattribute base_typeattr_277_30_0)
+(typeattribute base_typeattr_278_30_0)
+(typeattribute base_typeattr_279_30_0)
+(typeattribute base_typeattr_27_30_0)
+(typeattribute base_typeattr_280_30_0)
+(typeattribute base_typeattr_281_30_0)
+(typeattribute base_typeattr_282_30_0)
+(typeattribute base_typeattr_283_30_0)
+(typeattribute base_typeattr_284_30_0)
+(typeattribute base_typeattr_285_30_0)
+(typeattribute base_typeattr_286_30_0)
+(typeattribute base_typeattr_287_30_0)
+(typeattribute base_typeattr_288_30_0)
+(typeattribute base_typeattr_289_30_0)
+(typeattribute base_typeattr_28_30_0)
+(typeattribute base_typeattr_290_30_0)
+(typeattribute base_typeattr_291_30_0)
+(typeattribute base_typeattr_292_30_0)
+(typeattribute base_typeattr_293_30_0)
+(typeattribute base_typeattr_294_30_0)
+(typeattribute base_typeattr_295_30_0)
+(typeattribute base_typeattr_296_30_0)
+(typeattribute base_typeattr_297_30_0)
+(typeattribute base_typeattr_298_30_0)
+(typeattribute base_typeattr_299_30_0)
+(typeattribute base_typeattr_29_30_0)
+(typeattribute base_typeattr_2_30_0)
+(typeattribute base_typeattr_300_30_0)
+(typeattribute base_typeattr_301_30_0)
+(typeattribute base_typeattr_302_30_0)
+(typeattribute base_typeattr_303_30_0)
+(typeattribute base_typeattr_304_30_0)
+(typeattribute base_typeattr_305_30_0)
+(typeattribute base_typeattr_306_30_0)
+(typeattribute base_typeattr_307_30_0)
+(typeattribute base_typeattr_308_30_0)
+(typeattribute base_typeattr_309_30_0)
+(typeattribute base_typeattr_30_30_0)
+(typeattribute base_typeattr_310_30_0)
+(typeattribute base_typeattr_311_30_0)
+(typeattribute base_typeattr_312_30_0)
+(typeattribute base_typeattr_313_30_0)
+(typeattribute base_typeattr_314_30_0)
+(typeattribute base_typeattr_315_30_0)
+(typeattribute base_typeattr_316_30_0)
+(typeattribute base_typeattr_317_30_0)
+(typeattribute base_typeattr_318_30_0)
+(typeattribute base_typeattr_319_30_0)
+(typeattribute base_typeattr_31_30_0)
+(typeattribute base_typeattr_320_30_0)
+(typeattribute base_typeattr_321_30_0)
+(typeattribute base_typeattr_322_30_0)
+(typeattribute base_typeattr_323_30_0)
+(typeattribute base_typeattr_324_30_0)
+(typeattribute base_typeattr_325_30_0)
+(typeattribute base_typeattr_326_30_0)
+(typeattribute base_typeattr_327_30_0)
+(typeattribute base_typeattr_328_30_0)
+(typeattribute base_typeattr_329_30_0)
+(typeattribute base_typeattr_32_30_0)
+(typeattribute base_typeattr_330_30_0)
+(typeattribute base_typeattr_331_30_0)
+(typeattribute base_typeattr_332_30_0)
+(typeattribute base_typeattr_333_30_0)
+(typeattribute base_typeattr_334_30_0)
+(typeattribute base_typeattr_335_30_0)
+(typeattribute base_typeattr_336_30_0)
+(typeattribute base_typeattr_337_30_0)
+(typeattribute base_typeattr_338_30_0)
+(typeattribute base_typeattr_339_30_0)
+(typeattribute base_typeattr_33_30_0)
+(typeattribute base_typeattr_340_30_0)
+(typeattribute base_typeattr_341_30_0)
+(typeattribute base_typeattr_342_30_0)
+(typeattribute base_typeattr_343_30_0)
+(typeattribute base_typeattr_344_30_0)
+(typeattribute base_typeattr_345_30_0)
+(typeattribute base_typeattr_346_30_0)
+(typeattribute base_typeattr_347_30_0)
+(typeattribute base_typeattr_348_30_0)
+(typeattribute base_typeattr_349_30_0)
+(typeattribute base_typeattr_34_30_0)
+(typeattribute base_typeattr_350_30_0)
+(typeattribute base_typeattr_351_30_0)
+(typeattribute base_typeattr_352_30_0)
+(typeattribute base_typeattr_353_30_0)
+(typeattribute base_typeattr_354_30_0)
+(typeattribute base_typeattr_355_30_0)
+(typeattribute base_typeattr_356_30_0)
+(typeattribute base_typeattr_357_30_0)
+(typeattribute base_typeattr_358_30_0)
+(typeattribute base_typeattr_359_30_0)
+(typeattribute base_typeattr_35_30_0)
+(typeattribute base_typeattr_360_30_0)
+(typeattribute base_typeattr_361_30_0)
+(typeattribute base_typeattr_362_30_0)
+(typeattribute base_typeattr_363_30_0)
+(typeattribute base_typeattr_364_30_0)
+(typeattribute base_typeattr_365_30_0)
+(typeattribute base_typeattr_366_30_0)
+(typeattribute base_typeattr_367_30_0)
+(typeattribute base_typeattr_368_30_0)
+(typeattribute base_typeattr_369_30_0)
+(typeattribute base_typeattr_36_30_0)
+(typeattribute base_typeattr_370_30_0)
+(typeattribute base_typeattr_371_30_0)
+(typeattribute base_typeattr_372_30_0)
+(typeattribute base_typeattr_373_30_0)
+(typeattribute base_typeattr_374_30_0)
+(typeattribute base_typeattr_375_30_0)
+(typeattribute base_typeattr_376_30_0)
+(typeattribute base_typeattr_377_30_0)
+(typeattribute base_typeattr_378_30_0)
+(typeattribute base_typeattr_379_30_0)
+(typeattribute base_typeattr_37_30_0)
+(typeattribute base_typeattr_380_30_0)
+(typeattribute base_typeattr_381_30_0)
+(typeattribute base_typeattr_382_30_0)
+(typeattribute base_typeattr_383_30_0)
+(typeattribute base_typeattr_384_30_0)
+(typeattribute base_typeattr_385_30_0)
+(typeattribute base_typeattr_386_30_0)
+(typeattribute base_typeattr_387_30_0)
+(typeattribute base_typeattr_388_30_0)
+(typeattribute base_typeattr_389_30_0)
+(typeattribute base_typeattr_38_30_0)
+(typeattribute base_typeattr_390_30_0)
+(typeattribute base_typeattr_391_30_0)
+(typeattribute base_typeattr_392_30_0)
+(typeattribute base_typeattr_393_30_0)
+(typeattribute base_typeattr_394_30_0)
+(typeattribute base_typeattr_395_30_0)
+(typeattribute base_typeattr_396_30_0)
+(typeattribute base_typeattr_397_30_0)
+(typeattribute base_typeattr_398_30_0)
+(typeattribute base_typeattr_399_30_0)
+(typeattribute base_typeattr_39_30_0)
+(typeattribute base_typeattr_3_30_0)
+(typeattribute base_typeattr_400_30_0)
+(typeattribute base_typeattr_401_30_0)
+(typeattribute base_typeattr_402_30_0)
+(typeattribute base_typeattr_403_30_0)
+(typeattribute base_typeattr_404_30_0)
+(typeattribute base_typeattr_405_30_0)
+(typeattribute base_typeattr_406_30_0)
+(typeattribute base_typeattr_407_30_0)
+(typeattribute base_typeattr_408_30_0)
+(typeattribute base_typeattr_409_30_0)
+(typeattribute base_typeattr_40_30_0)
+(typeattribute base_typeattr_410_30_0)
+(typeattribute base_typeattr_411_30_0)
+(typeattribute base_typeattr_412_30_0)
+(typeattribute base_typeattr_413_30_0)
+(typeattribute base_typeattr_414_30_0)
+(typeattribute base_typeattr_415_30_0)
+(typeattribute base_typeattr_416_30_0)
+(typeattribute base_typeattr_417_30_0)
+(typeattribute base_typeattr_418_30_0)
+(typeattribute base_typeattr_419_30_0)
+(typeattribute base_typeattr_41_30_0)
+(typeattribute base_typeattr_420_30_0)
+(typeattribute base_typeattr_421_30_0)
+(typeattribute base_typeattr_422_30_0)
+(typeattribute base_typeattr_423_30_0)
+(typeattribute base_typeattr_424_30_0)
+(typeattribute base_typeattr_425_30_0)
+(typeattribute base_typeattr_426_30_0)
+(typeattribute base_typeattr_427_30_0)
+(typeattribute base_typeattr_428_30_0)
+(typeattribute base_typeattr_429_30_0)
+(typeattribute base_typeattr_42_30_0)
+(typeattribute base_typeattr_430_30_0)
+(typeattribute base_typeattr_431_30_0)
+(typeattribute base_typeattr_432_30_0)
+(typeattribute base_typeattr_433_30_0)
+(typeattribute base_typeattr_434_30_0)
+(typeattribute base_typeattr_435_30_0)
+(typeattribute base_typeattr_436_30_0)
+(typeattribute base_typeattr_437_30_0)
+(typeattribute base_typeattr_438_30_0)
+(typeattribute base_typeattr_439_30_0)
+(typeattribute base_typeattr_43_30_0)
+(typeattribute base_typeattr_440_30_0)
+(typeattribute base_typeattr_441_30_0)
+(typeattribute base_typeattr_442_30_0)
+(typeattribute base_typeattr_443_30_0)
+(typeattribute base_typeattr_444_30_0)
+(typeattribute base_typeattr_445_30_0)
+(typeattribute base_typeattr_446_30_0)
+(typeattribute base_typeattr_447_30_0)
+(typeattribute base_typeattr_448_30_0)
+(typeattribute base_typeattr_449_30_0)
+(typeattribute base_typeattr_44_30_0)
+(typeattribute base_typeattr_450_30_0)
+(typeattribute base_typeattr_451_30_0)
+(typeattribute base_typeattr_452_30_0)
+(typeattribute base_typeattr_453_30_0)
+(typeattribute base_typeattr_454_30_0)
+(typeattribute base_typeattr_455_30_0)
+(typeattribute base_typeattr_456_30_0)
+(typeattribute base_typeattr_457_30_0)
+(typeattribute base_typeattr_458_30_0)
+(typeattribute base_typeattr_459_30_0)
+(typeattribute base_typeattr_45_30_0)
+(typeattribute base_typeattr_460_30_0)
+(typeattribute base_typeattr_461_30_0)
+(typeattribute base_typeattr_462_30_0)
+(typeattribute base_typeattr_463_30_0)
+(typeattribute base_typeattr_464_30_0)
+(typeattribute base_typeattr_465_30_0)
+(typeattribute base_typeattr_466_30_0)
+(typeattribute base_typeattr_467_30_0)
+(typeattribute base_typeattr_468_30_0)
+(typeattribute base_typeattr_469_30_0)
+(typeattribute base_typeattr_46_30_0)
+(typeattribute base_typeattr_470_30_0)
+(typeattribute base_typeattr_471_30_0)
+(typeattribute base_typeattr_472_30_0)
+(typeattribute base_typeattr_473_30_0)
+(typeattribute base_typeattr_474_30_0)
+(typeattribute base_typeattr_475_30_0)
+(typeattribute base_typeattr_476_30_0)
+(typeattribute base_typeattr_477_30_0)
+(typeattribute base_typeattr_478_30_0)
+(typeattribute base_typeattr_479_30_0)
+(typeattribute base_typeattr_47_30_0)
+(typeattribute base_typeattr_480_30_0)
+(typeattribute base_typeattr_481_30_0)
+(typeattribute base_typeattr_482_30_0)
+(typeattribute base_typeattr_483_30_0)
+(typeattribute base_typeattr_484_30_0)
+(typeattribute base_typeattr_485_30_0)
+(typeattribute base_typeattr_486_30_0)
+(typeattribute base_typeattr_487_30_0)
+(typeattribute base_typeattr_488_30_0)
+(typeattribute base_typeattr_489_30_0)
+(typeattribute base_typeattr_48_30_0)
+(typeattribute base_typeattr_490_30_0)
+(typeattribute base_typeattr_491_30_0)
+(typeattribute base_typeattr_492_30_0)
+(typeattribute base_typeattr_493_30_0)
+(typeattribute base_typeattr_494_30_0)
+(typeattribute base_typeattr_495_30_0)
+(typeattribute base_typeattr_496_30_0)
+(typeattribute base_typeattr_497_30_0)
+(typeattribute base_typeattr_498_30_0)
+(typeattribute base_typeattr_499_30_0)
+(typeattribute base_typeattr_49_30_0)
+(typeattribute base_typeattr_4_30_0)
+(typeattribute base_typeattr_500_30_0)
+(typeattribute base_typeattr_501_30_0)
+(typeattribute base_typeattr_502_30_0)
+(typeattribute base_typeattr_503_30_0)
+(typeattribute base_typeattr_504_30_0)
+(typeattribute base_typeattr_505_30_0)
+(typeattribute base_typeattr_506_30_0)
+(typeattribute base_typeattr_507_30_0)
+(typeattribute base_typeattr_508_30_0)
+(typeattribute base_typeattr_509_30_0)
+(typeattribute base_typeattr_50_30_0)
+(typeattribute base_typeattr_510_30_0)
+(typeattribute base_typeattr_511_30_0)
+(typeattribute base_typeattr_512_30_0)
+(typeattribute base_typeattr_513_30_0)
+(typeattribute base_typeattr_514_30_0)
+(typeattribute base_typeattr_515_30_0)
+(typeattribute base_typeattr_516_30_0)
+(typeattribute base_typeattr_517_30_0)
+(typeattribute base_typeattr_518_30_0)
+(typeattribute base_typeattr_519_30_0)
+(typeattribute base_typeattr_51_30_0)
+(typeattribute base_typeattr_520_30_0)
+(typeattribute base_typeattr_521_30_0)
+(typeattribute base_typeattr_522_30_0)
+(typeattribute base_typeattr_523_30_0)
+(typeattribute base_typeattr_524_30_0)
+(typeattribute base_typeattr_525_30_0)
+(typeattribute base_typeattr_526_30_0)
+(typeattribute base_typeattr_527_30_0)
+(typeattribute base_typeattr_528_30_0)
+(typeattribute base_typeattr_529_30_0)
+(typeattribute base_typeattr_52_30_0)
+(typeattribute base_typeattr_530_30_0)
+(typeattribute base_typeattr_531_30_0)
+(typeattribute base_typeattr_532_30_0)
+(typeattribute base_typeattr_533_30_0)
+(typeattribute base_typeattr_534_30_0)
+(typeattribute base_typeattr_535_30_0)
+(typeattribute base_typeattr_536_30_0)
+(typeattribute base_typeattr_537_30_0)
+(typeattribute base_typeattr_538_30_0)
+(typeattribute base_typeattr_539_30_0)
+(typeattribute base_typeattr_53_30_0)
+(typeattribute base_typeattr_540_30_0)
+(typeattribute base_typeattr_541_30_0)
+(typeattribute base_typeattr_542_30_0)
+(typeattribute base_typeattr_543_30_0)
+(typeattribute base_typeattr_544_30_0)
+(typeattribute base_typeattr_545_30_0)
+(typeattribute base_typeattr_546_30_0)
+(typeattribute base_typeattr_547_30_0)
+(typeattribute base_typeattr_548_30_0)
+(typeattribute base_typeattr_54_30_0)
+(typeattribute base_typeattr_55_30_0)
+(typeattribute base_typeattr_56_30_0)
+(typeattribute base_typeattr_57_30_0)
+(typeattribute base_typeattr_58_30_0)
+(typeattribute base_typeattr_59_30_0)
+(typeattribute base_typeattr_5_30_0)
+(typeattribute base_typeattr_60_30_0)
+(typeattribute base_typeattr_61_30_0)
+(typeattribute base_typeattr_62_30_0)
+(typeattribute base_typeattr_63_30_0)
+(typeattribute base_typeattr_64_30_0)
+(typeattribute base_typeattr_65_30_0)
+(typeattribute base_typeattr_66_30_0)
+(typeattribute base_typeattr_67_30_0)
+(typeattribute base_typeattr_68_30_0)
+(typeattribute base_typeattr_69_30_0)
+(typeattribute base_typeattr_6_30_0)
+(typeattribute base_typeattr_70_30_0)
+(typeattribute base_typeattr_71_30_0)
+(typeattribute base_typeattr_72_30_0)
+(typeattribute base_typeattr_73_30_0)
+(typeattribute base_typeattr_74_30_0)
+(typeattribute base_typeattr_75_30_0)
+(typeattribute base_typeattr_76_30_0)
+(typeattribute base_typeattr_77_30_0)
+(typeattribute base_typeattr_78_30_0)
+(typeattribute base_typeattr_79_30_0)
+(typeattribute base_typeattr_7_30_0)
+(typeattribute base_typeattr_80_30_0)
+(typeattribute base_typeattr_81_30_0)
+(typeattribute base_typeattr_82_30_0)
+(typeattribute base_typeattr_83_30_0)
+(typeattribute base_typeattr_84_30_0)
+(typeattribute base_typeattr_85_30_0)
+(typeattribute base_typeattr_86_30_0)
+(typeattribute base_typeattr_87_30_0)
+(typeattribute base_typeattr_88_30_0)
+(typeattribute base_typeattr_89_30_0)
+(typeattribute base_typeattr_8_30_0)
+(typeattribute base_typeattr_90_30_0)
+(typeattribute base_typeattr_91_30_0)
+(typeattribute base_typeattr_92_30_0)
+(typeattribute base_typeattr_93_30_0)
+(typeattribute base_typeattr_94_30_0)
+(typeattribute base_typeattr_95_30_0)
+(typeattribute base_typeattr_96_30_0)
+(typeattribute base_typeattr_97_30_0)
+(typeattribute base_typeattr_98_30_0)
+(typeattribute base_typeattr_99_30_0)
+(typeattribute base_typeattr_9_30_0)
+(typeattribute battery_service_30_0)
+(typeattribute batteryproperties_service_30_0)
+(typeattribute batterystats_service_30_0)
+(typeattribute binder_cache_bluetooth_server_prop_30_0)
+(typeattribute binder_cache_system_server_prop_30_0)
+(typeattribute binder_cache_telephony_server_prop_30_0)
+(typeattribute binder_calls_stats_service_30_0)
+(typeattribute binder_device_30_0)
+(typeattribute binder_in_vendor_violators)
+(typeattribute binderfs_30_0)
+(typeattribute binderfs_logs_30_0)
+(typeattribute binderfs_logs_proc_30_0)
+(typeattribute binderservicedomain)
+(typeattribute binfmt_miscfs_30_0)
+(typeattribute biometric_service_30_0)
+(typeattribute blkid_30_0)
+(typeattribute blkid_untrusted_30_0)
+(typeattribute blob_store_service_30_0)
+(typeattribute block_device_30_0)
+(typeattribute bluetooth_30_0)
+(typeattribute bluetooth_a2dp_offload_prop_30_0)
+(typeattribute bluetooth_audio_hal_prop_30_0)
+(typeattribute bluetooth_data_file_30_0)
+(typeattribute bluetooth_efs_file_30_0)
+(typeattribute bluetooth_logs_data_file_30_0)
+(typeattribute bluetooth_manager_service_30_0)
+(typeattribute bluetooth_prop_30_0)
+(typeattribute bluetooth_service_30_0)
+(typeattribute bluetooth_socket_30_0)
+(typeattribute bluetoothdomain)
+(typeattribute boot_block_device_30_0)
+(typeattribute bootanim_30_0)
+(typeattribute bootanim_exec_30_0)
+(typeattribute bootchart_data_file_30_0)
+(typeattribute bootloader_boot_reason_prop_30_0)
+(typeattribute bootstat_30_0)
+(typeattribute bootstat_data_file_30_0)
+(typeattribute bootstat_exec_30_0)
+(typeattribute boottime_prop_30_0)
+(typeattribute boottime_public_prop_30_0)
+(typeattribute boottrace_data_file_30_0)
+(typeattribute bpf_progs_loaded_prop_30_0)
+(typeattribute bq_config_prop_30_0)
+(typeattribute broadcastradio_service_30_0)
+(typeattribute bufferhubd_30_0)
+(typeattribute bufferhubd_exec_30_0)
+(typeattribute bugreport_service_30_0)
+(typeattribute cache_backup_file_30_0)
+(typeattribute cache_block_device_30_0)
+(typeattribute cache_file_30_0)
+(typeattribute cache_private_backup_file_30_0)
+(typeattribute cache_recovery_file_30_0)
+(typeattribute cacheinfo_service_30_0)
+(typeattribute camera_data_file_30_0)
+(typeattribute camera_device_30_0)
+(typeattribute camera_service_server)
+(typeattribute cameraproxy_service_30_0)
+(typeattribute cameraserver_30_0)
+(typeattribute cameraserver_exec_30_0)
+(typeattribute cameraserver_service_30_0)
+(typeattribute cameraserver_tmpfs_30_0)
+(typeattribute cgroup_30_0)
+(typeattribute cgroup_bpf_30_0)
+(typeattribute cgroup_desc_file_30_0)
+(typeattribute cgroup_rc_file_30_0)
+(typeattribute charger_30_0)
+(typeattribute charger_exec_30_0)
+(typeattribute charger_prop_30_0)
+(typeattribute clipboard_service_30_0)
+(typeattribute cold_boot_done_prop_30_0)
+(typeattribute color_display_service_30_0)
+(typeattribute companion_device_service_30_0)
+(typeattribute config_prop_30_0)
+(typeattribute configfs_30_0)
+(typeattribute connectivity_service_30_0)
+(typeattribute connmetrics_service_30_0)
+(typeattribute console_device_30_0)
+(typeattribute consumer_ir_service_30_0)
+(typeattribute content_capture_service_30_0)
+(typeattribute content_service_30_0)
+(typeattribute content_suggestions_service_30_0)
+(typeattribute contexthub_service_30_0)
+(typeattribute contextmount_type)
+(typeattribute core_data_file_type)
+(typeattribute core_property_type)
+(typeattribute coredomain)
+(typeattribute coredomain_hwservice)
+(typeattribute coredomain_socket)
+(typeattribute coredump_file_30_0)
+(typeattribute country_detector_service_30_0)
+(typeattribute coverage_service_30_0)
+(typeattribute cppreopt_prop_30_0)
+(typeattribute cpu_variant_prop_30_0)
+(typeattribute cpuinfo_service_30_0)
+(typeattribute crash_dump_30_0)
+(typeattribute crash_dump_exec_30_0)
+(typeattribute credstore_30_0)
+(typeattribute credstore_data_file_30_0)
+(typeattribute credstore_exec_30_0)
+(typeattribute credstore_service_30_0)
+(typeattribute crossprofileapps_service_30_0)
+(typeattribute ctl_adbd_prop_30_0)
+(typeattribute ctl_apexd_prop_30_0)
+(typeattribute ctl_bootanim_prop_30_0)
+(typeattribute ctl_bugreport_prop_30_0)
+(typeattribute ctl_console_prop_30_0)
+(typeattribute ctl_default_prop_30_0)
+(typeattribute ctl_dumpstate_prop_30_0)
+(typeattribute ctl_fuse_prop_30_0)
+(typeattribute ctl_gsid_prop_30_0)
+(typeattribute ctl_interface_restart_prop_30_0)
+(typeattribute ctl_interface_start_prop_30_0)
+(typeattribute ctl_interface_stop_prop_30_0)
+(typeattribute ctl_mdnsd_prop_30_0)
+(typeattribute ctl_restart_prop_30_0)
+(typeattribute ctl_rildaemon_prop_30_0)
+(typeattribute ctl_sigstop_prop_30_0)
+(typeattribute ctl_start_prop_30_0)
+(typeattribute ctl_stop_prop_30_0)
+(typeattribute dalvik_prop_30_0)
+(typeattribute dalvikcache_data_file_30_0)
+(typeattribute data_between_core_and_vendor_violators)
+(typeattribute data_file_type)
+(typeattribute dataloader_manager_service_30_0)
+(typeattribute dbinfo_service_30_0)
+(typeattribute debug_prop_30_0)
+(typeattribute debugfs_30_0)
+(typeattribute debugfs_kprobes_30_0)
+(typeattribute debugfs_mmc_30_0)
+(typeattribute debugfs_trace_marker_30_0)
+(typeattribute debugfs_tracing_30_0)
+(typeattribute debugfs_tracing_debug_30_0)
+(typeattribute debugfs_tracing_instances_30_0)
+(typeattribute debugfs_type)
+(typeattribute debugfs_wakeup_sources_30_0)
+(typeattribute debugfs_wifi_tracing_30_0)
+(typeattribute debuggerd_prop_30_0)
+(typeattribute default_android_hwservice_30_0)
+(typeattribute default_android_service_30_0)
+(typeattribute default_android_vndservice_30_0)
+(typeattribute default_prop_30_0)
+(typeattribute dev_cpu_variant_30_0)
+(typeattribute dev_type)
+(typeattribute device_30_0)
+(typeattribute device_config_activity_manager_native_boot_prop_30_0)
+(typeattribute device_config_boot_count_prop_30_0)
+(typeattribute device_config_configuration_prop_30_0)
+(typeattribute device_config_input_native_boot_prop_30_0)
+(typeattribute device_config_media_native_prop_30_0)
+(typeattribute device_config_netd_native_prop_30_0)
+(typeattribute device_config_reset_performed_prop_30_0)
+(typeattribute device_config_runtime_native_boot_prop_30_0)
+(typeattribute device_config_runtime_native_prop_30_0)
+(typeattribute device_config_service_30_0)
+(typeattribute device_config_storage_native_boot_prop_30_0)
+(typeattribute device_config_sys_traced_prop_30_0)
+(typeattribute device_config_window_manager_native_boot_prop_30_0)
+(typeattribute device_identifiers_service_30_0)
+(typeattribute device_logging_prop_30_0)
+(typeattribute device_policy_service_30_0)
+(typeattribute deviceidle_service_30_0)
+(typeattribute devicestoragemonitor_service_30_0)
+(typeattribute devpts_30_0)
+(typeattribute dhcp_30_0)
+(typeattribute dhcp_data_file_30_0)
+(typeattribute dhcp_exec_30_0)
+(typeattribute dhcp_prop_30_0)
+(typeattribute diskstats_service_30_0)
+(typeattribute display_service_30_0)
+(typeattribute display_service_server)
+(typeattribute dm_device_30_0)
+(typeattribute dnsmasq_30_0)
+(typeattribute dnsmasq_exec_30_0)
+(typeattribute dnsproxyd_socket_30_0)
+(typeattribute dnsresolver_service_30_0)
+(typeattribute domain)
+(typeattribute dreams_service_30_0)
+(typeattribute drm_data_file_30_0)
+(typeattribute drmserver_30_0)
+(typeattribute drmserver_exec_30_0)
+(typeattribute drmserver_service_30_0)
+(typeattribute drmserver_socket_30_0)
+(typeattribute dropbox_data_file_30_0)
+(typeattribute dropbox_service_30_0)
+(typeattribute dumpstate_30_0)
+(typeattribute dumpstate_exec_30_0)
+(typeattribute dumpstate_options_prop_30_0)
+(typeattribute dumpstate_prop_30_0)
+(typeattribute dumpstate_service_30_0)
+(typeattribute dumpstate_socket_30_0)
+(typeattribute dynamic_system_prop_30_0)
+(typeattribute e2fs_30_0)
+(typeattribute e2fs_exec_30_0)
+(typeattribute efs_file_30_0)
+(typeattribute emergency_affordance_service_30_0)
+(typeattribute ephemeral_app_30_0)
+(typeattribute ephemeral_app_api_service)
+(typeattribute ethernet_service_30_0)
+(typeattribute exec_type)
+(typeattribute exfat_30_0)
+(typeattribute exported2_config_prop_30_0)
+(typeattribute exported2_default_prop_30_0)
+(typeattribute exported2_radio_prop_30_0)
+(typeattribute exported2_system_prop_30_0)
+(typeattribute exported2_vold_prop_30_0)
+(typeattribute exported3_default_prop_30_0)
+(typeattribute exported3_radio_prop_30_0)
+(typeattribute exported3_system_prop_30_0)
+(typeattribute exported_audio_prop_30_0)
+(typeattribute exported_bluetooth_prop_30_0)
+(typeattribute exported_camera_prop_30_0)
+(typeattribute exported_config_prop_30_0)
+(typeattribute exported_dalvik_prop_30_0)
+(typeattribute exported_default_prop_30_0)
+(typeattribute exported_dumpstate_prop_30_0)
+(typeattribute exported_ffs_prop_30_0)
+(typeattribute exported_fingerprint_prop_30_0)
+(typeattribute exported_overlay_prop_30_0)
+(typeattribute exported_pm_prop_30_0)
+(typeattribute exported_radio_prop_30_0)
+(typeattribute exported_secure_prop_30_0)
+(typeattribute exported_system_prop_30_0)
+(typeattribute exported_system_radio_prop_30_0)
+(typeattribute exported_vold_prop_30_0)
+(typeattribute exported_wifi_prop_30_0)
+(typeattribute extended_core_property_type)
+(typeattribute external_vibrator_service_30_0)
+(typeattribute face_service_30_0)
+(typeattribute face_vendor_data_file_30_0)
+(typeattribute fastbootd_30_0)
+(typeattribute fastbootd_protocol_prop_30_0)
+(typeattribute ffs_prop_30_0)
+(typeattribute file_contexts_file_30_0)
+(typeattribute file_integrity_service_30_0)
+(typeattribute file_type)
+(typeattribute fingerprint_prop_30_0)
+(typeattribute fingerprint_service_30_0)
+(typeattribute fingerprint_vendor_data_file_30_0)
+(typeattribute fingerprintd_30_0)
+(typeattribute fingerprintd_data_file_30_0)
+(typeattribute fingerprintd_exec_30_0)
+(typeattribute fingerprintd_service_30_0)
+(typeattribute firstboot_prop_30_0)
+(typeattribute flags_health_check_30_0)
+(typeattribute flags_health_check_exec_30_0)
+(typeattribute font_service_30_0)
+(typeattribute frp_block_device_30_0)
+(typeattribute fs_bpf_30_0)
+(typeattribute fs_type)
+(typeattribute fsck_30_0)
+(typeattribute fsck_exec_30_0)
+(typeattribute fsck_untrusted_30_0)
+(typeattribute fscklogs_30_0)
+(typeattribute functionfs_30_0)
+(typeattribute fuse_30_0)
+(typeattribute fuse_device_30_0)
+(typeattribute fusectlfs_30_0)
+(typeattribute fwk_automotive_display_hwservice_30_0)
+(typeattribute fwk_bufferhub_hwservice_30_0)
+(typeattribute fwk_camera_hwservice_30_0)
+(typeattribute fwk_display_hwservice_30_0)
+(typeattribute fwk_scheduler_hwservice_30_0)
+(typeattribute fwk_sensor_hwservice_30_0)
+(typeattribute fwk_stats_hwservice_30_0)
+(typeattribute fwmarkd_socket_30_0)
+(typeattribute gatekeeper_data_file_30_0)
+(typeattribute gatekeeper_service_30_0)
+(typeattribute gatekeeperd_30_0)
+(typeattribute gatekeeperd_exec_30_0)
+(typeattribute gfxinfo_service_30_0)
+(typeattribute gmscore_app_30_0)
+(typeattribute gps_control_30_0)
+(typeattribute gpu_device_30_0)
+(typeattribute gpu_service_30_0)
+(typeattribute gpuservice_30_0)
+(typeattribute graphics_config_prop_30_0)
+(typeattribute graphics_device_30_0)
+(typeattribute graphicsstats_service_30_0)
+(typeattribute gsi_data_file_30_0)
+(typeattribute gsi_metadata_file_30_0)
+(typeattribute gsid_prop_30_0)
+(typeattribute hal_allocator)
+(typeattribute hal_allocator_client)
+(typeattribute hal_allocator_server)
+(typeattribute hal_atrace)
+(typeattribute hal_atrace_client)
+(typeattribute hal_atrace_hwservice_30_0)
+(typeattribute hal_atrace_server)
+(typeattribute hal_audio)
+(typeattribute hal_audio_client)
+(typeattribute hal_audio_hwservice_30_0)
+(typeattribute hal_audio_server)
+(typeattribute hal_audiocontrol)
+(typeattribute hal_audiocontrol_client)
+(typeattribute hal_audiocontrol_hwservice_30_0)
+(typeattribute hal_audiocontrol_server)
+(typeattribute hal_authsecret)
+(typeattribute hal_authsecret_client)
+(typeattribute hal_authsecret_hwservice_30_0)
+(typeattribute hal_authsecret_server)
+(typeattribute hal_automotive_socket_exemption)
+(typeattribute hal_bluetooth)
+(typeattribute hal_bluetooth_client)
+(typeattribute hal_bluetooth_hwservice_30_0)
+(typeattribute hal_bluetooth_server)
+(typeattribute hal_bootctl)
+(typeattribute hal_bootctl_client)
+(typeattribute hal_bootctl_hwservice_30_0)
+(typeattribute hal_bootctl_server)
+(typeattribute hal_broadcastradio)
+(typeattribute hal_broadcastradio_client)
+(typeattribute hal_broadcastradio_hwservice_30_0)
+(typeattribute hal_broadcastradio_server)
+(typeattribute hal_bufferhub)
+(typeattribute hal_bufferhub_client)
+(typeattribute hal_bufferhub_server)
+(typeattribute hal_camera)
+(typeattribute hal_camera_client)
+(typeattribute hal_camera_hwservice_30_0)
+(typeattribute hal_camera_server)
+(typeattribute hal_can_bus)
+(typeattribute hal_can_bus_client)
+(typeattribute hal_can_bus_hwservice_30_0)
+(typeattribute hal_can_bus_server)
+(typeattribute hal_can_controller)
+(typeattribute hal_can_controller_client)
+(typeattribute hal_can_controller_hwservice_30_0)
+(typeattribute hal_can_controller_server)
+(typeattribute hal_cas)
+(typeattribute hal_cas_client)
+(typeattribute hal_cas_hwservice_30_0)
+(typeattribute hal_cas_server)
+(typeattribute hal_codec2)
+(typeattribute hal_codec2_client)
+(typeattribute hal_codec2_hwservice_30_0)
+(typeattribute hal_codec2_server)
+(typeattribute hal_configstore)
+(typeattribute hal_configstore_ISurfaceFlingerConfigs_30_0)
+(typeattribute hal_configstore_client)
+(typeattribute hal_configstore_server)
+(typeattribute hal_confirmationui)
+(typeattribute hal_confirmationui_client)
+(typeattribute hal_confirmationui_hwservice_30_0)
+(typeattribute hal_confirmationui_server)
+(typeattribute hal_contexthub)
+(typeattribute hal_contexthub_client)
+(typeattribute hal_contexthub_hwservice_30_0)
+(typeattribute hal_contexthub_server)
+(typeattribute hal_drm)
+(typeattribute hal_drm_client)
+(typeattribute hal_drm_hwservice_30_0)
+(typeattribute hal_drm_server)
+(typeattribute hal_dumpstate)
+(typeattribute hal_dumpstate_client)
+(typeattribute hal_dumpstate_hwservice_30_0)
+(typeattribute hal_dumpstate_server)
+(typeattribute hal_evs)
+(typeattribute hal_evs_client)
+(typeattribute hal_evs_hwservice_30_0)
+(typeattribute hal_evs_server)
+(typeattribute hal_face)
+(typeattribute hal_face_client)
+(typeattribute hal_face_hwservice_30_0)
+(typeattribute hal_face_server)
+(typeattribute hal_fingerprint)
+(typeattribute hal_fingerprint_client)
+(typeattribute hal_fingerprint_hwservice_30_0)
+(typeattribute hal_fingerprint_server)
+(typeattribute hal_fingerprint_service_30_0)
+(typeattribute hal_gatekeeper)
+(typeattribute hal_gatekeeper_client)
+(typeattribute hal_gatekeeper_hwservice_30_0)
+(typeattribute hal_gatekeeper_server)
+(typeattribute hal_gnss)
+(typeattribute hal_gnss_client)
+(typeattribute hal_gnss_hwservice_30_0)
+(typeattribute hal_gnss_server)
+(typeattribute hal_graphics_allocator)
+(typeattribute hal_graphics_allocator_client)
+(typeattribute hal_graphics_allocator_hwservice_30_0)
+(typeattribute hal_graphics_allocator_server)
+(typeattribute hal_graphics_composer)
+(typeattribute hal_graphics_composer_client)
+(typeattribute hal_graphics_composer_client_tmpfs)
+(typeattribute hal_graphics_composer_hwservice_30_0)
+(typeattribute hal_graphics_composer_server)
+(typeattribute hal_graphics_composer_server_tmpfs_30_0)
+(typeattribute hal_graphics_mapper_hwservice_30_0)
+(typeattribute hal_health)
+(typeattribute hal_health_client)
+(typeattribute hal_health_hwservice_30_0)
+(typeattribute hal_health_server)
+(typeattribute hal_health_storage)
+(typeattribute hal_health_storage_client)
+(typeattribute hal_health_storage_hwservice_30_0)
+(typeattribute hal_health_storage_server)
+(typeattribute hal_identity)
+(typeattribute hal_identity_client)
+(typeattribute hal_identity_server)
+(typeattribute hal_identity_service_30_0)
+(typeattribute hal_input_classifier)
+(typeattribute hal_input_classifier_client)
+(typeattribute hal_input_classifier_hwservice_30_0)
+(typeattribute hal_input_classifier_server)
+(typeattribute hal_ir)
+(typeattribute hal_ir_client)
+(typeattribute hal_ir_hwservice_30_0)
+(typeattribute hal_ir_server)
+(typeattribute hal_keymaster)
+(typeattribute hal_keymaster_client)
+(typeattribute hal_keymaster_hwservice_30_0)
+(typeattribute hal_keymaster_server)
+(typeattribute hal_light)
+(typeattribute hal_light_client)
+(typeattribute hal_light_hwservice_30_0)
+(typeattribute hal_light_server)
+(typeattribute hal_light_service_30_0)
+(typeattribute hal_lowpan)
+(typeattribute hal_lowpan_client)
+(typeattribute hal_lowpan_hwservice_30_0)
+(typeattribute hal_lowpan_server)
+(typeattribute hal_memtrack)
+(typeattribute hal_memtrack_client)
+(typeattribute hal_memtrack_hwservice_30_0)
+(typeattribute hal_memtrack_server)
+(typeattribute hal_neuralnetworks)
+(typeattribute hal_neuralnetworks_client)
+(typeattribute hal_neuralnetworks_hwservice_30_0)
+(typeattribute hal_neuralnetworks_server)
+(typeattribute hal_nfc)
+(typeattribute hal_nfc_client)
+(typeattribute hal_nfc_hwservice_30_0)
+(typeattribute hal_nfc_server)
+(typeattribute hal_oemlock)
+(typeattribute hal_oemlock_client)
+(typeattribute hal_oemlock_hwservice_30_0)
+(typeattribute hal_oemlock_server)
+(typeattribute hal_omx)
+(typeattribute hal_omx_client)
+(typeattribute hal_omx_hwservice_30_0)
+(typeattribute hal_omx_server)
+(typeattribute hal_power)
+(typeattribute hal_power_client)
+(typeattribute hal_power_hwservice_30_0)
+(typeattribute hal_power_server)
+(typeattribute hal_power_service_30_0)
+(typeattribute hal_power_stats)
+(typeattribute hal_power_stats_client)
+(typeattribute hal_power_stats_hwservice_30_0)
+(typeattribute hal_power_stats_server)
+(typeattribute hal_rebootescrow)
+(typeattribute hal_rebootescrow_client)
+(typeattribute hal_rebootescrow_server)
+(typeattribute hal_rebootescrow_service_30_0)
+(typeattribute hal_renderscript_hwservice_30_0)
+(typeattribute hal_secure_element)
+(typeattribute hal_secure_element_client)
+(typeattribute hal_secure_element_hwservice_30_0)
+(typeattribute hal_secure_element_server)
+(typeattribute hal_sensors)
+(typeattribute hal_sensors_client)
+(typeattribute hal_sensors_hwservice_30_0)
+(typeattribute hal_sensors_server)
+(typeattribute hal_telephony)
+(typeattribute hal_telephony_client)
+(typeattribute hal_telephony_hwservice_30_0)
+(typeattribute hal_telephony_server)
+(typeattribute hal_tetheroffload)
+(typeattribute hal_tetheroffload_client)
+(typeattribute hal_tetheroffload_hwservice_30_0)
+(typeattribute hal_tetheroffload_server)
+(typeattribute hal_thermal)
+(typeattribute hal_thermal_client)
+(typeattribute hal_thermal_hwservice_30_0)
+(typeattribute hal_thermal_server)
+(typeattribute hal_tv_cec)
+(typeattribute hal_tv_cec_client)
+(typeattribute hal_tv_cec_hwservice_30_0)
+(typeattribute hal_tv_cec_server)
+(typeattribute hal_tv_input)
+(typeattribute hal_tv_input_client)
+(typeattribute hal_tv_input_hwservice_30_0)
+(typeattribute hal_tv_input_server)
+(typeattribute hal_tv_tuner)
+(typeattribute hal_tv_tuner_client)
+(typeattribute hal_tv_tuner_hwservice_30_0)
+(typeattribute hal_tv_tuner_server)
+(typeattribute hal_usb)
+(typeattribute hal_usb_client)
+(typeattribute hal_usb_gadget)
+(typeattribute hal_usb_gadget_client)
+(typeattribute hal_usb_gadget_hwservice_30_0)
+(typeattribute hal_usb_gadget_server)
+(typeattribute hal_usb_hwservice_30_0)
+(typeattribute hal_usb_server)
+(typeattribute hal_vehicle)
+(typeattribute hal_vehicle_client)
+(typeattribute hal_vehicle_hwservice_30_0)
+(typeattribute hal_vehicle_server)
+(typeattribute hal_vibrator)
+(typeattribute hal_vibrator_client)
+(typeattribute hal_vibrator_hwservice_30_0)
+(typeattribute hal_vibrator_server)
+(typeattribute hal_vibrator_service_30_0)
+(typeattribute hal_vr)
+(typeattribute hal_vr_client)
+(typeattribute hal_vr_hwservice_30_0)
+(typeattribute hal_vr_server)
+(typeattribute hal_weaver)
+(typeattribute hal_weaver_client)
+(typeattribute hal_weaver_hwservice_30_0)
+(typeattribute hal_weaver_server)
+(typeattribute hal_wifi)
+(typeattribute hal_wifi_client)
+(typeattribute hal_wifi_hostapd)
+(typeattribute hal_wifi_hostapd_client)
+(typeattribute hal_wifi_hostapd_hwservice_30_0)
+(typeattribute hal_wifi_hostapd_server)
+(typeattribute hal_wifi_hwservice_30_0)
+(typeattribute hal_wifi_server)
+(typeattribute hal_wifi_supplicant)
+(typeattribute hal_wifi_supplicant_client)
+(typeattribute hal_wifi_supplicant_hwservice_30_0)
+(typeattribute hal_wifi_supplicant_server)
+(typeattribute halclientdomain)
+(typeattribute halserverdomain)
+(typeattribute hardware_properties_service_30_0)
+(typeattribute hardware_service_30_0)
+(typeattribute hci_attach_dev_30_0)
+(typeattribute hdmi_control_service_30_0)
+(typeattribute healthd_30_0)
+(typeattribute healthd_exec_30_0)
+(typeattribute heapdump_data_file_30_0)
+(typeattribute heapprofd_30_0)
+(typeattribute heapprofd_enabled_prop_30_0)
+(typeattribute heapprofd_prop_30_0)
+(typeattribute heapprofd_socket_30_0)
+(typeattribute hidl_allocator_hwservice_30_0)
+(typeattribute hidl_base_hwservice_30_0)
+(typeattribute hidl_manager_hwservice_30_0)
+(typeattribute hidl_memory_hwservice_30_0)
+(typeattribute hidl_token_hwservice_30_0)
+(typeattribute hw_random_device_30_0)
+(typeattribute hwbinder_device_30_0)
+(typeattribute hwservice_contexts_file_30_0)
+(typeattribute hwservice_manager_type)
+(typeattribute hwservicemanager_30_0)
+(typeattribute hwservicemanager_exec_30_0)
+(typeattribute hwservicemanager_prop_30_0)
+(typeattribute icon_file_30_0)
+(typeattribute idmap_30_0)
+(typeattribute idmap_exec_30_0)
+(typeattribute idmap_service_30_0)
+(typeattribute iio_device_30_0)
+(typeattribute imms_service_30_0)
+(typeattribute incident_30_0)
+(typeattribute incident_data_file_30_0)
+(typeattribute incident_helper_30_0)
+(typeattribute incident_service_30_0)
+(typeattribute incidentd_30_0)
+(typeattribute incremental_control_file_30_0)
+(typeattribute incremental_prop_30_0)
+(typeattribute incremental_service_30_0)
+(typeattribute init_30_0)
+(typeattribute init_exec_30_0)
+(typeattribute init_perf_lsm_hooks_prop_30_0)
+(typeattribute init_svc_debug_prop_30_0)
+(typeattribute init_tmpfs_30_0)
+(typeattribute inotify_30_0)
+(typeattribute input_device_30_0)
+(typeattribute input_method_service_30_0)
+(typeattribute input_service_30_0)
+(typeattribute inputflinger_30_0)
+(typeattribute inputflinger_exec_30_0)
+(typeattribute inputflinger_service_30_0)
+(typeattribute install_data_file_30_0)
+(typeattribute installd_30_0)
+(typeattribute installd_exec_30_0)
+(typeattribute installd_service_30_0)
+(typeattribute ion_device_30_0)
+(typeattribute iorap_inode2filename_30_0)
+(typeattribute iorap_inode2filename_exec_30_0)
+(typeattribute iorap_inode2filename_tmpfs_30_0)
+(typeattribute iorap_prefetcherd_30_0)
+(typeattribute iorap_prefetcherd_exec_30_0)
+(typeattribute iorap_prefetcherd_tmpfs_30_0)
+(typeattribute iorapd_30_0)
+(typeattribute iorapd_data_file_30_0)
+(typeattribute iorapd_exec_30_0)
+(typeattribute iorapd_service_30_0)
+(typeattribute iorapd_tmpfs_30_0)
+(typeattribute ipsec_service_30_0)
+(typeattribute iris_service_30_0)
+(typeattribute iris_vendor_data_file_30_0)
+(typeattribute isolated_app_30_0)
+(typeattribute jobscheduler_service_30_0)
+(typeattribute kernel_30_0)
+(typeattribute keychain_data_file_30_0)
+(typeattribute keychord_device_30_0)
+(typeattribute keystore_30_0)
+(typeattribute keystore_data_file_30_0)
+(typeattribute keystore_exec_30_0)
+(typeattribute keystore_service_30_0)
+(typeattribute kmsg_debug_device_30_0)
+(typeattribute kmsg_device_30_0)
+(typeattribute labeledfs_30_0)
+(typeattribute last_boot_reason_prop_30_0)
+(typeattribute launcherapps_service_30_0)
+(typeattribute light_service_30_0)
+(typeattribute linkerconfig_file_30_0)
+(typeattribute llkd_30_0)
+(typeattribute llkd_exec_30_0)
+(typeattribute llkd_prop_30_0)
+(typeattribute lmkd_30_0)
+(typeattribute lmkd_exec_30_0)
+(typeattribute lmkd_prop_30_0)
+(typeattribute lmkd_socket_30_0)
+(typeattribute location_service_30_0)
+(typeattribute lock_settings_service_30_0)
+(typeattribute log_prop_30_0)
+(typeattribute log_property_type)
+(typeattribute log_tag_prop_30_0)
+(typeattribute logcat_exec_30_0)
+(typeattribute logd_30_0)
+(typeattribute logd_exec_30_0)
+(typeattribute logd_prop_30_0)
+(typeattribute logd_socket_30_0)
+(typeattribute logdr_socket_30_0)
+(typeattribute logdw_socket_30_0)
+(typeattribute logpersist_30_0)
+(typeattribute logpersistd_logging_prop_30_0)
+(typeattribute loop_control_device_30_0)
+(typeattribute loop_device_30_0)
+(typeattribute looper_stats_service_30_0)
+(typeattribute lowpan_device_30_0)
+(typeattribute lowpan_prop_30_0)
+(typeattribute lowpan_service_30_0)
+(typeattribute lpdump_service_30_0)
+(typeattribute lpdumpd_prop_30_0)
+(typeattribute mac_perms_file_30_0)
+(typeattribute mdns_socket_30_0)
+(typeattribute mdnsd_30_0)
+(typeattribute mdnsd_socket_30_0)
+(typeattribute media_data_file_30_0)
+(typeattribute media_projection_service_30_0)
+(typeattribute media_router_service_30_0)
+(typeattribute media_rw_data_file_30_0)
+(typeattribute media_session_service_30_0)
+(typeattribute media_variant_prop_30_0)
+(typeattribute mediadrmserver_30_0)
+(typeattribute mediadrmserver_exec_30_0)
+(typeattribute mediadrmserver_service_30_0)
+(typeattribute mediaextractor_30_0)
+(typeattribute mediaextractor_exec_30_0)
+(typeattribute mediaextractor_service_30_0)
+(typeattribute mediaextractor_tmpfs_30_0)
+(typeattribute mediametrics_30_0)
+(typeattribute mediametrics_exec_30_0)
+(typeattribute mediametrics_service_30_0)
+(typeattribute mediaprovider_30_0)
+(typeattribute mediaserver_30_0)
+(typeattribute mediaserver_exec_30_0)
+(typeattribute mediaserver_service_30_0)
+(typeattribute mediaserver_tmpfs_30_0)
+(typeattribute mediaswcodec_30_0)
+(typeattribute mediaswcodec_exec_30_0)
+(typeattribute mediatranscoding_30_0)
+(typeattribute mediatranscoding_exec_30_0)
+(typeattribute mediatranscoding_service_30_0)
+(typeattribute meminfo_service_30_0)
+(typeattribute metadata_block_device_30_0)
+(typeattribute metadata_bootstat_file_30_0)
+(typeattribute metadata_file_30_0)
+(typeattribute method_trace_data_file_30_0)
+(typeattribute midi_service_30_0)
+(typeattribute mirror_data_file_30_0)
+(typeattribute misc_block_device_30_0)
+(typeattribute misc_logd_file_30_0)
+(typeattribute misc_user_data_file_30_0)
+(typeattribute mlstrustedobject)
+(typeattribute mlstrustedsubject)
+(typeattribute mmc_prop_30_0)
+(typeattribute mnt_expand_file_30_0)
+(typeattribute mnt_media_rw_file_30_0)
+(typeattribute mnt_media_rw_stub_file_30_0)
+(typeattribute mnt_pass_through_file_30_0)
+(typeattribute mnt_product_file_30_0)
+(typeattribute mnt_sdcard_file_30_0)
+(typeattribute mnt_user_file_30_0)
+(typeattribute mnt_vendor_file_30_0)
+(typeattribute mock_ota_prop_30_0)
+(typeattribute modprobe_30_0)
+(typeattribute module_sdkextensions_prop_30_0)
+(typeattribute mount_service_30_0)
+(typeattribute mqueue_30_0)
+(typeattribute mtp_30_0)
+(typeattribute mtp_device_30_0)
+(typeattribute mtp_exec_30_0)
+(typeattribute mtpd_socket_30_0)
+(typeattribute nativetest_data_file_30_0)
+(typeattribute net_data_file_30_0)
+(typeattribute net_dns_prop_30_0)
+(typeattribute net_radio_prop_30_0)
+(typeattribute netd_30_0)
+(typeattribute netd_exec_30_0)
+(typeattribute netd_listener_service_30_0)
+(typeattribute netd_service_30_0)
+(typeattribute netd_stable_secret_prop_30_0)
+(typeattribute netdomain)
+(typeattribute netif_30_0)
+(typeattribute netif_type)
+(typeattribute netpolicy_service_30_0)
+(typeattribute netstats_service_30_0)
+(typeattribute netutils_wrapper_30_0)
+(typeattribute netutils_wrapper_exec_30_0)
+(typeattribute network_management_service_30_0)
+(typeattribute network_score_service_30_0)
+(typeattribute network_stack_30_0)
+(typeattribute network_stack_service_30_0)
+(typeattribute network_time_update_service_30_0)
+(typeattribute network_watchlist_data_file_30_0)
+(typeattribute network_watchlist_service_30_0)
+(typeattribute nfc_30_0)
+(typeattribute nfc_data_file_30_0)
+(typeattribute nfc_device_30_0)
+(typeattribute nfc_prop_30_0)
+(typeattribute nfc_service_30_0)
+(typeattribute nnapi_ext_deny_product_prop_30_0)
+(typeattribute node_30_0)
+(typeattribute node_type)
+(typeattribute nonplat_service_contexts_file_30_0)
+(typeattribute notification_service_30_0)
+(typeattribute null_device_30_0)
+(typeattribute oem_lock_service_30_0)
+(typeattribute oemfs_30_0)
+(typeattribute ota_data_file_30_0)
+(typeattribute ota_metadata_file_30_0)
+(typeattribute ota_package_file_30_0)
+(typeattribute ota_prop_30_0)
+(typeattribute otadexopt_service_30_0)
+(typeattribute overlay_prop_30_0)
+(typeattribute overlay_service_30_0)
+(typeattribute overlayfs_file_30_0)
+(typeattribute owntty_device_30_0)
+(typeattribute package_native_service_30_0)
+(typeattribute package_service_30_0)
+(typeattribute packages_list_file_30_0)
+(typeattribute pan_result_prop_30_0)
+(typeattribute password_slot_metadata_file_30_0)
+(typeattribute pdx_bufferhub_client_channel_socket_30_0)
+(typeattribute pdx_bufferhub_client_channel_socket_type)
+(typeattribute pdx_bufferhub_client_endpoint_dir_type)
+(typeattribute pdx_bufferhub_client_endpoint_socket_30_0)
+(typeattribute pdx_bufferhub_client_endpoint_socket_type)
+(typeattribute pdx_bufferhub_client_server_type)
+(typeattribute pdx_bufferhub_dir_30_0)
+(typeattribute pdx_channel_socket_type)
+(typeattribute pdx_display_client_channel_socket_30_0)
+(typeattribute pdx_display_client_channel_socket_type)
+(typeattribute pdx_display_client_endpoint_dir_type)
+(typeattribute pdx_display_client_endpoint_socket_30_0)
+(typeattribute pdx_display_client_endpoint_socket_type)
+(typeattribute pdx_display_client_server_type)
+(typeattribute pdx_display_dir_30_0)
+(typeattribute pdx_display_manager_channel_socket_30_0)
+(typeattribute pdx_display_manager_channel_socket_type)
+(typeattribute pdx_display_manager_endpoint_dir_type)
+(typeattribute pdx_display_manager_endpoint_socket_30_0)
+(typeattribute pdx_display_manager_endpoint_socket_type)
+(typeattribute pdx_display_manager_server_type)
+(typeattribute pdx_display_screenshot_channel_socket_30_0)
+(typeattribute pdx_display_screenshot_channel_socket_type)
+(typeattribute pdx_display_screenshot_endpoint_dir_type)
+(typeattribute pdx_display_screenshot_endpoint_socket_30_0)
+(typeattribute pdx_display_screenshot_endpoint_socket_type)
+(typeattribute pdx_display_screenshot_server_type)
+(typeattribute pdx_display_vsync_channel_socket_30_0)
+(typeattribute pdx_display_vsync_channel_socket_type)
+(typeattribute pdx_display_vsync_endpoint_dir_type)
+(typeattribute pdx_display_vsync_endpoint_socket_30_0)
+(typeattribute pdx_display_vsync_endpoint_socket_type)
+(typeattribute pdx_display_vsync_server_type)
+(typeattribute pdx_endpoint_dir_type)
+(typeattribute pdx_endpoint_socket_type)
+(typeattribute pdx_performance_client_channel_socket_30_0)
+(typeattribute pdx_performance_client_channel_socket_type)
+(typeattribute pdx_performance_client_endpoint_dir_type)
+(typeattribute pdx_performance_client_endpoint_socket_30_0)
+(typeattribute pdx_performance_client_endpoint_socket_type)
+(typeattribute pdx_performance_client_server_type)
+(typeattribute pdx_performance_dir_30_0)
+(typeattribute perfetto_30_0)
+(typeattribute performanced_30_0)
+(typeattribute performanced_exec_30_0)
+(typeattribute permission_service_30_0)
+(typeattribute permissionmgr_service_30_0)
+(typeattribute persist_debug_prop_30_0)
+(typeattribute persistent_data_block_service_30_0)
+(typeattribute persistent_properties_ready_prop_30_0)
+(typeattribute pinner_service_30_0)
+(typeattribute pipefs_30_0)
+(typeattribute platform_app_30_0)
+(typeattribute platform_compat_service_30_0)
+(typeattribute pm_prop_30_0)
+(typeattribute pmsg_device_30_0)
+(typeattribute port_30_0)
+(typeattribute port_device_30_0)
+(typeattribute port_type)
+(typeattribute postinstall_30_0)
+(typeattribute postinstall_apex_mnt_dir_30_0)
+(typeattribute postinstall_file_30_0)
+(typeattribute postinstall_mnt_dir_30_0)
+(typeattribute power_service_30_0)
+(typeattribute powerctl_prop_30_0)
+(typeattribute ppp_30_0)
+(typeattribute ppp_device_30_0)
+(typeattribute ppp_exec_30_0)
+(typeattribute preloads_data_file_30_0)
+(typeattribute preloads_media_file_30_0)
+(typeattribute prereboot_data_file_30_0)
+(typeattribute print_service_30_0)
+(typeattribute priv_app_30_0)
+(typeattribute privapp_data_file_30_0)
+(typeattribute proc_30_0)
+(typeattribute proc_abi_30_0)
+(typeattribute proc_asound_30_0)
+(typeattribute proc_bluetooth_writable_30_0)
+(typeattribute proc_buddyinfo_30_0)
+(typeattribute proc_cmdline_30_0)
+(typeattribute proc_cpuinfo_30_0)
+(typeattribute proc_dirty_30_0)
+(typeattribute proc_diskstats_30_0)
+(typeattribute proc_drop_caches_30_0)
+(typeattribute proc_extra_free_kbytes_30_0)
+(typeattribute proc_filesystems_30_0)
+(typeattribute proc_fs_verity_30_0)
+(typeattribute proc_hostname_30_0)
+(typeattribute proc_hung_task_30_0)
+(typeattribute proc_interrupts_30_0)
+(typeattribute proc_iomem_30_0)
+(typeattribute proc_keys_30_0)
+(typeattribute proc_kmsg_30_0)
+(typeattribute proc_kpageflags_30_0)
+(typeattribute proc_loadavg_30_0)
+(typeattribute proc_lowmemorykiller_30_0)
+(typeattribute proc_max_map_count_30_0)
+(typeattribute proc_meminfo_30_0)
+(typeattribute proc_min_free_order_shift_30_0)
+(typeattribute proc_misc_30_0)
+(typeattribute proc_modules_30_0)
+(typeattribute proc_mounts_30_0)
+(typeattribute proc_net_30_0)
+(typeattribute proc_net_tcp_udp_30_0)
+(typeattribute proc_net_type)
+(typeattribute proc_overcommit_memory_30_0)
+(typeattribute proc_page_cluster_30_0)
+(typeattribute proc_pagetypeinfo_30_0)
+(typeattribute proc_panic_30_0)
+(typeattribute proc_perf_30_0)
+(typeattribute proc_pid_max_30_0)
+(typeattribute proc_pipe_conf_30_0)
+(typeattribute proc_pressure_cpu_30_0)
+(typeattribute proc_pressure_io_30_0)
+(typeattribute proc_pressure_mem_30_0)
+(typeattribute proc_qtaguid_ctrl_30_0)
+(typeattribute proc_qtaguid_stat_30_0)
+(typeattribute proc_random_30_0)
+(typeattribute proc_sched_30_0)
+(typeattribute proc_security_30_0)
+(typeattribute proc_slabinfo_30_0)
+(typeattribute proc_stat_30_0)
+(typeattribute proc_swaps_30_0)
+(typeattribute proc_sysrq_30_0)
+(typeattribute proc_timer_30_0)
+(typeattribute proc_tty_drivers_30_0)
+(typeattribute proc_type)
+(typeattribute proc_uid_concurrent_active_time_30_0)
+(typeattribute proc_uid_concurrent_policy_time_30_0)
+(typeattribute proc_uid_cpupower_30_0)
+(typeattribute proc_uid_cputime_removeuid_30_0)
+(typeattribute proc_uid_cputime_showstat_30_0)
+(typeattribute proc_uid_io_stats_30_0)
+(typeattribute proc_uid_procstat_set_30_0)
+(typeattribute proc_uid_time_in_state_30_0)
+(typeattribute proc_uptime_30_0)
+(typeattribute proc_version_30_0)
+(typeattribute proc_vmallocinfo_30_0)
+(typeattribute proc_vmstat_30_0)
+(typeattribute proc_zoneinfo_30_0)
+(typeattribute processinfo_service_30_0)
+(typeattribute procstats_service_30_0)
+(typeattribute profman_30_0)
+(typeattribute profman_dump_data_file_30_0)
+(typeattribute profman_exec_30_0)
+(typeattribute properties_device_30_0)
+(typeattribute properties_serial_30_0)
+(typeattribute property_contexts_file_30_0)
+(typeattribute property_data_file_30_0)
+(typeattribute property_info_30_0)
+(typeattribute property_socket_30_0)
+(typeattribute property_type)
+(typeattribute protected_hwservice)
+(typeattribute pstorefs_30_0)
+(typeattribute ptmx_device_30_0)
+(typeattribute qtaguid_device_30_0)
+(typeattribute racoon_30_0)
+(typeattribute racoon_exec_30_0)
+(typeattribute racoon_socket_30_0)
+(typeattribute radio_30_0)
+(typeattribute radio_data_file_30_0)
+(typeattribute radio_device_30_0)
+(typeattribute radio_prop_30_0)
+(typeattribute radio_service_30_0)
+(typeattribute ram_device_30_0)
+(typeattribute random_device_30_0)
+(typeattribute rebootescrow_hal_prop_30_0)
+(typeattribute recovery_30_0)
+(typeattribute recovery_block_device_30_0)
+(typeattribute recovery_data_file_30_0)
+(typeattribute recovery_persist_30_0)
+(typeattribute recovery_persist_exec_30_0)
+(typeattribute recovery_refresh_30_0)
+(typeattribute recovery_refresh_exec_30_0)
+(typeattribute recovery_service_30_0)
+(typeattribute recovery_socket_30_0)
+(typeattribute registry_service_30_0)
+(typeattribute resourcecache_data_file_30_0)
+(typeattribute restorecon_prop_30_0)
+(typeattribute restrictions_service_30_0)
+(typeattribute rild_debug_socket_30_0)
+(typeattribute rild_socket_30_0)
+(typeattribute ringtone_file_30_0)
+(typeattribute role_service_30_0)
+(typeattribute rollback_service_30_0)
+(typeattribute root_block_device_30_0)
+(typeattribute rootfs_30_0)
+(typeattribute rpmsg_device_30_0)
+(typeattribute rs_30_0)
+(typeattribute rs_exec_30_0)
+(typeattribute rss_hwm_reset_30_0)
+(typeattribute rtc_device_30_0)
+(typeattribute rttmanager_service_30_0)
+(typeattribute runas_30_0)
+(typeattribute runas_app_30_0)
+(typeattribute runas_exec_30_0)
+(typeattribute runtime_event_log_tags_file_30_0)
+(typeattribute runtime_service_30_0)
+(typeattribute safemode_prop_30_0)
+(typeattribute same_process_hal_file_30_0)
+(typeattribute same_process_hwservice)
+(typeattribute samplingprofiler_service_30_0)
+(typeattribute scheduler_service_server)
+(typeattribute scheduling_policy_service_30_0)
+(typeattribute sdcard_block_device_30_0)
+(typeattribute sdcard_type)
+(typeattribute sdcardd_30_0)
+(typeattribute sdcardd_exec_30_0)
+(typeattribute sdcardfs_30_0)
+(typeattribute seapp_contexts_file_30_0)
+(typeattribute search_service_30_0)
+(typeattribute sec_key_att_app_id_provider_service_30_0)
+(typeattribute secure_element_30_0)
+(typeattribute secure_element_device_30_0)
+(typeattribute secure_element_service_30_0)
+(typeattribute securityfs_30_0)
+(typeattribute selinuxfs_30_0)
+(typeattribute sensor_privacy_service_30_0)
+(typeattribute sensor_service_server)
+(typeattribute sensors_device_30_0)
+(typeattribute sensorservice_service_30_0)
+(typeattribute sepolicy_file_30_0)
+(typeattribute serial_device_30_0)
+(typeattribute serial_service_30_0)
+(typeattribute serialno_prop_30_0)
+(typeattribute server_configurable_flags_data_file_30_0)
+(typeattribute service_contexts_file_30_0)
+(typeattribute service_manager_service_30_0)
+(typeattribute service_manager_type)
+(typeattribute service_manager_vndservice_30_0)
+(typeattribute servicediscovery_service_30_0)
+(typeattribute servicemanager_30_0)
+(typeattribute servicemanager_exec_30_0)
+(typeattribute settings_service_30_0)
+(typeattribute sgdisk_30_0)
+(typeattribute sgdisk_exec_30_0)
+(typeattribute shared_relro_30_0)
+(typeattribute shared_relro_file_30_0)
+(typeattribute shell_30_0)
+(typeattribute shell_data_file_30_0)
+(typeattribute shell_exec_30_0)
+(typeattribute shell_prop_30_0)
+(typeattribute shm_30_0)
+(typeattribute shortcut_manager_icons_30_0)
+(typeattribute shortcut_service_30_0)
+(typeattribute simpleperf_30_0)
+(typeattribute simpleperf_app_runner_30_0)
+(typeattribute simpleperf_app_runner_exec_30_0)
+(typeattribute slice_service_30_0)
+(typeattribute slideshow_30_0)
+(typeattribute snapshotctl_log_data_file_30_0)
+(typeattribute socket_between_core_and_vendor_violators)
+(typeattribute socket_device_30_0)
+(typeattribute socket_hook_prop_30_0)
+(typeattribute sockfs_30_0)
+(typeattribute sota_prop_30_0)
+(typeattribute soundtrigger_middleware_service_30_0)
+(typeattribute staged_install_file_30_0)
+(typeattribute staging_data_file_30_0)
+(typeattribute stats_data_file_30_0)
+(typeattribute stats_service_server)
+(typeattribute statsd_30_0)
+(typeattribute statsd_exec_30_0)
+(typeattribute statsdw_socket_30_0)
+(typeattribute statusbar_service_30_0)
+(typeattribute storage_config_prop_30_0)
+(typeattribute storage_file_30_0)
+(typeattribute storage_stub_file_30_0)
+(typeattribute storaged_service_30_0)
+(typeattribute storagestats_service_30_0)
+(typeattribute su_30_0)
+(typeattribute su_exec_30_0)
+(typeattribute super_block_device_30_0)
+(typeattribute super_block_device_type)
+(typeattribute surfaceflinger_30_0)
+(typeattribute surfaceflinger_display_prop_30_0)
+(typeattribute surfaceflinger_service_30_0)
+(typeattribute surfaceflinger_tmpfs_30_0)
+(typeattribute swap_block_device_30_0)
+(typeattribute sysfs_30_0)
+(typeattribute sysfs_android_usb_30_0)
+(typeattribute sysfs_batteryinfo_30_0)
+(typeattribute sysfs_bluetooth_writable_30_0)
+(typeattribute sysfs_devices_block_30_0)
+(typeattribute sysfs_devices_system_cpu_30_0)
+(typeattribute sysfs_dm_30_0)
+(typeattribute sysfs_dm_verity_30_0)
+(typeattribute sysfs_dt_firmware_android_30_0)
+(typeattribute sysfs_extcon_30_0)
+(typeattribute sysfs_fs_ext4_features_30_0)
+(typeattribute sysfs_fs_f2fs_30_0)
+(typeattribute sysfs_hwrandom_30_0)
+(typeattribute sysfs_ion_30_0)
+(typeattribute sysfs_ipv4_30_0)
+(typeattribute sysfs_kernel_notes_30_0)
+(typeattribute sysfs_leds_30_0)
+(typeattribute sysfs_loop_30_0)
+(typeattribute sysfs_lowmemorykiller_30_0)
+(typeattribute sysfs_net_30_0)
+(typeattribute sysfs_nfc_power_writable_30_0)
+(typeattribute sysfs_power_30_0)
+(typeattribute sysfs_rtc_30_0)
+(typeattribute sysfs_suspend_stats_30_0)
+(typeattribute sysfs_switch_30_0)
+(typeattribute sysfs_thermal_30_0)
+(typeattribute sysfs_transparent_hugepage_30_0)
+(typeattribute sysfs_type)
+(typeattribute sysfs_uio_30_0)
+(typeattribute sysfs_usb_30_0)
+(typeattribute sysfs_usermodehelper_30_0)
+(typeattribute sysfs_vibrator_30_0)
+(typeattribute sysfs_wake_lock_30_0)
+(typeattribute sysfs_wakeup_30_0)
+(typeattribute sysfs_wakeup_reasons_30_0)
+(typeattribute sysfs_wlan_fwpath_30_0)
+(typeattribute sysfs_zram_30_0)
+(typeattribute sysfs_zram_uevent_30_0)
+(typeattribute system_adbd_prop_30_0)
+(typeattribute system_api_service)
+(typeattribute system_app_30_0)
+(typeattribute system_app_data_file_30_0)
+(typeattribute system_app_service_30_0)
+(typeattribute system_asan_options_file_30_0)
+(typeattribute system_block_device_30_0)
+(typeattribute system_boot_reason_prop_30_0)
+(typeattribute system_bootstrap_lib_file_30_0)
+(typeattribute system_config_service_30_0)
+(typeattribute system_data_file_30_0)
+(typeattribute system_data_root_file_30_0)
+(typeattribute system_event_log_tags_file_30_0)
+(typeattribute system_executes_vendor_violators)
+(typeattribute system_file_30_0)
+(typeattribute system_file_type)
+(typeattribute system_group_file_30_0)
+(typeattribute system_internal_property_type)
+(typeattribute system_jvmti_agent_prop_30_0)
+(typeattribute system_lib_file_30_0)
+(typeattribute system_linker_config_file_30_0)
+(typeattribute system_linker_exec_30_0)
+(typeattribute system_lmk_prop_30_0)
+(typeattribute system_ndebug_socket_30_0)
+(typeattribute system_net_netd_hwservice_30_0)
+(typeattribute system_passwd_file_30_0)
+(typeattribute system_prop_30_0)
+(typeattribute system_property_type)
+(typeattribute system_public_property_type)
+(typeattribute system_radio_prop_30_0)
+(typeattribute system_restricted_property_type)
+(typeattribute system_seccomp_policy_file_30_0)
+(typeattribute system_security_cacerts_file_30_0)
+(typeattribute system_server_30_0)
+(typeattribute system_server_service)
+(typeattribute system_server_tmpfs_30_0)
+(typeattribute system_suspend_control_service_30_0)
+(typeattribute system_suspend_hwservice_30_0)
+(typeattribute system_suspend_server)
+(typeattribute system_trace_prop_30_0)
+(typeattribute system_unsolzygote_socket_30_0)
+(typeattribute system_update_service_30_0)
+(typeattribute system_wifi_keystore_hwservice_30_0)
+(typeattribute system_wpa_socket_30_0)
+(typeattribute system_writes_mnt_vendor_violators)
+(typeattribute system_writes_vendor_properties_violators)
+(typeattribute system_zoneinfo_file_30_0)
+(typeattribute systemkeys_data_file_30_0)
+(typeattribute task_profiles_file_30_0)
+(typeattribute task_service_30_0)
+(typeattribute tcpdump_exec_30_0)
+(typeattribute tee_30_0)
+(typeattribute tee_data_file_30_0)
+(typeattribute tee_device_30_0)
+(typeattribute telecom_service_30_0)
+(typeattribute test_boot_reason_prop_30_0)
+(typeattribute test_harness_prop_30_0)
+(typeattribute testharness_service_30_0)
+(typeattribute tethering_service_30_0)
+(typeattribute textclassification_service_30_0)
+(typeattribute textclassifier_data_file_30_0)
+(typeattribute textservices_service_30_0)
+(typeattribute theme_prop_30_0)
+(typeattribute thermal_service_30_0)
+(typeattribute thermalcallback_hwservice_30_0)
+(typeattribute time_prop_30_0)
+(typeattribute timedetector_service_30_0)
+(typeattribute timezone_service_30_0)
+(typeattribute timezonedetector_service_30_0)
+(typeattribute tmpfs_30_0)
+(typeattribute tombstone_data_file_30_0)
+(typeattribute tombstone_wifi_data_file_30_0)
+(typeattribute tombstoned_30_0)
+(typeattribute tombstoned_crash_socket_30_0)
+(typeattribute tombstoned_exec_30_0)
+(typeattribute tombstoned_intercept_socket_30_0)
+(typeattribute tombstoned_java_trace_socket_30_0)
+(typeattribute toolbox_30_0)
+(typeattribute toolbox_exec_30_0)
+(typeattribute trace_data_file_30_0)
+(typeattribute traced_30_0)
+(typeattribute traced_consumer_socket_30_0)
+(typeattribute traced_enabled_prop_30_0)
+(typeattribute traced_lazy_prop_30_0)
+(typeattribute traced_perf_30_0)
+(typeattribute traced_perf_enabled_prop_30_0)
+(typeattribute traced_perf_socket_30_0)
+(typeattribute traced_probes_30_0)
+(typeattribute traced_producer_socket_30_0)
+(typeattribute traceur_app_30_0)
+(typeattribute trust_service_30_0)
+(typeattribute tty_device_30_0)
+(typeattribute tun_device_30_0)
+(typeattribute tv_input_service_30_0)
+(typeattribute tv_tuner_resource_mgr_service_30_0)
+(typeattribute tzdatacheck_30_0)
+(typeattribute tzdatacheck_exec_30_0)
+(typeattribute ueventd_30_0)
+(typeattribute ueventd_tmpfs_30_0)
+(typeattribute uhid_device_30_0)
+(typeattribute uimode_service_30_0)
+(typeattribute uio_device_30_0)
+(typeattribute uncrypt_30_0)
+(typeattribute uncrypt_exec_30_0)
+(typeattribute uncrypt_socket_30_0)
+(typeattribute unencrypted_data_file_30_0)
+(typeattribute unlabeled_30_0)
+(typeattribute untrusted_app_25_30_0)
+(typeattribute untrusted_app_27_30_0)
+(typeattribute untrusted_app_29_30_0)
+(typeattribute untrusted_app_30_0)
+(typeattribute untrusted_app_all)
+(typeattribute untrusted_app_visible_halserver_violators)
+(typeattribute untrusted_app_visible_hwservice_violators)
+(typeattribute update_engine_30_0)
+(typeattribute update_engine_common)
+(typeattribute update_engine_data_file_30_0)
+(typeattribute update_engine_exec_30_0)
+(typeattribute update_engine_log_data_file_30_0)
+(typeattribute update_engine_service_30_0)
+(typeattribute update_verifier_30_0)
+(typeattribute update_verifier_exec_30_0)
+(typeattribute updatelock_service_30_0)
+(typeattribute uri_grants_service_30_0)
+(typeattribute usagestats_service_30_0)
+(typeattribute usb_device_30_0)
+(typeattribute usb_serial_device_30_0)
+(typeattribute usb_service_30_0)
+(typeattribute usbaccessory_device_30_0)
+(typeattribute usbd_30_0)
+(typeattribute usbd_exec_30_0)
+(typeattribute usbfs_30_0)
+(typeattribute use_memfd_prop_30_0)
+(typeattribute user_profile_data_file_30_0)
+(typeattribute user_service_30_0)
+(typeattribute userdata_block_device_30_0)
+(typeattribute usermodehelper_30_0)
+(typeattribute userspace_reboot_config_prop_30_0)
+(typeattribute userspace_reboot_exported_prop_30_0)
+(typeattribute userspace_reboot_log_prop_30_0)
+(typeattribute userspace_reboot_test_prop_30_0)
+(typeattribute vdc_30_0)
+(typeattribute vdc_exec_30_0)
+(typeattribute vehicle_hal_prop_30_0)
+(typeattribute vendor_apex_file_30_0)
+(typeattribute vendor_app_file_30_0)
+(typeattribute vendor_cgroup_desc_file_30_0)
+(typeattribute vendor_configs_file_30_0)
+(typeattribute vendor_data_file_30_0)
+(typeattribute vendor_default_prop_30_0)
+(typeattribute vendor_executes_system_violators)
+(typeattribute vendor_file_30_0)
+(typeattribute vendor_file_type)
+(typeattribute vendor_framework_file_30_0)
+(typeattribute vendor_hal_file_30_0)
+(typeattribute vendor_idc_file_30_0)
+(typeattribute vendor_init_30_0)
+(typeattribute vendor_internal_property_type)
+(typeattribute vendor_keychars_file_30_0)
+(typeattribute vendor_keylayout_file_30_0)
+(typeattribute vendor_misc_writer_30_0)
+(typeattribute vendor_misc_writer_exec_30_0)
+(typeattribute vendor_overlay_file_30_0)
+(typeattribute vendor_property_type)
+(typeattribute vendor_public_lib_file_30_0)
+(typeattribute vendor_public_property_type)
+(typeattribute vendor_restricted_property_type)
+(typeattribute vendor_security_patch_level_prop_30_0)
+(typeattribute vendor_service)
+(typeattribute vendor_service_contexts_file_30_0)
+(typeattribute vendor_shell_30_0)
+(typeattribute vendor_shell_exec_30_0)
+(typeattribute vendor_socket_hook_prop_30_0)
+(typeattribute vendor_task_profiles_file_30_0)
+(typeattribute vendor_toolbox_exec_30_0)
+(typeattribute vfat_30_0)
+(typeattribute vibrator_service_30_0)
+(typeattribute video_device_30_0)
+(typeattribute virtual_ab_prop_30_0)
+(typeattribute virtual_touchpad_30_0)
+(typeattribute virtual_touchpad_exec_30_0)
+(typeattribute virtual_touchpad_service_30_0)
+(typeattribute vndbinder_device_30_0)
+(typeattribute vndk_prop_30_0)
+(typeattribute vndk_sp_file_30_0)
+(typeattribute vndservice_contexts_file_30_0)
+(typeattribute vndservice_manager_type)
+(typeattribute vndservicemanager_30_0)
+(typeattribute voiceinteraction_service_30_0)
+(typeattribute vold_30_0)
+(typeattribute vold_data_file_30_0)
+(typeattribute vold_device_30_0)
+(typeattribute vold_exec_30_0)
+(typeattribute vold_metadata_file_30_0)
+(typeattribute vold_prepare_subdirs_30_0)
+(typeattribute vold_prepare_subdirs_exec_30_0)
+(typeattribute vold_prop_30_0)
+(typeattribute vold_service_30_0)
+(typeattribute vpn_data_file_30_0)
+(typeattribute vr_hwc_30_0)
+(typeattribute vr_hwc_exec_30_0)
+(typeattribute vr_hwc_service_30_0)
+(typeattribute vr_manager_service_30_0)
+(typeattribute vrflinger_vsync_service_30_0)
+(typeattribute wallpaper_file_30_0)
+(typeattribute wallpaper_service_30_0)
+(typeattribute watchdog_device_30_0)
+(typeattribute watchdogd_30_0)
+(typeattribute watchdogd_exec_30_0)
+(typeattribute webview_zygote_30_0)
+(typeattribute webview_zygote_exec_30_0)
+(typeattribute webview_zygote_tmpfs_30_0)
+(typeattribute webviewupdate_service_30_0)
+(typeattribute wifi_data_file_30_0)
+(typeattribute wifi_keystore_service_server)
+(typeattribute wifi_log_prop_30_0)
+(typeattribute wifi_prop_30_0)
+(typeattribute wifi_service_30_0)
+(typeattribute wifiaware_service_30_0)
+(typeattribute wificond_30_0)
+(typeattribute wificond_exec_30_0)
+(typeattribute wifinl80211_service_30_0)
+(typeattribute wifip2p_service_30_0)
+(typeattribute wifiscanner_service_30_0)
+(typeattribute window_service_30_0)
+(typeattribute wpa_socket_30_0)
+(typeattribute wpantund_30_0)
+(typeattribute wpantund_exec_30_0)
+(typeattribute wpantund_service_30_0)
+(typeattribute zero_device_30_0)
+(typeattribute zoneinfo_data_file_30_0)
+(typeattribute zygote_30_0)
+(typeattribute zygote_exec_30_0)
+(typeattribute zygote_socket_30_0)
+(typeattribute zygote_tmpfs_30_0)
diff --git a/prebuilts/api/30.0/private/apexd.te b/prebuilts/api/30.0/private/apexd.te
index 7c7ddc6..9e702dd 100644
--- a/prebuilts/api/30.0/private/apexd.te
+++ b/prebuilts/api/30.0/private/apexd.te
@@ -37,7 +37,6 @@
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
- LOOP_CONFIGURE
};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
diff --git a/prebuilts/api/30.0/private/atrace.te b/prebuilts/api/30.0/private/atrace.te
index ad7d177..585c254 100644
--- a/prebuilts/api/30.0/private/atrace.te
+++ b/prebuilts/api/30.0/private/atrace.te
@@ -59,7 +59,7 @@
hal_client_domain(atrace, hal_vibrator)
')
-# Remove logspam from notification attempts to non-whitelisted services.
+# Remove logspam from notification attempts to non-allowlisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
diff --git a/prebuilts/api/30.0/private/bug_map b/prebuilts/api/30.0/private/bug_map
index 60c2f15..eaa1593 100644
--- a/prebuilts/api/30.0/private/bug_map
+++ b/prebuilts/api/30.0/private/bug_map
@@ -23,11 +23,13 @@
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
+untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te
index 86e8009..f13d98a 100644
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@@ -15,7 +15,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
index 7116dad..430cb3f 100644
--- a/prebuilts/api/30.0/private/domain.te
+++ b/prebuilts/api/30.0/private/domain.te
@@ -122,7 +122,7 @@
allow domain boringssl_self_test_marker:dir search;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
@@ -225,7 +225,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -342,7 +342,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
index 9620b75..71a72b4 100644
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@@ -625,6 +625,7 @@
/data/incremental(/.*)? u:object_r:apk_data_file:s0
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
#############################
# Expanded data files
diff --git a/prebuilts/api/30.0/private/heapprofd.te b/prebuilts/api/30.0/private/heapprofd.te
index ec3e4d0..7bd60a4 100644
--- a/prebuilts/api/30.0/private/heapprofd.te
+++ b/prebuilts/api/30.0/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/prebuilts/api/30.0/private/incidentd.te b/prebuilts/api/30.0/private/incidentd.te
index 656f69f..f10173b 100644
--- a/prebuilts/api/30.0/private/incidentd.te
+++ b/prebuilts/api/30.0/private/incidentd.te
@@ -145,7 +145,7 @@
r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/30.0/private/isolated_app.te b/prebuilts/api/30.0/private/isolated_app.te
index 4c6c5aa..94d60f0 100644
--- a/prebuilts/api/30.0/private/isolated_app.te
+++ b/prebuilts/api/30.0/private/isolated_app.te
@@ -88,7 +88,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/30.0/private/perfetto.te b/prebuilts/api/30.0/private/perfetto.te
index 0161361..14707ac 100644
--- a/prebuilts/api/30.0/private/perfetto.te
+++ b/prebuilts/api/30.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/30.0/private/shell.te b/prebuilts/api/30.0/private/shell.te
index 43e4dd5..fd78763 100644
--- a/prebuilts/api/30.0/private/shell.te
+++ b/prebuilts/api/30.0/private/shell.te
@@ -92,4 +92,4 @@
neverallow shell self:perf_event ~{ open read write kernel };
# Allow to read graphics related properties.
-get_prop(shell, graphics_config_prop)
\ No newline at end of file
+get_prop(shell, graphics_config_prop)
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 213b3c8..0082827 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -66,14 +66,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values whitelisted in
+# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -118,7 +118,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
@@ -893,8 +893,6 @@
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_bpf:dir rw_dir_perms;
-allow system_server cgroup_bpf:file rw_file_perms;
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
@@ -973,9 +971,6 @@
# on low memory kills.
get_prop(system_server, system_lmk_prop)
-# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
-allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
-
###
### Neverallow rules
###
@@ -1175,9 +1170,3 @@
# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
-
-# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
-# can be accessed by system_server only (b/143717177)
-# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
-# interface
-neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
diff --git a/prebuilts/api/30.0/private/traced_probes.te b/prebuilts/api/30.0/private/traced_probes.te
index dd6ece0..36f9c51 100644
--- a/prebuilts/api/30.0/private/traced_probes.te
+++ b/prebuilts/api/30.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index e5b9fd6..c892d9e 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -537,7 +537,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -558,7 +558,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index e1ca737..c151b95 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -80,10 +80,6 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
-
# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;
@@ -264,19 +260,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -292,7 +288,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -335,7 +331,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to a allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -350,7 +346,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -548,7 +544,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -938,7 +934,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -959,7 +955,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
neverallow {
coredomain
-init
@@ -988,7 +984,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1023,7 +1019,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
domain
-appdomain
@@ -1216,7 +1212,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te
index 0609d92..8d99a3c 100644
--- a/prebuilts/api/30.0/public/dumpstate.te
+++ b/prebuilts/api/30.0/public/dumpstate.te
@@ -76,12 +76,10 @@
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
- hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
- hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
@@ -93,7 +91,6 @@
hal_power_stats_server
hal_sensors_server
hal_thermal_server
- hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
diff --git a/prebuilts/api/30.0/public/hal_wifi_supplicant.te b/prebuilts/api/30.0/public/hal_wifi_supplicant.te
index 6004c33..79a0667 100644
--- a/prebuilts/api/30.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/30.0/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/30.0/public/init.te b/prebuilts/api/30.0/public/init.te
index cc51a2b..403b4c5 100644
--- a/prebuilts/api/30.0/public/init.te
+++ b/prebuilts/api/30.0/public/init.te
@@ -96,7 +96,7 @@
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
-allow init cgroup_bpf:dir { mounton create_dir_perms };
+allow init cgroup_bpf:dir { create mounton };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 6e2ed65..4cc3bba 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -132,12 +132,7 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
-define(`BINDER_FREEZE', `0x400c620e')
-define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
-define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
-define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
-define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
define(`BINDER_SET_MAX_THREADS', `0x40046205')
@@ -1375,7 +1370,6 @@
define(`LOGGER_SET_VERSION', `0x0000ae06')
define(`LOOP_CHANGE_FD', `0x00004c06')
define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_CONFIGURE', `0x00004c0a')
define(`LOOP_CTL_ADD', `0x00004c80')
define(`LOOP_CTL_GET_FREE', `0x00004c82')
define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/prebuilts/api/30.0/public/ioctl_macros b/prebuilts/api/30.0/public/ioctl_macros
index 4538962..5cbfae5 100644
--- a/prebuilts/api/30.0/public/ioctl_macros
+++ b/prebuilts/api/30.0/public/ioctl_macros
@@ -66,11 +66,3 @@
PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
}')
-
-# unprivileged binder ioctls
-define(`unpriv_binder_ioctls', `{
-BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
-BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
-BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
-BINDER_SET_CONTEXT_MGR_EXT
-}')
diff --git a/prebuilts/api/30.0/public/netd.te b/prebuilts/api/30.0/public/netd.te
index 8005406..0b83d4c 100644
--- a/prebuilts/api/30.0/public/netd.te
+++ b/prebuilts/api/30.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index 4607ef3..6a99e3f 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -67,8 +67,6 @@
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -223,7 +221,6 @@
dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
-init.svc.bugreportd u:object_r:exported2_default_prop:s0 exact string
init.svc.console u:object_r:exported2_default_prop:s0 exact string
init.svc.dumpstatez u:object_r:exported2_default_prop:s0 exact string
init.svc.mediadrm u:object_r:exported2_default_prop:s0 exact string
diff --git a/prebuilts/api/30.0/public/vendor_toolbox.te b/prebuilts/api/30.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/30.0/public/vendor_toolbox.te
+++ b/prebuilts/api/30.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/30.0/vendor_sepolicy.cil b/prebuilts/api/30.0/vendor_sepolicy.cil
new file mode 100644
index 0000000..4a3aac3
--- /dev/null
+++ b/prebuilts/api/30.0/vendor_sepolicy.cil
@@ -0,0 +1 @@
+;; empty stub
diff --git a/private/access_vectors b/private/access_vectors
index 4144be8..22f2ffa 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -138,6 +138,7 @@
wake_alarm
block_suspend
audit_read
+ perfmon
}
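Review bot: The new `perfmon` entry at L9144 carries no comment saying what it gates, and the class header it extends is outside the hunk. It corresponds to CAP_PERFMON, which kernels predating that capability do not know; on those kernels the perf-related checks fall back to CAP_SYS_ADMIN, so a domain granted only `perfmon` here may still need `sys_admin` there — as far as I can tell from this hunk alone. A one-line comment would preserve that, e.g. `# CAP_PERFMON; kernels without it check sys_admin instead`, placed where the first consumer is granted the permission if not here.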
#
@@ -181,6 +182,9 @@
entrypoint
}
+class anon_inode
+inherits file
+
class lnk_file
inherits file
@@ -710,6 +714,38 @@
gen_unique_id
}
+class keystore2
+{
+ add_auth
+ change_password
+ change_user
+ clear_ns
+ clear_uid
+ early_boot_ended
+ get_auth_token
+ get_state
+ list
+ lock
+ report_off_body
+ reset
+ unlock
+}
+
+class keystore2_key
+{
+ convert_storage_key_to_ephemeral
+ delete
+ gen_unique_id
+ get_info
+ grant
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+ use_dev_id
+}
+
class drmservice {
consumeRights
setPlaybackStatus
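Review bot: The two new classes `keystore2` (L9158) and `keystore2_key` (L9175) have no comment saying who enforces them. Like the existing keystore_key class above them, these are presumably checked by the keystore2 daemon acting as a userspace object manager rather than by the kernel, which means each permission listed here is only as strong as the daemon's own access-check call and name spelling. A header comment such as `# Userspace object manager classes enforced by keystore2, not the kernel; permission names must match the strings the daemon passes to its access check` would make that explicit for the next maintainer.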
diff --git a/private/adbd.te b/private/adbd.te
index be4f0f7..3fc77a2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -44,6 +44,9 @@
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
+# Allow adbd inside vm to forward vm's vsock.
+allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
# Create and use network sockets.
net_domain(adbd)
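Review bot: The new `allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };` on L9201 grants `create` on vsock_socket, which makes the vsock half of `dontaudit adbd self:{ socket vsock_socket } create;` on L9199 dead — an allowed access is never audited. Narrow it to `dontaudit adbd self:socket create;` so the rule again documents only what is still denied but silenced. The comment on L9200 describes the in-VM case, but policy cannot distinguish a guest adbd from a device adbd, so this listener capability is granted on every device; a sentence in the comment on why that is acceptable outside a VM would help a reader assessing adbd's exposure.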
@@ -84,11 +87,15 @@
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
-set_prop(adbd, ffs_prop)
-set_prop(adbd, exported_ffs_prop)
+get_prop(adbd, ffs_config_prop)
+set_prop(adbd, ffs_control_prop)
-# Set service.adb.tls.port, persist.adb.wifi. properties
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
+
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
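Review bot: The context comment on L9206, `# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.`, no longer describes the rules beneath it: the ffs properties are now split into `get_prop(adbd, ffs_config_prop)` and `set_prop(adbd, ffs_control_prop)`, so adbd only reads the config side. Update it to something like `# Set service.adb.*, sys.powerctl and the ffs control properties; read ffs config.` The new `set_prop(adbd, ctl_mdnsd_prop)` on L9219 lets adbd start and stop a service through init; a brief note on why mdnsd must be driven from adbd rather than by init would justify granting a control property to this domain.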
@@ -189,11 +196,23 @@
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
+# Allow to push and manage configs in /data/misc/perfetto-configs.
+allow adbd perfetto_configs_data_file:dir rw_dir_perms;
+allow adbd perfetto_configs_data_file:file create_file_perms;
+
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
+# Allow pull /vendor/apex files for CTS tests
+allow adbd vendor_apex_file:dir search;
+allow adbd vendor_apex_file:file r_file_perms;
+
+# Allow adb pull of updated apex files in /data/apex/active.
+allow adbd apex_data_file:dir search;
+allow adbd staging_data_file:file r_file_perms;
+
###
### Neverallow rules
###
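Review bot: The comment `# Allow adb pull of updated apex files in /data/apex/active.` does not say why the file type granted is staging_data_file rather than apex_data_file, which is the type the directory search on the previous line uses. The apexd.te hunk in this same change states that apexd hardlinks files from /data/app-staging into /data/apex, so those files presumably keep their staging_data_file label; spelling that out here prevents a later "fix" to apex_data_file that would break the pull: `# Files in /data/apex/active are hardlinks from /data/app-staging and keep the staging_data_file label.` The same hedge applies to the CTS comment two rules above, which grants `vendor_apex_file:dir search` but `r_file_perms` on files, a deliberate asymmetry worth one word of explanation.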
diff --git a/private/apexd.te b/private/apexd.te
index 7c7ddc6..862bab9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -5,19 +5,29 @@
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir create_dir_perms;
allow apexd apex_data_file:file create_file_perms;
+# Allow relabeling file created in /data/apex/decompressed
+allow apexd apex_data_file:file relabelfrom;
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
+# Allow reserving space on /data/apex/ota_reserved for apex decompression
+allow apexd apex_ota_reserved_file:dir create_dir_perms;
+allow apexd apex_ota_reserved_file:file create_file_perms;
+
# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_art_data_file:file { create_file_perms relabelto };
allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
allow apexd apex_permission_data_file:file { create_file_perms relabelto };
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
+allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
@@ -42,6 +52,9 @@
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file rw_file_perms;
allow apexd dm_device:blk_file rw_file_perms;
@@ -65,6 +78,9 @@
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
+allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
+allow apexd apex_info_file:file relabelto;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
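Review bot: The comment `# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file` explains create and relabelfrom but not the `mounton` permission granted on apex_mnt_dir:file in the same rule, and mounting over a regular file in /apex is unusual enough that a reader will wonder whether it was copy-pasted from the dir rule. If it is needed for a bind mount during some apexd flow, say which one; if not, drop it. Something like `# mounton: <reason for bind-mounting over a file in /apex — confirm with apexd owners>` is enough until the reason is known.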
@@ -73,6 +89,8 @@
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
+# # Allow relabeling file created in /data/apex/decompressed
+allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex
allow apexd vendor_apex_file:dir r_dir_perms;
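Review bot: The added comment `# # Allow relabeling file created in /data/apex/decompressed` has a doubled hash and repeats verbatim the comment placed on the apex_data_file relabelfrom grant in the first hunk of this file, although this rule is the other half of that relabel (relabelto staging_data_file). Make the pairing explicit so the two grants are not reviewed in isolation: `# Other half of the /data/apex/decompressed relabel: apexd relabels the decompressed file from apex_data_file to staging_data_file.` The `#allow apexd to access virtual disks` comment in the /dev/block hunk of this file is missing the space after `#` that every other comment in the file has.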
@@ -122,16 +140,14 @@
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-# Allow transition to ART APEX preinstall domain.
-domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
-# Allow transition to ART APEX postinstall domain.
-domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
-
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
+# Allow transition to GKI update pre/post install domain
+domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
+
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
@@ -145,6 +161,13 @@
# Allow apexd to execute toybox for snapshot & restore
allow apexd toolbox_exec:file rx_file_perms;
+# Allow apexd to read ro.cold_boot_done prop.
+# apexd uses it to decide whether it needs to keep retrying polling for loop device.
+get_prop(apexd, cold_boot_done_prop)
+
+# Allow apexd to read per-device configuration properties.
+get_prop(apexd, apexd_config_prop)
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
@@ -156,3 +179,16 @@
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
+
+# only apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+neverallow { domain -apexd -init } apexd_prop:property_service set;
+
+# only apexd can write apex-info-list.xml
+neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+
+# Allow for use in postinstall
+allow apexd otapreopt_chroot:fd use;
+allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
+allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd proc_filesystems:file r_file_perms;
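Review bot: `# Allow for use in postinstall` is too vague for the three rules beneath it, which touch three unrelated objects (an fd inherited from otapreopt_chroot, the postinstall_apex_mnt_dir mount point with mounton and relabelfrom, and /proc/filesystems); each grant should carry its own one-line reason in the style of the rest of the file, e.g. `# Read /proc/filesystems to check which filesystems the kernel supports during postinstall` for the last one. I would also note explicitly that the new `neverallow { domain -apexd } apex_info_file:file no_w_file_perms;` intentionally does not exempt init, unlike the apexd_prop neverallow two lines above it, since the file is created by apexd in apex_mnt_dir and relabelled to apex_info_file per the earlier hunk; a short `# init never writes this file` would pre-empt the question.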
diff --git a/private/app.te b/private/app.te
index 9882d8f..94d24e0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,18 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+get_prop(appdomain, boot_status_prop)
+get_prop(appdomain, dalvik_config_prop)
+get_prop(appdomain, media_config_prop)
+get_prop(appdomain, packagemanager_config_prop)
+get_prop(appdomain, radio_control_prop)
+get_prop(appdomain, surfaceflinger_color_prop)
+get_prop(appdomain, systemsound_config_prop)
+get_prop(appdomain, telephony_config_prop)
+get_prop(appdomain, userspace_reboot_config_prop)
+get_prop(appdomain, vold_config_prop)
+get_prop(appdomain, adbd_config_prop)
+
userdebug_or_eng(`perfetto_producer({ appdomain })')
# Prevent apps from causing presubmit failures.
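Review bot: The block of eleven new `get_prop(appdomain, ...)` grants carries no comment, while the test_harness_prop line it is appended to documents which framework API needs it; every one of these widens what any app can read, so each group should state which public API or SDK behaviour exposes the value, in the form `# Read by <framework API> — see <bug/CL placeholder>`. The list is also alphabetical until `adbd_config_prop`, which was appended at the end; move it to the top so future additions land in the right place. The same unsorted-append pattern appears in the 26.0.ignore.cil hunk of this change, where `audio_config_prop` is inserted before `atrace`.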
@@ -22,6 +34,9 @@
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;
+# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
+allow appdomain mnt_media_rw_file:dir search;
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
@@ -39,5 +54,47 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+# Allow to read sendbug.preferred.domain
+get_prop(appdomain, sendbug_config_prop)
+
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
+
+# Allow to read persist.config.calibration_fac
+get_prop(appdomain, camera_calibration_prop)
+
+# Allow to read db.log.detailed, db.log.slow_query_threshold*
+get_prop(appdomain, sqlite_log_prop)
+
+# Allow font file read by apps.
+allow appdomain font_data_file:file r_file_perms;
+allow appdomain font_data_file:dir r_dir_perms;
+
+# Enter /data/misc/apexdata/
+allow appdomain apex_module_data_file:dir search;
+# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
+allow appdomain apex_art_data_file:dir r_dir_perms;
+allow appdomain apex_art_data_file:file rx_file_perms;
+
+# Allow access to tombstones if an fd to one is given to you.
+# This is restricted by unix permissions, so an app must go through system_server to get one.
+allow appdomain tombstone_data_file:file { getattr read };
+neverallow appdomain tombstone_data_file:file ~{ getattr read };
+
+# Sensitive app domains are not allowed to execute from /data
+# to prevent persistence attacks and ensure all code is executed
+# from read-only locations.
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1157187..aff3a0a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -19,6 +19,9 @@
# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;
+# Read or write kernel printk buffer
+neverallow all_untrusted_apps kmsg_device:chr_file no_rw_file_perms;
+
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
@@ -154,28 +157,7 @@
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
-neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
- SIOCGIFHWADDR
- SIOCSIFHWADDR
- TUNATTACHFILTER
- TUNDETACHFILTER
- TUNGETFEATURES
- TUNGETFILTER
- TUNGETSNDBUF
- TUNGETVNETHDRSZ
- TUNSETDEBUG
- TUNSETGROUP
- TUNSETIFF
- TUNSETLINK
- TUNSETNOCSUM
- TUNSETOFFLOAD
- TUNSETOWNER
- TUNSETPERSIST
- TUNSETQUEUE
- TUNSETSNDBUF
- TUNSETTXFILTER
- TUNSETVNETHDRSZ
-};
+neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
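Review bot: The replacement `neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };` inverts the rule from a deny-list to an allow-list, but the three context lines above it still read `# The tun_device ioctls below are not allowed, to prove equivalence`, which now describes the opposite of what the rule lists. Update the comment so it matches the complement form: `# Only the tun_device ioctls listed below are permitted; every other ioctl is denied, to prove equivalence to the kernel patch at ...`. This matters because a reader skimming the comment will assume TUNGETIFF is one of the denied ones.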
@@ -217,24 +199,21 @@
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
-# Do not permit access from apps which host arbitrary code to the protected HwBinder
-# services.
+# Do not permit access from apps which host arbitrary code to the protected services
# The two main reasons for this are:
-# 1. Protected HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, those
-# HwBinder services either operate at a level below that of apps (e.g., HALs)
-# or must not rely on app identity for authorization. Thus, to be safe, the
-# default assumption is that every HwBinder service treats all its clients as
-# equally authorized to perform operations offered by the service.
-# 2. HAL servers (a subset of HwBinder services) contain code with higher
-# incidence rate of security issues than system/core components and have
-# access to lower layes of the stack (all the way down to hardware) thus
-# increasing opportunities for bypassing the Android security model.
+# 1. Protected HwBinder servers do not perform client authentication because
+# vendor code does not have a way to understand apps or their relation to
+# caller UID information and, even if it did, those services either operate
+# at a level below that of apps (e.g., HALs) or must not rely on app identity
+# for authorization. Thus, to be safe, the default assumption for all added
+# vendor services is that they treat all their clients as equally authorized
+# to perform operations offered by the service.
+# 2. HAL servers contain code with higher incidence rate of security issues
+# than system/core components and have access to lower layes of the stack
+# (all the way down to hardware) thus increasing opportunities for bypassing
+# the Android security model.
neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
-
-neverallow all_untrusted_apps {
- vendor_service
-}:service_manager find;
+neverallow all_untrusted_apps protected_service:service_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
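Review bot: The rewritten rationale carries the old typo forward in the new line `# than system/core components and have access to lower layes of the stack`, which should read `lower layers of the stack`. The new heading `# Do not permit access from apps which host arbitrary code to the protected services` also lost the terminating period the original had, so the sentence runs into `# The two main reasons for this are:`. Both are in added lines, so this is the right commit to fix them in.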
@@ -249,6 +228,7 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 9285323..7f2236c 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -53,6 +53,11 @@
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
+# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
+allow app_zygote apex_module_data_file:dir search;
+# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
+r_dir_file(app_zygote, apex_art_data_file)
+
# Allow reading/executing installed binaries to enable preloading
# application data
allow app_zygote apk_data_file:dir r_dir_perms;
@@ -93,14 +98,7 @@
neverallow app_zygote property_type:property_service set;
# Should not have any access to data files.
-neverallow app_zygote {
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:file { rwx_file_perms };
+neverallow app_zygote app_data_file_type:file { rwx_file_perms };
neverallow app_zygote {
service_manager_type
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
deleted file mode 100644
index ba02083..0000000
--- a/private/art_apex_boot_integrity.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# This command set checks the integrity of boot classpath ART
-# artifacts in /data, potentially removing them.
-
-type art_apex_boot_integrity, domain, coredomain;
-type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
-
-# Technically not a daemon but we do want the transition from init domain to
-# art_apex_boot_integrity to occur.
-init_daemon_domain(art_apex_boot_integrity)
-
-# Read dalvik cache directories, remove entries.
-allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name };
-# Read and possibly delete dalvik cache files.
-allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
-
-# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
-allow art_apex_boot_integrity shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
-# permissions.
-allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
-
-# Fsverity in the same domain.
-allow art_apex_boot_integrity system_file:file execute_no_trans;
-# Fsverity work.
-allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
deleted file mode 100644
index 576ed20..0000000
--- a/private/art_apex_postinstall.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# ART APEX postinstall.
-#
-
-type art_apex_postinstall, domain, coredomain;
-type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/sh (see b/126787589).
-allow art_apex_postinstall apexd:fd use;
-
-# Read temp dirs and files. Move directories.
-allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
-allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
-# We're deleting the old /data/dalvik-cache/* and move the new ones
-# over.
-allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
-allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
-
-# Required for relabel.
-allow art_apex_postinstall file_contexts_file:file r_file_perms;
-allow art_apex_postinstall self:global_capability_class_set sys_admin;
-
-# Script helpers.
-allow art_apex_postinstall shell_exec:file rx_file_perms;
-allow art_apex_postinstall toolbox_exec:file rx_file_perms;
-
-# Fsverity in the same domain.
-allow art_apex_postinstall system_file:file execute_no_trans;
-# Fsverity work.
-allowxperm art_apex_postinstall ota_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
deleted file mode 100644
index 12b1020..0000000
--- a/private/art_apex_preinstall.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# ART APEX preinstall.
-#
-
-type art_apex_preinstall, domain, coredomain;
-type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/sh (see b/126787589).
-allow art_apex_preinstall apexd:fd use;
-
-# Create temp dirs and files under /data/ota.
-allow art_apex_preinstall ota_data_file:dir create_dir_perms;
-allow art_apex_preinstall ota_data_file:file create_file_perms;
-# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
-# mount namespace.
-allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
-allow art_apex_preinstall self:capability sys_admin;
-
-# Script helpers.
-allow art_apex_preinstall shell_exec:file rx_file_perms;
-allow art_apex_preinstall toolbox_exec:file rx_file_perms;
-
-# Execute subscripts in the same domain.
-allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
-
-# Run dex2oat.
-domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
-
-# Fsverity in the same domain.
-allow art_apex_preinstall system_file:file execute_no_trans;
-# Fsverity work.
-allowxperm art_apex_preinstall ota_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
diff --git a/private/artd.te b/private/artd.te
new file mode 100644
index 0000000..a76074b
--- /dev/null
+++ b/private/artd.te
@@ -0,0 +1,12 @@
+# art service daemon
+type artd, domain;
+type artd_exec, system_file_type, exec_type, file_type;
+
+# Allow artd to publish a binder service and make binder calls.
+binder_use(artd)
+add_service(artd, artd_service)
+allow artd dumpstate:fifo_file { getattr write };
+
+typeattribute artd coredomain;
+
+init_daemon_domain(artd)
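Review bot: `allow artd dumpstate:fifo_file { getattr write };` is the only uncommented rule in this new file and grants a write into another domain's pipe; add the reason, e.g. `# Allow dumpsys output to be written to dumpstate's pipe — confirm this is the intended consumer`. Style is also inconsistent with canhalconfigurator.te added in the same change, which declares `type canhalconfigurator, domain, coredomain;` inline, whereas here coredomain is attached by a separate `typeattribute artd coredomain;` six lines below the type declaration; pick one form so the two new private domains read alike. The header `# art service daemon` could name the service it publishes (artd_service) so the add_service grant is self-explanatory.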
diff --git a/private/asan_extract.te b/private/asan_extract.te
index 1c20d78..69bcd50 100644
--- a/private/asan_extract.te
+++ b/private/asan_extract.te
@@ -3,6 +3,9 @@
# Technically not a daemon but we do want the transition from init domain to
# asan_extract to occur.
with_asan(`
-typeattribute asan_extract coredomain;
-init_daemon_domain(asan_extract)
+ typeattribute asan_extract coredomain;
+ init_daemon_domain(asan_extract)
+
+ # We need to signal a reboot when done.
+ set_prop(asan_extract, powerctl_prop)
')
diff --git a/private/atrace.te b/private/atrace.te
index ad7d177..d4aed40 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,7 +1,6 @@
# Domain for atrace process.
# It is spawned either by traced_probes or by init for the boottrace service.
-type atrace, domain, coredomain;
type atrace_exec, exec_type, file_type, system_file_type;
# boottrace services uses /data/misc/boottrace/categories
@@ -59,7 +58,7 @@
hal_client_domain(atrace, hal_vibrator)
')
-# Remove logspam from notification attempts to non-whitelisted services.
+# Remove logspam from notification attempts to non-allowlisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
diff --git a/private/attributes b/private/attributes
index e01b212..991bac1 100644
--- a/private/attributes
+++ b/private/attributes
@@ -1 +1,12 @@
hal_attribute(lazy_test);
+
+# This is applied to apps on vendor images with SDK <=30 only,
+# to exempt them from recent mls changes. It must not be applied
+# to any domain on newer system or vendor image.
+attribute mlsvendorcompat;
+
+# Attributes for property types having both system_property_type
+# and vendor_property_type. Such types are ill-formed because
+# property owner attributes must be exclusive.
+attribute system_and_vendor_property_type;
+expandattribute system_and_vendor_property_type false;
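Review bot: The comment on `attribute mlsvendorcompat;` says it "must not be applied to any domain on newer system or vendor image", but nothing here enforces or locates that: the attribute is populated in the 26.0 and 27.0 .compat.cil hunks of this same change via `(typeattributeset mlsvendorcompat (and appdomain vendordomain))`, and presumably the 28.0–30.0 files outside this chunk do the same. Tell the reader where the assignments live so the "must not" can be checked: `# Populated only by compat/<ver>/<ver>.compat.cil for <ver> <= 30; no rule in private/ or public/ may reference it.` If a neverallow or a build-time test backs the restriction, name it here instead of relying on the prose.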
diff --git a/private/audioserver.te b/private/audioserver.te
index 067152f..5047e2c 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -98,3 +98,6 @@
# Allow using wake locks
wakelock_use(audioserver)
+
+# Allow reading audio config props, e.g. af.fast_track_multiplier
+get_prop(audioserver, audio_config_prop)
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
deleted file mode 100644
index 4a1218e..0000000
--- a/private/binder_in_vendor_violators.te
+++ /dev/null
@@ -1 +0,0 @@
-allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 0891ee5..7275954 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,5 +18,7 @@
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
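Review bot: The two new grants `allow binderservicedomain keystore:keystore2 { get_state };` and `allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };` sit next to the legacy keystore_key rule with no indication of how they relate, and they apply to every domain carrying the binderservicedomain attribute. A one-line comment such as `# keystore2 equivalents of the legacy keystore_key grant above; remove that line once the legacy API is gone` records the transition and makes the eventual cleanup of the old rule a mechanical step rather than an archaeology exercise.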
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 51310d1..20d50cc 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -3,4 +3,5 @@
init_daemon_domain(blank_screen)
+# hal_light_client has access to hal_light_server
hal_client_domain(blank_screen, hal_light)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 1680361..8fc6d20 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,6 +1,6 @@
# bluetooth app
-typeattribute bluetooth coredomain;
+typeattribute bluetooth coredomain, mlstrustedsubject;
app_domain(bluetooth)
net_domain(bluetooth)
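Review bot: `typeattribute bluetooth coredomain, mlstrustedsubject;` adds an MLS exemption to an app domain with no comment, and mlstrustedsubject is exactly the kind of attribute whose presence a later auditor will question, since it lets the domain bypass the per-user MLS separation the rest of this change is tightening (see the mlsvendorcompat comment in private/attributes). Add the reason and a reference next to it: `# mlstrustedsubject: bluetooth must access per-user app data across MLS levels for <reason — bug placeholder>`. Without that the grant is indistinguishable from an accidental widening.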
@@ -57,6 +57,7 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
+allow bluetooth system_suspend_control_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/bootanim.te b/private/bootanim.te
index 4740560..855bc3d 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -7,3 +7,11 @@
# Bootanim should not be reading default vendor-defined properties.
dontaudit bootanim vendor_default_prop:file read;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
+
+get_prop(bootanim, bootanim_config_prop)
+
+# Allow updating boot animation status.
+set_prop(bootanim, bootanim_system_prop)
diff --git a/private/bootstat.te b/private/bootstat.te
index 806144c..016292e 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -1,3 +1,34 @@
typeattribute bootstat coredomain;
init_daemon_domain(bootstat)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+neverallow {
+ domain
+ -bootanim
+ -bootstat
+ -dumpstate
+ userdebug_or_eng(`-incidentd')
+ -init
+ -recovery
+ -shell
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
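Review bot: The added comment `# ... and refine, as these components should not set the last boot reason` does not match the rule under it, `neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;`, which forbids reading the property file, not setting it; setting is governed by the separate `:property_service set` neverallow further down. Change it to `# ... and refine, as these components should not read the last boot reason`. The last comment also has a typo: `# ... and refine ... for a ro property no less ... keep this _tight_`.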
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 74a8e25..ae9b52c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,37 +4,40 @@
typeattribute bpfloader coredomain;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader fs_bpf:dir { search write add_name };
-allow bpfloader fs_bpf:file { create setattr read };
+allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
+allow fs_bpf_tethering fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
-allow bpfloader self:capability { chown sys_admin };
+allow bpfloader self:capability { chown sys_admin net_admin };
+
+set_prop(bpfloader, bpf_progs_loaded_prop)
###
### Neverallow rules
###
-# TODO: get rid of init & vendor_init
-neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
-neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
-neverallow domain fs_bpf:dir { reparent rename rmdir };
+# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
-neverallow { domain -bpfloader } fs_bpf:file create;
-neverallow domain fs_bpf:file { rename unlink };
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
+neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
-
-set_prop(bpfloader, bpf_progs_loaded_prop)
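Review bot: `allow bpfloader self:capability { chown sys_admin net_admin };` adds CAP_NET_ADMIN to a domain whose whole purpose is loading programs that the rest of this file works hard to fence off, and the addition has no comment; state what needs it, e.g. `# net_admin: required to <operation — confirm> when attaching tethering programs`. `allow fs_bpf_tethering fs_bpf:filesystem associate;` is filed under the "pin ebpf maps & programs" comment although it is a filesystem-labelling rule; give it its own line such as `# Let fs_bpf_tethering-labelled files live on the bpf filesystem.` The read neverallow exempts init and vendor_init while the write neverallow directly below it does not; that looks intentional, so a short note saying why init may read but never write would stop it being "harmonised" later.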
diff --git a/private/bug_map b/private/bug_map
index eaa1593..5b042ae 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -28,8 +28,8 @@
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
-system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
+zygote labeledfs filesystem b/170748799
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
new file mode 100644
index 0000000..9ba60ac
--- /dev/null
+++ b/private/canhalconfigurator.te
@@ -0,0 +1,7 @@
+type canhalconfigurator, domain, coredomain;
+type canhalconfigurator_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(canhalconfigurator)
+
+# This allows the configurator to look up the CAN HAL controller via
+# hwservice_manager and communicate with it.
+hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/private/charger.te b/private/charger.te
index 65109de..8be113f 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -1 +1,31 @@
typeattribute charger coredomain;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported3_system_prop)
+set_prop(charger, charger_status_prop)
+
+get_prop(charger, charger_prop)
+get_prop(charger, charger_config_prop)
+
+# get minui properties
+get_prop(charger, recovery_config_prop)
+
+compatible_property_only(`
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ -charger
+ } charger_prop:file no_rw_file_perms;
+')
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -vendor_init
+ -charger
+} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
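Review bot: The grants `set_prop(charger, system_prop)`, `set_prop(charger, exported_system_prop)` and `set_prop(charger, exported3_system_prop)` give charger write access to three broad property attributes, but the comment above them only says charger "needs to tell init to continue the boot process"; that justifies one property, not three attributes. Name the property actually written so the grant can later be narrowed to a dedicated type, e.g. `# Sets <property name placeholder> so init continues booting out of charger mode; TODO narrow to a charger-specific property type.` The two neverallows at the end are a good backstop for charger_prop and the new types, but they do not cover the three broad attributes above, which is another reason to name what is really needed.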
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
index 30af58c..2e85b23 100644
--- a/private/compat/26.0/26.0.compat.cil
+++ b/private/compat/26.0/26.0.compat.cil
@@ -3,3 +3,9 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
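Review bot: The six added lines here are repeated byte-for-byte in the 27.0.compat.cil hunk of this change (both files even share the same index hashes), so the two copies will drift unless each points at the other and at the rationale; add a leading `;; mlsvendorcompat exemption — keep in sync with compat/27.0/27.0.compat.cil; see the attribute comment in private/attributes` comment, and the mirror of it in the 27.0 file. The permission sets granted to mlsvendorcompat on app_data_file and privapp_data_file are close to the full dir and file vectors, which is presumably what pre-MLS vendor apps had; a comment stating that this is a frozen compatibility surface and must not grow would make that intent reviewable.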
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index b395855..98d5840 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -18,9 +18,11 @@
apexd_prop
apexd_tmpfs
app_zygote
+ audio_config_prop
atrace
binder_calls_stats_service
biometric_service
+ boot_status_prop
bootloader_boot_reason_prop
blank_screen
blank_screen_exec
@@ -39,6 +41,7 @@
ctl_interface_start_prop
ctl_interface_stop_prop
ctl_sigstop_prop
+ dalvik_config_prop
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
@@ -67,7 +70,6 @@
exported2_radio_prop
exported2_system_prop
exported2_vold_prop
- exported3_default_prop
exported3_radio_prop
exported3_system_prop
fastbootd
@@ -109,6 +111,7 @@
llkd_exec
llkd_prop
llkd_tmpfs
+ lmkd_config_prop
looper_stats_service
lowpan_device
lowpan_prop
@@ -161,12 +164,15 @@
statscompanion_service
storaged_data_file
super_block_device
+ surfaceflinger_color_prop
+ surfaceflinger_prop
sysfs_fs_ext4_features
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
system_net_netd_hwservice
system_update_service
+ systemsound_config_prop
test_boot_reason_prop
thermal_service
thermalcallback_hwservice
@@ -203,10 +209,13 @@
vendor_shell
vendor_socket_hook_prop
vndk_prop
+ vold_config_prop
vold_metadata_file
+ vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
+ vold_status_prop
vrflinger_vsync_service
wait_for_keymaster
wait_for_keymaster_exec
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
index 30af58c..2e85b23 100644
--- a/private/compat/27.0/27.0.compat.cil
+++ b/private/compat/27.0/27.0.compat.cil
@@ -3,3 +3,9 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
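Review bot: The new `mlsvendorcompat` block carries no comment saying why domains that are both `appdomain` and `vendordomain` need these rules or when they can be retired, and the allow rules target `app_data_file` and `privapp_data_file` as whole types rather than a domain's own data, which a later maintainer could easily read as over-broad and either widen or drop without context. A header such as `;; mlsvendorcompat: app domains defined by vendor policy of this version (and appdomain vendordomain); the rules below preserve the app-data access they relied on — see <bug id>` (placeholder) would record the intent. `mlsvendorcompat` itself is not declared in this hunk, so it is presumably a typeattribute of the base policy; naming where it is declared and which MLS constraints refer to it would help. The identical block is repeated in the 28.0.compat.cil and 29.0.compat.cil hunks (and the tail at the top of this chunk looks like 26.0's), so the comment belongs in each copy.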
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index cb500c9..427f4d4 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -5,6 +5,8 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ aac_drc_prop
+ aaudio_config_prop
activity_task_service
adb_service
app_binding_service
@@ -17,18 +19,31 @@
apexd_prop
apexd_tmpfs
app_zygote
+ art_apex_dir
atrace
+ audio_config_prop
binder_calls_stats_service
biometric_service
blank_screen
blank_screen_exec
blank_screen_tmpfs
+ boot_status_prop
+ bootanim_system_prop
bootloader_boot_reason_prop
+ bootloader_prop
bluetooth_a2dp_offload_prop
bpfloader
bpfloader_exec
+ build_bootimage_prop
+ build_odm_prop
+ build_prop
+ build_vendor_prop
+ camera_calibration_prop
+ camera_config_prop
cgroup_bpf
+ charger_config_prop
charger_exec
+ charger_status_prop
color_display_service
content_capture_service
crossprofileapps_service
@@ -37,10 +52,13 @@
ctl_interface_start_prop
ctl_interface_stop_prop
ctl_sigstop_prop
+ dalvik_config_prop
+ dalvik_runtime_prop
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
dnsresolver_service
+ drm_service_config_prop
exfat
exported2_config_prop
exported2_default_prop
@@ -67,6 +85,8 @@
exported_vold_prop
exported_wifi_prop
fastbootd
+ ffs_config_prop
+ ffs_control_prop
flags_health_check
flags_health_check_exec
fingerprint_vendor_data_file
@@ -79,30 +99,39 @@
hal_confirmationui_hwservice
hal_evs_hwservice
hal_health_storage_hwservice
+ hal_instrumentation_prop
hal_lowpan_hwservice
hal_secure_element_hwservice
hal_usb_gadget_hwservice
hal_vehicle_hwservice
hal_wifi_hostapd_hwservice
+ hdmi_config_prop
heapprofd
heapprofd_exec
heapprofd_socket
incident_helper
incident_helper_exec
+ init_service_status_private_prop
+ init_service_status_prop
iorapd
iorapd_data_file
iorapd_exec
iorapd_service
iorapd_tmpfs
+ keyguard_config_prop
last_boot_reason_prop
+ libc_debug_prop
llkd
llkd_exec
llkd_prop
llkd_tmpfs
+ lmkd_config_prop
looper_stats_service
lowpan_device
lowpan_prop
lowpan_service
+ media_config_prop
+ mediadrm_config_prop
mediaextractor_update_service
mediaswcodec
mediaswcodec_exec
@@ -115,21 +144,28 @@
network_stack_service
network_watchlist_data_file
network_watchlist_service
+ oem_unlock_prop
overlayfs_file
+ packagemanager_config_prop
perfetto
perfetto_exec
perfetto_tmpfs
perfetto_traces_data_file
property_info
+ property_service_version_prop
+ provisioned_prop
+ radio_control_prop
+ recovery_config_prop
recovery_socket
+ retaildemo_prop
role_service
runas_app
- art_apex_dir
runtime_service
secure_element
secure_element_device
secure_element_service
secure_element_tmpfs
+ sendbug_config_prop
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
@@ -147,14 +183,21 @@
statsdw_socket
storaged_data_file
super_block_device
+ surfaceflinger_color_prop
+ surfaceflinger_prop
staging_data_file
+ storagemanager_config_prop
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
system_update_service
+ systemsound_config_prop
+ telephony_config_prop
+ telephony_status_prop
test_boot_reason_prop
time_prop
timedetector_service
+ tombstone_config_prop
tombstone_wifi_data_file
trace_data_file
traced
@@ -171,6 +214,8 @@
untrusted_app_all_devpts
update_engine_log_data_file
uri_grants_service
+ usb_config_prop
+ usb_control_prop
usbd
usbd_exec
usbd_tmpfs
@@ -181,20 +226,29 @@
vendor_shell
vendor_socket_hook_prop
vndk_prop
+ vold_config_prop
vold_metadata_file
+ vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
+ vold_status_prop
vrflinger_vsync_service
+ vts_config_prop
+ vts_status_prop
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
watchdogd_tmpfs
+ wifi_config_prop
+ wifi_hal_prop
wm_trace_data_file
wpantund
wpantund_exec
wpantund_service
- wpantund_tmpfs))
+ wpantund_tmpfs
+ zram_config_prop
+ zram_control_prop))
;; private_objects - a collection of types that were labeled differently in
;; older policy, but that should not remain accessible to vendor policy.
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 30af58c..2e85b23 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -3,3 +3,9 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d24d12d..e7ddf48 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -61,6 +61,7 @@
gpuservice
gsi_data_file
gsi_metadata_file
+ gsi_public_metadata_file
gsi_service
gsid
gsid_exec
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 5231498..0fb0a1c 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,5 +1,10 @@
;; types removed from current policy
(type ashmemd)
+(type exported_audio_prop)
+(type exported_dalvik_prop)
+(type exported_vold_prop)
+(type exported2_config_prop)
+(type exported2_vold_prop)
(type hal_wifi_offload_hwservice)
(type install_recovery)
(type install_recovery_exec)
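Review bot: The removed-types block gains only five `(type …)` declarations, yet the second hunk of this file still maps the 29_0 attributes onto `exported2_default_prop`, `exported2_radio_prop`, `exported2_system_prop`, `exported3_default_prop` and `exported3_radio_prop`, all of which the new 30.0.cil lists under "types removed from current policy" (its context lines also reference `exported_ffs_prop`, `exported_system_radio_prop` and `exported_wifi_prop`, which are on that list too). Unless those types are declared further down in 29.0.cil outside these hunks, a 29.0 vendor build would reference undeclared types, or else the 30.0.cil list overstates what was removed; either way the two files disagree. If the 30.0.cil list is right, this block should be extended to match it, e.g. `(type exported2_system_prop)` and `(type exported3_default_prop)` alongside the five added here.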
@@ -1195,20 +1200,26 @@
(typeattributeset ephemeral_app_29_0 (ephemeral_app))
(typeattributeset ethernet_service_29_0 (ethernet_service))
(typeattributeset exfat_29_0 (exfat))
-(typeattributeset exported2_config_prop_29_0 (exported2_config_prop))
+(typeattributeset exported2_config_prop_29_0 (exported2_config_prop systemsound_config_prop))
(typeattributeset exported2_default_prop_29_0 (exported2_default_prop))
(typeattributeset exported2_radio_prop_29_0 (exported2_radio_prop))
-(typeattributeset exported2_system_prop_29_0 (exported2_system_prop))
-(typeattributeset exported2_vold_prop_29_0 (exported2_vold_prop))
-(typeattributeset exported3_default_prop_29_0 (exported3_default_prop))
+(typeattributeset exported2_system_prop_29_0
+ ( exported2_system_prop
+ surfaceflinger_color_prop))
+(typeattributeset exported2_vold_prop_29_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
+(typeattributeset exported3_default_prop_29_0 (exported3_default_prop lmkd_config_prop))
(typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop))
-(typeattributeset exported3_system_prop_29_0 (exported3_system_prop))
-(typeattributeset exported_audio_prop_29_0 (exported_audio_prop))
+(typeattributeset exported3_system_prop_29_0 (exported3_system_prop boot_status_prop))
+(typeattributeset exported_audio_prop_29_0 (exported_audio_prop audio_config_prop))
(typeattributeset exported_bluetooth_prop_29_0 (exported_bluetooth_prop))
(typeattributeset exported_config_prop_29_0 (exported_config_prop))
-(typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop))
+(typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop dalvik_config_prop))
(typeattributeset exported_default_prop_29_0
( exported_default_prop
+ surfaceflinger_prop
vndk_prop))
(typeattributeset exported_dumpstate_prop_29_0 (exported_dumpstate_prop))
(typeattributeset exported_ffs_prop_29_0 (exported_ffs_prop))
@@ -1219,7 +1230,7 @@
(typeattributeset exported_secure_prop_29_0 (exported_secure_prop))
(typeattributeset exported_system_prop_29_0 (exported_system_prop))
(typeattributeset exported_system_radio_prop_29_0 (exported_system_radio_prop))
-(typeattributeset exported_vold_prop_29_0 (exported_vold_prop))
+(typeattributeset exported_vold_prop_29_0 (exported_vold_prop vold_status_prop))
(typeattributeset exported_wifi_prop_29_0 (exported_wifi_prop))
(typeattributeset external_vibrator_service_29_0 (external_vibrator_service))
(typeattributeset face_service_29_0 (face_service))
@@ -1906,7 +1917,9 @@
(typeattributeset vendor_keychars_file_29_0 (vendor_keychars_file))
(typeattributeset vendor_keylayout_file_29_0 (vendor_keylayout_file))
(typeattributeset vendor_overlay_file_29_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_29_0 (vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_29_0
+ ( vendor_public_framework_file
+ vendor_public_lib_file))
(typeattributeset vendor_security_patch_level_prop_29_0 (vendor_security_patch_level_prop))
(typeattributeset vendor_shell_29_0 (vendor_shell))
(typeattributeset vendor_shell_exec_29_0 (vendor_shell_exec))
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index af4da8a..ccd9d1a 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1,3 +1,9 @@
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index fdea691..1079046 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -38,7 +38,6 @@
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
- debugfs_kprobes
device_config_storage_native_boot_prop
device_config_sys_traced_prop
device_config_window_manager_native_boot_prop
@@ -50,6 +49,7 @@
fwk_automotive_display_hwservice
fusectlfs
gmscore_app
+ gnss_device
graphics_config_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
new file mode 100644
index 0000000..9f40876
--- /dev/null
+++ b/private/compat/30.0/30.0.cil
@@ -0,0 +1,2266 @@
+;; types removed from current policy
+(type cgroup_bpf)
+(type exported_audio_prop)
+(type exported_dalvik_prop)
+(type exported_ffs_prop)
+(type exported_fingerprint_prop)
+(type exported_system_radio_prop)
+(type exported_radio_prop)
+(type exported_vold_prop)
+(type exported_wifi_prop)
+(type exported2_config_prop)
+(type exported2_default_prop)
+(type exported2_radio_prop)
+(type exported2_system_prop)
+(type exported2_vold_prop)
+(type exported3_default_prop)
+(type exported3_radio_prop)
+(type ffs_prop)
+(type system_radio_prop)
+(type thermalcallback_hwservice)
+
+(typeattribute binder_in_vendor_violators)
+
+(expandtypeattribute (DockObserver_service_30_0) true)
+(expandtypeattribute (IProxyService_service_30_0) true)
+(expandtypeattribute (accessibility_service_30_0) true)
+(expandtypeattribute (account_service_30_0) true)
+(expandtypeattribute (activity_service_30_0) true)
+(expandtypeattribute (activity_task_service_30_0) true)
+(expandtypeattribute (adb_data_file_30_0) true)
+(expandtypeattribute (adb_keys_file_30_0) true)
+(expandtypeattribute (adb_service_30_0) true)
+(expandtypeattribute (adbd_30_0) true)
+(expandtypeattribute (adbd_exec_30_0) true)
+(expandtypeattribute (adbd_prop_30_0) true)
+(expandtypeattribute (adbd_socket_30_0) true)
+(expandtypeattribute (aidl_lazy_test_server_30_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_30_0) true)
+(expandtypeattribute (aidl_lazy_test_service_30_0) true)
+(expandtypeattribute (alarm_service_30_0) true)
+(expandtypeattribute (anr_data_file_30_0) true)
+(expandtypeattribute (apex_data_file_30_0) true)
+(expandtypeattribute (apex_metadata_file_30_0) true)
+(expandtypeattribute (apex_mnt_dir_30_0) true)
+(expandtypeattribute (apex_module_data_file_30_0) true)
+(expandtypeattribute (apex_permission_data_file_30_0) true)
+(expandtypeattribute (apex_rollback_data_file_30_0) true)
+(expandtypeattribute (apex_service_30_0) true)
+(expandtypeattribute (apex_wifi_data_file_30_0) true)
+(expandtypeattribute (apexd_30_0) true)
+(expandtypeattribute (apexd_exec_30_0) true)
+(expandtypeattribute (apexd_prop_30_0) true)
+(expandtypeattribute (apk_data_file_30_0) true)
+(expandtypeattribute (apk_private_data_file_30_0) true)
+(expandtypeattribute (apk_private_tmp_file_30_0) true)
+(expandtypeattribute (apk_tmp_file_30_0) true)
+(expandtypeattribute (apk_verity_prop_30_0) true)
+(expandtypeattribute (app_binding_service_30_0) true)
+(expandtypeattribute (app_data_file_30_0) true)
+(expandtypeattribute (app_fuse_file_30_0) true)
+(expandtypeattribute (app_fusefs_30_0) true)
+(expandtypeattribute (app_integrity_service_30_0) true)
+(expandtypeattribute (app_prediction_service_30_0) true)
+(expandtypeattribute (app_search_service_30_0) true)
+(expandtypeattribute (app_zygote_30_0) true)
+(expandtypeattribute (app_zygote_tmpfs_30_0) true)
+(expandtypeattribute (appdomain_tmpfs_30_0) true)
+(expandtypeattribute (appops_service_30_0) true)
+(expandtypeattribute (appwidget_service_30_0) true)
+(expandtypeattribute (art_apex_dir_30_0) true)
+(expandtypeattribute (asec_apk_file_30_0) true)
+(expandtypeattribute (asec_image_file_30_0) true)
+(expandtypeattribute (asec_public_file_30_0) true)
+(expandtypeattribute (ashmem_device_30_0) true)
+(expandtypeattribute (ashmem_libcutils_device_30_0) true)
+(expandtypeattribute (assetatlas_service_30_0) true)
+(expandtypeattribute (audio_data_file_30_0) true)
+(expandtypeattribute (audio_device_30_0) true)
+(expandtypeattribute (audio_prop_30_0) true)
+(expandtypeattribute (audio_service_30_0) true)
+(expandtypeattribute (audiohal_data_file_30_0) true)
+(expandtypeattribute (audioserver_30_0) true)
+(expandtypeattribute (audioserver_data_file_30_0) true)
+(expandtypeattribute (audioserver_service_30_0) true)
+(expandtypeattribute (audioserver_tmpfs_30_0) true)
+(expandtypeattribute (auth_service_30_0) true)
+(expandtypeattribute (autofill_service_30_0) true)
+(expandtypeattribute (backup_data_file_30_0) true)
+(expandtypeattribute (backup_service_30_0) true)
+(expandtypeattribute (battery_service_30_0) true)
+(expandtypeattribute (batteryproperties_service_30_0) true)
+(expandtypeattribute (batterystats_service_30_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_30_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_30_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_30_0) true)
+(expandtypeattribute (binder_calls_stats_service_30_0) true)
+(expandtypeattribute (binder_device_30_0) true)
+(expandtypeattribute (binderfs_30_0) true)
+(expandtypeattribute (binderfs_logs_30_0) true)
+(expandtypeattribute (binderfs_logs_proc_30_0) true)
+(expandtypeattribute (binfmt_miscfs_30_0) true)
+(expandtypeattribute (biometric_service_30_0) true)
+(expandtypeattribute (blkid_30_0) true)
+(expandtypeattribute (blkid_untrusted_30_0) true)
+(expandtypeattribute (blob_store_service_30_0) true)
+(expandtypeattribute (block_device_30_0) true)
+(expandtypeattribute (bluetooth_30_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_30_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_30_0) true)
+(expandtypeattribute (bluetooth_data_file_30_0) true)
+(expandtypeattribute (bluetooth_efs_file_30_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_30_0) true)
+(expandtypeattribute (bluetooth_manager_service_30_0) true)
+(expandtypeattribute (bluetooth_prop_30_0) true)
+(expandtypeattribute (bluetooth_service_30_0) true)
+(expandtypeattribute (bluetooth_socket_30_0) true)
+(expandtypeattribute (boot_block_device_30_0) true)
+(expandtypeattribute (bootanim_30_0) true)
+(expandtypeattribute (bootanim_exec_30_0) true)
+(expandtypeattribute (bootchart_data_file_30_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_30_0) true)
+(expandtypeattribute (bootstat_30_0) true)
+(expandtypeattribute (bootstat_data_file_30_0) true)
+(expandtypeattribute (bootstat_exec_30_0) true)
+(expandtypeattribute (boottime_prop_30_0) true)
+(expandtypeattribute (boottime_public_prop_30_0) true)
+(expandtypeattribute (boottrace_data_file_30_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_30_0) true)
+(expandtypeattribute (bq_config_prop_30_0) true)
+(expandtypeattribute (broadcastradio_service_30_0) true)
+(expandtypeattribute (bufferhubd_30_0) true)
+(expandtypeattribute (bufferhubd_exec_30_0) true)
+(expandtypeattribute (bugreport_service_30_0) true)
+(expandtypeattribute (cache_backup_file_30_0) true)
+(expandtypeattribute (cache_block_device_30_0) true)
+(expandtypeattribute (cache_file_30_0) true)
+(expandtypeattribute (cache_private_backup_file_30_0) true)
+(expandtypeattribute (cache_recovery_file_30_0) true)
+(expandtypeattribute (camera_data_file_30_0) true)
+(expandtypeattribute (camera_device_30_0) true)
+(expandtypeattribute (cameraproxy_service_30_0) true)
+(expandtypeattribute (cameraserver_30_0) true)
+(expandtypeattribute (cameraserver_exec_30_0) true)
+(expandtypeattribute (cameraserver_service_30_0) true)
+(expandtypeattribute (cameraserver_tmpfs_30_0) true)
+(expandtypeattribute (cgroup_30_0) true)
+(expandtypeattribute (cgroup_bpf_30_0) true)
+(expandtypeattribute (cgroup_desc_file_30_0) true)
+(expandtypeattribute (cgroup_rc_file_30_0) true)
+(expandtypeattribute (charger_30_0) true)
+(expandtypeattribute (charger_exec_30_0) true)
+(expandtypeattribute (charger_prop_30_0) true)
+(expandtypeattribute (clipboard_service_30_0) true)
+(expandtypeattribute (cold_boot_done_prop_30_0) true)
+(expandtypeattribute (color_display_service_30_0) true)
+(expandtypeattribute (companion_device_service_30_0) true)
+(expandtypeattribute (config_prop_30_0) true)
+(expandtypeattribute (configfs_30_0) true)
+(expandtypeattribute (connectivity_service_30_0) true)
+(expandtypeattribute (connmetrics_service_30_0) true)
+(expandtypeattribute (console_device_30_0) true)
+(expandtypeattribute (consumer_ir_service_30_0) true)
+(expandtypeattribute (content_capture_service_30_0) true)
+(expandtypeattribute (content_service_30_0) true)
+(expandtypeattribute (content_suggestions_service_30_0) true)
+(expandtypeattribute (contexthub_service_30_0) true)
+(expandtypeattribute (coredump_file_30_0) true)
+(expandtypeattribute (country_detector_service_30_0) true)
+(expandtypeattribute (coverage_service_30_0) true)
+(expandtypeattribute (cppreopt_prop_30_0) true)
+(expandtypeattribute (cpu_variant_prop_30_0) true)
+(expandtypeattribute (cpuinfo_service_30_0) true)
+(expandtypeattribute (crash_dump_30_0) true)
+(expandtypeattribute (crash_dump_exec_30_0) true)
+(expandtypeattribute (credstore_30_0) true)
+(expandtypeattribute (credstore_data_file_30_0) true)
+(expandtypeattribute (credstore_exec_30_0) true)
+(expandtypeattribute (credstore_service_30_0) true)
+(expandtypeattribute (crossprofileapps_service_30_0) true)
+(expandtypeattribute (ctl_adbd_prop_30_0) true)
+(expandtypeattribute (ctl_apexd_prop_30_0) true)
+(expandtypeattribute (ctl_bootanim_prop_30_0) true)
+(expandtypeattribute (ctl_bugreport_prop_30_0) true)
+(expandtypeattribute (ctl_console_prop_30_0) true)
+(expandtypeattribute (ctl_default_prop_30_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_30_0) true)
+(expandtypeattribute (ctl_fuse_prop_30_0) true)
+(expandtypeattribute (ctl_gsid_prop_30_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_30_0) true)
+(expandtypeattribute (ctl_interface_start_prop_30_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_30_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_30_0) true)
+(expandtypeattribute (ctl_restart_prop_30_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_30_0) true)
+(expandtypeattribute (ctl_sigstop_prop_30_0) true)
+(expandtypeattribute (ctl_start_prop_30_0) true)
+(expandtypeattribute (ctl_stop_prop_30_0) true)
+(expandtypeattribute (dalvik_prop_30_0) true)
+(expandtypeattribute (dalvikcache_data_file_30_0) true)
+(expandtypeattribute (dataloader_manager_service_30_0) true)
+(expandtypeattribute (dbinfo_service_30_0) true)
+(expandtypeattribute (debug_prop_30_0) true)
+(expandtypeattribute (debugfs_30_0) true)
+(expandtypeattribute (debugfs_mmc_30_0) true)
+(expandtypeattribute (debugfs_trace_marker_30_0) true)
+(expandtypeattribute (debugfs_tracing_30_0) true)
+(expandtypeattribute (debugfs_tracing_debug_30_0) true)
+(expandtypeattribute (debugfs_tracing_instances_30_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_30_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_30_0) true)
+(expandtypeattribute (debuggerd_prop_30_0) true)
+(expandtypeattribute (default_android_hwservice_30_0) true)
+(expandtypeattribute (default_android_service_30_0) true)
+(expandtypeattribute (default_android_vndservice_30_0) true)
+(expandtypeattribute (default_prop_30_0) true)
+(expandtypeattribute (dev_cpu_variant_30_0) true)
+(expandtypeattribute (device_30_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_30_0) true)
+(expandtypeattribute (device_config_boot_count_prop_30_0) true)
+(expandtypeattribute (device_config_configuration_prop_30_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_30_0) true)
+(expandtypeattribute (device_config_media_native_prop_30_0) true)
+(expandtypeattribute (device_config_netd_native_prop_30_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_30_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_30_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_30_0) true)
+(expandtypeattribute (device_config_service_30_0) true)
+(expandtypeattribute (device_config_storage_native_boot_prop_30_0) true)
+(expandtypeattribute (device_config_sys_traced_prop_30_0) true)
+(expandtypeattribute (device_config_window_manager_native_boot_prop_30_0) true)
+(expandtypeattribute (device_identifiers_service_30_0) true)
+(expandtypeattribute (device_logging_prop_30_0) true)
+(expandtypeattribute (device_policy_service_30_0) true)
+(expandtypeattribute (deviceidle_service_30_0) true)
+(expandtypeattribute (devicestoragemonitor_service_30_0) true)
+(expandtypeattribute (devpts_30_0) true)
+(expandtypeattribute (dhcp_30_0) true)
+(expandtypeattribute (dhcp_data_file_30_0) true)
+(expandtypeattribute (dhcp_exec_30_0) true)
+(expandtypeattribute (dhcp_prop_30_0) true)
+(expandtypeattribute (diskstats_service_30_0) true)
+(expandtypeattribute (display_service_30_0) true)
+(expandtypeattribute (dm_device_30_0) true)
+(expandtypeattribute (dnsmasq_30_0) true)
+(expandtypeattribute (dnsmasq_exec_30_0) true)
+(expandtypeattribute (dnsproxyd_socket_30_0) true)
+(expandtypeattribute (dnsresolver_service_30_0) true)
+(expandtypeattribute (dreams_service_30_0) true)
+(expandtypeattribute (drm_data_file_30_0) true)
+(expandtypeattribute (drmserver_30_0) true)
+(expandtypeattribute (drmserver_exec_30_0) true)
+(expandtypeattribute (drmserver_service_30_0) true)
+(expandtypeattribute (drmserver_socket_30_0) true)
+(expandtypeattribute (dropbox_data_file_30_0) true)
+(expandtypeattribute (dropbox_service_30_0) true)
+(expandtypeattribute (dumpstate_30_0) true)
+(expandtypeattribute (dumpstate_exec_30_0) true)
+(expandtypeattribute (dumpstate_options_prop_30_0) true)
+(expandtypeattribute (dumpstate_prop_30_0) true)
+(expandtypeattribute (dumpstate_service_30_0) true)
+(expandtypeattribute (dumpstate_socket_30_0) true)
+(expandtypeattribute (dynamic_system_prop_30_0) true)
+(expandtypeattribute (e2fs_30_0) true)
+(expandtypeattribute (e2fs_exec_30_0) true)
+(expandtypeattribute (efs_file_30_0) true)
+(expandtypeattribute (emergency_affordance_service_30_0) true)
+(expandtypeattribute (ephemeral_app_30_0) true)
+(expandtypeattribute (ethernet_service_30_0) true)
+(expandtypeattribute (exfat_30_0) true)
+(expandtypeattribute (exported2_config_prop_30_0) true)
+(expandtypeattribute (exported2_default_prop_30_0) true)
+(expandtypeattribute (exported2_radio_prop_30_0) true)
+(expandtypeattribute (exported2_system_prop_30_0) true)
+(expandtypeattribute (exported2_vold_prop_30_0) true)
+(expandtypeattribute (exported3_default_prop_30_0) true)
+(expandtypeattribute (exported3_radio_prop_30_0) true)
+(expandtypeattribute (exported3_system_prop_30_0) true)
+(expandtypeattribute (exported_audio_prop_30_0) true)
+(expandtypeattribute (exported_bluetooth_prop_30_0) true)
+(expandtypeattribute (exported_camera_prop_30_0) true)
+(expandtypeattribute (exported_config_prop_30_0) true)
+(expandtypeattribute (exported_dalvik_prop_30_0) true)
+(expandtypeattribute (exported_default_prop_30_0) true)
+(expandtypeattribute (exported_dumpstate_prop_30_0) true)
+(expandtypeattribute (exported_ffs_prop_30_0) true)
+(expandtypeattribute (exported_fingerprint_prop_30_0) true)
+(expandtypeattribute (exported_overlay_prop_30_0) true)
+(expandtypeattribute (exported_pm_prop_30_0) true)
+(expandtypeattribute (exported_radio_prop_30_0) true)
+(expandtypeattribute (exported_secure_prop_30_0) true)
+(expandtypeattribute (exported_system_prop_30_0) true)
+(expandtypeattribute (exported_system_radio_prop_30_0) true)
+(expandtypeattribute (exported_vold_prop_30_0) true)
+(expandtypeattribute (exported_wifi_prop_30_0) true)
+(expandtypeattribute (external_vibrator_service_30_0) true)
+(expandtypeattribute (face_service_30_0) true)
+(expandtypeattribute (face_vendor_data_file_30_0) true)
+(expandtypeattribute (fastbootd_30_0) true)
+(expandtypeattribute (ffs_prop_30_0) true)
+(expandtypeattribute (file_contexts_file_30_0) true)
+(expandtypeattribute (file_integrity_service_30_0) true)
+(expandtypeattribute (fingerprint_service_30_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_30_0) true)
+(expandtypeattribute (fingerprintd_30_0) true)
+(expandtypeattribute (fingerprintd_data_file_30_0) true)
+(expandtypeattribute (fingerprintd_exec_30_0) true)
+(expandtypeattribute (fingerprintd_service_30_0) true)
+(expandtypeattribute (firstboot_prop_30_0) true)
+(expandtypeattribute (flags_health_check_30_0) true)
+(expandtypeattribute (flags_health_check_exec_30_0) true)
+(expandtypeattribute (font_service_30_0) true)
+(expandtypeattribute (frp_block_device_30_0) true)
+(expandtypeattribute (fs_bpf_30_0) true)
+(expandtypeattribute (fsck_30_0) true)
+(expandtypeattribute (fsck_exec_30_0) true)
+(expandtypeattribute (fsck_untrusted_30_0) true)
+(expandtypeattribute (fscklogs_30_0) true)
+(expandtypeattribute (functionfs_30_0) true)
+(expandtypeattribute (fuse_30_0) true)
+(expandtypeattribute (fuse_device_30_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_30_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_30_0) true)
+(expandtypeattribute (fwk_camera_hwservice_30_0) true)
+(expandtypeattribute (fwk_display_hwservice_30_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_30_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_30_0) true)
+(expandtypeattribute (fwk_stats_hwservice_30_0) true)
+(expandtypeattribute (fwmarkd_socket_30_0) true)
+(expandtypeattribute (gatekeeper_data_file_30_0) true)
+(expandtypeattribute (gatekeeper_service_30_0) true)
+(expandtypeattribute (gatekeeperd_30_0) true)
+(expandtypeattribute (gatekeeperd_exec_30_0) true)
+(expandtypeattribute (gfxinfo_service_30_0) true)
+(expandtypeattribute (gmscore_app_30_0) true)
+(expandtypeattribute (gps_control_30_0) true)
+(expandtypeattribute (gpu_device_30_0) true)
+(expandtypeattribute (gpu_service_30_0) true)
+(expandtypeattribute (gpuservice_30_0) true)
+(expandtypeattribute (graphics_device_30_0) true)
+(expandtypeattribute (graphicsstats_service_30_0) true)
+(expandtypeattribute (gsi_data_file_30_0) true)
+(expandtypeattribute (gsi_metadata_file_30_0) true)
+(expandtypeattribute (gsid_prop_30_0) true)
+(expandtypeattribute (hal_atrace_hwservice_30_0) true)
+(expandtypeattribute (hal_audio_hwservice_30_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_30_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_30_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_30_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_30_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_30_0) true)
+(expandtypeattribute (hal_camera_hwservice_30_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_30_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_30_0) true)
+(expandtypeattribute (hal_cas_hwservice_30_0) true)
+(expandtypeattribute (hal_codec2_hwservice_30_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_30_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_30_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_30_0) true)
+(expandtypeattribute (hal_drm_hwservice_30_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_30_0) true)
+(expandtypeattribute (hal_evs_hwservice_30_0) true)
+(expandtypeattribute (hal_face_hwservice_30_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_30_0) true)
+(expandtypeattribute (hal_fingerprint_service_30_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_30_0) true)
+(expandtypeattribute (hal_gnss_hwservice_30_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_30_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_30_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_30_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_30_0) true)
+(expandtypeattribute (hal_health_hwservice_30_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_30_0) true)
+(expandtypeattribute (hal_identity_service_30_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_30_0) true)
+(expandtypeattribute (hal_ir_hwservice_30_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_30_0) true)
+(expandtypeattribute (hal_light_hwservice_30_0) true)
+(expandtypeattribute (hal_light_service_30_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_30_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_30_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_30_0) true)
+(expandtypeattribute (hal_nfc_hwservice_30_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_30_0) true)
+(expandtypeattribute (hal_omx_hwservice_30_0) true)
+(expandtypeattribute (hal_power_hwservice_30_0) true)
+(expandtypeattribute (hal_power_service_30_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_30_0) true)
+(expandtypeattribute (hal_rebootescrow_service_30_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_30_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_30_0) true)
+(expandtypeattribute (hal_sensors_hwservice_30_0) true)
+(expandtypeattribute (hal_telephony_hwservice_30_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_30_0) true)
+(expandtypeattribute (hal_thermal_hwservice_30_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_30_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_30_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_30_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_30_0) true)
+(expandtypeattribute (hal_usb_hwservice_30_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_30_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_30_0) true)
+(expandtypeattribute (hal_vibrator_service_30_0) true)
+(expandtypeattribute (hal_vr_hwservice_30_0) true)
+(expandtypeattribute (hal_weaver_hwservice_30_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_30_0) true)
+(expandtypeattribute (hal_wifi_hwservice_30_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_30_0) true)
+(expandtypeattribute (hardware_properties_service_30_0) true)
+(expandtypeattribute (hardware_service_30_0) true)
+(expandtypeattribute (hci_attach_dev_30_0) true)
+(expandtypeattribute (hdmi_control_service_30_0) true)
+(expandtypeattribute (healthd_30_0) true)
+(expandtypeattribute (healthd_exec_30_0) true)
+(expandtypeattribute (heapdump_data_file_30_0) true)
+(expandtypeattribute (heapprofd_30_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_30_0) true)
+(expandtypeattribute (heapprofd_prop_30_0) true)
+(expandtypeattribute (heapprofd_socket_30_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_30_0) true)
+(expandtypeattribute (hidl_base_hwservice_30_0) true)
+(expandtypeattribute (hidl_manager_hwservice_30_0) true)
+(expandtypeattribute (hidl_memory_hwservice_30_0) true)
+(expandtypeattribute (hidl_token_hwservice_30_0) true)
+(expandtypeattribute (hw_random_device_30_0) true)
+(expandtypeattribute (hwbinder_device_30_0) true)
+(expandtypeattribute (hwservice_contexts_file_30_0) true)
+(expandtypeattribute (hwservicemanager_30_0) true)
+(expandtypeattribute (hwservicemanager_exec_30_0) true)
+(expandtypeattribute (hwservicemanager_prop_30_0) true)
+(expandtypeattribute (icon_file_30_0) true)
+(expandtypeattribute (idmap_30_0) true)
+(expandtypeattribute (idmap_exec_30_0) true)
+(expandtypeattribute (idmap_service_30_0) true)
+(expandtypeattribute (iio_device_30_0) true)
+(expandtypeattribute (imms_service_30_0) true)
+(expandtypeattribute (incident_30_0) true)
+(expandtypeattribute (incident_data_file_30_0) true)
+(expandtypeattribute (incident_helper_30_0) true)
+(expandtypeattribute (incident_service_30_0) true)
+(expandtypeattribute (incidentd_30_0) true)
+(expandtypeattribute (incremental_control_file_30_0) true)
+(expandtypeattribute (incremental_prop_30_0) true)
+(expandtypeattribute (incremental_service_30_0) true)
+(expandtypeattribute (init_30_0) true)
+(expandtypeattribute (init_exec_30_0) true)
+(expandtypeattribute (init_perf_lsm_hooks_prop_30_0) true)
+(expandtypeattribute (init_svc_debug_prop_30_0) true)
+(expandtypeattribute (init_tmpfs_30_0) true)
+(expandtypeattribute (inotify_30_0) true)
+(expandtypeattribute (input_device_30_0) true)
+(expandtypeattribute (input_method_service_30_0) true)
+(expandtypeattribute (input_service_30_0) true)
+(expandtypeattribute (inputflinger_30_0) true)
+(expandtypeattribute (inputflinger_exec_30_0) true)
+(expandtypeattribute (inputflinger_service_30_0) true)
+(expandtypeattribute (install_data_file_30_0) true)
+(expandtypeattribute (installd_30_0) true)
+(expandtypeattribute (installd_exec_30_0) true)
+(expandtypeattribute (installd_service_30_0) true)
+(expandtypeattribute (ion_device_30_0) true)
+(expandtypeattribute (iorap_inode2filename_30_0) true)
+(expandtypeattribute (iorap_inode2filename_exec_30_0) true)
+(expandtypeattribute (iorap_inode2filename_tmpfs_30_0) true)
+(expandtypeattribute (iorap_prefetcherd_30_0) true)
+(expandtypeattribute (iorap_prefetcherd_exec_30_0) true)
+(expandtypeattribute (iorap_prefetcherd_tmpfs_30_0) true)
+(expandtypeattribute (iorapd_30_0) true)
+(expandtypeattribute (iorapd_data_file_30_0) true)
+(expandtypeattribute (iorapd_exec_30_0) true)
+(expandtypeattribute (iorapd_service_30_0) true)
+(expandtypeattribute (iorapd_tmpfs_30_0) true)
+(expandtypeattribute (ipsec_service_30_0) true)
+(expandtypeattribute (iris_service_30_0) true)
+(expandtypeattribute (iris_vendor_data_file_30_0) true)
+(expandtypeattribute (isolated_app_30_0) true)
+(expandtypeattribute (jobscheduler_service_30_0) true)
+(expandtypeattribute (kernel_30_0) true)
+(expandtypeattribute (keychain_data_file_30_0) true)
+(expandtypeattribute (keychord_device_30_0) true)
+(expandtypeattribute (keystore_30_0) true)
+(expandtypeattribute (keystore_data_file_30_0) true)
+(expandtypeattribute (keystore_exec_30_0) true)
+(expandtypeattribute (keystore_service_30_0) true)
+(expandtypeattribute (kmsg_debug_device_30_0) true)
+(expandtypeattribute (kmsg_device_30_0) true)
+(expandtypeattribute (labeledfs_30_0) true)
+(expandtypeattribute (last_boot_reason_prop_30_0) true)
+(expandtypeattribute (launcherapps_service_30_0) true)
+(expandtypeattribute (light_service_30_0) true)
+(expandtypeattribute (linkerconfig_file_30_0) true)
+(expandtypeattribute (llkd_30_0) true)
+(expandtypeattribute (llkd_exec_30_0) true)
+(expandtypeattribute (llkd_prop_30_0) true)
+(expandtypeattribute (lmkd_30_0) true)
+(expandtypeattribute (lmkd_exec_30_0) true)
+(expandtypeattribute (lmkd_prop_30_0) true)
+(expandtypeattribute (lmkd_socket_30_0) true)
+(expandtypeattribute (location_service_30_0) true)
+(expandtypeattribute (lock_settings_service_30_0) true)
+(expandtypeattribute (log_prop_30_0) true)
+(expandtypeattribute (log_tag_prop_30_0) true)
+(expandtypeattribute (logcat_exec_30_0) true)
+(expandtypeattribute (logd_30_0) true)
+(expandtypeattribute (logd_exec_30_0) true)
+(expandtypeattribute (logd_prop_30_0) true)
+(expandtypeattribute (logd_socket_30_0) true)
+(expandtypeattribute (logdr_socket_30_0) true)
+(expandtypeattribute (logdw_socket_30_0) true)
+(expandtypeattribute (logpersist_30_0) true)
+(expandtypeattribute (logpersistd_logging_prop_30_0) true)
+(expandtypeattribute (loop_control_device_30_0) true)
+(expandtypeattribute (loop_device_30_0) true)
+(expandtypeattribute (looper_stats_service_30_0) true)
+(expandtypeattribute (lowpan_device_30_0) true)
+(expandtypeattribute (lowpan_prop_30_0) true)
+(expandtypeattribute (lowpan_service_30_0) true)
+(expandtypeattribute (lpdump_service_30_0) true)
+(expandtypeattribute (lpdumpd_prop_30_0) true)
+(expandtypeattribute (mac_perms_file_30_0) true)
+(expandtypeattribute (mdns_socket_30_0) true)
+(expandtypeattribute (mdnsd_30_0) true)
+(expandtypeattribute (mdnsd_socket_30_0) true)
+(expandtypeattribute (media_data_file_30_0) true)
+(expandtypeattribute (media_projection_service_30_0) true)
+(expandtypeattribute (media_router_service_30_0) true)
+(expandtypeattribute (media_rw_data_file_30_0) true)
+(expandtypeattribute (media_session_service_30_0) true)
+(expandtypeattribute (media_variant_prop_30_0) true)
+(expandtypeattribute (mediadrmserver_30_0) true)
+(expandtypeattribute (mediadrmserver_exec_30_0) true)
+(expandtypeattribute (mediadrmserver_service_30_0) true)
+(expandtypeattribute (mediaextractor_30_0) true)
+(expandtypeattribute (mediaextractor_exec_30_0) true)
+(expandtypeattribute (mediaextractor_service_30_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_30_0) true)
+(expandtypeattribute (mediametrics_30_0) true)
+(expandtypeattribute (mediametrics_exec_30_0) true)
+(expandtypeattribute (mediametrics_service_30_0) true)
+(expandtypeattribute (mediaprovider_30_0) true)
+(expandtypeattribute (mediaserver_30_0) true)
+(expandtypeattribute (mediaserver_exec_30_0) true)
+(expandtypeattribute (mediaserver_service_30_0) true)
+(expandtypeattribute (mediaserver_tmpfs_30_0) true)
+(expandtypeattribute (mediaswcodec_30_0) true)
+(expandtypeattribute (mediaswcodec_exec_30_0) true)
+(expandtypeattribute (mediatranscoding_30_0) true)
+(expandtypeattribute (mediatranscoding_exec_30_0) true)
+(expandtypeattribute (mediatranscoding_service_30_0) true)
+(expandtypeattribute (meminfo_service_30_0) true)
+(expandtypeattribute (metadata_block_device_30_0) true)
+(expandtypeattribute (metadata_bootstat_file_30_0) true)
+(expandtypeattribute (metadata_file_30_0) true)
+(expandtypeattribute (method_trace_data_file_30_0) true)
+(expandtypeattribute (midi_service_30_0) true)
+(expandtypeattribute (mirror_data_file_30_0) true)
+(expandtypeattribute (misc_block_device_30_0) true)
+(expandtypeattribute (misc_logd_file_30_0) true)
+(expandtypeattribute (misc_user_data_file_30_0) true)
+(expandtypeattribute (mmc_prop_30_0) true)
+(expandtypeattribute (mnt_expand_file_30_0) true)
+(expandtypeattribute (mnt_media_rw_file_30_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_30_0) true)
+(expandtypeattribute (mnt_pass_through_file_30_0) true)
+(expandtypeattribute (mnt_product_file_30_0) true)
+(expandtypeattribute (mnt_sdcard_file_30_0) true)
+(expandtypeattribute (mnt_user_file_30_0) true)
+(expandtypeattribute (mnt_vendor_file_30_0) true)
+(expandtypeattribute (mock_ota_prop_30_0) true)
+(expandtypeattribute (modprobe_30_0) true)
+(expandtypeattribute (module_sdkextensions_prop_30_0) true)
+(expandtypeattribute (mount_service_30_0) true)
+(expandtypeattribute (mqueue_30_0) true)
+(expandtypeattribute (mtp_30_0) true)
+(expandtypeattribute (mtp_device_30_0) true)
+(expandtypeattribute (mtp_exec_30_0) true)
+(expandtypeattribute (mtpd_socket_30_0) true)
+(expandtypeattribute (nativetest_data_file_30_0) true)
+(expandtypeattribute (net_data_file_30_0) true)
+(expandtypeattribute (net_dns_prop_30_0) true)
+(expandtypeattribute (net_radio_prop_30_0) true)
+(expandtypeattribute (netd_30_0) true)
+(expandtypeattribute (netd_exec_30_0) true)
+(expandtypeattribute (netd_listener_service_30_0) true)
+(expandtypeattribute (netd_service_30_0) true)
+(expandtypeattribute (netd_stable_secret_prop_30_0) true)
+(expandtypeattribute (netif_30_0) true)
+(expandtypeattribute (netpolicy_service_30_0) true)
+(expandtypeattribute (netstats_service_30_0) true)
+(expandtypeattribute (netutils_wrapper_30_0) true)
+(expandtypeattribute (netutils_wrapper_exec_30_0) true)
+(expandtypeattribute (network_management_service_30_0) true)
+(expandtypeattribute (network_score_service_30_0) true)
+(expandtypeattribute (network_stack_30_0) true)
+(expandtypeattribute (network_stack_service_30_0) true)
+(expandtypeattribute (network_time_update_service_30_0) true)
+(expandtypeattribute (network_watchlist_data_file_30_0) true)
+(expandtypeattribute (network_watchlist_service_30_0) true)
+(expandtypeattribute (nfc_30_0) true)
+(expandtypeattribute (nfc_data_file_30_0) true)
+(expandtypeattribute (nfc_device_30_0) true)
+(expandtypeattribute (nfc_prop_30_0) true)
+(expandtypeattribute (nfc_service_30_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_30_0) true)
+(expandtypeattribute (node_30_0) true)
+(expandtypeattribute (nonplat_service_contexts_file_30_0) true)
+(expandtypeattribute (notification_service_30_0) true)
+(expandtypeattribute (null_device_30_0) true)
+(expandtypeattribute (oem_lock_service_30_0) true)
+(expandtypeattribute (oemfs_30_0) true)
+(expandtypeattribute (ota_data_file_30_0) true)
+(expandtypeattribute (ota_metadata_file_30_0) true)
+(expandtypeattribute (ota_package_file_30_0) true)
+(expandtypeattribute (ota_prop_30_0) true)
+(expandtypeattribute (otadexopt_service_30_0) true)
+(expandtypeattribute (overlay_prop_30_0) true)
+(expandtypeattribute (overlay_service_30_0) true)
+(expandtypeattribute (overlayfs_file_30_0) true)
+(expandtypeattribute (owntty_device_30_0) true)
+(expandtypeattribute (package_native_service_30_0) true)
+(expandtypeattribute (package_service_30_0) true)
+(expandtypeattribute (packages_list_file_30_0) true)
+(expandtypeattribute (pan_result_prop_30_0) true)
+(expandtypeattribute (password_slot_metadata_file_30_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_30_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_30_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_30_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_display_dir_30_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_30_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_30_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_30_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_30_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_30_0) true)
+(expandtypeattribute (pdx_performance_dir_30_0) true)
+(expandtypeattribute (perfetto_30_0) true)
+(expandtypeattribute (performanced_30_0) true)
+(expandtypeattribute (performanced_exec_30_0) true)
+(expandtypeattribute (permission_service_30_0) true)
+(expandtypeattribute (permissionmgr_service_30_0) true)
+(expandtypeattribute (persist_debug_prop_30_0) true)
+(expandtypeattribute (persistent_data_block_service_30_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_30_0) true)
+(expandtypeattribute (pinner_service_30_0) true)
+(expandtypeattribute (pipefs_30_0) true)
+(expandtypeattribute (platform_app_30_0) true)
+(expandtypeattribute (platform_compat_service_30_0) true)
+(expandtypeattribute (pm_prop_30_0) true)
+(expandtypeattribute (pmsg_device_30_0) true)
+(expandtypeattribute (port_30_0) true)
+(expandtypeattribute (port_device_30_0) true)
+(expandtypeattribute (postinstall_30_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_30_0) true)
+(expandtypeattribute (postinstall_file_30_0) true)
+(expandtypeattribute (postinstall_mnt_dir_30_0) true)
+(expandtypeattribute (power_service_30_0) true)
+(expandtypeattribute (powerctl_prop_30_0) true)
+(expandtypeattribute (ppp_30_0) true)
+(expandtypeattribute (ppp_device_30_0) true)
+(expandtypeattribute (ppp_exec_30_0) true)
+(expandtypeattribute (preloads_data_file_30_0) true)
+(expandtypeattribute (preloads_media_file_30_0) true)
+(expandtypeattribute (prereboot_data_file_30_0) true)
+(expandtypeattribute (print_service_30_0) true)
+(expandtypeattribute (priv_app_30_0) true)
+(expandtypeattribute (privapp_data_file_30_0) true)
+(expandtypeattribute (proc_30_0) true)
+(expandtypeattribute (proc_abi_30_0) true)
+(expandtypeattribute (proc_asound_30_0) true)
+(expandtypeattribute (proc_bluetooth_writable_30_0) true)
+(expandtypeattribute (proc_buddyinfo_30_0) true)
+(expandtypeattribute (proc_cmdline_30_0) true)
+(expandtypeattribute (proc_cpuinfo_30_0) true)
+(expandtypeattribute (proc_dirty_30_0) true)
+(expandtypeattribute (proc_diskstats_30_0) true)
+(expandtypeattribute (proc_drop_caches_30_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_30_0) true)
+(expandtypeattribute (proc_filesystems_30_0) true)
+(expandtypeattribute (proc_fs_verity_30_0) true)
+(expandtypeattribute (proc_hostname_30_0) true)
+(expandtypeattribute (proc_hung_task_30_0) true)
+(expandtypeattribute (proc_interrupts_30_0) true)
+(expandtypeattribute (proc_iomem_30_0) true)
+(expandtypeattribute (proc_keys_30_0) true)
+(expandtypeattribute (proc_kmsg_30_0) true)
+(expandtypeattribute (proc_kpageflags_30_0) true)
+(expandtypeattribute (proc_loadavg_30_0) true)
+(expandtypeattribute (proc_lowmemorykiller_30_0) true)
+(expandtypeattribute (proc_max_map_count_30_0) true)
+(expandtypeattribute (proc_meminfo_30_0) true)
+(expandtypeattribute (proc_min_free_order_shift_30_0) true)
+(expandtypeattribute (proc_misc_30_0) true)
+(expandtypeattribute (proc_modules_30_0) true)
+(expandtypeattribute (proc_mounts_30_0) true)
+(expandtypeattribute (proc_net_30_0) true)
+(expandtypeattribute (proc_net_tcp_udp_30_0) true)
+(expandtypeattribute (proc_overcommit_memory_30_0) true)
+(expandtypeattribute (proc_page_cluster_30_0) true)
+(expandtypeattribute (proc_pagetypeinfo_30_0) true)
+(expandtypeattribute (proc_panic_30_0) true)
+(expandtypeattribute (proc_perf_30_0) true)
+(expandtypeattribute (proc_pid_max_30_0) true)
+(expandtypeattribute (proc_pipe_conf_30_0) true)
+(expandtypeattribute (proc_pressure_cpu_30_0) true)
+(expandtypeattribute (proc_pressure_io_30_0) true)
+(expandtypeattribute (proc_pressure_mem_30_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_30_0) true)
+(expandtypeattribute (proc_qtaguid_stat_30_0) true)
+(expandtypeattribute (proc_random_30_0) true)
+(expandtypeattribute (proc_sched_30_0) true)
+(expandtypeattribute (proc_security_30_0) true)
+(expandtypeattribute (proc_slabinfo_30_0) true)
+(expandtypeattribute (proc_stat_30_0) true)
+(expandtypeattribute (proc_swaps_30_0) true)
+(expandtypeattribute (proc_sysrq_30_0) true)
+(expandtypeattribute (proc_timer_30_0) true)
+(expandtypeattribute (proc_tty_drivers_30_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_30_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_30_0) true)
+(expandtypeattribute (proc_uid_cpupower_30_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_30_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_30_0) true)
+(expandtypeattribute (proc_uid_io_stats_30_0) true)
+(expandtypeattribute (proc_uid_procstat_set_30_0) true)
+(expandtypeattribute (proc_uid_time_in_state_30_0) true)
+(expandtypeattribute (proc_uptime_30_0) true)
+(expandtypeattribute (proc_version_30_0) true)
+(expandtypeattribute (proc_vmallocinfo_30_0) true)
+(expandtypeattribute (proc_vmstat_30_0) true)
+(expandtypeattribute (proc_zoneinfo_30_0) true)
+(expandtypeattribute (processinfo_service_30_0) true)
+(expandtypeattribute (procstats_service_30_0) true)
+(expandtypeattribute (profman_30_0) true)
+(expandtypeattribute (profman_dump_data_file_30_0) true)
+(expandtypeattribute (profman_exec_30_0) true)
+(expandtypeattribute (properties_device_30_0) true)
+(expandtypeattribute (properties_serial_30_0) true)
+(expandtypeattribute (property_contexts_file_30_0) true)
+(expandtypeattribute (property_data_file_30_0) true)
+(expandtypeattribute (property_info_30_0) true)
+(expandtypeattribute (property_socket_30_0) true)
+(expandtypeattribute (pstorefs_30_0) true)
+(expandtypeattribute (ptmx_device_30_0) true)
+(expandtypeattribute (qtaguid_device_30_0) true)
+(expandtypeattribute (racoon_30_0) true)
+(expandtypeattribute (racoon_exec_30_0) true)
+(expandtypeattribute (racoon_socket_30_0) true)
+(expandtypeattribute (radio_30_0) true)
+(expandtypeattribute (radio_data_file_30_0) true)
+(expandtypeattribute (radio_device_30_0) true)
+(expandtypeattribute (radio_prop_30_0) true)
+(expandtypeattribute (radio_service_30_0) true)
+(expandtypeattribute (ram_device_30_0) true)
+(expandtypeattribute (random_device_30_0) true)
+(expandtypeattribute (rebootescrow_hal_prop_30_0) true)
+(expandtypeattribute (recovery_30_0) true)
+(expandtypeattribute (recovery_block_device_30_0) true)
+(expandtypeattribute (recovery_data_file_30_0) true)
+(expandtypeattribute (recovery_persist_30_0) true)
+(expandtypeattribute (recovery_persist_exec_30_0) true)
+(expandtypeattribute (recovery_refresh_30_0) true)
+(expandtypeattribute (recovery_refresh_exec_30_0) true)
+(expandtypeattribute (recovery_service_30_0) true)
+(expandtypeattribute (recovery_socket_30_0) true)
+(expandtypeattribute (registry_service_30_0) true)
+(expandtypeattribute (resourcecache_data_file_30_0) true)
+(expandtypeattribute (restorecon_prop_30_0) true)
+(expandtypeattribute (restrictions_service_30_0) true)
+(expandtypeattribute (rild_debug_socket_30_0) true)
+(expandtypeattribute (rild_socket_30_0) true)
+(expandtypeattribute (ringtone_file_30_0) true)
+(expandtypeattribute (role_service_30_0) true)
+(expandtypeattribute (rollback_service_30_0) true)
+(expandtypeattribute (root_block_device_30_0) true)
+(expandtypeattribute (rootfs_30_0) true)
+(expandtypeattribute (rpmsg_device_30_0) true)
+(expandtypeattribute (rs_30_0) true)
+(expandtypeattribute (rs_exec_30_0) true)
+(expandtypeattribute (rss_hwm_reset_30_0) true)
+(expandtypeattribute (rtc_device_30_0) true)
+(expandtypeattribute (rttmanager_service_30_0) true)
+(expandtypeattribute (runas_30_0) true)
+(expandtypeattribute (runas_app_30_0) true)
+(expandtypeattribute (runas_exec_30_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_30_0) true)
+(expandtypeattribute (runtime_service_30_0) true)
+(expandtypeattribute (safemode_prop_30_0) true)
+(expandtypeattribute (same_process_hal_file_30_0) true)
+(expandtypeattribute (samplingprofiler_service_30_0) true)
+(expandtypeattribute (scheduling_policy_service_30_0) true)
+(expandtypeattribute (sdcard_block_device_30_0) true)
+(expandtypeattribute (sdcardd_30_0) true)
+(expandtypeattribute (sdcardd_exec_30_0) true)
+(expandtypeattribute (sdcardfs_30_0) true)
+(expandtypeattribute (seapp_contexts_file_30_0) true)
+(expandtypeattribute (search_service_30_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_30_0) true)
+(expandtypeattribute (secure_element_30_0) true)
+(expandtypeattribute (secure_element_device_30_0) true)
+(expandtypeattribute (secure_element_service_30_0) true)
+(expandtypeattribute (securityfs_30_0) true)
+(expandtypeattribute (selinuxfs_30_0) true)
+(expandtypeattribute (sensor_privacy_service_30_0) true)
+(expandtypeattribute (sensors_device_30_0) true)
+(expandtypeattribute (sensorservice_service_30_0) true)
+(expandtypeattribute (sepolicy_file_30_0) true)
+(expandtypeattribute (serial_device_30_0) true)
+(expandtypeattribute (serial_service_30_0) true)
+(expandtypeattribute (serialno_prop_30_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_30_0) true)
+(expandtypeattribute (service_contexts_file_30_0) true)
+(expandtypeattribute (service_manager_service_30_0) true)
+(expandtypeattribute (service_manager_vndservice_30_0) true)
+(expandtypeattribute (servicediscovery_service_30_0) true)
+(expandtypeattribute (servicemanager_30_0) true)
+(expandtypeattribute (servicemanager_exec_30_0) true)
+(expandtypeattribute (settings_service_30_0) true)
+(expandtypeattribute (sgdisk_30_0) true)
+(expandtypeattribute (sgdisk_exec_30_0) true)
+(expandtypeattribute (shared_relro_30_0) true)
+(expandtypeattribute (shared_relro_file_30_0) true)
+(expandtypeattribute (shell_30_0) true)
+(expandtypeattribute (shell_data_file_30_0) true)
+(expandtypeattribute (shell_exec_30_0) true)
+(expandtypeattribute (shell_prop_30_0) true)
+(expandtypeattribute (shm_30_0) true)
+(expandtypeattribute (shortcut_manager_icons_30_0) true)
+(expandtypeattribute (shortcut_service_30_0) true)
+(expandtypeattribute (simpleperf_30_0) true)
+(expandtypeattribute (simpleperf_app_runner_30_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_30_0) true)
+(expandtypeattribute (slice_service_30_0) true)
+(expandtypeattribute (slideshow_30_0) true)
+(expandtypeattribute (snapshotctl_log_data_file_30_0) true)
+(expandtypeattribute (socket_device_30_0) true)
+(expandtypeattribute (socket_hook_prop_30_0) true)
+(expandtypeattribute (sockfs_30_0) true)
+(expandtypeattribute (sota_prop_30_0) true)
+(expandtypeattribute (soundtrigger_middleware_service_30_0) true)
+(expandtypeattribute (staging_data_file_30_0) true)
+(expandtypeattribute (stats_data_file_30_0) true)
+(expandtypeattribute (statsd_30_0) true)
+(expandtypeattribute (statsd_exec_30_0) true)
+(expandtypeattribute (statsdw_socket_30_0) true)
+(expandtypeattribute (statusbar_service_30_0) true)
+(expandtypeattribute (storage_config_prop_30_0) true)
+(expandtypeattribute (storage_file_30_0) true)
+(expandtypeattribute (storage_stub_file_30_0) true)
+(expandtypeattribute (storaged_service_30_0) true)
+(expandtypeattribute (storagestats_service_30_0) true)
+(expandtypeattribute (su_30_0) true)
+(expandtypeattribute (su_exec_30_0) true)
+(expandtypeattribute (super_block_device_30_0) true)
+(expandtypeattribute (surfaceflinger_30_0) true)
+(expandtypeattribute (surfaceflinger_service_30_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_30_0) true)
+(expandtypeattribute (swap_block_device_30_0) true)
+(expandtypeattribute (sysfs_30_0) true)
+(expandtypeattribute (sysfs_android_usb_30_0) true)
+(expandtypeattribute (sysfs_batteryinfo_30_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_30_0) true)
+(expandtypeattribute (sysfs_devices_block_30_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_30_0) true)
+(expandtypeattribute (sysfs_dm_30_0) true)
+(expandtypeattribute (sysfs_dm_verity_30_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_30_0) true)
+(expandtypeattribute (sysfs_extcon_30_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_30_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_30_0) true)
+(expandtypeattribute (sysfs_hwrandom_30_0) true)
+(expandtypeattribute (sysfs_ion_30_0) true)
+(expandtypeattribute (sysfs_ipv4_30_0) true)
+(expandtypeattribute (sysfs_kernel_notes_30_0) true)
+(expandtypeattribute (sysfs_leds_30_0) true)
+(expandtypeattribute (sysfs_loop_30_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_30_0) true)
+(expandtypeattribute (sysfs_net_30_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_30_0) true)
+(expandtypeattribute (sysfs_power_30_0) true)
+(expandtypeattribute (sysfs_rtc_30_0) true)
+(expandtypeattribute (sysfs_suspend_stats_30_0) true)
+(expandtypeattribute (sysfs_switch_30_0) true)
+(expandtypeattribute (sysfs_thermal_30_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_30_0) true)
+(expandtypeattribute (sysfs_uio_30_0) true)
+(expandtypeattribute (sysfs_usb_30_0) true)
+(expandtypeattribute (sysfs_usermodehelper_30_0) true)
+(expandtypeattribute (sysfs_vibrator_30_0) true)
+(expandtypeattribute (sysfs_wake_lock_30_0) true)
+(expandtypeattribute (sysfs_wakeup_30_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_30_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_30_0) true)
+(expandtypeattribute (sysfs_zram_30_0) true)
+(expandtypeattribute (sysfs_zram_uevent_30_0) true)
+(expandtypeattribute (system_adbd_prop_30_0) true)
+(expandtypeattribute (system_app_30_0) true)
+(expandtypeattribute (system_app_data_file_30_0) true)
+(expandtypeattribute (system_app_service_30_0) true)
+(expandtypeattribute (system_asan_options_file_30_0) true)
+(expandtypeattribute (system_block_device_30_0) true)
+(expandtypeattribute (system_boot_reason_prop_30_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_30_0) true)
+(expandtypeattribute (system_config_service_30_0) true)
+(expandtypeattribute (system_data_file_30_0) true)
+(expandtypeattribute (system_data_root_file_30_0) true)
+(expandtypeattribute (system_event_log_tags_file_30_0) true)
+(expandtypeattribute (system_file_30_0) true)
+(expandtypeattribute (system_group_file_30_0) true)
+(expandtypeattribute (system_jvmti_agent_prop_30_0) true)
+(expandtypeattribute (system_lib_file_30_0) true)
+(expandtypeattribute (system_linker_config_file_30_0) true)
+(expandtypeattribute (system_linker_exec_30_0) true)
+(expandtypeattribute (system_lmk_prop_30_0) true)
+(expandtypeattribute (system_ndebug_socket_30_0) true)
+(expandtypeattribute (system_net_netd_hwservice_30_0) true)
+(expandtypeattribute (system_passwd_file_30_0) true)
+(expandtypeattribute (system_prop_30_0) true)
+(expandtypeattribute (system_radio_prop_30_0) true)
+(expandtypeattribute (system_seccomp_policy_file_30_0) true)
+(expandtypeattribute (system_security_cacerts_file_30_0) true)
+(expandtypeattribute (system_server_30_0) true)
+(expandtypeattribute (system_server_tmpfs_30_0) true)
+(expandtypeattribute (system_suspend_control_service_30_0) true)
+(expandtypeattribute (system_suspend_hwservice_30_0) true)
+(expandtypeattribute (system_trace_prop_30_0) true)
+(expandtypeattribute (system_unsolzygote_socket_30_0) true)
+(expandtypeattribute (system_update_service_30_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_30_0) true)
+(expandtypeattribute (system_wpa_socket_30_0) true)
+(expandtypeattribute (system_zoneinfo_file_30_0) true)
+(expandtypeattribute (systemkeys_data_file_30_0) true)
+(expandtypeattribute (task_profiles_file_30_0) true)
+(expandtypeattribute (task_service_30_0) true)
+(expandtypeattribute (tcpdump_exec_30_0) true)
+(expandtypeattribute (tee_30_0) true)
+(expandtypeattribute (tee_data_file_30_0) true)
+(expandtypeattribute (tee_device_30_0) true)
+(expandtypeattribute (telecom_service_30_0) true)
+(expandtypeattribute (test_boot_reason_prop_30_0) true)
+(expandtypeattribute (test_harness_prop_30_0) true)
+(expandtypeattribute (testharness_service_30_0) true)
+(expandtypeattribute (tethering_service_30_0) true)
+(expandtypeattribute (textclassification_service_30_0) true)
+(expandtypeattribute (textclassifier_data_file_30_0) true)
+(expandtypeattribute (textservices_service_30_0) true)
+(expandtypeattribute (theme_prop_30_0) true)
+(expandtypeattribute (thermal_service_30_0) true)
+(expandtypeattribute (thermalcallback_hwservice_30_0) true)
+(expandtypeattribute (time_prop_30_0) true)
+(expandtypeattribute (timedetector_service_30_0) true)
+(expandtypeattribute (timezone_service_30_0) true)
+(expandtypeattribute (timezonedetector_service_30_0) true)
+(expandtypeattribute (tmpfs_30_0) true)
+(expandtypeattribute (tombstone_data_file_30_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_30_0) true)
+(expandtypeattribute (tombstoned_30_0) true)
+(expandtypeattribute (tombstoned_crash_socket_30_0) true)
+(expandtypeattribute (tombstoned_exec_30_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_30_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_30_0) true)
+(expandtypeattribute (toolbox_30_0) true)
+(expandtypeattribute (toolbox_exec_30_0) true)
+(expandtypeattribute (trace_data_file_30_0) true)
+(expandtypeattribute (traced_30_0) true)
+(expandtypeattribute (traced_consumer_socket_30_0) true)
+(expandtypeattribute (traced_enabled_prop_30_0) true)
+(expandtypeattribute (traced_lazy_prop_30_0) true)
+(expandtypeattribute (traced_perf_30_0) true)
+(expandtypeattribute (traced_perf_enabled_prop_30_0) true)
+(expandtypeattribute (traced_perf_socket_30_0) true)
+(expandtypeattribute (traced_probes_30_0) true)
+(expandtypeattribute (traced_producer_socket_30_0) true)
+(expandtypeattribute (traceur_app_30_0) true)
+(expandtypeattribute (trust_service_30_0) true)
+(expandtypeattribute (tty_device_30_0) true)
+(expandtypeattribute (tun_device_30_0) true)
+(expandtypeattribute (tv_input_service_30_0) true)
+(expandtypeattribute (tv_tuner_resource_mgr_service_30_0) true)
+(expandtypeattribute (tzdatacheck_30_0) true)
+(expandtypeattribute (tzdatacheck_exec_30_0) true)
+(expandtypeattribute (ueventd_30_0) true)
+(expandtypeattribute (ueventd_tmpfs_30_0) true)
+(expandtypeattribute (uhid_device_30_0) true)
+(expandtypeattribute (uimode_service_30_0) true)
+(expandtypeattribute (uio_device_30_0) true)
+(expandtypeattribute (uncrypt_30_0) true)
+(expandtypeattribute (uncrypt_exec_30_0) true)
+(expandtypeattribute (uncrypt_socket_30_0) true)
+(expandtypeattribute (unencrypted_data_file_30_0) true)
+(expandtypeattribute (unlabeled_30_0) true)
+(expandtypeattribute (untrusted_app_25_30_0) true)
+(expandtypeattribute (untrusted_app_27_30_0) true)
+(expandtypeattribute (untrusted_app_29_30_0) true)
+(expandtypeattribute (untrusted_app_30_0) true)
+(expandtypeattribute (update_engine_30_0) true)
+(expandtypeattribute (update_engine_data_file_30_0) true)
+(expandtypeattribute (update_engine_exec_30_0) true)
+(expandtypeattribute (update_engine_log_data_file_30_0) true)
+(expandtypeattribute (update_engine_service_30_0) true)
+(expandtypeattribute (update_verifier_30_0) true)
+(expandtypeattribute (update_verifier_exec_30_0) true)
+(expandtypeattribute (updatelock_service_30_0) true)
+(expandtypeattribute (uri_grants_service_30_0) true)
+(expandtypeattribute (usagestats_service_30_0) true)
+(expandtypeattribute (usb_device_30_0) true)
+(expandtypeattribute (usb_serial_device_30_0) true)
+(expandtypeattribute (usb_service_30_0) true)
+(expandtypeattribute (usbaccessory_device_30_0) true)
+(expandtypeattribute (usbd_30_0) true)
+(expandtypeattribute (usbd_exec_30_0) true)
+(expandtypeattribute (usbfs_30_0) true)
+(expandtypeattribute (use_memfd_prop_30_0) true)
+(expandtypeattribute (user_profile_data_file_30_0) true)
+(expandtypeattribute (user_service_30_0) true)
+(expandtypeattribute (userdata_block_device_30_0) true)
+(expandtypeattribute (usermodehelper_30_0) true)
+(expandtypeattribute (userspace_reboot_config_prop_30_0) true)
+(expandtypeattribute (userspace_reboot_exported_prop_30_0) true)
+(expandtypeattribute (userspace_reboot_log_prop_30_0) true)
+(expandtypeattribute (userspace_reboot_test_prop_30_0) true)
+(expandtypeattribute (vdc_30_0) true)
+(expandtypeattribute (vdc_exec_30_0) true)
+(expandtypeattribute (vehicle_hal_prop_30_0) true)
+(expandtypeattribute (vendor_apex_file_30_0) true)
+(expandtypeattribute (vendor_app_file_30_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_30_0) true)
+(expandtypeattribute (vendor_configs_file_30_0) true)
+(expandtypeattribute (vendor_data_file_30_0) true)
+(expandtypeattribute (vendor_default_prop_30_0) true)
+(expandtypeattribute (vendor_file_30_0) true)
+(expandtypeattribute (vendor_framework_file_30_0) true)
+(expandtypeattribute (vendor_hal_file_30_0) true)
+(expandtypeattribute (vendor_idc_file_30_0) true)
+(expandtypeattribute (vendor_init_30_0) true)
+(expandtypeattribute (vendor_keychars_file_30_0) true)
+(expandtypeattribute (vendor_keylayout_file_30_0) true)
+(expandtypeattribute (vendor_misc_writer_30_0) true)
+(expandtypeattribute (vendor_misc_writer_exec_30_0) true)
+(expandtypeattribute (vendor_overlay_file_30_0) true)
+(expandtypeattribute (vendor_public_lib_file_30_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_30_0) true)
+(expandtypeattribute (vendor_shell_30_0) true)
+(expandtypeattribute (vendor_shell_exec_30_0) true)
+(expandtypeattribute (vendor_socket_hook_prop_30_0) true)
+(expandtypeattribute (vendor_task_profiles_file_30_0) true)
+(expandtypeattribute (vendor_toolbox_exec_30_0) true)
+(expandtypeattribute (vfat_30_0) true)
+(expandtypeattribute (vibrator_service_30_0) true)
+(expandtypeattribute (video_device_30_0) true)
+(expandtypeattribute (virtual_ab_prop_30_0) true)
+(expandtypeattribute (virtual_touchpad_30_0) true)
+(expandtypeattribute (virtual_touchpad_exec_30_0) true)
+(expandtypeattribute (virtual_touchpad_service_30_0) true)
+(expandtypeattribute (vndbinder_device_30_0) true)
+(expandtypeattribute (vndk_prop_30_0) true)
+(expandtypeattribute (vndk_sp_file_30_0) true)
+(expandtypeattribute (vndservice_contexts_file_30_0) true)
+(expandtypeattribute (vndservicemanager_30_0) true)
+(expandtypeattribute (voiceinteraction_service_30_0) true)
+(expandtypeattribute (vold_30_0) true)
+(expandtypeattribute (vold_data_file_30_0) true)
+(expandtypeattribute (vold_device_30_0) true)
+(expandtypeattribute (vold_exec_30_0) true)
+(expandtypeattribute (vold_metadata_file_30_0) true)
+(expandtypeattribute (vold_prepare_subdirs_30_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_30_0) true)
+(expandtypeattribute (vold_prop_30_0) true)
+(expandtypeattribute (vold_service_30_0) true)
+(expandtypeattribute (vpn_data_file_30_0) true)
+(expandtypeattribute (vr_hwc_30_0) true)
+(expandtypeattribute (vr_hwc_exec_30_0) true)
+(expandtypeattribute (vr_hwc_service_30_0) true)
+(expandtypeattribute (vr_manager_service_30_0) true)
+(expandtypeattribute (vrflinger_vsync_service_30_0) true)
+(expandtypeattribute (wallpaper_file_30_0) true)
+(expandtypeattribute (wallpaper_service_30_0) true)
+(expandtypeattribute (watchdog_device_30_0) true)
+(expandtypeattribute (watchdogd_30_0) true)
+(expandtypeattribute (watchdogd_exec_30_0) true)
+(expandtypeattribute (webview_zygote_30_0) true)
+(expandtypeattribute (webview_zygote_exec_30_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_30_0) true)
+(expandtypeattribute (webviewupdate_service_30_0) true)
+(expandtypeattribute (wifi_data_file_30_0) true)
+(expandtypeattribute (wifi_log_prop_30_0) true)
+(expandtypeattribute (wifi_prop_30_0) true)
+(expandtypeattribute (wifi_service_30_0) true)
+(expandtypeattribute (wifiaware_service_30_0) true)
+(expandtypeattribute (wificond_30_0) true)
+(expandtypeattribute (wificond_exec_30_0) true)
+(expandtypeattribute (wifinl80211_service_30_0) true)
+(expandtypeattribute (wifip2p_service_30_0) true)
+(expandtypeattribute (wifiscanner_service_30_0) true)
+(expandtypeattribute (window_service_30_0) true)
+(expandtypeattribute (wpa_socket_30_0) true)
+(expandtypeattribute (wpantund_30_0) true)
+(expandtypeattribute (wpantund_exec_30_0) true)
+(expandtypeattribute (wpantund_service_30_0) true)
+(expandtypeattribute (zero_device_30_0) true)
+(expandtypeattribute (zoneinfo_data_file_30_0) true)
+(expandtypeattribute (zygote_30_0) true)
+(expandtypeattribute (zygote_exec_30_0) true)
+(expandtypeattribute (zygote_socket_30_0) true)
+(expandtypeattribute (zygote_tmpfs_30_0) true)
+(typeattributeset DockObserver_service_30_0 (DockObserver_service))
+(typeattributeset IProxyService_service_30_0 (IProxyService_service))
+(typeattributeset accessibility_service_30_0 (accessibility_service))
+(typeattributeset account_service_30_0 (account_service))
+(typeattributeset activity_service_30_0 (activity_service))
+(typeattributeset activity_task_service_30_0 (activity_task_service))
+(typeattributeset adb_data_file_30_0 (adb_data_file))
+(typeattributeset adb_keys_file_30_0 (adb_keys_file))
+(typeattributeset adb_service_30_0 (adb_service))
+(typeattributeset adbd_30_0 (adbd))
+(typeattributeset adbd_exec_30_0 (adbd_exec))
+(typeattributeset adbd_prop_30_0 (adbd_prop))
+(typeattributeset adbd_socket_30_0 (adbd_socket))
+(typeattributeset aidl_lazy_test_server_30_0 (aidl_lazy_test_server))
+(typeattributeset aidl_lazy_test_server_exec_30_0 (aidl_lazy_test_server_exec))
+(typeattributeset aidl_lazy_test_service_30_0 (aidl_lazy_test_service))
+(typeattributeset alarm_service_30_0 (alarm_service))
+(typeattributeset anr_data_file_30_0 (anr_data_file))
+(typeattributeset apex_data_file_30_0 (apex_data_file))
+(typeattributeset apex_metadata_file_30_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_30_0 (apex_mnt_dir))
+(typeattributeset apex_module_data_file_30_0 (apex_module_data_file))
+(typeattributeset apex_permission_data_file_30_0 (apex_permission_data_file))
+(typeattributeset apex_rollback_data_file_30_0 (apex_rollback_data_file))
+(typeattributeset apex_service_30_0 (apex_service))
+(typeattributeset apex_wifi_data_file_30_0 (apex_wifi_data_file))
+(typeattributeset apexd_30_0 (apexd))
+(typeattributeset apexd_exec_30_0 (apexd_exec))
+(typeattributeset apexd_prop_30_0 (apexd_prop))
+(typeattributeset apk_data_file_30_0 (apk_data_file))
+(typeattributeset apk_private_data_file_30_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_30_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_30_0 (apk_tmp_file))
+(typeattributeset apk_verity_prop_30_0 (apk_verity_prop))
+(typeattributeset app_binding_service_30_0 (app_binding_service))
+(typeattributeset app_data_file_30_0 (app_data_file))
+(typeattributeset app_fuse_file_30_0 (app_fuse_file))
+(typeattributeset app_fusefs_30_0 (app_fusefs))
+(typeattributeset app_integrity_service_30_0 (app_integrity_service))
+(typeattributeset app_prediction_service_30_0 (app_prediction_service))
+(typeattributeset app_search_service_30_0 (app_search_service))
+(typeattributeset app_zygote_30_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_30_0 (app_zygote_tmpfs))
+(typeattributeset appdomain_tmpfs_30_0 (appdomain_tmpfs))
+(typeattributeset appops_service_30_0 (appops_service))
+(typeattributeset appwidget_service_30_0 (appwidget_service))
+(typeattributeset art_apex_dir_30_0 (art_apex_dir))
+(typeattributeset asec_apk_file_30_0 (asec_apk_file))
+(typeattributeset asec_image_file_30_0 (asec_image_file))
+(typeattributeset asec_public_file_30_0 (asec_public_file))
+(typeattributeset ashmem_device_30_0 (ashmem_device))
+(typeattributeset ashmem_libcutils_device_30_0 (ashmem_libcutils_device))
+(typeattributeset assetatlas_service_30_0 (assetatlas_service))
+(typeattributeset audio_data_file_30_0 (audio_data_file))
+(typeattributeset audio_device_30_0 (audio_device))
+(typeattributeset audio_prop_30_0 (audio_prop))
+(typeattributeset audio_service_30_0 (audio_service))
+(typeattributeset audiohal_data_file_30_0 (audiohal_data_file))
+(typeattributeset audioserver_30_0 (audioserver))
+(typeattributeset audioserver_data_file_30_0 (audioserver_data_file))
+(typeattributeset audioserver_service_30_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_30_0 (audioserver_tmpfs))
+(typeattributeset auth_service_30_0 (auth_service))
+(typeattributeset autofill_service_30_0 (autofill_service))
+(typeattributeset backup_data_file_30_0 (backup_data_file))
+(typeattributeset backup_service_30_0 (backup_service))
+(typeattributeset battery_service_30_0 (battery_service))
+(typeattributeset batteryproperties_service_30_0 (batteryproperties_service))
+(typeattributeset batterystats_service_30_0 (batterystats_service))
+(typeattributeset binder_cache_bluetooth_server_prop_30_0 (binder_cache_bluetooth_server_prop))
+(typeattributeset binder_cache_system_server_prop_30_0 (binder_cache_system_server_prop))
+(typeattributeset binder_cache_telephony_server_prop_30_0 (binder_cache_telephony_server_prop))
+(typeattributeset binder_calls_stats_service_30_0 (binder_calls_stats_service))
+(typeattributeset binder_device_30_0 (binder_device))
+(typeattributeset binderfs_30_0 (binderfs))
+(typeattributeset binderfs_logs_30_0 (binderfs_logs))
+(typeattributeset binderfs_logs_proc_30_0 (binderfs_logs_proc))
+(typeattributeset binfmt_miscfs_30_0 (binfmt_miscfs))
+(typeattributeset biometric_service_30_0 (biometric_service))
+(typeattributeset blkid_30_0 (blkid))
+(typeattributeset blkid_untrusted_30_0 (blkid_untrusted))
+(typeattributeset blob_store_service_30_0 (blob_store_service))
+(typeattributeset block_device_30_0 (block_device))
+(typeattributeset bluetooth_30_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_30_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_30_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_data_file_30_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_30_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_30_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_30_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_30_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_30_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_30_0 (bluetooth_socket))
+(typeattributeset boot_block_device_30_0 (boot_block_device))
+(typeattributeset bootanim_30_0 (bootanim))
+(typeattributeset bootanim_exec_30_0 (bootanim_exec))
+(typeattributeset bootchart_data_file_30_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_30_0 (bootloader_boot_reason_prop))
+(typeattributeset bootstat_30_0 (bootstat))
+(typeattributeset bootstat_data_file_30_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_30_0 (bootstat_exec))
+(typeattributeset boottime_prop_30_0 (boottime_prop))
+(typeattributeset boottime_public_prop_30_0 (boottime_public_prop))
+(typeattributeset boottrace_data_file_30_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_30_0 (bpf_progs_loaded_prop))
+(typeattributeset bq_config_prop_30_0 (bq_config_prop))
+(typeattributeset broadcastradio_service_30_0 (broadcastradio_service))
+(typeattributeset bufferhubd_30_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_30_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_30_0 (bugreport_service))
+(typeattributeset cache_backup_file_30_0 (cache_backup_file))
+(typeattributeset cache_block_device_30_0 (cache_block_device))
+(typeattributeset cache_file_30_0 (cache_file))
+(typeattributeset cache_private_backup_file_30_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_30_0 (cache_recovery_file))
+(typeattributeset camera_data_file_30_0 (camera_data_file))
+(typeattributeset camera_device_30_0 (camera_device))
+(typeattributeset cameraproxy_service_30_0 (cameraproxy_service))
+(typeattributeset cameraserver_30_0 (cameraserver))
+(typeattributeset cameraserver_exec_30_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_30_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_30_0 (cameraserver_tmpfs))
+(typeattributeset cgroup_30_0 (cgroup))
+(typeattributeset cgroup_bpf_30_0 (cgroup_bpf))
+(typeattributeset cgroup_desc_file_30_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_30_0 (cgroup_rc_file))
+(typeattributeset charger_30_0 (charger))
+(typeattributeset charger_exec_30_0 (charger_exec))
+(typeattributeset charger_prop_30_0 (charger_prop))
+(typeattributeset clipboard_service_30_0 (clipboard_service))
+(typeattributeset cold_boot_done_prop_30_0 (cold_boot_done_prop))
+(typeattributeset color_display_service_30_0 (color_display_service))
+(typeattributeset companion_device_service_30_0 (companion_device_service))
+(typeattributeset config_prop_30_0 (config_prop))
+(typeattributeset configfs_30_0 (configfs))
+(typeattributeset connectivity_service_30_0 (connectivity_service))
+(typeattributeset connmetrics_service_30_0 (connmetrics_service))
+(typeattributeset console_device_30_0 (console_device))
+(typeattributeset consumer_ir_service_30_0 (consumer_ir_service))
+(typeattributeset content_capture_service_30_0 (content_capture_service))
+(typeattributeset content_service_30_0 (content_service))
+(typeattributeset content_suggestions_service_30_0 (content_suggestions_service))
+(typeattributeset contexthub_service_30_0 (contexthub_service))
+(typeattributeset coredump_file_30_0 (coredump_file))
+(typeattributeset country_detector_service_30_0 (country_detector_service))
+(typeattributeset coverage_service_30_0 (coverage_service))
+(typeattributeset cppreopt_prop_30_0 (cppreopt_prop))
+(typeattributeset cpu_variant_prop_30_0 (cpu_variant_prop))
+(typeattributeset cpuinfo_service_30_0 (cpuinfo_service))
+(typeattributeset crash_dump_30_0 (crash_dump))
+(typeattributeset crash_dump_exec_30_0 (crash_dump_exec))
+(typeattributeset credstore_30_0 (credstore))
+(typeattributeset credstore_data_file_30_0 (credstore_data_file))
+(typeattributeset credstore_exec_30_0 (credstore_exec))
+(typeattributeset credstore_service_30_0 (credstore_service))
+(typeattributeset crossprofileapps_service_30_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_30_0 (ctl_adbd_prop))
+(typeattributeset ctl_apexd_prop_30_0 (ctl_apexd_prop))
+(typeattributeset ctl_bootanim_prop_30_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_30_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_30_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_30_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_30_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_30_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_30_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_30_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_30_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_30_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_30_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_30_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_30_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_30_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_30_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_30_0 (ctl_stop_prop))
+(typeattributeset dalvik_prop_30_0 (dalvik_prop))
+(typeattributeset dalvikcache_data_file_30_0 (dalvikcache_data_file))
+(typeattributeset dataloader_manager_service_30_0 (dataloader_manager_service))
+(typeattributeset dbinfo_service_30_0 (dbinfo_service))
+(typeattributeset debug_prop_30_0 (debug_prop))
+(typeattributeset debugfs_30_0 (debugfs))
+(typeattributeset debugfs_mmc_30_0 (debugfs_mmc))
+(typeattributeset debugfs_trace_marker_30_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_30_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug
+ debugfs_tracing_printk_formats))
+(typeattributeset debugfs_tracing_instances_30_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_wakeup_sources_30_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_30_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_30_0 (debuggerd_prop))
+(typeattributeset default_android_hwservice_30_0 (default_android_hwservice))
+(typeattributeset default_android_service_30_0 (default_android_service))
+(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
+(typeattributeset default_prop_30_0 (
+ default_prop
+ audio_config_prop
+ build_config_prop
+ suspend_prop
+ init_service_status_private_prop
+ setupwizard_prop
+ sqlite_log_prop
+ verity_status_prop
+ zygote_wrap_prop
+))
+(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant))
+(typeattributeset device_30_0 (device))
+(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_30_0 (device_config_boot_count_prop))
+(typeattributeset device_config_configuration_prop_30_0 (device_config_configuration_prop))
+(typeattributeset device_config_input_native_boot_prop_30_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_30_0 (device_config_media_native_prop))
+(typeattributeset device_config_netd_native_prop_30_0 (device_config_netd_native_prop))
+(typeattributeset device_config_reset_performed_prop_30_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_30_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_30_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_30_0 (device_config_service))
+(typeattributeset device_config_storage_native_boot_prop_30_0 (device_config_storage_native_boot_prop))
+(typeattributeset device_config_sys_traced_prop_30_0 (device_config_sys_traced_prop))
+(typeattributeset device_config_window_manager_native_boot_prop_30_0 (device_config_window_manager_native_boot_prop))
+(typeattributeset device_identifiers_service_30_0 (device_identifiers_service))
+(typeattributeset device_logging_prop_30_0 (device_logging_prop))
+(typeattributeset device_policy_service_30_0 (device_policy_service))
+(typeattributeset deviceidle_service_30_0 (deviceidle_service))
+(typeattributeset devicestoragemonitor_service_30_0 (devicestoragemonitor_service))
+(typeattributeset devpts_30_0 (devpts))
+(typeattributeset dhcp_30_0 (dhcp))
+(typeattributeset dhcp_data_file_30_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_30_0 (dhcp_exec))
+(typeattributeset dhcp_prop_30_0 (dhcp_prop))
+(typeattributeset diskstats_service_30_0 (diskstats_service))
+(typeattributeset display_service_30_0 (display_service))
+(typeattributeset dm_device_30_0 (dm_device))
+(typeattributeset dnsmasq_30_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_30_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_30_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_30_0 (dnsresolver_service))
+(typeattributeset dreams_service_30_0 (dreams_service))
+(typeattributeset drm_data_file_30_0 (drm_data_file))
+(typeattributeset drmserver_30_0 (drmserver))
+(typeattributeset drmserver_exec_30_0 (drmserver_exec))
+(typeattributeset drmserver_service_30_0 (drmserver_service))
+(typeattributeset drmserver_socket_30_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_30_0 (dropbox_data_file))
+(typeattributeset dropbox_service_30_0 (dropbox_service))
+(typeattributeset dumpstate_30_0 (dumpstate))
+(typeattributeset dumpstate_exec_30_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_30_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_30_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_30_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_30_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_30_0 (dynamic_system_prop))
+(typeattributeset e2fs_30_0 (e2fs))
+(typeattributeset e2fs_exec_30_0 (e2fs_exec))
+(typeattributeset efs_file_30_0 (efs_file))
+(typeattributeset emergency_affordance_service_30_0 (emergency_affordance_service))
+(typeattributeset ephemeral_app_30_0 (ephemeral_app))
+(typeattributeset ethernet_service_30_0 (ethernet_service))
+(typeattributeset exfat_30_0 (exfat))
+(typeattributeset exported2_config_prop_30_0 (exported2_config_prop systemsound_config_prop))
+(typeattributeset exported2_default_prop_30_0
+ ( exported2_default_prop
+ aac_drc_prop
+ bootloader_prop
+ build_prop
+ hal_instrumentation_prop
+ init_service_status_prop
+ libc_debug_prop
+ property_service_version_prop))
+(typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop))
+(typeattributeset exported2_system_prop_30_0
+ ( exported2_system_prop
+ dalvik_runtime_prop
+ surfaceflinger_color_prop
+ zram_control_prop))
+(typeattributeset exported2_vold_prop_30_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
+(typeattributeset exported3_default_prop_30_0
+ ( exported3_default_prop
+ camera_calibration_prop
+ camera_config_prop
+ charger_config_prop
+ drm_service_config_prop
+ hdmi_config_prop
+ keyguard_config_prop
+ lmkd_config_prop
+ media_config_prop
+ mediadrm_config_prop
+ oem_unlock_prop
+ packagemanager_config_prop
+ recovery_config_prop
+ sendbug_config_prop
+ storagemanager_config_prop
+ telephony_config_prop
+ tombstone_config_prop
+ vts_status_prop
+ wifi_config_prop
+ zram_config_prop))
+(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop radio_control_prop))
+(typeattributeset exported3_system_prop_30_0
+ ( exported3_system_prop
+ boot_status_prop
+ provisioned_prop
+ retaildemo_prop))
+(typeattributeset exported_audio_prop_30_0 (exported_audio_prop audio_config_prop))
+(typeattributeset exported_bluetooth_prop_30_0 (exported_bluetooth_prop))
+(typeattributeset exported_camera_prop_30_0 (exported_camera_prop))
+(typeattributeset exported_config_prop_30_0 (exported_config_prop))
+(typeattributeset exported_dalvik_prop_30_0 (exported_dalvik_prop dalvik_config_prop))
+(typeattributeset exported_default_prop_30_0
+ ( exported_default_prop
+ aaudio_config_prop
+ build_bootimage_prop
+ build_odm_prop
+ build_vendor_prop
+ surfaceflinger_prop
+ vts_config_prop))
+(typeattributeset exported_dumpstate_prop_30_0 (exported_dumpstate_prop))
+(typeattributeset exported_ffs_prop_30_0
+ ( exported_ffs_prop
+ ffs_config_prop
+ ffs_control_prop))
+(typeattributeset exported_fingerprint_prop_30_0 (exported_fingerprint_prop fingerprint_prop))
+(typeattributeset exported_overlay_prop_30_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_30_0 (exported_pm_prop))
+(typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop))
+(typeattributeset exported_secure_prop_30_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop))
+(typeattributeset exported_system_prop_30_0 (exported_system_prop bootanim_system_prop))
+
+(typeattributeset exported_system_radio_prop_30_0
+ ( exported_system_radio_prop
+ usb_config_prop
+ usb_control_prop))
+(typeattributeset exported_vold_prop_30_0 (exported_vold_prop vold_status_prop))
+(typeattributeset exported_wifi_prop_30_0 (exported_wifi_prop wifi_hal_prop))
+(typeattributeset external_vibrator_service_30_0 (external_vibrator_service))
+(typeattributeset face_service_30_0 (face_service))
+(typeattributeset face_vendor_data_file_30_0 (face_vendor_data_file))
+(typeattributeset fastbootd_30_0 (fastbootd))
+(typeattributeset ffs_prop_30_0 (ffs_prop))
+(typeattributeset file_contexts_file_30_0 (file_contexts_file))
+(typeattributeset file_integrity_service_30_0 (file_integrity_service))
+(typeattributeset fingerprint_service_30_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_30_0 (fingerprint_vendor_data_file))
+(typeattributeset fingerprintd_30_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_30_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_30_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_30_0 (fingerprintd_service))
+(typeattributeset firstboot_prop_30_0 (firstboot_prop))
+(typeattributeset flags_health_check_30_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_30_0 (flags_health_check_exec))
+(typeattributeset font_service_30_0 (font_service))
+(typeattributeset frp_block_device_30_0 (frp_block_device))
+(typeattributeset fs_bpf_30_0 (fs_bpf))
+(typeattributeset fsck_30_0 (fsck))
+(typeattributeset fsck_exec_30_0 (fsck_exec))
+(typeattributeset fsck_untrusted_30_0 (fsck_untrusted))
+(typeattributeset fscklogs_30_0 (fscklogs))
+(typeattributeset functionfs_30_0 (functionfs))
+(typeattributeset fuse_30_0 (fuse))
+(typeattributeset fuse_device_30_0 (fuse_device))
+(typeattributeset fwk_automotive_display_hwservice_30_0 (fwk_automotive_display_hwservice))
+(typeattributeset fwk_bufferhub_hwservice_30_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_30_0 (fwk_camera_hwservice))
+(typeattributeset fwk_display_hwservice_30_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_30_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_30_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_stats_hwservice_30_0 (fwk_stats_hwservice))
+(typeattributeset fwmarkd_socket_30_0 (fwmarkd_socket))
+(typeattributeset gatekeeper_data_file_30_0 (gatekeeper_data_file))
+(typeattributeset gatekeeper_service_30_0 (gatekeeper_service))
+(typeattributeset gatekeeperd_30_0 (gatekeeperd))
+(typeattributeset gatekeeperd_exec_30_0 (gatekeeperd_exec))
+(typeattributeset gfxinfo_service_30_0 (gfxinfo_service))
+(typeattributeset gmscore_app_30_0 (gmscore_app))
+(typeattributeset gps_control_30_0 (gps_control))
+(typeattributeset gpu_device_30_0 (gpu_device))
+(typeattributeset gpu_service_30_0 (gpu_service))
+(typeattributeset gpuservice_30_0 (gpuservice))
+(typeattributeset graphics_device_30_0 (graphics_device))
+(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_30_0 (gsi_data_file))
+(typeattributeset gsi_metadata_file_30_0
+ ( gsi_metadata_file
+ gsi_public_metadata_file))
+(typeattributeset gsid_prop_30_0 (gsid_prop))
+(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
+(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
+(typeattributeset hal_audiocontrol_hwservice_30_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_authsecret_hwservice_30_0 (hal_authsecret_hwservice))
+(typeattributeset hal_bluetooth_hwservice_30_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_30_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_30_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_30_0 (hal_camera_hwservice))
+(typeattributeset hal_can_bus_hwservice_30_0 (hal_can_bus_hwservice))
+(typeattributeset hal_can_controller_hwservice_30_0 (hal_can_controller_hwservice))
+(typeattributeset hal_cas_hwservice_30_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_30_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_30_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_30_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_30_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_30_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_hwservice_30_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_evs_hwservice_30_0 (hal_evs_hwservice))
+(typeattributeset hal_face_hwservice_30_0 (hal_face_hwservice))
+(typeattributeset hal_fingerprint_hwservice_30_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_30_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_30_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_30_0 (hal_gnss_hwservice))
+(typeattributeset hal_graphics_allocator_hwservice_30_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_30_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_30_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_mapper_hwservice_30_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_30_0 (hal_health_hwservice))
+(typeattributeset hal_health_storage_hwservice_30_0 (hal_health_storage_hwservice))
+(typeattributeset hal_identity_service_30_0 (hal_identity_service))
+(typeattributeset hal_input_classifier_hwservice_30_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_ir_hwservice_30_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_30_0 (hal_keymaster_hwservice))
+(typeattributeset hal_light_hwservice_30_0 (hal_light_hwservice))
+(typeattributeset hal_light_service_30_0 (hal_light_service))
+(typeattributeset hal_lowpan_hwservice_30_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_30_0 (hal_memtrack_hwservice))
+(typeattributeset hal_neuralnetworks_hwservice_30_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_nfc_hwservice_30_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_30_0 (hal_oemlock_hwservice))
+(typeattributeset hal_omx_hwservice_30_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_30_0 (hal_power_hwservice))
+(typeattributeset hal_power_service_30_0 (hal_power_service))
+(typeattributeset hal_power_stats_hwservice_30_0 (hal_power_stats_hwservice))
+(typeattributeset hal_rebootescrow_service_30_0 (hal_rebootescrow_service))
+(typeattributeset hal_renderscript_hwservice_30_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_30_0 (hal_secure_element_hwservice))
+(typeattributeset hal_sensors_hwservice_30_0 (hal_sensors_hwservice))
+(typeattributeset hal_telephony_hwservice_30_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_30_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_30_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_30_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_30_0 (hal_tv_input_hwservice))
+(typeattributeset hal_tv_tuner_hwservice_30_0 (hal_tv_tuner_hwservice))
+(typeattributeset hal_usb_gadget_hwservice_30_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_30_0 (hal_usb_hwservice))
+(typeattributeset hal_vehicle_hwservice_30_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vibrator_hwservice_30_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vibrator_service_30_0 (hal_vibrator_service))
+(typeattributeset hal_vr_hwservice_30_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_30_0 (hal_weaver_hwservice))
+(typeattributeset hal_wifi_hostapd_hwservice_30_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hwservice_30_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_30_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_30_0 (hardware_properties_service))
+(typeattributeset hardware_service_30_0 (hardware_service))
+(typeattributeset hci_attach_dev_30_0 (hci_attach_dev))
+(typeattributeset hdmi_control_service_30_0 (hdmi_control_service))
+(typeattributeset healthd_30_0 (healthd))
+(typeattributeset healthd_exec_30_0 (healthd_exec))
+(typeattributeset heapdump_data_file_30_0 (heapdump_data_file))
+(typeattributeset heapprofd_30_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_30_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_30_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_30_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_30_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_30_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_30_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_30_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_30_0 (hidl_token_hwservice))
+(typeattributeset hw_random_device_30_0 (hw_random_device))
+(typeattributeset hwbinder_device_30_0 (hwbinder_device))
+(typeattributeset hwservice_contexts_file_30_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_30_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_30_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_30_0 (hwservicemanager_prop))
+(typeattributeset icon_file_30_0 (icon_file))
+(typeattributeset idmap_30_0 (idmap))
+(typeattributeset idmap_exec_30_0 (idmap_exec))
+(typeattributeset idmap_service_30_0 (idmap_service))
+(typeattributeset iio_device_30_0 (iio_device))
+(typeattributeset imms_service_30_0 (imms_service))
+(typeattributeset incident_30_0 (incident))
+(typeattributeset incident_data_file_30_0 (incident_data_file))
+(typeattributeset incident_helper_30_0 (incident_helper))
+(typeattributeset incident_service_30_0 (incident_service))
+(typeattributeset incidentd_30_0 (incidentd))
+(typeattributeset incremental_control_file_30_0 (incremental_control_file))
+(typeattributeset incremental_prop_30_0 (incremental_prop))
+(typeattributeset incremental_service_30_0 (incremental_service))
+(typeattributeset init_30_0 (init))
+(typeattributeset init_exec_30_0 (init_exec))
+(typeattributeset init_perf_lsm_hooks_prop_30_0 (init_perf_lsm_hooks_prop))
+(typeattributeset init_svc_debug_prop_30_0 (init_svc_debug_prop))
+(typeattributeset init_tmpfs_30_0 (init_tmpfs))
+(typeattributeset inotify_30_0 (inotify))
+(typeattributeset input_device_30_0 (input_device))
+(typeattributeset input_method_service_30_0 (input_method_service))
+(typeattributeset input_service_30_0 (input_service))
+(typeattributeset inputflinger_30_0 (inputflinger))
+(typeattributeset inputflinger_exec_30_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_30_0 (inputflinger_service))
+(typeattributeset install_data_file_30_0 (install_data_file))
+(typeattributeset installd_30_0 (installd))
+(typeattributeset installd_exec_30_0 (installd_exec))
+(typeattributeset installd_service_30_0 (installd_service))
+(typeattributeset ion_device_30_0 (ion_device))
+(typeattributeset iorap_inode2filename_30_0 (iorap_inode2filename))
+(typeattributeset iorap_inode2filename_exec_30_0 (iorap_inode2filename_exec))
+(typeattributeset iorap_inode2filename_tmpfs_30_0 (iorap_inode2filename_tmpfs))
+(typeattributeset iorap_prefetcherd_30_0 (iorap_prefetcherd))
+(typeattributeset iorap_prefetcherd_exec_30_0 (iorap_prefetcherd_exec))
+(typeattributeset iorap_prefetcherd_tmpfs_30_0 (iorap_prefetcherd_tmpfs))
+(typeattributeset iorapd_30_0 (iorapd))
+(typeattributeset iorapd_data_file_30_0 (iorapd_data_file))
+(typeattributeset iorapd_exec_30_0 (iorapd_exec))
+(typeattributeset iorapd_service_30_0 (iorapd_service))
+(typeattributeset iorapd_tmpfs_30_0 (iorapd_tmpfs))
+(typeattributeset ipsec_service_30_0 (ipsec_service))
+(typeattributeset iris_service_30_0 (iris_service))
+(typeattributeset iris_vendor_data_file_30_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_30_0 (isolated_app))
+(typeattributeset jobscheduler_service_30_0 (jobscheduler_service))
+(typeattributeset kernel_30_0 (kernel))
+(typeattributeset keychain_data_file_30_0 (keychain_data_file))
+(typeattributeset keychord_device_30_0 (keychord_device))
+(typeattributeset keystore_30_0 (keystore))
+(typeattributeset keystore_data_file_30_0 (keystore_data_file))
+(typeattributeset keystore_exec_30_0 (keystore_exec))
+(typeattributeset keystore_service_30_0 (keystore_service))
+(typeattributeset kmsg_debug_device_30_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_30_0 (kmsg_device))
+(typeattributeset labeledfs_30_0 (labeledfs))
+(typeattributeset last_boot_reason_prop_30_0 (last_boot_reason_prop))
+(typeattributeset launcherapps_service_30_0 (launcherapps_service))
+(typeattributeset light_service_30_0 (light_service))
+(typeattributeset linkerconfig_file_30_0 (linkerconfig_file))
+(typeattributeset llkd_30_0 (llkd))
+(typeattributeset llkd_exec_30_0 (llkd_exec))
+(typeattributeset llkd_prop_30_0 (llkd_prop))
+(typeattributeset lmkd_30_0 (lmkd))
+(typeattributeset lmkd_exec_30_0 (lmkd_exec))
+(typeattributeset lmkd_prop_30_0 (lmkd_prop))
+(typeattributeset lmkd_socket_30_0 (lmkd_socket))
+(typeattributeset location_service_30_0 (location_service))
+(typeattributeset lock_settings_service_30_0 (lock_settings_service))
+(typeattributeset log_prop_30_0 (log_prop))
+(typeattributeset log_tag_prop_30_0 (log_tag_prop))
+(typeattributeset logcat_exec_30_0 (logcat_exec))
+(typeattributeset logd_30_0 (logd))
+(typeattributeset logd_exec_30_0 (logd_exec))
+(typeattributeset logd_prop_30_0 (logd_prop))
+(typeattributeset logd_socket_30_0 (logd_socket))
+(typeattributeset logdr_socket_30_0 (logdr_socket))
+(typeattributeset logdw_socket_30_0 (logdw_socket))
+(typeattributeset logpersist_30_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_30_0 (logpersistd_logging_prop))
+(typeattributeset loop_control_device_30_0 (loop_control_device))
+(typeattributeset loop_device_30_0 (loop_device))
+(typeattributeset looper_stats_service_30_0 (looper_stats_service))
+(typeattributeset lowpan_device_30_0 (lowpan_device))
+(typeattributeset lowpan_prop_30_0 (lowpan_prop))
+(typeattributeset lowpan_service_30_0 (lowpan_service))
+(typeattributeset lpdump_service_30_0 (lpdump_service))
+(typeattributeset lpdumpd_prop_30_0 (lpdumpd_prop))
+(typeattributeset mac_perms_file_30_0 (mac_perms_file))
+(typeattributeset mdns_socket_30_0 (mdns_socket))
+(typeattributeset mdnsd_30_0 (mdnsd))
+(typeattributeset mdnsd_socket_30_0 (mdnsd_socket))
+(typeattributeset media_data_file_30_0 (media_data_file))
+(typeattributeset media_projection_service_30_0 (media_projection_service))
+(typeattributeset media_router_service_30_0 (media_router_service))
+(typeattributeset media_rw_data_file_30_0 (media_rw_data_file))
+(typeattributeset media_session_service_30_0 (media_session_service))
+(typeattributeset media_variant_prop_30_0 (media_variant_prop))
+(typeattributeset mediadrmserver_30_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_30_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_30_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_30_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_30_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_30_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_30_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_30_0 (mediametrics))
+(typeattributeset mediametrics_exec_30_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_30_0 (mediametrics_service))
+(typeattributeset mediaprovider_30_0 (mediaprovider))
+(typeattributeset mediaserver_30_0 (mediaserver))
+(typeattributeset mediaserver_exec_30_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_30_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_30_0 (mediaserver_tmpfs))
+(typeattributeset mediaswcodec_30_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_30_0 (mediaswcodec_exec))
+(typeattributeset mediatranscoding_30_0 (mediatranscoding))
+(typeattributeset mediatranscoding_exec_30_0 (mediatranscoding_exec))
+(typeattributeset mediatranscoding_service_30_0 (mediatranscoding_service))
+(typeattributeset meminfo_service_30_0 (meminfo_service))
+(typeattributeset metadata_block_device_30_0 (metadata_block_device))
+(typeattributeset metadata_bootstat_file_30_0 (metadata_bootstat_file))
+(typeattributeset metadata_file_30_0 (metadata_file))
+(typeattributeset method_trace_data_file_30_0 (method_trace_data_file))
+(typeattributeset midi_service_30_0 (midi_service))
+(typeattributeset mirror_data_file_30_0 (mirror_data_file))
+(typeattributeset misc_block_device_30_0 (misc_block_device))
+(typeattributeset misc_logd_file_30_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_30_0 (misc_user_data_file))
+(typeattributeset mmc_prop_30_0 (mmc_prop))
+(typeattributeset mnt_expand_file_30_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_30_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_30_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_pass_through_file_30_0 (mnt_pass_through_file))
+(typeattributeset mnt_product_file_30_0 (mnt_product_file))
+(typeattributeset mnt_sdcard_file_30_0 (mnt_sdcard_file))
+(typeattributeset mnt_user_file_30_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_30_0 (mnt_vendor_file))
+(typeattributeset mock_ota_prop_30_0 (mock_ota_prop))
+(typeattributeset modprobe_30_0 (modprobe))
+(typeattributeset module_sdkextensions_prop_30_0 (module_sdkextensions_prop))
+(typeattributeset mount_service_30_0 (mount_service))
+(typeattributeset mqueue_30_0 (mqueue))
+(typeattributeset mtp_30_0 (mtp))
+(typeattributeset mtp_device_30_0 (mtp_device))
+(typeattributeset mtp_exec_30_0 (mtp_exec))
+(typeattributeset mtpd_socket_30_0 (mtpd_socket))
+(typeattributeset nativetest_data_file_30_0 (nativetest_data_file))
+(typeattributeset net_data_file_30_0 (net_data_file))
+(typeattributeset net_dns_prop_30_0 (net_dns_prop))
+(typeattributeset net_radio_prop_30_0 (net_radio_prop))
+(typeattributeset netd_30_0 (netd))
+(typeattributeset netd_exec_30_0 (netd_exec))
+(typeattributeset netd_listener_service_30_0 (netd_listener_service))
+(typeattributeset netd_service_30_0 (netd_service))
+(typeattributeset netd_stable_secret_prop_30_0 (netd_stable_secret_prop))
+(typeattributeset netif_30_0 (netif))
+(typeattributeset netpolicy_service_30_0 (netpolicy_service))
+(typeattributeset netstats_service_30_0 (netstats_service))
+(typeattributeset netutils_wrapper_30_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_30_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_30_0 (network_management_service))
+(typeattributeset network_score_service_30_0 (network_score_service))
+(typeattributeset network_stack_30_0 (network_stack))
+(typeattributeset network_stack_service_30_0 (network_stack_service))
+(typeattributeset network_time_update_service_30_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_30_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_30_0 (network_watchlist_service))
+(typeattributeset nfc_30_0 (nfc))
+(typeattributeset nfc_data_file_30_0 (nfc_data_file))
+(typeattributeset nfc_device_30_0 (nfc_device))
+(typeattributeset nfc_prop_30_0 (nfc_prop))
+(typeattributeset nfc_service_30_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_30_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_30_0 (node))
+(typeattributeset nonplat_service_contexts_file_30_0 (nonplat_service_contexts_file))
+(typeattributeset notification_service_30_0 (notification_service))
+(typeattributeset null_device_30_0 (null_device))
+(typeattributeset oem_lock_service_30_0 (oem_lock_service))
+(typeattributeset oemfs_30_0 (oemfs))
+(typeattributeset ota_data_file_30_0 (ota_data_file))
+(typeattributeset ota_metadata_file_30_0 (ota_metadata_file))
+(typeattributeset ota_package_file_30_0 (ota_package_file))
+(typeattributeset ota_prop_30_0 (ota_prop))
+(typeattributeset otadexopt_service_30_0 (otadexopt_service))
+(typeattributeset overlay_prop_30_0 (overlay_prop))
+(typeattributeset overlay_service_30_0 (overlay_service))
+(typeattributeset overlayfs_file_30_0 (overlayfs_file))
+(typeattributeset owntty_device_30_0 (owntty_device))
+(typeattributeset package_native_service_30_0 (package_native_service))
+(typeattributeset package_service_30_0 (package_service))
+(typeattributeset packages_list_file_30_0 (packages_list_file))
+(typeattributeset pan_result_prop_30_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_30_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_30_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_30_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_30_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_30_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_30_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_30_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_30_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_30_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_30_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_30_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_30_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_30_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_30_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_30_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_30_0 (pdx_performance_dir))
+(typeattributeset perfetto_30_0 (perfetto))
+(typeattributeset performanced_30_0 (performanced))
+(typeattributeset performanced_exec_30_0 (performanced_exec))
+(typeattributeset permission_service_30_0 (permission_service))
+(typeattributeset permissionmgr_service_30_0 (permissionmgr_service))
+(typeattributeset persist_debug_prop_30_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_30_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_30_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_30_0 (pinner_service))
+(typeattributeset pipefs_30_0 (pipefs))
+(typeattributeset platform_app_30_0 (platform_app))
+(typeattributeset platform_compat_service_30_0 (platform_compat_service))
+(typeattributeset pm_prop_30_0 (pm_prop))
+(typeattributeset pmsg_device_30_0 (pmsg_device))
+(typeattributeset port_30_0 (port))
+(typeattributeset port_device_30_0 (port_device))
+(typeattributeset postinstall_30_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_30_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_30_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_30_0 (postinstall_mnt_dir))
+(typeattributeset power_service_30_0 (power_service))
+(typeattributeset powerctl_prop_30_0 (powerctl_prop))
+(typeattributeset ppp_30_0 (ppp))
+(typeattributeset ppp_device_30_0 (ppp_device))
+(typeattributeset ppp_exec_30_0 (ppp_exec))
+(typeattributeset preloads_data_file_30_0 (preloads_data_file))
+(typeattributeset preloads_media_file_30_0 (preloads_media_file))
+(typeattributeset prereboot_data_file_30_0 (prereboot_data_file))
+(typeattributeset print_service_30_0 (print_service))
+(typeattributeset priv_app_30_0 (priv_app))
+(typeattributeset privapp_data_file_30_0 (privapp_data_file))
+(typeattributeset proc_30_0
+ ( proc
+ proc_bootconfig))
+(typeattributeset proc_abi_30_0 (proc_abi))
+(typeattributeset proc_asound_30_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
+(typeattributeset proc_buddyinfo_30_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_30_0 (proc_cmdline))
+(typeattributeset proc_cpuinfo_30_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_30_0 (proc_dirty))
+(typeattributeset proc_diskstats_30_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_30_0 (proc_drop_caches))
+(typeattributeset proc_extra_free_kbytes_30_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_30_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_30_0 (proc_fs_verity))
+(typeattributeset proc_hostname_30_0 (proc_hostname))
+(typeattributeset proc_hung_task_30_0 (proc_hung_task))
+(typeattributeset proc_interrupts_30_0 (proc_interrupts))
+(typeattributeset proc_iomem_30_0 (proc_iomem))
+(typeattributeset proc_keys_30_0 (proc_keys))
+(typeattributeset proc_kmsg_30_0 (proc_kmsg))
+(typeattributeset proc_kpageflags_30_0 (proc_kpageflags))
+(typeattributeset proc_loadavg_30_0 (proc_loadavg))
+(typeattributeset proc_lowmemorykiller_30_0 (proc_lowmemorykiller))
+(typeattributeset proc_max_map_count_30_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_30_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_30_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_30_0 (proc_misc))
+(typeattributeset proc_modules_30_0 (proc_modules))
+(typeattributeset proc_mounts_30_0 (proc_mounts))
+(typeattributeset proc_net_30_0 (proc_net))
+(typeattributeset proc_net_tcp_udp_30_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_30_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_30_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_30_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_30_0 (proc_panic))
+(typeattributeset proc_perf_30_0 (proc_perf))
+(typeattributeset proc_pid_max_30_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_30_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_30_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_30_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_30_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_30_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_30_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_30_0 (proc_random))
+(typeattributeset proc_sched_30_0 (proc_sched))
+(typeattributeset proc_security_30_0 (proc_security))
+(typeattributeset proc_slabinfo_30_0 (proc_slabinfo))
+(typeattributeset proc_stat_30_0 (proc_stat))
+(typeattributeset proc_swaps_30_0 (proc_swaps))
+(typeattributeset proc_sysrq_30_0 (proc_sysrq))
+(typeattributeset proc_timer_30_0 (proc_timer))
+(typeattributeset proc_tty_drivers_30_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_30_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_30_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_30_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_30_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_30_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_30_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_30_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_30_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_30_0 (proc_uptime))
+(typeattributeset proc_version_30_0 (proc_version))
+(typeattributeset proc_vmallocinfo_30_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_30_0 (proc_vmstat))
+(typeattributeset proc_zoneinfo_30_0 (proc_zoneinfo))
+(typeattributeset processinfo_service_30_0 (processinfo_service))
+(typeattributeset procstats_service_30_0 (procstats_service))
+(typeattributeset profman_30_0 (profman))
+(typeattributeset profman_dump_data_file_30_0 (profman_dump_data_file))
+(typeattributeset profman_exec_30_0 (profman_exec))
+(typeattributeset properties_device_30_0 (properties_device))
+(typeattributeset properties_serial_30_0 (properties_serial))
+(typeattributeset property_contexts_file_30_0 (property_contexts_file))
+(typeattributeset property_data_file_30_0 (property_data_file))
+(typeattributeset property_info_30_0 (property_info))
+(typeattributeset property_socket_30_0 (property_socket))
+(typeattributeset pstorefs_30_0 (pstorefs))
+(typeattributeset ptmx_device_30_0 (ptmx_device))
+(typeattributeset qtaguid_device_30_0 (qtaguid_device))
+(typeattributeset racoon_30_0 (racoon))
+(typeattributeset racoon_exec_30_0 (racoon_exec))
+(typeattributeset racoon_socket_30_0 (racoon_socket))
+(typeattributeset radio_30_0 (radio))
+(typeattributeset radio_data_file_30_0 (radio_data_file))
+(typeattributeset radio_device_30_0 (radio_device))
+(typeattributeset radio_prop_30_0 (radio_prop))
+(typeattributeset radio_service_30_0 (radio_service))
+(typeattributeset ram_device_30_0 (ram_device))
+(typeattributeset random_device_30_0 (random_device))
+(typeattributeset rebootescrow_hal_prop_30_0 (rebootescrow_hal_prop))
+(typeattributeset recovery_30_0 (recovery))
+(typeattributeset recovery_block_device_30_0 (recovery_block_device))
+(typeattributeset recovery_data_file_30_0 (recovery_data_file))
+(typeattributeset recovery_persist_30_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_30_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_30_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_30_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_30_0 (recovery_service))
+(typeattributeset recovery_socket_30_0 (recovery_socket))
+(typeattributeset registry_service_30_0 (registry_service))
+(typeattributeset resourcecache_data_file_30_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_30_0 (restorecon_prop))
+(typeattributeset restrictions_service_30_0 (restrictions_service))
+(typeattributeset rild_debug_socket_30_0 (rild_debug_socket))
+(typeattributeset rild_socket_30_0 (rild_socket))
+(typeattributeset ringtone_file_30_0 (ringtone_file))
+(typeattributeset role_service_30_0 (role_service))
+(typeattributeset rollback_service_30_0 (rollback_service))
+(typeattributeset root_block_device_30_0 (root_block_device))
+(typeattributeset rootfs_30_0 (rootfs))
+(typeattributeset rpmsg_device_30_0 (rpmsg_device))
+(typeattributeset rs_30_0 (rs))
+(typeattributeset rs_exec_30_0 (rs_exec))
+(typeattributeset rss_hwm_reset_30_0 (rss_hwm_reset))
+(typeattributeset rtc_device_30_0 (rtc_device))
+(typeattributeset rttmanager_service_30_0 (rttmanager_service))
+(typeattributeset runas_30_0 (runas))
+(typeattributeset runas_app_30_0 (runas_app))
+(typeattributeset runas_exec_30_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_30_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_30_0 (runtime_service))
+(typeattributeset safemode_prop_30_0 (safemode_prop))
+(typeattributeset same_process_hal_file_30_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_30_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_30_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_30_0 (sdcard_block_device))
+(typeattributeset sdcardd_30_0 (sdcardd))
+(typeattributeset sdcardd_exec_30_0 (sdcardd_exec))
+(typeattributeset sdcardfs_30_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_30_0 (seapp_contexts_file))
+(typeattributeset search_service_30_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_30_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_30_0 (secure_element))
+(typeattributeset secure_element_device_30_0 (secure_element_device))
+(typeattributeset secure_element_service_30_0 (secure_element_service))
+(typeattributeset securityfs_30_0 (securityfs))
+(typeattributeset selinuxfs_30_0 (selinuxfs))
+(typeattributeset sensor_privacy_service_30_0 (sensor_privacy_service))
+(typeattributeset sensors_device_30_0 (sensors_device))
+(typeattributeset sensorservice_service_30_0 (sensorservice_service))
+(typeattributeset sepolicy_file_30_0 (sepolicy_file))
+(typeattributeset serial_device_30_0 (serial_device))
+(typeattributeset serial_service_30_0 (serial_service))
+(typeattributeset serialno_prop_30_0 (serialno_prop))
+(typeattributeset server_configurable_flags_data_file_30_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_30_0 (service_contexts_file))
+(typeattributeset service_manager_service_30_0 (service_manager_service))
+(typeattributeset service_manager_vndservice_30_0 (service_manager_vndservice))
+(typeattributeset servicediscovery_service_30_0 (servicediscovery_service))
+(typeattributeset servicemanager_30_0 (servicemanager))
+(typeattributeset servicemanager_exec_30_0 (servicemanager_exec))
+(typeattributeset settings_service_30_0 (settings_service))
+(typeattributeset sgdisk_30_0 (sgdisk))
+(typeattributeset sgdisk_exec_30_0 (sgdisk_exec))
+(typeattributeset shared_relro_30_0 (shared_relro))
+(typeattributeset shared_relro_file_30_0 (shared_relro_file))
+(typeattributeset shell_30_0 (shell))
+(typeattributeset shell_data_file_30_0 (shell_data_file))
+(typeattributeset shell_exec_30_0 (shell_exec))
+(typeattributeset shell_prop_30_0 (shell_prop))
+(typeattributeset shm_30_0 (shm))
+(typeattributeset shortcut_manager_icons_30_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_30_0 (shortcut_service))
+(typeattributeset simpleperf_30_0 (simpleperf))
+(typeattributeset simpleperf_app_runner_30_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_30_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_30_0 (slice_service))
+(typeattributeset slideshow_30_0 (slideshow))
+(typeattributeset snapshotctl_log_data_file_30_0 (snapshotctl_log_data_file))
+(typeattributeset socket_device_30_0 (socket_device))
+(typeattributeset socket_hook_prop_30_0 (socket_hook_prop))
+(typeattributeset sockfs_30_0 (sockfs))
+(typeattributeset sota_prop_30_0 (sota_prop))
+(typeattributeset soundtrigger_middleware_service_30_0 (soundtrigger_middleware_service))
+(typeattributeset staging_data_file_30_0 (staging_data_file))
+(typeattributeset stats_data_file_30_0 (stats_data_file))
+(typeattributeset statsd_30_0 (statsd))
+(typeattributeset statsd_exec_30_0 (statsd_exec))
+(typeattributeset statsdw_socket_30_0 (statsdw_socket))
+(typeattributeset statusbar_service_30_0 (statusbar_service))
+(typeattributeset storage_config_prop_30_0 (storage_config_prop))
+(typeattributeset storage_file_30_0 (storage_file))
+(typeattributeset storage_stub_file_30_0 (storage_stub_file))
+(typeattributeset storaged_service_30_0 (storaged_service))
+(typeattributeset storagestats_service_30_0 (storagestats_service))
+(typeattributeset su_30_0 (su))
+(typeattributeset su_exec_30_0 (su_exec))
+(typeattributeset super_block_device_30_0 (super_block_device))
+(typeattributeset surfaceflinger_30_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_30_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
+(typeattributeset swap_block_device_30_0 (swap_block_device))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_metrics))
+(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_block_30_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_system_cpu_30_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_30_0 (sysfs_dm))
+(typeattributeset sysfs_dm_verity_30_0 (sysfs_dm_verity))
+(typeattributeset sysfs_dt_firmware_android_30_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_30_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_30_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_30_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_hwrandom_30_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ion_30_0 (sysfs_ion))
+(typeattributeset sysfs_ipv4_30_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_30_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_30_0 (sysfs_leds))
+(typeattributeset sysfs_loop_30_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_30_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_net_30_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_30_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_30_0 (sysfs_power))
+(typeattributeset sysfs_rtc_30_0 (sysfs_rtc))
+(typeattributeset sysfs_suspend_stats_30_0 (sysfs_suspend_stats))
+(typeattributeset sysfs_switch_30_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_30_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_30_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uio_30_0 (sysfs_uio))
+(typeattributeset sysfs_usb_30_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_30_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vibrator_30_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_30_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_30_0 (sysfs_wakeup))
+(typeattributeset sysfs_wakeup_reasons_30_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_30_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_30_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_30_0 (sysfs_zram_uevent))
+(typeattributeset system_adbd_prop_30_0 (system_adbd_prop))
+(typeattributeset system_app_30_0 (system_app))
+(typeattributeset system_app_data_file_30_0 (system_app_data_file))
+(typeattributeset system_app_service_30_0 (system_app_service))
+(typeattributeset system_asan_options_file_30_0 (system_asan_options_file))
+(typeattributeset system_block_device_30_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_30_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_30_0 (system_bootstrap_lib_file))
+(typeattributeset system_config_service_30_0 (system_config_service))
+(typeattributeset system_data_file_30_0 (system_data_file))
+(typeattributeset system_data_root_file_30_0 (system_data_root_file))
+(typeattributeset system_event_log_tags_file_30_0 (system_event_log_tags_file))
+(typeattributeset system_file_30_0 (system_file))
+(typeattributeset system_group_file_30_0 (system_group_file))
+(typeattributeset system_jvmti_agent_prop_30_0 (system_jvmti_agent_prop))
+(typeattributeset system_lib_file_30_0 (system_lib_file))
+(typeattributeset system_linker_config_file_30_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_30_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_30_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_30_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_30_0 (system_net_netd_hwservice))
+(typeattributeset system_passwd_file_30_0 (system_passwd_file))
+(typeattributeset system_prop_30_0 (system_prop))
+(typeattributeset system_radio_prop_30_0 (system_radio_prop usb_prop))
+(typeattributeset system_seccomp_policy_file_30_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_30_0 (system_security_cacerts_file))
+(typeattributeset system_server_30_0 (system_server))
+(typeattributeset system_server_tmpfs_30_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_service_30_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_30_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_30_0 (system_trace_prop))
+(typeattributeset system_unsolzygote_socket_30_0 (system_unsolzygote_socket))
+(typeattributeset system_update_service_30_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_30_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_30_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_30_0 (system_zoneinfo_file))
+(typeattributeset systemkeys_data_file_30_0 (systemkeys_data_file))
+(typeattributeset task_profiles_file_30_0 (task_profiles_file))
+(typeattributeset task_service_30_0 (task_service))
+(typeattributeset tcpdump_exec_30_0 (tcpdump_exec))
+(typeattributeset tee_30_0 (tee))
+(typeattributeset tee_data_file_30_0 (tee_data_file))
+(typeattributeset tee_device_30_0 (tee_device))
+(typeattributeset telecom_service_30_0 (telecom_service))
+(typeattributeset test_boot_reason_prop_30_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_30_0 (test_harness_prop))
+(typeattributeset testharness_service_30_0 (testharness_service))
+(typeattributeset tethering_service_30_0 (tethering_service))
+(typeattributeset textclassification_service_30_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_30_0 (textclassifier_data_file))
+(typeattributeset textservices_service_30_0 (textservices_service))
+(typeattributeset theme_prop_30_0 (theme_prop))
+(typeattributeset thermal_service_30_0 (thermal_service))
+(typeattributeset thermalcallback_hwservice_30_0 (thermalcallback_hwservice))
+(typeattributeset time_prop_30_0 (time_prop))
+(typeattributeset timedetector_service_30_0 (timedetector_service))
+(typeattributeset timezone_service_30_0 (timezone_service))
+(typeattributeset timezonedetector_service_30_0 (timezonedetector_service))
+(typeattributeset tmpfs_30_0 (tmpfs))
+(typeattributeset tombstone_data_file_30_0 (tombstone_data_file))
+(typeattributeset tombstone_wifi_data_file_30_0 (tombstone_wifi_data_file))
+(typeattributeset tombstoned_30_0 (tombstoned))
+(typeattributeset tombstoned_crash_socket_30_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_30_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_30_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_30_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_30_0 (toolbox))
+(typeattributeset toolbox_exec_30_0 (toolbox_exec))
+(typeattributeset trace_data_file_30_0 (trace_data_file))
+(typeattributeset traced_30_0 (traced))
+(typeattributeset traced_consumer_socket_30_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_30_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_30_0 (traced_lazy_prop))
+(typeattributeset traced_perf_30_0 (traced_perf))
+(typeattributeset traced_perf_enabled_prop_30_0 (traced_perf_enabled_prop))
+(typeattributeset traced_perf_socket_30_0 (traced_perf_socket))
+(typeattributeset traced_probes_30_0 (traced_probes))
+(typeattributeset traced_producer_socket_30_0 (traced_producer_socket))
+(typeattributeset traceur_app_30_0 (traceur_app))
+(typeattributeset trust_service_30_0 (trust_service))
+(typeattributeset tty_device_30_0 (tty_device))
+(typeattributeset tun_device_30_0 (tun_device))
+(typeattributeset tv_input_service_30_0 (tv_input_service))
+(typeattributeset tv_tuner_resource_mgr_service_30_0 (tv_tuner_resource_mgr_service))
+(typeattributeset tzdatacheck_30_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_30_0 (tzdatacheck_exec))
+(typeattributeset ueventd_30_0 (ueventd))
+(typeattributeset ueventd_tmpfs_30_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_30_0 (uhid_device))
+(typeattributeset uimode_service_30_0 (uimode_service))
+(typeattributeset uio_device_30_0 (uio_device))
+(typeattributeset uncrypt_30_0 (uncrypt))
+(typeattributeset uncrypt_exec_30_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_30_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_30_0 (unencrypted_data_file))
+(typeattributeset unlabeled_30_0 (unlabeled))
+(typeattributeset untrusted_app_25_30_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_30_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_30_0 (untrusted_app_29))
+(typeattributeset untrusted_app_30_0 (untrusted_app))
+(typeattributeset update_engine_30_0 (update_engine))
+(typeattributeset update_engine_data_file_30_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_30_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_30_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_30_0 (update_engine_service))
+(typeattributeset update_verifier_30_0 (update_verifier))
+(typeattributeset update_verifier_exec_30_0 (update_verifier_exec))
+(typeattributeset updatelock_service_30_0 (updatelock_service))
+(typeattributeset uri_grants_service_30_0 (uri_grants_service))
+(typeattributeset usagestats_service_30_0 (usagestats_service))
+(typeattributeset usb_device_30_0 (usb_device))
+(typeattributeset usb_serial_device_30_0 (usb_serial_device))
+(typeattributeset usb_service_30_0 (usb_service))
+(typeattributeset usbaccessory_device_30_0 (usbaccessory_device))
+(typeattributeset usbd_30_0 (usbd))
+(typeattributeset usbd_exec_30_0 (usbd_exec))
+(typeattributeset usbfs_30_0 (usbfs))
+(typeattributeset use_memfd_prop_30_0 (use_memfd_prop))
+(typeattributeset user_profile_data_file_30_0
+ ( user_profile_data_file
+ user_profile_root_file
+))
+(typeattributeset user_service_30_0 (user_service))
+(typeattributeset userdata_block_device_30_0 (userdata_block_device))
+(typeattributeset usermodehelper_30_0 (usermodehelper))
+(typeattributeset userspace_reboot_config_prop_30_0 (userspace_reboot_config_prop))
+(typeattributeset userspace_reboot_exported_prop_30_0 (userspace_reboot_exported_prop))
+(typeattributeset userspace_reboot_log_prop_30_0 (userspace_reboot_log_prop))
+(typeattributeset userspace_reboot_test_prop_30_0 (userspace_reboot_test_prop))
+(typeattributeset vdc_30_0 (vdc))
+(typeattributeset vdc_exec_30_0 (vdc_exec))
+(typeattributeset vehicle_hal_prop_30_0 (vehicle_hal_prop))
+(typeattributeset vendor_apex_file_30_0 (vendor_apex_file))
+(typeattributeset vendor_app_file_30_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_30_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_30_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_30_0 (vendor_data_file))
+(typeattributeset vendor_default_prop_30_0 (vendor_default_prop))
+(typeattributeset vendor_file_30_0 (vendor_file))
+(typeattributeset vendor_framework_file_30_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_30_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_30_0 (vendor_idc_file))
+(typeattributeset vendor_init_30_0 (vendor_init))
+(typeattributeset vendor_keychars_file_30_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_30_0 (vendor_keylayout_file))
+(typeattributeset vendor_misc_writer_30_0 (vendor_misc_writer))
+(typeattributeset vendor_misc_writer_exec_30_0 (vendor_misc_writer_exec))
+(typeattributeset vendor_overlay_file_30_0 (vendor_overlay_file))
+(typeattributeset vendor_public_lib_file_30_0
+ ( vendor_public_framework_file
+ vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_30_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_shell_30_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_30_0 (vendor_shell_exec))
+(typeattributeset vendor_socket_hook_prop_30_0 (vendor_socket_hook_prop))
+(typeattributeset vendor_task_profiles_file_30_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_30_0 (vendor_toolbox_exec))
+(typeattributeset vfat_30_0 (vfat))
+(typeattributeset vibrator_service_30_0 (vibrator_service))
+(typeattributeset video_device_30_0 (video_device))
+(typeattributeset virtual_ab_prop_30_0 (virtual_ab_prop))
+(typeattributeset virtual_touchpad_30_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_30_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_30_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_30_0 (vndbinder_device))
+(typeattributeset vndk_prop_30_0 (vndk_prop))
+(typeattributeset vndk_sp_file_30_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_30_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_30_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_30_0 (voiceinteraction_service))
+(typeattributeset vold_30_0 (vold))
+(typeattributeset vold_data_file_30_0 (vold_data_file))
+(typeattributeset vold_device_30_0 (vold_device))
+(typeattributeset vold_exec_30_0 (vold_exec))
+(typeattributeset vold_metadata_file_30_0 (vold_metadata_file))
+(typeattributeset vold_prepare_subdirs_30_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_30_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_30_0 (vold_prop))
+(typeattributeset vold_service_30_0 (vold_service))
+(typeattributeset vpn_data_file_30_0 (vpn_data_file))
+(typeattributeset vr_hwc_30_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_30_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_30_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_30_0 (vr_manager_service))
+(typeattributeset vrflinger_vsync_service_30_0 (vrflinger_vsync_service))
+(typeattributeset wallpaper_file_30_0 (wallpaper_file))
+(typeattributeset wallpaper_service_30_0 (wallpaper_service))
+(typeattributeset watchdog_device_30_0 (watchdog_device))
+(typeattributeset watchdogd_30_0 (watchdogd))
+(typeattributeset watchdogd_exec_30_0 (watchdogd_exec))
+(typeattributeset webview_zygote_30_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_30_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_30_0 (webview_zygote_tmpfs))
+(typeattributeset webviewupdate_service_30_0 (webviewupdate_service))
+(typeattributeset wifi_data_file_30_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_30_0 (wifi_log_prop))
+(typeattributeset wifi_prop_30_0 (wifi_prop))
+(typeattributeset wifi_service_30_0 (wifi_service))
+(typeattributeset wifiaware_service_30_0 (wifiaware_service))
+(typeattributeset wificond_30_0 (wificond))
+(typeattributeset wificond_exec_30_0 (wificond_exec))
+(typeattributeset wifinl80211_service_30_0 (wifinl80211_service))
+(typeattributeset wifip2p_service_30_0 (wifip2p_service))
+(typeattributeset wifiscanner_service_30_0 (wifiscanner_service))
+(typeattributeset window_service_30_0 (window_service))
+(typeattributeset wpa_socket_30_0 (wpa_socket))
+(typeattributeset wpantund_30_0 (wpantund))
+(typeattributeset wpantund_exec_30_0 (wpantund_exec))
+(typeattributeset wpantund_service_30_0 (wpantund_service))
+(typeattributeset zero_device_30_0 (zero_device))
+(typeattributeset zoneinfo_data_file_30_0 (zoneinfo_data_file))
+(typeattributeset zygote_30_0 (zygote))
+(typeattributeset zygote_exec_30_0 (zygote_exec))
+(typeattributeset zygote_socket_30_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_30_0 (zygote_tmpfs))
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
new file mode 100644
index 0000000..97c5874
--- /dev/null
+++ b/private/compat/30.0/30.0.compat.cil
@@ -0,0 +1,10 @@
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+
+;; TODO: Once 30.0 is no longer supported for vendor images,
+;; mlsvendorcompat can be completely from the system policy.
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
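Review bot: The TODO comment on lines 4–5 of the new file is missing its verb — `mlsvendorcompat can be completely from the system policy` reads as if a word was dropped; suggest `;; mlsvendorcompat can be completely removed from the system policy.` The attribute covers every domain that is both appdomain and vendordomain and the four allow rules give it create/write/rename/unlink on app_data_file and privapp_data_file, so the condition under which this compat grant goes away is worth stating precisely. The scope of the rules themselves is the 30.0 compatibility contract and is not re-raised here.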
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
new file mode 100644
index 0000000..59c07d3
--- /dev/null
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -0,0 +1,148 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ ab_update_gki_prop
+ adbd_config_prop
+ apc_service
+ apex_art_data_file
+ apex_art_staging_data_file
+ apex_info_file
+ apex_ota_reserved_file
+ apex_scheduling_data_file
+ apexd_config_prop
+ app_hibernation_service
+ appcompat_data_file
+ arm64_memtag_prop
+ artd
+ artd_exec
+ artd_service
+ authorization_service
+ bootanim_config_prop
+ camerax_extensions_prop
+ cgroup_desc_api_file
+ cgroup_v2
+ codec2_config_prop
+ ctl_snapuserd_prop
+ debugfs_kprobes
+ debugfs_mm_events_tracing
+ debugfs_bootreceiver_tracing
+ debugfs_restriction_prop
+ device_config_profcollect_native_boot_prop
+ device_config_connectivity_prop
+ device_config_swcodec_native_prop
+ device_state_service
+ dm_user_device
+ dmabuf_heap_device
+ dmabuf_system_heap_device
+ dmabuf_system_secure_heap_device
+ domain_verification_service
+ dumpstate_tmpfs
+ framework_watchdog_config_prop
+ fs_bpf_tethering
+ fwk_stats_service
+ game_service
+ font_data_file
+ gki_apex_prepostinstall
+ gki_apex_prepostinstall_exec
+ hal_audio_service
+ hal_authsecret_service
+ hal_audiocontrol_service
+ hal_face_service
+ hal_fingerprint_service
+ hal_health_storage_service
+ hal_memtrack_service
+ hal_oemlock_service
+ hint_service
+ gnss_device
+ hal_dumpstate_config_prop
+ hal_gnss_service
+ hal_keymint_service
+ hal_neuralnetworks_service
+ hal_power_stats_service
+ hal_remotelyprovisionedcomponent_service
+ hal_secureclock_service
+ hal_sharedsecret_service
+ hal_weaver_service
+ hw_timeout_multiplier_prop
+ keystore_compat_hal_service
+ keystore_maintenance_service
+ keystore2_key_contexts_file
+ legacy_permission_service
+ location_time_zone_manager_service
+ media_communication_service
+ media_metrics_service
+ mediatuner_exec
+ mediatuner_service
+ mediatuner
+ mediatranscoding_tmpfs
+ memtrackproxy_service
+ mm_events_config_prop
+ music_recognition_service
+ nfc_logs_data_file
+ odrefresh
+ odrefresh_exec
+ odsign
+ odsign_data_file
+ odsign_exec
+ pac_proxy_service
+ permission_checker_service
+ people_service
+ persist_vendor_debug_wifi_prop
+ postinstall_dexopt_exec
+ postinstall_device_mnt_dir
+ postinstall_product_mnt_dir
+ postinstall_vendor_mnt_dir
+ power_debug_prop
+ power_stats_service
+ proc_kallsyms
+ proc_locks
+ profcollectd
+ profcollectd_data_file
+ profcollectd_exec
+ profcollectd_node_id_prop
+ profcollectd_service
+ qemu_hw_prop
+ qemu_sf_lcd_density_prop
+ radio_core_data_file
+ reboot_readiness_service
+ remote_prov_app
+ remoteprovisioning_service
+ resolver_service
+ search_ui_service
+ shell_test_data_file
+ smartspace_service
+ snapuserd
+ snapuserd_exec
+ snapuserd_socket
+ soc_prop
+ speech_recognition_service
+ sysfs_devfreq_cur
+ sysfs_devfreq_dir
+ sysfs_devices_cs_etm
+ sysfs_dma_heap
+ sysfs_dmabuf_stats
+ sysfs_uhid
+ system_server_dumper_service
+ system_suspend_control_internal_service
+ task_profiles_api_file
+ texttospeech_service
+ transformer_service
+ update_engine_stable_service
+ userdata_sysdev
+ userspace_reboot_metadata_file
+ uwb_service
+ vcn_management_service
+ vd_device
+ vendor_kernel_modules
+ vendor_modprobe
+ vibrator_manager_service
+ virtualization_service
+ vpn_management_service
+ vpnprofilestore_service
+ watchdog_metadata_file
+ wifi_key
+ zygote_config_prop))
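Review bot: The new_objects list is not kept in alphabetical order — `debugfs_bootreceiver_tracing` follows `debugfs_mm_events_tracing`, `font_data_file` follows `game_service`, `gnss_device` and `hal_dumpstate_config_prop` sit inside the `hal_*` run, and `mediatuner` follows `mediatuner_service`. Because this file is what lets a new type pass checkapi without a mapping in 30.0.cil, a sorted list makes it much easier to spot a type that was dropped here when it should have been mapped. Sorting is cosmetic and changes nothing in the compiled policy.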
diff --git a/private/coredomain.te b/private/coredomain.te
index 86e8009..b7f4f5d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,5 +1,33 @@
-get_prop(coredomain, pm_prop)
+get_prop(coredomain, boot_status_prop)
+get_prop(coredomain, camera_config_prop)
+get_prop(coredomain, dalvik_config_prop)
+get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
+get_prop(coredomain, ffs_config_prop)
+get_prop(coredomain, graphics_config_prop)
+get_prop(coredomain, hdmi_config_prop)
+get_prop(coredomain, init_service_status_private_prop)
+get_prop(coredomain, lmkd_config_prop)
+get_prop(coredomain, localization_prop)
+get_prop(coredomain, pm_prop)
+get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, sqlite_log_prop)
+get_prop(coredomain, storagemanager_config_prop)
+get_prop(coredomain, surfaceflinger_color_prop)
+get_prop(coredomain, systemsound_config_prop)
+get_prop(coredomain, telephony_config_prop)
+get_prop(coredomain, usb_config_prop)
+get_prop(coredomain, usb_control_prop)
+get_prop(coredomain, userspace_reboot_config_prop)
+get_prop(coredomain, vold_config_prop)
+get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_config_prop)
+get_prop(coredomain, zygote_wrap_prop)
+
+# TODO(b/170590987): remove this after cleaning up default_prop
+get_prop(coredomain, default_prop)
full_treble_only(`
neverallow {
@@ -15,7 +43,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -26,7 +54,7 @@
-idmap
-init
-installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -43,7 +71,8 @@
-idmap
-init
-installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -69,7 +98,7 @@
-app_zygote
-webview_zygote
-zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
} vendor_overlay_file:dir { getattr open read search };
')
@@ -89,7 +118,8 @@
-app_zygote
-webview_zygote
-zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
} vendor_overlay_file:file open;
')
@@ -123,9 +153,11 @@
# debugfs
neverallow {
coredomain
- -dumpstate
- -init
- -system_server
+ no_debugfs_restriction(`
+ -dumpstate
+ -init
+ -system_server
+ ')
} debugfs:file no_rw_file_perms;
# tracefs
@@ -133,11 +165,14 @@
coredomain
-atrace
-dumpstate
+ -gpuservice
-init
+ -traced_perf
-traced_probes
-shell
-system_server
-traceur_app
+ userdebug_or_eng(`-profcollectd')
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
@@ -184,6 +219,17 @@
coredomain
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+
+ # dmabuf heaps
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ }{
+ dmabuf_heap_device_type
+ -dmabuf_system_heap_device
+ -dmabuf_system_secure_heap_device
+ }:chr_file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
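Review bot: The new dmabuf-heaps neverallow at the end of the hunk (from `# dmabuf heaps` through `}:chr_file no_rw_file_perms;`) does not say why `dmabuf_system_heap_device` and `dmabuf_system_secure_heap_device` are carved out of the target while every other `dmabuf_heap_device_type` is denied to coredomain; without a stated reason the carve-out is easy to widen in later edits. Assuming the intent is that coredomain may only use the system heaps and vendor-defined heaps stay vendor-only, a comment such as `# dmabuf heaps: coredomain may only open the system heaps; vendor-defined heaps are vendor-only` would pin that down. The enclosing full_treble_only block starts outside this hunk.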
diff --git a/private/crash_dump.te b/private/crash_dump.te
index f130327..9233a4d 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -17,8 +17,16 @@
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
+
+# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
userdebug_or_eng(`
- allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
+ allow crash_dump {
+ apexd
+ keystore
+ llkd
+ logd
+ vold
+ }:process { ptrace signal sigchld sigstop sigkill };
')
###
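Review bot: The keystore exception added to the neverallow in the next hunk (`@@ -35,6 +43,7 @@`) carries no comment tying it to the TODO(b/186868271) placed above this userdebug_or_eng allow, so when the temporary ptrace grant on keystore is removed the neverallow exception can easily be left behind and silently tolerate a later re-grant. Suggest repeating the reference next to that line, e.g. `# TODO(b/186868271): remove together with the crash_dump allow above`. Since the keystore process holds key material in memory, the two lines should be tracked for removal as one change.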
@@ -35,6 +43,7 @@
init
kernel
keystore
+ userdebug_or_eng(`-keystore')
llkd
userdebug_or_eng(`-llkd')
logd
@@ -47,3 +56,7 @@
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
+
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/private/crosvm.te b/private/crosvm.te
new file mode 100644
index 0000000..5d7080a
--- /dev/null
+++ b/private/crosvm.te
@@ -0,0 +1,16 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
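Review bot: The `-shell` carve-out in the first kvm_device neverallow is unexplained — `# Most other domains shouldn't access /dev/kvm.` describes the rule but not why shell may getattr the node when every other non-crosvm domain may not; add the actual need, e.g. `# shell may stat /dev/kvm but never open it: <reason>`. Separately, `type crosvm_tmpfs, file_type;` is declared by hand here while derive_classpath.te in this same commit relies on init_daemon_domain without declaring a tmpfs type; if tmpfs_domain() itself declares the `_tmpfs` type (its definition is outside this diff) the explicit line is a duplicate declaration, so confirm which convention the macro expects.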
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
new file mode 100644
index 0000000..2299ba0
--- /dev/null
+++ b/private/derive_classpath.te
@@ -0,0 +1,25 @@
+
+# Domain for derive_classpath
+type derive_classpath, domain, coredomain;
+type derive_classpath_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_classpath)
+
+# Read /apex
+allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+
+# Create /data/system/environ/classpath file
+allow derive_classpath environ_system_data_file:dir rw_dir_perms;
+allow derive_classpath environ_system_data_file:file create_file_perms;
+
+# b/183079517 fails on gphone targets otherwise
+allow derive_classpath unlabeled:dir search;
+
+# Allow derive_classpath to write the classpath into ota dexopt
+# - Read the ota's apex dir
+allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
+# - Report the BCP to the ota's dexopt
+allow derive_classpath postinstall_dexopt:dir search;
+allow derive_classpath postinstall_dexopt:fd use;
+allow derive_classpath postinstall_dexopt:file read;
+allow derive_classpath postinstall_dexopt:lnk_file read;
+allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
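Review bot: `allow derive_classpath unlabeled:dir search;` is justified only by a symptom (`# b/183079517 fails on gphone targets otherwise`); the comment should name which path is unlabeled on those targets so the rule can be retired once that directory gets a label, e.g. `# b/183079517: <path> is unlabeled on gphone targets; drop once it is labeled`. Search on unlabeled directories is a small but permanent widening that tends to outlive its cause. The blank first line of the new file is a style nit.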
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 7907f6c..28d8b9a 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -2,6 +2,8 @@
type dex2oat, domain, coredomain;
type dex2oat_exec, system_file_type, exec_type, file_type;
+userfaultfd_use(dex2oat)
+
r_dir_file(dex2oat, apk_data_file)
# Access to /vendor/app
r_dir_file(dex2oat, vendor_app_file)
@@ -13,13 +15,11 @@
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat dalvikcache_data_file:lnk_file read;
allow dex2oat installd:fd use;
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
+allow dex2oat postinstall_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
@@ -35,6 +35,32 @@
# the framework.
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
+# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
+allow dex2oat apex_module_data_file:dir search;
+
+# Allow dex2oat to use file descriptors passed from odrefresh.
+allow dex2oat odrefresh:fd use;
+
+# Allow dex2oat to use devpts and file descriptors passed from odsign
+allow dex2oat odsign_devpts:chr_file { read write };
+allow dex2oat odsign:fd use;
+
+# Allow dex2oat to write to file descriptors from odrefresh for files
+# in the staging area.
+allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
+allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
+
+# Allow dex2oat to read artifacts from odrefresh.
+allow dex2oat apex_art_data_file:dir r_dir_perms;
+allow dex2oat apex_art_data_file:file r_file_perms;
+
+# Allow dex2oat to read runtime native flag properties.
+get_prop(dex2oat, device_config_runtime_native_prop)
+get_prop(dex2oat, device_config_runtime_native_boot_prop)
+
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
+
##################
# A/B OTA Dexopt #
##################
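Review bot: `allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };` grants unlink, but the only dir permission granted on that type is `r_dir_perms`, which does not include remove_name; unless the parent directory carries a different label, the unlink can never succeed and should either be dropped or paired with `remove_name` on the dir. The comment above it only says dex2oat writes through descriptors passed from odrefresh, which does not explain why it needs to delete staging files — state the case or remove the permission. In the last hunk of this file (`@@ -75,7 +101,6 @@`) the comment `# Allow dex2oat to use file descriptors from preinstall.` is left behind after its rule was removed and should go too.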
@@ -75,7 +101,6 @@
allow dex2oat apexd:fd use;
# Allow dex2oat to use file descriptors from preinstall.
-allow dex2oat art_apex_preinstall:fd use;
##############
# Neverallow #
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index a2b2b01..5f0a41e 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -11,15 +11,30 @@
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
-#processes.
+# processes.
tmpfs_domain(dexoptanalyzer)
+userfaultfd_use(dexoptanalyzer)
+
+# Allow dexoptanalyzer to read files in the dalvik cache.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+# Allow dexoptanalyzer to read files in the ART APEX data directory.
+allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
+allow dexoptanalyzer apex_art_data_file:file r_file_perms;
+
+# Allow dexoptanalyzer to use file descriptors from odrefresh.
+allow dexoptanalyzer odrefresh:fd use;
+
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow dexoptanalyzer odsign:fd use;
+allow dexoptanalyzer odsign_devpts:chr_file { read write };
+
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
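Review bot: The comment that now sits directly above `allow dexoptanalyzer dalvikcache_data_file:lnk_file read;` is garbled — `PIC mode boot app_data_file the oat file is symlinked` lost its middle — and the reordering in this hunk makes it more visible because the dir/file rules were moved above it. The same comment is removed intact from dex2oat.te in this commit, so restore it here as `# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where` followed by `# the oat file is symlinked to the original file in /system.`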
@@ -28,12 +43,7 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
-# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
-# "dontaudit...audit_access" policy line to suppress the audit access without
-# suppressing denial on actual access.
-dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/dhcp.te b/private/dhcp.te
index b2f8ac7..8ec9111 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -2,3 +2,6 @@
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
diff --git a/private/domain.te b/private/domain.te
index 7116dad..b91d36d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -11,7 +11,7 @@
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap_central({
+userdebug_or_eng(`can_profile_heap({
domain
-bpfloader
-init
@@ -49,14 +49,22 @@
-zygote
})')
+# Everyone can access the IncFS list of features.
+r_dir_file(domain, sysfs_fs_incfs_features);
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
+allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
@@ -72,33 +80,16 @@
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
+ # DO NOT ADD ANY PROPERTIES HERE
get_prop(domain, core_property_type)
- get_prop(domain, exported_dalvik_prop)
- get_prop(domain, exported_ffs_prop)
- get_prop(domain, exported_system_radio_prop)
- get_prop(domain, exported2_config_prop)
- get_prop(domain, exported2_radio_prop)
- get_prop(domain, exported2_system_prop)
- get_prop(domain, exported2_vold_prop)
- get_prop(domain, exported3_default_prop)
- get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
get_prop({coredomain appdomain shell}, core_property_type)
- get_prop({coredomain appdomain shell}, exported_dalvik_prop)
- get_prop({coredomain appdomain shell}, exported_ffs_prop)
- get_prop({coredomain appdomain shell}, exported_system_radio_prop)
- get_prop({coredomain appdomain shell}, exported2_config_prop)
- get_prop({coredomain appdomain shell}, exported2_radio_prop)
- get_prop({coredomain appdomain shell}, exported2_system_prop)
- get_prop({coredomain appdomain shell}, exported2_vold_prop)
- get_prop({coredomain appdomain shell}, exported3_default_prop)
- get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
- get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_log_prop)
get_prop({coredomain shell}, userspace_reboot_test_prop)
@@ -122,19 +113,23 @@
allow domain boringssl_self_test_marker:dir search;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
+ userdebug_or_eng(`-profcollectd')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
+neverallow { domain -system_server } *:keystore2_key use_dev_id;
+neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
neverallow {
domain
@@ -208,8 +203,8 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
+neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
@@ -225,7 +220,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -270,8 +265,6 @@
-cppreopts
-dex2oat
-otapreopt_slot
- -art_apex_postinstall
- -art_apex_boot_integrity
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -283,10 +276,44 @@
-dex2oat
-zygote
-otapreopt_slot
- -art_apex_boot_integrity
- -art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;
+# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
+# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
+neverallow {
+ domain
+ # art processes
+ -odrefresh
+ -odsign
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ # art processes
+ -odrefresh
+ -odsign
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:dir no_w_dir_perms;
+
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -appdomain
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
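Review bot: The `-system_data_file # shared libs in apks` exemption in the new no_x_file_perms neverallow is much broader than its comment suggests: file_contexts in this same diff labels `/data/(.*)?` as system_data_file by default, so every /data path without a more specific label is excluded from the execute restriction, not just app shared libraries. The comment should state that scope, e.g. `-system_data_file # default label for /data; needed for shared libs in apks but exempts every unlabelled /data path`. If the shared libraries have, or could be given, a dedicated type, exempting that type instead would let the neverallow cover the rest of system_data_file; whether such a type exists cannot be determined from this hunk.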
@@ -323,7 +350,7 @@
iorap_prefetcherd
traced_perf
traced_probes
- userdebug_or_eng(`heapprofd')
+ heapprofd
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
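Review bot: heapprofd's exemption from the dac_read_search neverallow is no longer wrapped in `userdebug_or_eng`, so it now applies on user builds as well, and nothing in the hunk records why a production build needs it; the fastbootd mount exemption in the next hunk (`recovery_only(`-fastbootd')`, previously also userdebug_or_eng-gated) has the same gap. Each of these widens a capability or mount exemption to shipping builds, which is exactly what these neverallows exist to make deliberate. A one-line comment next to each, e.g. `heapprofd # <why needed on user builds — TODO confirm>`, would let future reviewers tell intent from accident.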
@@ -332,7 +359,7 @@
neverallow {
domain
-apexd
- recovery_only(`userdebug_or_eng(`-fastbootd')')
+ recovery_only(`-fastbootd')
-init
-kernel
-otapreopt_chroot
@@ -340,9 +367,17 @@
-update_engine
-vold
-zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+} { fs_type
+ -sdcard_type
+}:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+enforce_debugfs_restriction(`
+ neverallow {
+ domain userdebug_or_eng(`-init')
+ } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
+')
+
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -370,5 +405,137 @@
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
+
+# On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -bootanim
+ -crash_dump
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ -init
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel
+ -traced_perf
+ -ueventd
+ } vendor_file:file { no_w_file_perms no_x_file_perms open };
+')
+
+# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -tombstoned # linker to tombstoned
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+ });
+')
+
+full_treble_only(`
+ # Do not allow system components access to /vendor files except for the
+ # ones allowed here.
+ neverallow {
+ coredomain
+ # TODO(b/37168747): clean up fwk access to /vendor
+ -crash_dump
+ -init # starts vendor executables
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel # loads /vendor/firmware
+ -heapprofd
+ userdebug_or_eng(`-profcollectd')
+ -shell
+ -system_executes_vendor_violators
+ -traced_perf # library/binary access for symbolization
+ -ueventd # reads /vendor/ueventd.rc
+ -vold # loads incremental fs driver
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vendor_app_file
+ -vendor_apex_file
+ -vendor_configs_file
+ -vendor_service_contexts_file
+ -vendor_framework_file
+ -vendor_idc_file
+ -vendor_keychars_file
+ -vendor_keylayout_file
+ -vendor_overlay_file
+ -vendor_public_framework_file
+ -vendor_public_lib_file
+ -vendor_task_profiles_file
+ -vndk_sp_file
+ }:file *;
+')
+
+# mlsvendorcompat is only for compatibility support for older vendor
+# images, and should not be granted to any domain in current policy.
+# (Every domain is allowed self:fork, so this will trigger if the
+# intsersection of domain & mlsvendorcompat is not empty.)
+neverallow domain mlsvendorcompat:process fork;
+
+# Only init and otapreopt_chroot should be mounting filesystems on locations
+# labeled system or vendor (/product and /vendor respectively).
+neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+
+# Only allow init and vendor_init to read/write mm_events properties
+# NOTE: dumpstate is allowed to read any system property
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+} mm_events_config_prop:file no_rw_file_perms;
+
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-profcollectd')
+ -vendor_init
+ -traced_probes
+ -traced_perf
+} proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+# vendor_modprobe is also exempted since the kernel modules it loads may create
+# debugfs files in its context.
+enforce_debugfs_restriction(`
+ neverallow {
+ domain
+ -vendor_modprobe
+ userdebug_or_eng(`
+ -init
+ -hal_dumpstate
+ ')
+ } { debugfs_type
+ userdebug_or_eng(`-debugfs_kcov')
+ -tracefs_type
+ }:file no_rw_file_perms;
+')
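Review bot: Two of the new comments in this hunk have typos: `intsersection` in the mlsvendorcompat note should read `intersection`, and `repalced` in the proc_kallsyms note should read `replaced`. The proc_kallsyms comment also asserts that "Addresses are not disclosed" and "Traces don't disclose KASLR", which is a property of how traced_probes, traced_perf and profcollectd process what they read, not something this neverallow enforces. Phrasing it as an expectation placed on those daemons, e.g. `# These daemons are expected to replace addresses with symbol names so that traces do not expose KASLR.`, would avoid overstating what the policy itself guarantees.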
diff --git a/private/drmserver.te b/private/drmserver.te
index afe4f0a..8449c3e 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -5,3 +5,5 @@
type_transition drmserver apk_data_file:sock_file drmserver_socket;
typeattribute drmserver_socket coredomain_socket;
+
+get_prop(drmserver, drm_service_config_prop)
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 72e508e..37a9a0c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,4 +1,5 @@
typeattribute dumpstate coredomain;
+type dumpstate_tmpfs, file_type;
init_daemon_domain(dumpstate)
@@ -10,6 +11,12 @@
allow dumpstate storaged_exec:file rx_file_perms;
+# /data/misc/a11ytrace for accessibility traces
+userdebug_or_eng(`
+ allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
+ allow dumpstate accessibility_trace_data_file:file r_file_perms;
+')
+
# /data/misc/wmtrace for wm traces
userdebug_or_eng(`
allow dumpstate wm_trace_data_file:dir r_dir_perms;
@@ -31,25 +38,55 @@
# Allow dumpstate to talk to idmap over binder
binder_call(dumpstate, idmap);
+# Allow dumpstate to talk to profcollectd over binder
+userdebug_or_eng(`
+ binder_call(dumpstate, profcollectd)
+')
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
# Signal native processes to dump their stack.
allow dumpstate {
+ mediatranscoding
statsd
netd
}:process signal;
+userdebug_or_eng(`
+ allow dumpstate keystore:process signal;
+')
+
# For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
+allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
dontaudit dumpstate update_engine:binder call;
-allow dumpstate proc_net_tcp_udp:file r_file_perms;
+
+# Read files in /proc
+allow dumpstate {
+ proc_net_tcp_udp
+ proc_pid_max
+}:file r_file_perms;
# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)
+# Set properties.
+# dumpstate_prop is used to share state with the Shell app.
+set_prop(dumpstate, dumpstate_prop)
+set_prop(dumpstate, exported_dumpstate_prop)
+
+# dumpstate_options_prop is used to pass extra command-line args.
+set_prop(dumpstate, dumpstate_options_prop)
+
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
# For dumping dynamic partition information.
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)
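Review bot: The comment `# Allow dumpstate to kill vendor dumpstate service by init` above `set_prop(dumpstate, ctl_dumpstate_prop)` is hard to parse; if ctl_dumpstate_prop is the init control property for the vendor dumpstate service, `# Allow dumpstate to ask init to stop the vendor dumpstate service (ctl.* property)` says what the rule actually does. Separately, the new userdebug_or_eng-gated `allow dumpstate keystore:process signal` carries no comment, unlike the stack-dump signal rule it sits next to; a short note on why keystore needs separate, debug-only treatment would help whoever later has to decide whether it can be removed.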
@@ -60,3 +97,19 @@
binder_call(dumpstate, gsid)
r_dir_file(dumpstate, ota_metadata_file)
+
+# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
+# is being recorded, the command above will serialize it into
+# /data/misc/perfetto-traces/bugreport/*.pftrace .
+domain_auto_trans(dumpstate, perfetto_exec, perfetto)
+allow dumpstate perfetto:process signal;
+allow dumpstate perfetto_traces_data_file:dir { search };
+allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
+
+# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
+# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
+# zip file. These rules are to allow perfetto.te to inherit dumpstate's
+# /dev/null.
+allow perfetto dumpstate_tmpfs:file rw_file_perms;
+allow perfetto dumpstate:fd use;
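Review bot: `allow perfetto dumpstate_tmpfs:file rw_file_perms` grants read/write on every file labelled dumpstate_tmpfs, while the comment only describes the redirected /dev/null; if dumpstate_tmpfs also labels other dumpstate-private tmpfs files, perfetto receives more than the comment says, so either the comment should acknowledge that or the rule should be narrowed if a tighter label is available (not determinable from this hunk). The comment also has a typo, `dumpstates redirects` → `dumpstate redirects`. These two rules are for the perfetto domain yet live in dumpstate.te; a pointer such as `# perfetto-side rules kept here because they exist only for dumpstate's stdio redirection` would explain the placement to the next reader.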
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 56d4747..e004891 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -44,10 +44,6 @@
allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
-allow ephemeral_app gpu_service:service_manager find;
-
-# Allow ephemeral apps to interact with gpuservice
-binder_call(ephemeral_app, gpuservice)
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 29a9157..0174faa 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -1 +1,44 @@
typeattribute fastbootd coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+ # Reboot the device
+ set_prop(fastbootd, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(fastbootd, serialno_prop)
+
+ # Set sys.usb.ffs.ready.
+ get_prop(fastbootd, ffs_config_prop)
+ set_prop(fastbootd, ffs_control_prop)
+
+ userdebug_or_eng(`
+ get_prop(fastbootd, persistent_properties_ready_prop)
+ ')
+
+ set_prop(fastbootd, gsid_prop)
+
+ # Determine allocation scheme (whether B partitions needs to be
+ # at the second half of super.
+ get_prop(fastbootd, virtual_ab_prop)
+
+ # Needed for TCP protocol
+ allow fastbootd node:tcp_socket node_bind;
+ allow fastbootd port:tcp_socket name_bind;
+ allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+
+ # Start snapuserd for merging VABC updates
+ set_prop(fastbootd, ctl_snapuserd_prop)
+
+ # Needed to communicate with snapuserd to complete merges.
+ allow fastbootd snapuserd_socket:sock_file write;
+ allow fastbootd snapuserd:unix_stream_socket connectto;
+ allow fastbootd dm_user_device:dir r_dir_perms;
+
+ # Get fastbootd protocol property
+ get_prop(fastbootd, fastbootd_protocol_prop)
+
+ # Mount /metadata to interact with Virtual A/B snapshots.
+ allow fastbootd labeledfs:filesystem { mount unmount };
+')
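Review bot: `allow fastbootd labeledfs:filesystem { mount unmount }` is commented as "Mount /metadata", but labeledfs is a filesystem type, not a mount point, so the rule permits mounting and unmounting any labeled filesystem fastbootd can reach; the comment should say so, e.g. `# Mount/unmount labeled filesystems (used for /metadata and Virtual A/B snapshots); cannot be scoped to a path here.` This grant is what the widened `recovery_only(`-fastbootd')` exemption in the mount neverallow earlier in this diff enables, now on user builds as well as userdebug/eng, so that link is worth stating next to the rule.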
diff --git a/private/file.te b/private/file.te
index 4492002..a024600 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,9 +7,18 @@
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/a11ytrace for accessibility traces
+type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
+type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-configs for perfetto configs
+type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
@@ -24,5 +33,32 @@
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
+# /data/gsi_persistent_data
+type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/emergencynumberdb
type emergency_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/profcollectd
+type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.art
+type apex_art_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.art/staging
+type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/font/files
+type font_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/odrefresh
+type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/odsign
+type odsign_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/system/environ
+type environ_system_data_file, file_type, data_file_type, core_data_file_type;
+
+# /dev/kvm
+type kvm_device, dev_type;
diff --git a/private/file_contexts b/private/file_contexts
index 9620b75..4a4867b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -27,12 +27,17 @@
/data_mirror u:object_r:mirror_data_file:s0
/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
-/postinstall u:object_r:postinstall_mnt_dir:s0
-/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/proc u:object_r:rootfs:s0
+/second_stage_resources u:object_r:tmpfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
+# Postinstall directories
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
+
+/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
+
# Symlinks
/bin u:object_r:rootfs:s0
/bugreports u:object_r:rootfs:s0
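Review bot: The new entry `/apex/(\.(bootstrap|default)-)?apex-info-list.xml` leaves the `.` before `xml` unescaped, so it matches any single character in that position; the prefix escapes its own dot and this same diff fixes identical unescaped dots in the `com.android.permission` apexdata entries, so it should read `/apex/(\.(bootstrap|default)-)?apex-info-list\.xml u:object_r:apex_info_file:s0`. The added `/data/incremental/MT_[^/]+/mount/.blocks_written` line later in the diff has the same unescaped leading dot, though there it merely matches its two existing neighbours.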
@@ -60,6 +65,7 @@
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
# Use nonplat_service_contexts_file to allow servicemanager to read it
# on non full-treble devices.
@@ -82,6 +88,7 @@
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
/dev/block/vold/.+ u:object_r:vold_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
@@ -89,12 +96,18 @@
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
+/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
+/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
/dev/fuse u:object_r:fuse_device:s0
+/dev/gnss[0-9]+ u:object_r:gnss_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
@@ -113,6 +126,7 @@
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
@@ -147,6 +161,7 @@
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/snapuserd u:object_r:snapuserd_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
@@ -162,6 +177,8 @@
/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
+/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
@@ -174,6 +191,7 @@
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
+/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
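Review bot: `/dev/vhost-vsock` is given the same `kvm_device` label as `/dev/kvm`, so any domain allowed to open the KVM node is implicitly allowed the vhost-vsock node and vice versa, even though they expose different kernel interfaces. If the two are meant to be usable independently, a dedicated type would keep them separable in policy; if sharing the label is deliberate, a comment such as `# vhost-vsock intentionally shares kvm_device: only VM-hosting domains should reach either node` next to the entry would record that.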
@@ -192,12 +210,14 @@
/system/apex/com.android.art u:object_r:art_apex_dir:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
+/system/bin/mm_events u:object_r:mm_events_exec:s0
/system/bin/atrace u:object_r:atrace_exec:s0
/system/bin/auditctl u:object_r:auditctl_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
+/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
@@ -212,6 +232,7 @@
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
/system/bin/tcpdump -- u:object_r:tcpdump_exec:s0
/system/bin/tune2fs -- u:object_r:fsck_exec:s0
+/system/bin/resize2fs -- u:object_r:fsck_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
/system/bin/toybox -- u:object_r:toolbox_exec:s0
/system/bin/ld\.mc u:object_r:rs_exec:s0
@@ -247,17 +268,16 @@
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
+/system/bin/mediatuner u:object_r:mediatuner_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
-/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
-/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
-/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
@@ -275,6 +295,7 @@
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
@@ -294,10 +315,7 @@
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
-/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
@@ -308,6 +326,8 @@
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
+/system/bin/profcollectd u:object_r:profcollectd_exec:s0
+/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
@@ -315,6 +335,7 @@
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
@@ -326,11 +347,13 @@
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
@@ -344,9 +367,10 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
+/system/bin/snapuserd u:object_r:snapuserd_exec:s0
+/system/bin/odsign u:object_r:odsign_exec:s0
#############################
# Vendor files
@@ -382,8 +406,6 @@
/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
#############################
# OEM and ODM files
#
@@ -416,6 +438,7 @@
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
@@ -428,6 +451,7 @@
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
@@ -445,6 +469,7 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts u:object_r:property_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
@@ -456,6 +481,18 @@
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
#############################
+# VendorDlkm files
+# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
+#
+/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
+
+#############################
+# OdmDlkm files
+# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
+#
+/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
+
+#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
# NOTE: For additional vendor file contexts for vendor overlay files,
@@ -471,6 +508,7 @@
#
/data u:object_r:system_data_root_file:s0
/data/(.*)? u:object_r:system_data_file:s0
+/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
@@ -487,6 +525,8 @@
/data/apex(/.*)? u:object_r:apex_data_file:s0
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
+/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
+/data/apex/ota_reserved(/.*)? u:object_r:apex_ota_reserved_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
@@ -497,9 +537,11 @@
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
+/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
+/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
@@ -515,14 +557,23 @@
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
/data/app-staging(/.*)? u:object_r:staging_data_file:s0
+# Ensure we have the same labels as /data/app or /data/apex/active
+# to avoid restorecon conflicts
+/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
+/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
+/data/fonts/files(/.*)? u:object_r:font_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
+/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
+/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
@@ -548,8 +599,15 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
-/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
+/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
+/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
+/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
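Review bot: `/data/misc/perfetto-traces/bugreport(.*)?` omits the `/` that every other directory entry in this file uses (`(/.*)?`), so it also matches siblings such as `/data/misc/perfetto-traces/bugreport-old` and labels them perfetto_traces_bugreport_data_file instead of perfetto_traces_data_file; it should read `/data/misc/perfetto-traces/bugreport(/.*)? u:object_r:perfetto_traces_bugreport_data_file:s0`. The dumpstate rules elsewhere in this diff grant rw_dir_perms and unlink on this type, so an over-wide match would extend those permissions to whatever else happens to sit under perfetto-traces with that prefix.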
@@ -578,7 +636,8 @@
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0
+/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
@@ -612,8 +671,8 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
@@ -625,6 +684,7 @@
/data/incremental(/.*)? u:object_r:apk_data_file:s0
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
#############################
# Expanded data files
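Review bot: The new pattern `/data/incremental/MT_[^/]+/mount/.blocks_written` leaves the dot before `blocks_written` unescaped, so it matches any single character in that position rather than only a literal `.`; the hunk at `-612` in this same file escapes `com\.android\.permission` for exactly this reason. Suggest `/data/incremental/MT_[^/]+/mount/\.blocks_written u:object_r:incremental_control_file:s0`. The neighbouring `.pending_reads` and `.log` entries are pre-existing and share the same looseness; since these are control files that get a distinct label, tightening all three in one pass would keep the labelling unambiguous.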
@@ -707,11 +767,17 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
+/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
+/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
#############################
# asec containers
@@ -736,3 +802,9 @@
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
+
+#############################
+# /postinstall file contexts
+/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index b37f086..fd083c2 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -6,6 +6,8 @@
/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/system/system_ext/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/system/system_ext/lib64(/.*)? u:object_r:system_lib_file:s0
/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index fb41aff..55d1a9a 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -1,3 +1,32 @@
typeattribute flags_health_check coredomain;
init_daemon_domain(flags_health_check)
+
+set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
+set_prop(flags_health_check, device_config_input_native_boot_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
+set_prop(flags_health_check, device_config_statsd_native_prop)
+set_prop(flags_health_check, device_config_statsd_native_boot_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_swcodec_native_prop)
+set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_configuration_prop)
+set_prop(flags_health_check, device_config_connectivity_prop)
+
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
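Review bot: The block of seventeen `set_prop` rules carries no comment, while the two `neverallow` rules below it are carefully explained; a reader cannot tell from the file why this daemon needs write access to every `device_config_*_prop` type. A one-line header above the first `set_prop`, along the lines of `# flags_health_check resets server-configurable flags, which are stored under the device_config_* property types below`, would document the grant at the point where it is made. The wording can be adjusted if the reset semantics described in the later comments do not apply to all of these types.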
diff --git a/private/fs_use b/private/fs_use
index 6fcc2cc..93d7f1b 100644
--- a/private/fs_use
+++ b/private/fs_use
@@ -11,6 +11,7 @@
fs_use_xattr overlay u:object_r:labeledfs:s0;
fs_use_xattr erofs u:object_r:labeledfs:s0;
fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
+fs_use_xattr virtiofs u:object_r:labeledfs:s0;
# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 4bb3d0f..42d142f 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -15,6 +15,10 @@
# Allow init to write to /proc/sys/fs/verity/require_signatures
allow fsverity_init proc_fs_verity:file w_file_perms;
+# Read the on-device signing certificate, to be able to add it to the keyring
+allow fsverity_init odsign:fd use;
+allow fsverity_init odsign_data_file:file { getattr read };
+
# When kernel requests an algorithm, the crypto API first looks for an
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
index 5e4d0a2..2fb88a3 100644
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@@ -1,3 +1,6 @@
typeattribute gatekeeperd coredomain;
init_daemon_domain(gatekeeperd)
+
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 89232bc..3499aa0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
@@ -10,9 +11,11 @@
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
@@ -65,6 +68,9 @@
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
@@ -103,9 +109,10 @@
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_bpf:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
@@ -134,6 +141,8 @@
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
+genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
+genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
@@ -141,17 +150,20 @@
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
@@ -166,11 +178,17 @@
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
@@ -214,12 +232,18 @@
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
@@ -235,6 +259,7 @@
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
@@ -247,10 +272,21 @@
genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -260,12 +296,18 @@
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
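Review bot: The removed and added `sched_process_exit` lines are byte-identical as rendered, so this looks like a trailing-whitespace-only change; the same pattern recurs for `binder_transaction_alloc_buf` in the hunk at `-280`. If the whitespace cleanup is intended it is harmless, but a mention in the commit message would spare readers from hunting for a label change that is not there; otherwise the churn can be dropped from the diff.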
@@ -280,7 +322,8 @@
genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
@@ -293,10 +336,20 @@
genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
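Review bot: The debugfs mirror of the new tracefs entries is incomplete: the tracefs hunk at `-247` adds `/events/cpuhp/cpuhp_pause/`, but this hunk adds only `cpuhp_enter` and `cpuhp_exit` under `/tracing/events/cpuhp/`. Unless the omission is deliberate, add `genfscon debugfs /tracing/events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0` so devices that reach tracing through debugfs get the same labelling. The other new event directories in this hunk (thermal, ipi, irq, clk) are mirrored consistently with their tracefs counterparts.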
@@ -322,3 +375,4 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/private/gki_apex_prepostinstall.te b/private/gki_apex_prepostinstall.te
new file mode 100644
index 0000000..1155389
--- /dev/null
+++ b/private/gki_apex_prepostinstall.te
@@ -0,0 +1,23 @@
+# GKI pre- & post-install hooks.
+#
+# Allow to run pre- and post-install hooks for GKI APEXes
+
+type gki_apex_prepostinstall, domain, coredomain;
+type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+# Execute /system/bin/sh.
+allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
+
+# Execute various toolsbox utilities.
+allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
+
+# Allow preinstall.sh to execute update_engine_stable_client binary.
+allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
+
+# Allow preinstall hook to communicate with update_engine to execute update.
+binder_use(gki_apex_prepostinstall)
+allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
+binder_call(gki_apex_prepostinstall, update_engine)
+
+# /dev/zero is inherited although it is not used. See b/126787589.
+allow gki_apex_prepostinstall apexd:fd use;
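Review bot: The comment `# Execute various toolsbox utilities.` has a typo and should read `# Execute various toolbox utilities.`. The file also does not say how a process enters this domain — no `domain_auto_trans` or `init_daemon_domain` appears here, and the `apexd:fd use` rule suggests apexd spawns the hooks — so a one-line comment at the top naming where the transition from apexd is declared would help the next reader. The `execute_no_trans` comment says `preinstall.sh` runs `update_engine_stable_client`; it would be clearer to state that the client binary is (presumably) also labelled `gki_apex_prepostinstall_exec`, since that labelling is what the rule actually depends on.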
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 2355326..10de777 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -33,6 +33,7 @@
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
+allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow gmscore_app selinuxfs:file r_file_perms;
@@ -53,8 +54,7 @@
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
-dontaudit gmscore_app wifi_prop:file r_file_perms;
-dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
+dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;
@@ -75,6 +75,10 @@
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
# /proc access
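Review bot: The comment on the new `system_linker_exec` rule doubles a word: `# Chrome Crashpad uses the the dynamic linker to load native executables` should read `# Chrome Crashpad uses the dynamic linker to load native executables`. Because `execute_no_trans` on the linker lets an app domain run code outside its own executable without a domain change, this comment and its bug references are the only justification a reader has; keeping them accurate matters more than usual here.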
@@ -127,3 +131,7 @@
# b/148974132: com.android.vending needs this
allow gmscore_app priv_app:tcp_socket { read write };
+
+# b/168059475 Allow GMSCore to read Virtual AB properties to determine
+# if device supports VAB.
+get_prop(gmscore_app, virtual_ab_prop)
diff --git a/private/gpuservice.te b/private/gpuservice.te
index a4d84ea..2e4254c 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -26,6 +26,9 @@
# Needed for dumpsys pipes.
allow gpuservice shell:fifo_file write;
+# Needed for perfetto producer.
+perfetto_producer(gpuservice)
+
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow gpuservice adbd:unix_stream_socket { read write getattr };
@@ -42,6 +45,21 @@
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
binder_call(gpuservice, statsd);
+# Needed for reading tracepoint ids in order to attach bpf programs.
+allow gpuservice debugfs_tracing:file r_file_perms;
+allow gpuservice self:perf_event { cpu kernel open write };
+neverallow gpuservice self:perf_event ~{ cpu kernel open write };
+
+# Needed for interact with bpf fs.
+allow gpuservice fs_bpf:dir search;
+allow gpuservice fs_bpf:file read;
+
+# Needed for enable the bpf program and read the map.
+allow gpuservice bpfloader:bpf { map_read prog_run };
+
+# Needed for getting a prop to ensure bpf programs loaded.
+get_prop(gpuservice, bpf_progs_loaded_prop)
+
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
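Review bot: Two of the new comments are ungrammatical: `# Needed for interact with bpf fs.` and `# Needed for enable the bpf program and read the map.`; suggest `# Needed to interact with the bpf fs.` and `# Needed to enable the bpf program and read the map.`. The `neverallow gpuservice self:perf_event ~{ cpu kernel open write };` line is a good pin, and a short comment saying it bounds the `perf_event` grant to what the tracepoint-id lookup needs would make the pairing with the preceding `allow` explicit.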
diff --git a/private/gsid.te b/private/gsid.te
index 3ff9d67..8a13cb1 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -9,6 +9,11 @@
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
+
+# Manage DSU metadata encryption key through vold.
+allow gsid vold_service:service_manager find;
+binder_call(gsid, vold)
+
set_prop(gsid, gsid_prop)
# Needed to create/delete device-mapper nodes, and read/write to them.
@@ -59,20 +64,28 @@
# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;
+allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
-allow gsid vfat:dir rw_dir_perms;
+allow gsid vfat:dir create_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
allow gsid self:global_capability_class_set sys_rawio;
-# gsi_tool passes the system image over the adb connection, via stdin.
-allow gsid adbd:fd use;
-# Needed when running gsi_tool through "su root" rather than adb root.
-allow gsid adbd:unix_stream_socket rw_socket_perms;
+# Allow rules for gsi_tool.
+userdebug_or_eng(`
+ # gsi_tool passes the system image over the adb connection, via stdin.
+ allow gsid adbd:fd use;
+ # Needed when running gsi_tool through "su root" rather than adb root.
+ allow gsid adbd:unix_stream_socket rw_socket_perms;
+ # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
+ allow gsid { shell su }:fifo_file r_file_perms;
+ # Allow installing images from /storage/emulated/...
+ allow gsid sdcard_type:file r_file_perms;
+')
neverallow {
domain
@@ -110,7 +123,7 @@
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
}:dir create_dir_perms;
allow gsid {
@@ -118,10 +131,15 @@
}:dir rw_dir_perms;
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
ota_metadata_file
}:file create_file_perms;
+# Allow restorecon to fix context of gsi_public_metadata_file.
+allow gsid file_contexts_file:file r_file_perms;
+allow gsid gsi_metadata_file:file relabelfrom;
+allow gsid gsi_public_metadata_file:file relabelto;
+
allow gsid {
gsi_data_file
ota_image_data_file
@@ -133,48 +151,50 @@
allowxperm gsid {
gsi_data_file
ota_image_data_file
-}:file ioctl FS_IOC_FIEMAP;
+}:file ioctl {
+ FS_IOC_FIEMAP
+ FS_IOC_GETFLAGS
+};
allow gsid system_server:binder call;
+# Prevent most processes from writing to gsi_metadata_file_type, but allow
+# adding rules for path resolution of gsi_public_metadata_file and reading
+# gsi_public_metadata_file.
neverallow {
domain
-init
-gsid
-fastbootd
- -recovery
- -vold
-} gsi_metadata_file:dir *;
+} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
domain
-init
-gsid
-fastbootd
- -vold
-} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
neverallow {
domain
-init
-gsid
-fastbootd
- -vold
-} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
+} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
+# Prevent apps from accessing gsi_metadata_file_type.
neverallow {
- domain
- -gsid
- -init
-} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+ appdomain
+ -shell
+} gsi_metadata_file_type:dir_file_class_set *;
neverallow {
domain
-init
-gsid
-} gsi_data_file:dir *;
+} gsi_data_file:dir_file_class_set *;
neverallow {
domain
-gsid
-} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
+} gsi_data_file:file_class_set ~{ relabelto getattr };
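Review bot: The rewritten first `neverallow` drops the `-recovery` and `-vold` exemptions that the old `gsi_metadata_file:dir *` rule carried, so those domains are now bound by `no_w_dir_perms` on `gsi_metadata_file_type` directories. The build-time neverallow check presumably confirms neither domain holds such write rules, but the comment above the block only describes the new intent, not why the carve-outs became unnecessary; a sentence such as `# recovery and vold no longer need write access here: <reason>` would record that. The new `FS_IOC_GETFLAGS` ioctl in the `allowxperm` block is also uncommented, unlike most of the surrounding grants.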
diff --git a/private/healthd.te b/private/healthd.te
index 20d0791..93bc3d8 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -4,3 +4,9 @@
# Allow healthd to serve health HAL
hal_server_domain(healthd, hal_health)
+
+# Healthd needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported3_system_prop)
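Review bot: `set_prop(healthd, system_prop)` together with `exported_system_prop` and `exported3_system_prop` grants healthd write access to every property under those three types, while the comment justifies only telling init to continue boot in charger mode. The comment should name the property actually being set, e.g. `# Healthd sets <property name placeholder> to tell init to continue the boot process when running in charger mode.`, so a later reader can judge whether a dedicated property type would let this grant shrink. If the property sits under the broad `system_prop` types only because no narrower type exists yet, say so.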
diff --git a/private/heapprofd.te b/private/heapprofd.te
index ec3e4d0..246f936 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
@@ -39,18 +39,19 @@
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
-userdebug_or_eng(`
- r_dir_file(heapprofd, nativetest_data_file)
- r_dir_file(heapprofd, system_file_type)
- r_dir_file(heapprofd, apk_data_file)
- r_dir_file(heapprofd, dalvikcache_data_file)
- r_dir_file(heapprofd, vendor_file_type)
- # Some dex files are not world-readable.
- # We are still constrained by the SELinux rules above.
- allow heapprofd self:global_capability_class_set dac_read_search;
+r_dir_file(heapprofd, nativetest_data_file)
+r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apex_art_data_file)
+r_dir_file(heapprofd, apk_data_file)
+r_dir_file(heapprofd, dalvikcache_data_file)
+r_dir_file(heapprofd, vendor_file_type)
+r_dir_file(heapprofd, shell_test_data_file)
+# Some dex files are not world-readable.
+# We are still constrained by the SELinux rules above.
+allow heapprofd self:global_capability_class_set dac_read_search;
- allow heapprofd proc_kpageflags:file r_file_perms;
-')
+# For checking profileability.
+allow heapprofd packages_list_file:file r_file_perms;
# This is going to happen on user but is benign because central heapprofd
# does not actually need these permission.
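Review bot: Moving `allow heapprofd self:global_capability_class_set dac_read_search;` out of `userdebug_or_eng` extends a DAC-bypass capability to user builds, and the retained comment (`Some dex files are not world-readable...`) explains the need but not why it is now acceptable on production builds; a sentence on that, perhaps tied to the profileability check that `packages_list_file` is read for, would help. Separately, `allow heapprofd proc_kpageflags:file r_file_perms;` is deleted rather than moved out of the macro; if that is intentional, a mention would keep it from looking like an accidental drop. The trailing comment lines (`This is going to happen on user...`) refer to rules that continue outside this hunk.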
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index c45b0ef..5b6e79d 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -63,7 +63,6 @@
android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
-android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
android.hardware.tv.tuner::ITuner u:object_r:hal_tv_tuner_hwservice:s0
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 0705cc7..e1fde43 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -6,3 +6,4 @@
add_hwservice(hwservicemanager, hidl_token_hwservice)
set_prop(hwservicemanager, ctl_interface_start_prop)
+set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/private/incidentd.te b/private/incidentd.te
index 656f69f..ef191a2 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -22,11 +22,16 @@
# section id 1002, allow reading kernel version /proc/version
allow incidentd proc_version:file r_file_perms;
+# section id 1116, allow accessing statsd socket
+unix_socket_send(incidentd, statsdw, statsd)
+
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
@@ -53,6 +58,9 @@
allow incidentd perfetto_traces_data_file:dir r_dir_perms;
allow incidentd perfetto_traces_data_file:file r_file_perms;
+# section id 3052, allow accessing nfc_service
+allow incidentd nfc_service:service_manager find;
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
@@ -67,6 +75,7 @@
# Read files in /proc
allow incidentd {
proc_cmdline
+ proc_pid_max
proc_pipe_conf
proc_stat
}:file r_file_perms;
@@ -135,6 +144,8 @@
allow incidentd system_file:file lock;
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd apex_module_data_file:dir r_dir_perms;
+dontaudit incidentd apex_art_data_file:dir r_dir_perms;
dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
@@ -145,7 +156,7 @@
r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/private/init.te b/private/init.te
index b0e7f80..99afd84 100644
--- a/private/init.te
+++ b/private/init.te
@@ -16,6 +16,7 @@
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, linkerconfig)
+ domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
@@ -37,6 +38,9 @@
# that userdata is mounted onto.
allow init sysfs_dm:file read;
+# Allow init to write to the drop_caches file.
+allow init proc_drop_caches:file rw_file_perms;
+
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
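Review bot: The rule on the line after "Allow init to write to the drop_caches file" grants `rw_file_perms`, which is wider than the comment describes. If init only ever writes this file, `allow init proc_drop_caches:file w_file_perms;` matches the stated intent and keeps the grant minimal (the file already uses `w_file_perms` elsewhere for write-only sysfs/debugfs nodes); otherwise the comment should say that reading is needed too.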
@@ -51,10 +55,50 @@
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
allow init self:perf_event { open cpu };
+allow init self:global_capability2_class_set perfmon;
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
+# Allow init to communicate with snapuserd to transition Virtual A/B devices
+# from the first-stage daemon to the second-stage.
+allow init snapuserd_socket:sock_file write;
+allow init snapuserd:unix_stream_socket connectto;
+# Allow for libsnapshot's use of flock() on /metadata/ota.
+allow init ota_metadata_file:dir lock;
+
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
+
+# Only init can write vts.native_server.on
+set_prop(init, vts_status_prop)
+neverallow { domain -init } vts_status_prop:property_service set;
+
+# Only init can write normal ro.boot. properties
+neverallow { domain -init } bootloader_prop:property_service set;
+
+# Only init can write hal.instrumentation.enable
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
+
+# Only init can write ro.property_service.version
+neverallow { domain -init } property_service_version_prop:property_service set;
+
+# Only init can set keystore.boot_level
+neverallow { domain -init } keystore_listen_prop:property_service set;
+
+# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
+allow init debugfs_bootreceiver_tracing:file w_file_perms;
+
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -hw_random_device
+ -keychord_device
+ -kvm_device
+ -port_device
+}:chr_file setattr;
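Review bot: The `setattr` grant over `dev_type` at the end of the hunk carves out hw_random_device, keychord_device, kvm_device and port_device, but the only comment is "chown/chmod on devices." — nothing says why those four are excluded or what guards them instead, so the next person touching the set has no way to tell whether an exclusion is load-bearing. A comment such as `# Excluded types keep their init-time ownership/mode; see their own neverallow rules.` (adjusted to the real reason) would help. The same applies to the uncommented `allow init self:global_capability2_class_set perfmon;` near the top of the hunk, which sits under a comment that only talks about perf_event_open on pre-hook kernels.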
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
index 96b7bc2..5acb262 100644
--- a/private/iorap_inode2filename.te
+++ b/private/iorap_inode2filename.te
@@ -1,6 +1,8 @@
typeattribute iorap_inode2filename coredomain;
# Grant access to open most of the files under /
+allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
+allow iorap_inode2filename apex_data_file:file { getattr };
allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
allow iorap_inode2filename dalvikcache_data_file:file { getattr };
allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 4c6c5aa..71749c0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -88,7 +88,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
@@ -128,6 +128,7 @@
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+ -sysfs_fs_incfs_features
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.
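Review bot: The new `-sysfs_fs_incfs_features` entry removes that sysfs type from the set denied to isolated_app, but unlike the neighbouring `-sysfs_usb` line it carries no explanation of why isolated apps need it, and the matching allow rule is not visible in this hunk. A trailing comment in the same style, e.g. `-sysfs_fs_incfs_features # needed for <reason>`, would make the carve-out reviewable. The enclosing neverallow block starts outside the hunk.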
diff --git a/private/kernel.te b/private/kernel.te
index 207800e..5341163 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,8 +1,33 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
+domain_auto_trans(kernel, snapuserd_exec, snapuserd)
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;
+
+# The following sections are for the transition period during a Virtual A/B
+# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
+# context, and with properly labelled devices. This must be done before
+# enabling enforcement, eg, in permissive mode while still in the kernel
+# context.
+allow kernel tmpfs:blk_file { getattr relabelfrom };
+allow kernel tmpfs:chr_file { getattr relabelfrom };
+allow kernel tmpfs:lnk_file { getattr relabelfrom };
+allow kernel tmpfs:dir { open read relabelfrom };
+
+allow kernel block_device:blk_file relabelto;
+allow kernel block_device:lnk_file relabelto;
+allow kernel dm_device:chr_file relabelto;
+allow kernel dm_device:blk_file relabelto;
+allow kernel dm_user_device:dir { read open search relabelto };
+allow kernel dm_user_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file relabelto;
+allow kernel null_device:chr_file relabelto;
+allow kernel random_device:chr_file relabelto;
+allow kernel snapuserd_exec:file relabelto;
+
+allow kernel kmsg_device:chr_file write;
+allow kernel gsid:fd use;
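Review bot: The last two rules, `allow kernel kmsg_device:chr_file write;` and `allow kernel gsid:fd use;`, are separated from the transition-period block by a blank line and have no comment, so it is unclear whether they are also part of the temporary snapuserd re-launch story or independent grants on the kernel domain. If they belong to the same transition, move them under that comment; if not, give them their own one-line rationale, since `kernel` is the most privileged domain and every rule on it should be explicit about why.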
diff --git a/private/keystore.te b/private/keystore.te
index 81b6dfb..3fccf59 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -8,6 +8,9 @@
# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)
+# talk to keymint
+hal_client_domain(keystore, hal_keymint)
+
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
@@ -16,3 +19,17 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
+
+# Allow keystore to register callbacks with statsd.
+allow keystore stats_service:service_manager find;
+binder_call(keystore, statsd);
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
+
+get_prop(keystore, keystore_listen_prop)
+
+# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# can call keystore methods on those references.
+allow keystore vold:binder transfer;
+allow keystore wait_for_keymaster:binder transfer;
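Review bot: `binder_call(keystore, statsd);` ends with a semicolon while `unix_socket_send(keystore, statsdw, statsd)` just above and the other macro calls in this hunk do not; the file should pick one style. The comment "Keystore need access to the keystore_key context files" should read "Keystore needs access …". `get_prop(keystore, keystore_listen_prop)` has no comment, and since init.te in this same change describes that property as keystore.boot_level, a one-liner like `# Read keystore.boot_level (set only by init).` would tie the two together.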
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
new file mode 100644
index 0000000..3833971
--- /dev/null
+++ b/private/keystore2_key_contexts
@@ -0,0 +1,28 @@
+# Keystore 2.0 key contexts.
+# This file defines Keystore 2.0 namespaces and maps them to labels.
+# Format:
+# <namespace> <label>
+#
+# <namespace> must be an integer in the interval [0 ... 2^31)
+# su_key is a keystore_key namespace for the su domain intended for native tests.
+0 u:object_r:su_key:s0
+
+# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+1 u:object_r:shell_key:s0
+
+# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
+100 u:object_r:vold_key:s0
+
+# odsign_key is a keystore2_key namespace for the on-device signing daemon.
+101 u:object_r:odsign_key:s0
+
+# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
+# namespace in keystore.
+102 u:object_r:wifi_key:s0
+
+# locksettings_key is a keystore2_key namespace for the LockSettingsService.
+103 u:object_r:locksettings_key:s0
+
+# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
+120 u:object_r:resume_on_reboot_key:s0
+
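Review bot: The su_key and shell_key entries are described as a "keystore_key namespace" while every other entry says "keystore2_key namespace", and keystore_keys.te in this change declares all of them with `keystore2_key_type`; the two comments should be aligned to `keystore2_key` so the file does not suggest two different key-namespace mechanisms. The file also ends with an empty line after the last entry.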
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
new file mode 100644
index 0000000..2f97608
--- /dev/null
+++ b/private/keystore_keys.te
@@ -0,0 +1,22 @@
+# Specify keystore2_key namespaces in this file.
+# Please keep the names in alphabetical order and comment each new entry.
+
+# A keystore2_key namespace for the shell domain. Mainly used for native tests.
+type shell_key, keystore2_key_type;
+
+# A keystore2 namespace for the su domain. Mainly used for native tests.
+type su_key, keystore2_key_type;
+
+# A keystore2 namespace for vold. Vold need special permission to handle
+# its own Keymint blobs.
+type vold_key, keystore2_key_type;
+
+# A keystore2 namespace for the on-device signing daemon.
+type odsign_key, keystore2_key_type;
+
+# A keystore2 namespace for LockSettingsService.
+type locksettings_key, keystore2_key_type;
+
+# A keystore2 namespace for resume on reboot.
+type resume_on_reboot_key, keystore2_key_type;
+
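Review bot: The header asks that names be kept in alphabetical order, but the entries are listed as shell, su, vold, odsign, locksettings, resume_on_reboot; alphabetical order would be locksettings, odsign, resume_on_reboot, shell, su, vold. The per-entry comments also alternate between "keystore2_key namespace" and "keystore2 namespace" — one wording, matching the type name, reads better. The file ends with a trailing blank line.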
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 414b39f..2688102 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -16,4 +16,12 @@
# Allow linkerconfig to scan for apex modules
allow linkerconfig apex_mnt_dir:dir r_dir_perms;
-neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
+# Allow linkerconfig to read apex-info-list.xml
+allow linkerconfig apex_info_file:file r_file_perms;
+
+# Allow linkerconfig to be called in the otapreopt_chroot
+allow linkerconfig otapreopt_chroot:fd use;
+allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
+allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
+
+neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/lmkd.te b/private/lmkd.te
index e51cddb..fef3a89 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -2,7 +2,10 @@
init_daemon_domain(lmkd)
+# Set sys.lmk.* properties.
+set_prop(lmkd, system_lmk_prop)
+
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
-neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
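Review bot: The new `set_prop(lmkd, system_lmk_prop)` has no neverallow counterpart, whereas lmkd_prop directly below is fenced with `neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;`. If sys.lmk.* is meant to be owned by lmkd in the same way, a matching `neverallow { domain -init -lmkd -vendor_init } system_lmk_prop:property_service set;` would enforce that; if other domains are expected to set it, a comment saying so would stop the next reader from asking. I cannot tell from this hunk which is intended.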
diff --git a/private/logd.te b/private/logd.te
index ca92e20..7112c4f 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -2,6 +2,9 @@
init_daemon_domain(logd)
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
neverallow logd {
diff --git a/private/logpersist.te b/private/logpersist.te
index ac324df..ab2c9c6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,6 +4,7 @@
userdebug_or_eng(`
r_dir_file(logpersist, cgroup)
+ r_dir_file(logpersist, cgroup_v2)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 3bcd761..9f5f87e 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -16,12 +16,7 @@
# Allow lpdumpd to read fstab.
allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
-
-# Triggered when lpdumpd tries to read default fstab.
-dontaudit lpdumpd metadata_file:dir r_dir_perms;
-dontaudit lpdumpd metadata_file:file r_file_perms;
-dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
-dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
+read_fstab(lpdumpd)
### Neverallow rules
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 2e654d6..7bcf5c8 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -5,3 +5,6 @@
allow mediaextractor appdomain_tmpfs:file { getattr map read write };
allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
allow mediaextractor system_server_tmpfs:file { getattr map read write };
+
+get_prop(mediaextractor, device_config_media_native_prop)
+get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/private/mediametrics.te b/private/mediametrics.te
index f8b2fa5..5a6f2e1 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -1,3 +1,8 @@
typeattribute mediametrics coredomain;
init_daemon_domain(mediametrics)
+
+# Needed for stats callback registration to statsd.
+allow mediametrics stats_service:service_manager find;
+allow mediametrics statsmanager_service:service_manager find;
+binder_call(mediametrics, statsd)
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 249fee1..78bbdb0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -24,6 +24,7 @@
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider cameraserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
allow mediaprovider mediaextractor_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
@@ -40,5 +41,8 @@
allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
# MtpServer sets sys.usb.ffs.mtp.ready
-set_prop(mediaprovider, ffs_prop)
-set_prop(mediaprovider, exported_ffs_prop)
+get_prop(mediaprovider, ffs_config_prop)
+set_prop(mediaprovider, ffs_control_prop)
+
+# DownloadManager may retrieve DRM status
+get_prop(mediaprovider, drm_service_config_prop)
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 335c1b6..0e4a50e 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -6,7 +6,7 @@
app_domain(mediaprovider_app)
# Access to /mnt/pass_through.
-allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
+r_dir_file(mediaprovider_app, mnt_pass_through_file)
# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
@@ -27,6 +27,10 @@
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
+# Talk to statsd
+allow mediaprovider_app statsmanager_service:service_manager find;
+binder_call(mediaprovider_app, statsd)
+
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
@@ -39,7 +43,14 @@
FS_IOC_SETFLAGS
};
+# Access external sdcards through /mnt/media_rw
+allow mediaprovider_app { mnt_media_rw_file }:dir search;
+
allow mediaprovider_app proc_filesystems:file r_file_perms;
#Allow MediaProvider to see if sdcardfs is in use
get_prop(mediaprovider_app, storage_config_prop)
+
+get_prop(mediaprovider_app, drm_service_config_prop)
+
+allow mediaprovider_app gpu_device:dir search;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index c55e54a..7fb8029 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -11,4 +11,7 @@
hal_client_domain(mediaserver, hal_omx)
hal_client_domain(mediaserver, hal_codec2)
-allow mediaserver mediatranscoding_service:service_manager find;
+set_prop(mediaserver, audio_prop)
+
+get_prop(mediaserver, drm_service_config_prop)
+get_prop(mediaserver, media_config_prop)
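Review bot: `set_prop(mediaserver, audio_prop)` is a write grant on a property namespace and has no comment, unlike the get_prop lines and the hal_client_domain block above it. A one-line comment naming which property mediaserver sets and why this daemon rather than audioserver owns that write would make the grant reviewable later.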
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
index 50f5698..02079c1 100644
--- a/private/mediaswcodec.te
+++ b/private/mediaswcodec.te
@@ -2,3 +2,5 @@
init_daemon_domain(mediaswcodec)
+get_prop(mediaswcodec, device_config_media_native_prop)
+get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index e0ad84c..2a43cf9 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -1,3 +1,64 @@
+# mediatranscoding - daemon for transcoding video and image.
+type mediatranscoding, domain;
+type mediatranscoding_exec, system_file_type, exec_type, file_type;
+type mediatranscoding_tmpfs, file_type;
typeattribute mediatranscoding coredomain;
init_daemon_domain(mediatranscoding)
+tmpfs_domain(mediatranscoding)
+allow mediatranscoding appdomain_tmpfs:file { getattr map read write };
+
+binder_use(mediatranscoding)
+binder_call(mediatranscoding, binderservicedomain)
+binder_call(mediatranscoding, appdomain)
+binder_service(mediatranscoding)
+
+add_service(mediatranscoding, mediatranscoding_service)
+
+hal_client_domain(mediatranscoding, hal_graphics_allocator)
+hal_client_domain(mediatranscoding, hal_configstore)
+hal_client_domain(mediatranscoding, hal_omx)
+hal_client_domain(mediatranscoding, hal_codec2)
+
+allow mediatranscoding mediaserver_service:service_manager find;
+allow mediatranscoding mediametrics_service:service_manager find;
+allow mediatranscoding mediaextractor_service:service_manager find;
+allow mediatranscoding package_native_service:service_manager find;
+allow mediatranscoding thermal_service:service_manager find;
+
+allow mediatranscoding system_server:fd use;
+allow mediatranscoding activity_service:service_manager find;
+
+# allow mediatranscoding service read/write permissions for file sources
+allow mediatranscoding sdcardfs:file { getattr read write };
+allow mediatranscoding media_rw_data_file:file { getattr read write };
+allow mediatranscoding apk_data_file:file { getattr read };
+allow mediatranscoding app_data_file:file { getattr read write };
+allow mediatranscoding shell_data_file:file { getattr read write };
+
+# allow mediatranscoding service write permission to statsd socket
+unix_socket_send(mediatranscoding, statsdw, statsd)
+
+# Allow mediatranscoding to access the DMA-BUF system heap
+allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow mediatranscoding gpu_device:dir search;
+
+# Allow mediatranscoding service to access media-related system properties
+get_prop(mediatranscoding, media_config_prop)
+
+# mediatranscoding should never execute any executable without a
+# domain transition
+neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
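Review bot: The file-source rules under "allow mediatranscoding service read/write permissions for file sources" grant `{ getattr read write }` on app_data_file, shell_data_file, media_rw_data_file and sdcardfs but deliberately omit `open`; that omission is what bounds the rule to descriptors handed in by callers, and it deserves to be stated, e.g. `# No open permission on purpose: clients pass already-open fds.` (presumably that is the design — confirm). `allow mediatranscoding system_server:fd use;` and the activity_service find are also uncommented while everything else in the block is.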
diff --git a/private/mediatuner.te b/private/mediatuner.te
new file mode 100644
index 0000000..413d2e5
--- /dev/null
+++ b/private/mediatuner.te
@@ -0,0 +1,30 @@
+# mediatuner - mediatuner daemon
+type mediatuner, domain;
+type mediatuner_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediatuner coredomain;
+
+init_daemon_domain(mediatuner)
+hal_client_domain(mediatuner, hal_tv_tuner)
+
+binder_use(mediatuner)
+binder_call(mediatuner, appdomain)
+binder_service(mediatuner)
+
+add_service(mediatuner, mediatuner_service)
+allow mediatuner system_server:fd use;
+allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
+allow mediatuner package_native_service:service_manager find;
+binder_call(mediatuner, system_server)
+
+###
+### neverallow rules
+###
+
+# mediatuner should never execute any executable without a
+# domain transition
+neverallow mediatuner { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
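Review bot: The neverallow section only forbids privileged socket ioctls (`neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;`), whereas mediatranscoding.te in this same change forbids those socket classes outright with the media-stack hardening rationale. If mediatuner has no need for network sockets, the same `neverallow mediatuner domain:{ tcp_socket udp_socket rawip_socket } *;` would be the stronger and consistent choice; if it does need them, a comment explaining the difference from the other media daemons belongs here. The file also ends with an extra blank line.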
diff --git a/private/mls b/private/mls
index 08d4e1f..955c27b 100644
--- a/private/mls
+++ b/private/mls
@@ -48,20 +48,28 @@
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
+# Userfaultfd constraints
+#
+# To enforce that anonymous inodes are self contained in the application's process.
+mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
+ (l1 eq l2);
+
+#
# Constraints for app data files only.
#
-# Only constrain open, not read/write.
+# Only constrain open, not read/write, so already open fds can be used.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
- ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
+ (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
- ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-# For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
+ ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+
+# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
-# For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
+ ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
+# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
@@ -73,18 +81,19 @@
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+ or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
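Review bot: The new `or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) )` clause in the dir read constraint is the only exception in these constraints without a comment; every other carve-out (trusted subject/object, app data types) is explained just above it. A short note of the form `# mlsvendorcompat: vendor domains that still need cross-level read access to these two types — <reason>` would record why MLS dominance is relaxed here. I cannot tell from the hunk which vendor domains carry the attribute.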
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
new file mode 100644
index 0000000..22482d9
--- /dev/null
+++ b/private/mlstrustedsubject.te
@@ -0,0 +1,30 @@
+# MLS override can't be used to access private app data.
+
+# Apps should not normally be mlstrustedsubject, but if they must be
+# they cannot use this to access app private data files; their own app
+# data files must use a different label.
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:dir ~{ read getattr search };
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+ -system_server
+ -adbd
+ -runas
+ -zygote
+} { app_data_file privapp_data_file }:dir { read getattr search };
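Review bot: The three neverallow rules repeat the same exclusion list, and the third adds system_server, adbd, runas and zygote, with no comment saying why any of them is allowed to bypass the MLS override restriction; the file header only explains the rule for apps. A one-line comment per group, e.g. above the lists `# installd and the iorap daemons operate on app data on behalf of apps (confirm per domain).`, would document the exceptions that actually weaken this protection. Duplicating the list three times also means future edits can drift apart.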
diff --git a/private/mm_events.te b/private/mm_events.te
new file mode 100644
index 0000000..4875d40
--- /dev/null
+++ b/private/mm_events.te
@@ -0,0 +1,14 @@
+type mm_events, domain, coredomain;
+type mm_events_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mm_events)
+
+allow mm_events shell_exec:file rx_file_perms;
+
+# Allow running the sleep command to rate limit attempts
+# to arm mm_events on failure.
+allow mm_events toolbox_exec:file rx_file_perms;
+
+allow mm_events perfetto_exec:file rx_file_perms;
+
+domain_auto_trans(mm_events, perfetto_exec, perfetto)
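Review bot: `allow mm_events shell_exec:file rx_file_perms;` is uncommented while the toolbox_exec grant right below explains itself; since executing a shell from a system daemon is what reviewers will question first, a comment like `# mm_events is a shell script; see <script location>` (or whatever the real reason is) belongs there. `allow mm_events perfetto_exec:file rx_file_perms;` together with `domain_auto_trans(mm_events, perfetto_exec, perfetto)` looks at least partly redundant, as the transition macro already grants the execute permissions it needs — worth confirming which extra permissions the explicit rule is meant to add.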
diff --git a/private/netd.te b/private/netd.te
index 41473b7..670a4bf 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -17,7 +17,13 @@
# TODO: Remove this permission when 4.9 kernel is deprecated.
allow netd self:key_socket create;
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
+get_prop(netd, adbd_config_prop)
get_prop(netd, bpf_progs_loaded_prop)
+get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
# Allow netd to write to statsd.
unix_socket_send(netd, statsdw, statsd)
@@ -28,3 +34,11 @@
# Allow netd to send dump info to dumpstate
allow netd dumpstate:fd use;
allow netd dumpstate:fifo_file { getattr write };
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
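Review bot: The comment says the RFC 7217 secret "should never be leaked to other processes", but the read neverallow exempts dumpstate alongside netd and init. If that exemption exists so bugreports can dump properties, the comment should say so and, more importantly, whether the value is redacted on that path; if dumpstate does not actually need it, dropping `-dumpstate` makes the rule match the comment. Something like `# dumpstate is exempt for <reason>; the value is <redacted/not included> in bugreports.` would close the gap.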
diff --git a/private/network_stack.te b/private/network_stack.te
index 1295a07..09a98b5 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,5 @@
# Networking service app
-typeattribute network_stack coredomain;
+typeattribute network_stack coredomain, mlstrustedsubject;
app_domain(network_stack);
net_domain(network_stack);
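Review bot: Adding `mlstrustedsubject` to network_stack is a broad change — it lets the app bypass MLS level checks across users — and the new line carries no comment explaining which cross-user access requires it; the same uncommented addition appears in the nfc.te hunk of this change. A comment such as `# mlstrustedsubject: needed to <reason> across user levels.` on both lines would let later readers judge whether the attribute is still required, especially now that mlstrustedsubject.te adds neverallows constraining what the attribute may be used for.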
@@ -23,12 +23,24 @@
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
+allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
+allow network_stack system_config_service:service_manager find;
allow network_stack radio_data_file:dir create_dir_perms;
allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit network_stack self:key_socket getopt;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
+
# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
############### Tethering Service app - Tethering.apk ##############
@@ -36,3 +48,15 @@
# Create and share netlink_netfilter_sockets for tetheroffload.
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
+# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
+allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack bpfloader:bpf { map_read map_write prog_run };
+
+# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# Unfortunately init/vendor_init have all sorts of extra privs
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/private/nfc.te b/private/nfc.te
index 2e48eef..f1a08f7 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,5 +1,5 @@
# nfc subsystem
-typeattribute nfc coredomain;
+typeattribute nfc coredomain, mlstrustedsubject;
app_domain(nfc)
net_domain(nfc)
@@ -11,6 +11,8 @@
# Data file accesses.
allow nfc nfc_data_file:dir create_dir_perms;
allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+allow nfc nfc_logs_data_file:dir rw_dir_perms;
+allow nfc nfc_logs_data_file:file create_file_perms;
# SoundPool loading and playback
allow nfc audioserver_service:service_manager find;
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
deleted file mode 100644
index ef1fd4f..0000000
--- a/private/notify_traceur.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type notify_traceur, domain, coredomain;
-type notify_traceur_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(notify_traceur);
-binder_use(notify_traceur);
-
-# This is to execute am
-allow notify_traceur activity_service:service_manager find;
-allow notify_traceur shell_exec:file rx_file_perms;
-allow notify_traceur system_file:file rx_file_perms;
-
-binder_call(notify_traceur, system_server);
diff --git a/private/odrefresh.te b/private/odrefresh.te
new file mode 100644
index 0000000..3ea8ad2
--- /dev/null
+++ b/private/odrefresh.te
@@ -0,0 +1,50 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+
+# Allow odrefresh to create files and directories for on device signing.
+allow odrefresh apex_module_data_file:dir { getattr search };
+allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow odrefresh apex_art_data_file:file create_file_perms;
+
+# Allow odrefresh to create data files (typically for metrics before statsd starts).
+allow odrefresh odrefresh_data_file:dir create_dir_perms;
+allow odrefresh odrefresh_data_file:file create_file_perms;
+
+userfaultfd_use(odrefresh)
+
+# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
+# sets up files here and passes file descriptors for dex2oat to write to.
+allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow odrefresh apex_art_staging_data_file:file create_file_perms;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow odrefresh odsign_devpts:chr_file { read write };
+allow odrefresh odsign:fd use;
+
+# Do not audit unused resources from parent processes (adb, shell, su).
+# These appear to be unnecessary for odrefresh.
+dontaudit odrefresh { adbd shell }:fd use;
+dontaudit odrefresh devpts:chr_file rw_file_perms;
+dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
+
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
+
+# No processes other than init, odrefresh and system_server access
+# odrefresh_data_files.
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
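Review bot: The comment "No other processes should be creating files in the staging area" is not what the rule below it enforces: `neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;` constrains only `open`, so a domain could still `create` there. Either extend it to `neverallow { domain -init -odrefresh } apex_art_staging_data_file:file { create open };` if no other domain is expected to create (dex2oat writes through passed fds per the comment above, so it should not need either), or reword the comment to say "opening". I cannot see from the hunk whether any other domain legitimately creates there.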
diff --git a/private/odsign.te b/private/odsign.te
new file mode 100644
index 0000000..0ff3b7b
--- /dev/null
+++ b/private/odsign.te
@@ -0,0 +1,59 @@
+# odsign - on-device signing.
+type odsign, domain;
+
+# odsign - Binary for signing ART artifacts.
+typeattribute odsign coredomain;
+
+type odsign_exec, exec_type, file_type, system_file_type;
+
+# Allow init to start odsign
+init_daemon_domain(odsign)
+
+# Allow using persistent storage in /data/odsign
+allow odsign odsign_data_file:dir create_dir_perms;
+allow odsign odsign_data_file:file create_file_perms;
+
+# Create and use pty created by android_fork_execvp().
+create_pty(odsign)
+
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
+allowxperm odsign apex_art_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
+};
+
+# talk to binder services (for keystore)
+binder_use(odsign);
+
+# talk to keystore specifically
+use_keystore(odsign);
+
+# Use our dedicated keystore key
+allow odsign odsign_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ use
+};
+
+# talk to keymaster
+hal_client_domain(odsign, hal_keymaster)
+
+# For ART apex data dir access
+allow odsign apex_module_data_file:dir { getattr search };
+
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:file { rw_file_perms unlink };
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(odsign, odrefresh_exec, odrefresh)
+
+# Run fsverity_init to add key to fsverity keyring
+domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+
+# only odsign can set odsign sysprop
+set_prop(odsign, odsign_prop)
+neverallow { domain -odsign -init } odsign_prop:property_service set;
+
+# Neverallows
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
+neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
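Review bot: The comment above the `allowxperm` block names only FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY, but the ioctl list it introduces also grants FS_IOC_GETFLAGS, so comment and rule no longer agree; suggest `# FS_IOC_ENABLE_VERITY, FS_IOC_MEASURE_VERITY and FS_IOC_GETFLAGS on ART data files (the ioctl permission itself comes from rw_file_perms below)`. The `delete`/`rebind` grants on `odsign_key` together with `unlink` on `apex_art_data_file` mean a compromised odsign can both discard signed artifacts and replace the signing key, so a one-line comment on why `delete` and `rebind` are needed (presumably key regeneration when the stored key fails verification — confirm) would keep that reviewable. The two `odsign_data_file` neverallows exempt `fsverity_init` without the comment saying why; if the fsverity key is stored there, say so: `# fsverity_init reads the public key kept in /data/odsign`.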
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index e2bc33e..ea9d4ee 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,10 +1,18 @@
# otapreopt_chroot executable
-type otapreopt_chroot, domain, coredomain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+typeattribute otapreopt_chroot coredomain;
+type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot apex_mnt_dir:dir mounton;
+allow otapreopt_chroot device:dir mounton;
+allow otapreopt_chroot linkerconfig_file:dir mounton;
+allow otapreopt_chroot rootfs:dir mounton;
+allow otapreopt_chroot sysfs:dir mounton;
+allow otapreopt_chroot system_data_root_file:dir mounton;
+allow otapreopt_chroot system_file:dir mounton;
+allow otapreopt_chroot vendor_file:dir mounton;
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
# This is required to mount /vendor and mount/unmount ext4 images from
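Review bot: The eight new `mounton` rules (apex_mnt_dir, device, linkerconfig_file, rootfs, sysfs, system_data_root_file, system_file, vendor_file) are added without a comment, while the comment above them still only says "then mount /data". Combined with the existing `sys_admin` and `sys_chroot` capabilities this lets the domain mount over most of the live filesystem tree, so the intent deserves stating; presumably these are bind mounts performed inside the unshared namespace to populate the /postinstall chroot with the new image's /dev, /sys, /apex, /system, /vendor and linker configuration — confirm against the otapreopt_chroot source. Suggested comment above the block: `# Bind-mount /dev, /sys, /apex, /system, /vendor, /data and linkerconfig from the new image into the chroot; all of this happens in the unshared mount namespace only.`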
@@ -35,13 +43,20 @@
allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
+domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
+
+# Allow otapreopt_chroot to control linkerconfig
+allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
+allow otapreopt_chroot linkerconfig_file:file create_file_perms;
# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
# Allow otapreopt_chroot to access loop devices.
allow otapreopt_chroot loop_device:blk_file rw_file_perms;
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_CONFIGURE
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
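Review bot: `domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)` lets this domain spawn a process in the apexd domain, the most privileged of the three transitions added here, and unlike the surrounding rules it carries no comment saying why. Because the binary executed is whatever inside the chroot is labeled `apexd_exec`, the note should say that this is the new image's apexd run in its chroot bootstrap mode and that its only job there is mounting APEXes under /postinstall/apex — confirm. Suggest `# Run the new image's apexd (chroot bootstrap mode) and linkerconfig in their own domains` above the two new transitions. The `LOOP_CONFIGURE` addition is consistent with the existing LOOP_SET_FD/LOOP_SET_STATUS64 pair and looks fine.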
@@ -63,6 +78,7 @@
# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
+allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
@@ -72,3 +88,11 @@
# Allow to access the linker through the symlink.
allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
+
+# Allow otapreopt_chroot to read ro.cold_boot_done prop.
+# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
+# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
+get_prop(otapreopt_chroot, cold_boot_done_prop)
+
+# allow otapreopt_chroot to run the linkerconfig from the new image.
+allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
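Review bot: `allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;` overlaps the `domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)` added earlier in this file, and because AOSP's `rx_file_perms` includes `execute_no_trans` it also permits running linkerconfig without leaving the otapreopt_chroot domain, which defeats the sandboxing the transition is meant to provide. The transition macro normally grants read/execute/map on the exec type itself, so this line can likely be dropped; if something genuinely only needs to read or map the binary, `r_file_perms` is the narrower choice. The TODO comment above also has a typo: `indefinetelly` should be `indefinitely`.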
diff --git a/private/perfetto.te b/private/perfetto.te
index 0161361..f9693da 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
@@ -24,11 +24,16 @@
binder_call(perfetto, system_server)
allow perfetto dropbox_service:service_manager find;
-# Allow perfetto to read the trace config from statsd and shell
+# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
+# shell and adb can write files into that directory.
+allow perfetto perfetto_configs_data_file:dir r_dir_perms;
+allow perfetto perfetto_configs_data_file:file r_file_perms;
+
+# Allow perfetto to read the trace config from statsd, mm_events and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
-allow perfetto { statsd shell su }:fd use;
-allow perfetto { statsd shell su }:fifo_file { getattr read write };
+allow perfetto { statsd mm_events shell su }:fd use;
+allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
@@ -82,6 +87,7 @@
-vendor_data_file
-zoneinfo_data_file
-perfetto_traces_data_file
+ -perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
@@ -91,5 +97,6 @@
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
+ -perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
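Review bot: Exempting `perfetto_configs_data_file` from both the dir `*` and the file `~write` neverallows removes the only visible guard that keeps perfetto a read-only consumer of a directory that, per the comment in the earlier hunk, shell and adb can write into. The allow rules added are `r_dir_perms`/`r_file_perms` only, so current behaviour is fine, but nothing now stops a later "fix the denial" change from granting write there. Consider pinning the intent with `neverallow perfetto perfetto_configs_data_file:file { write append create unlink };` unless a broader neverallow elsewhere in this file already covers it.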
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 41185e3..5f81875 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -5,35 +5,18 @@
app_domain(permissioncontroller_app)
+allow permissioncontroller_app app_api_service:service_manager find;
+allow permissioncontroller_app system_api_service:service_manager find;
+
# Allow interaction with gpuservice
binder_call(permissioncontroller_app, gpuservice)
-allow permissioncontroller_app gpu_service:service_manager find;
-# Allow interaction with role_service
-allow permissioncontroller_app role_service:service_manager find;
-
-# Allow interaction with usagestats_service
-allow permissioncontroller_app usagestats_service:service_manager find;
-
-# Allow interaction with activity_service
-allow permissioncontroller_app activity_service:service_manager find;
-
-allow permissioncontroller_app activity_task_service:service_manager find;
-allow permissioncontroller_app audio_service:service_manager find;
-allow permissioncontroller_app autofill_service:service_manager find;
-allow permissioncontroller_app content_capture_service:service_manager find;
-allow permissioncontroller_app device_policy_service:service_manager find;
-allow permissioncontroller_app incidentcompanion_service:service_manager find;
-allow permissioncontroller_app IProxyService_service:service_manager find;
-allow permissioncontroller_app location_service:service_manager find;
-allow permissioncontroller_app media_session_service:service_manager find;
allow permissioncontroller_app radio_service:service_manager find;
-allow permissioncontroller_app surfaceflinger_service:service_manager find;
-allow permissioncontroller_app telecom_service:service_manager find;
-allow permissioncontroller_app trust_service:service_manager find;
# Allow the app to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow permissioncontroller_app incident_service:service_manager find;
binder_call(permissioncontroller_app, incidentd)
allow permissioncontroller_app incidentd:fifo_file { read write };
+
+allow permissioncontroller_app gpu_device:dir search;
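Review bot: Replacing the enumerated `service_manager find` rules with `app_api_service` and `system_api_service` widens what the permission controller can look up from a fixed list to every service carrying those attributes, and the hunk leaves no comment recording that this is intended. A line such as `# Same @SystemApi/public service surface as platform_app; individual finds are no longer enumerated` would keep the rationale reviewable. The `binder_call(permissioncontroller_app, gpuservice)` under "Allow interaction with gpuservice" now stands alone after its `gpu_service` find was removed, which only works if `gpu_service` carries one of the two attributes — worth confirming; and the trailing `gpu_device:dir search` should get a comment saying what under /dev is being looked up.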
diff --git a/private/platform_app.te b/private/platform_app.te
index 3beec38..a112081 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -66,12 +66,8 @@
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
-allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
-# Allow platform apps to interact with gpuservice
-binder_call(platform_app, gpuservice)
-
# Allow platform apps to log via statsd.
binder_call(platform_app, statsd)
@@ -91,9 +87,18 @@
# allow platform apps to connect to the property service
set_prop(platform_app, test_boot_reason_prop)
+# allow platform apps to read keyguard.no_require_sim
+get_prop(platform_app, keyguard_config_prop)
+
+# allow platform apps to read qemu.hw.mainkeys
+get_prop(platform_app, qemu_hw_prop)
+
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
+# suppress denials caused by debugfs_tracing
+dontaudit platform_app debugfs_tracing:file rw_file_perms;
+
###
### Neverallow rules
###
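Review bot: `dontaudit platform_app debugfs_tracing:file rw_file_perms;` silences both read and write attempts on tracefs from every platform app, but the comment does not say which component produces the denials or why they are harmless. A dontaudit grants nothing, yet masking write attempts on tracefs from an app domain means a genuinely misbehaving app would no longer show up in the audit log; consider narrowing to the permissions actually observed (for example `{ read open }` if that is what was logged — confirm) and naming the source: `# suppress harmless denials from <component> probing tracefs`.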
diff --git a/private/postinstall.te b/private/postinstall.te
index 363e362..7060c59 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -1,3 +1,5 @@
typeattribute postinstall coredomain;
-
+type postinstall_exec, system_file_type, exec_type, file_type;
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
+allow postinstall rootfs:dir r_dir_perms;
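Review bot: `allow postinstall rootfs:dir r_dir_perms;` is added without a comment, unlike the transition above it; presumably postinstall needs to traverse / to reach /postinstall before handing off to otapreopt_chroot — confirm. Suggest `# Allow postinstall to search / (rootfs) to reach /postinstall`, and note that `r_dir_perms` (read, getattr, search, open) is more than `search` alone if plain path traversal is all that is needed.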
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index fd370c2..94af043 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -3,7 +3,9 @@
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
-type postinstall_dexopt, domain, coredomain;
+type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
+type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
+type postinstall_dexopt_tmpfs, file_type;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
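Review bot: Adding `mlstrustedsubject` to `postinstall_dexopt` exempts the domain from MLS constraints, which on Android is what lets a process reach per-user app data across user levels, and the hunk does not say why that is now required; presumably it is for reading per-user profiles under `user_profile_root_file`, granted later in this file — confirm. Suggest a comment on the type line: `# mlstrustedsubject: reads per-user profile data for all users during OTA dexopt`. The new `postinstall_dexopt_tmpfs` type is declared here and wired up by `tmpfs_domain()` in the next hunk, which is consistent as long as that macro no longer declares the type itself.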
@@ -14,12 +16,20 @@
# with the `postinstall_file` type by update_engine.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+# Run derive_classpath to get the current BCP.
+domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
+# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
+tmpfs_domain(postinstall_dexopt);
+allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
+
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt rootfs:file r_file_perms;
+
allow postinstall_dexopt tmpfs:file read;
# Allow access to /postinstall/apex.
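Review bot: `tmpfs_domain(postinstall_dexopt);` carries a trailing semicolon while the other macro invocations in this file (`domain_auto_trans(...)` just above) do not; drop it for consistency, `tmpfs_domain(postinstall_dexopt)`. The comment says the tempfile is for derive_classpath to write into, but the write side has to live in the derive_classpath domain and is not part of this change; a pointer such as `# (derive_classpath's write on this tmpfs via the inherited fd is granted in its own policy)` would help, if that is indeed where it lives — confirm. `allow postinstall_dexopt rootfs:file r_file_perms;` also lacks a comment saying which file under / it reads.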
@@ -38,7 +48,7 @@
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
diff --git a/private/priv_app.te b/private/priv_app.te
index 44c81ee..63a9cbf 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -25,6 +25,10 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
allow priv_app privapp_data_file:lnk_file create_file_perms;
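Review bot: `allow priv_app system_linker_exec:file execute_no_trans;` lets any priv_app invoke the dynamic linker directly (`/system/bin/linker64 <elf>`), which runs an arbitrary ELF in the priv_app domain without that file needing to be an entrypoint, and the comment should spell out what still bounds this. The linker maps the target with PROT_EXEC, so `file:execute` on the target's label is still checked, which is why the existing "no code loading from non-privileged app home directories" neverallow later in this file keeps holding — worth stating so a future reader does not loosen that neverallow thinking the linker rule already made it moot. Suggest appending: `# The target ELF is still subject to file:execute checks on its own label, so this does not bypass the code-loading neverallows below.` (confirm the mmap check before committing the wording).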
# Priv apps can find services that expose both @SystemAPI and normal APIs.
@@ -38,6 +42,7 @@
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediametrics_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
+allow priv_app music_recognition_service:service_manager find;
allow priv_app network_watchlist_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
@@ -46,10 +51,6 @@
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
-# Allow privileged apps to interact with gpuservice
-binder_call(priv_app, gpuservice)
-allow priv_app gpu_service:service_manager find;
-
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
@@ -68,6 +69,21 @@
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
+# Allow betterbug to read profile reports generated by profcollect.
+userdebug_or_eng(`
+ allow priv_app profcollectd_data_file:file r_file_perms;
+')
+
+# Allow the bug reporting frontend to read the presence and timestamp of the
+# trace attached to the bugreport (but not its contents, which will go in the
+# usual bugreport .zip file). This is used by the bug reporting UI to tell if
+# the bugreport will contain a system trace or not while the bugreport is still
+# in progress.
+allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
+allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
+# Required to traverse the parent dir (/data/misc/perfetto-traces).
+allow priv_app perfetto_traces_data_file:dir { search };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
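Review bot: The `perfetto_traces_bugreport_data_file` rules (`dir r_dir_perms`, `file getattr`, plus `search` on the parent) are granted to every priv_app, not just the bug-reporting frontend the comment names, so any priv app can now enumerate trace file names and sizes under the bugreport subdirectory of /data/misc/perfetto-traces (per the type name). Contents stay unreadable only because `read`/`open` are not granted; pin that so it cannot be widened by accident: `neverallow priv_app perfetto_traces_bugreport_data_file:file { open read };` (skip if a broader neverallow elsewhere already covers it). The comment could also note the broadening: `# Granted to all priv_apps; metadata only, never contents.`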
@@ -138,8 +154,7 @@
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app wifi_prop:file read;
-dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
+dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@@ -147,8 +162,13 @@
connect getattr read recvfrom sendto write getopt setopt };
# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, and fill missing blocks in the apk
-allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+# the Incremental File System, fill missing blocks and get the app status and loading progress
+allowxperm priv_app apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+ INCFS_IOCTL_GET_FILLED_BLOCKS
+};
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
allow priv_app incremental_control_file:file { read getattr ioctl };
@@ -157,9 +177,17 @@
# on the Incremental File System.
allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
+# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
+get_prop(priv_app, incremental_prop)
+
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
+# Required for Phonesky to be able to read staged files under /data/app-staging.
+allow priv_app staging_data_file:dir r_dir_perms;
+
+# allow priv app to access the system app data files for ContentProvider case.
+allow priv_app system_app_data_file:file { read getattr };
###
### neverallow rules
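Review bot: `allow priv_app system_app_data_file:file { read getattr };` deliberately omits `open`, which is what confines it to file descriptors a system app hands over through a ContentProvider rather than letting priv apps open system-app data by path, but the comment does not say that and a later "fix the denial" change could add `open`. Suggest `# Allow priv apps to read system app data files handed over as fds via ContentProvider. 'open' is intentionally not granted so the file must come from the system app.` The `staging_data_file:dir r_dir_perms` line above it likewise names Phonesky while applying to all priv_apps; worth saying the domain is shared.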
@@ -171,6 +199,9 @@
# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;
+# Read or write kernel printk buffer
+neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
+
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs:file read;
@@ -211,6 +242,7 @@
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
diff --git a/private/profcollectd.te b/private/profcollectd.te
new file mode 100644
index 0000000..efde321
--- /dev/null
+++ b/private/profcollectd.te
@@ -0,0 +1,61 @@
+# profcollectd - hardware profile collection daemon
+type profcollectd, domain, coredomain, mlstrustedsubject;
+type profcollectd_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(profcollectd)
+
+ # profcollectd opens a file for writing in /data/misc/profcollectd.
+ allow profcollectd profcollectd_data_file:file create_file_perms;
+ allow profcollectd profcollectd_data_file:dir create_dir_perms;
+
+ # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
+ allow profcollectd self:perf_event { cpu kernel open read write };
+
+ # Allow profcollectd to scan through /proc/pid for all processes.
+ r_dir_file(profcollectd, domain)
+
+ # Allow profcollectd to read executable binaries.
+ allow profcollectd system_file_type:file r_file_perms;
+ allow profcollectd vendor_file_type:file r_file_perms;
+
+ # Allow profcollectd to search for and read kernel modules.
+ allow profcollectd vendor_file:dir r_dir_perms;
+ allow profcollectd vendor_kernel_modules:file r_file_perms;
+
+ # Allow profcollectd to read system bootstrap libs.
+ allow profcollectd system_bootstrap_lib_file:dir search;
+ allow profcollectd system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow profcollectd to access tracefs.
+ allow profcollectd debugfs_tracing:dir r_dir_perms;
+ allow profcollectd debugfs_tracing:file rw_file_perms;
+ allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
+ allow profcollectd debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow profcollectd to write to perf_event_paranoid under /proc.
+ allow profcollectd proc_perf:file write;
+
+ # Allow profcollectd to access cs_etm sysfs.
+ r_dir_file(profcollectd, sysfs_devices_cs_etm)
+
+ # Allow profcollectd to ptrace.
+ allow profcollectd self:global_capability_class_set sys_ptrace;
+
+ # Allow profcollectd to read its system properties.
+ get_prop(profcollectd, device_config_profcollect_native_boot_prop)
+ set_prop(profcollectd, profcollectd_node_id_prop)
+
+ # Allow profcollectd to publish a binder service and make binder calls.
+ binder_use(profcollectd)
+ add_service(profcollectd, profcollectd_service)
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(profcollectd, lower_kptr_restrict_prop)
+ allow profcollectd proc_kallsyms:file r_file_perms;
+ allow profcollectd proc_modules:file r_file_perms;
+
+ # Allow profcollectd to read kernel build id.
+ allow profcollectd sysfs_kernel_notes:file r_file_perms;
+')
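Review bot: `allow profcollectd proc_perf:file write;` and the `lower_kptr_restrict_prop` set both change system-wide kernel knobs (perf_event_paranoid, kptr_restrict), and the comments do not say whether the daemon restores them after a collection; if it does not, every process on a userdebug build is left with relaxed perf and kptr restrictions. Suggest stating the lifetime next to each rule, e.g. `# perf_event_paranoid is lowered only for the duration of a collection and restored afterwards` — confirm against the daemon. Since the domain already holds `self:perf_event { cpu kernel open read write }`, on kernels enforcing the perf_event LSM hooks the paranoid write may be unnecessary and could be dropped after checking. The `mlstrustedsubject` attribute on the type line is also unexplained; `r_dir_file(profcollectd, domain)` over every domain's /proc/pid entries is presumably what needs it — confirm.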
diff --git a/private/property.te b/private/property.te
new file mode 100644
index 0000000..267ff85
--- /dev/null
+++ b/private/property.te
@@ -0,0 +1,603 @@
+# Properties used only in /system
+system_internal_prop(adbd_prop)
+system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_statsd_native_prop)
+system_internal_prop(device_config_statsd_native_boot_prop)
+system_internal_prop(device_config_storage_native_boot_prop)
+system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(device_config_window_manager_native_boot_prop)
+system_internal_prop(device_config_configuration_prop)
+system_internal_prop(device_config_connectivity_prop)
+system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(fastbootd_protocol_prop)
+system_internal_prop(gsid_prop)
+system_internal_prop(init_perf_lsm_hooks_prop)
+system_internal_prop(init_service_status_private_prop)
+system_internal_prop(init_svc_debug_prop)
+system_internal_prop(keystore_listen_prop)
+system_internal_prop(last_boot_reason_prop)
+system_internal_prop(localization_prop)
+system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(net_464xlat_fromvendor_prop)
+system_internal_prop(net_connectivity_prop)
+system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(odsign_prop)
+system_internal_prop(perf_drop_caches_prop)
+system_internal_prop(pm_prop)
+system_internal_prop(profcollectd_node_id_prop)
+system_internal_prop(rollback_test_prop)
+system_internal_prop(setupwizard_prop)
+system_internal_prop(system_adbd_prop)
+system_internal_prop(traced_perf_enabled_prop)
+system_internal_prop(userspace_reboot_log_prop)
+system_internal_prop(userspace_reboot_test_prop)
+system_internal_prop(verity_status_prop)
+system_internal_prop(zygote_wrap_prop)
+
+###
+### Neverallow rules
+###
+
+treble_sysprop_neverallow(`
+
+enforce_sysprop_owner(`
+ neverallow domain {
+ property_type
+ -system_property_type
+ -product_property_type
+ -vendor_property_type
+ }:file no_rw_file_perms;
+')
+
+neverallow { domain -coredomain } {
+ system_property_type
+ system_internal_property_type
+ -system_restricted_property_type
+ -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+ system_property_type
+ -system_public_property_type
+}:property_service set;
+
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
+ vendor_property_type
+ vendor_internal_property_type
+ -vendor_restricted_property_type
+ -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { coredomain -init } {
+ vendor_property_type
+ -vendor_public_property_type
+}:property_service set;
+
+')
+
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
+neverallow * {
+ core_property_type
+ -audio_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -ota_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -usb_prop
+ -vold_prop
+}:file no_rw_file_perms;
+
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
+compatible_property_only(`
+# Prevent properties from being set
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_config_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_system_prop
+ exported3_system_prop
+ usb_control_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ -vendor_init
+ } {
+ radio_control_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_camera_server
+ -cameraserver
+ -vendor_init
+ } {
+ exported_camera_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ -hal_wifi_server
+ -wificond
+ -vendor_init
+ } {
+ wifi_hal_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ dalvik_config_prop
+ extended_core_property_type
+ exported3_system_prop
+ systemsound_config_prop
+ -debug_prop
+ -logd_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -vendor_init
+ } {
+ suspend_prop
+ }:property_service set;
+')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -system_property_type
+ -extended_core_property_type
+ }:property_service set;
+')
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} {
+ ffs_config_prop
+ ffs_control_prop
+}:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -system_server
+} {
+ userspace_reboot_log_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and system_server to set system_adbd_prop
+ domain
+ -init
+ -system_server
+} {
+ system_adbd_prop
+}:property_service set;
+
+# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -adbd
+ -system_server
+} {
+ adbd_config_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and adbd to set adbd_prop
+ domain
+ -init
+ -adbd
+} {
+ adbd_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and shell to set userspace_reboot_test_prop
+ domain
+ -init
+ -shell
+} {
+ userspace_reboot_test_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+ -vendor_init
+} {
+ surfaceflinger_color_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} {
+ libc_debug_prop
+}:property_service set;
+
+# Allow the shell to set MTE props, so that non-root users with adb shell
+# access can control the settings on their device.
+neverallow {
+ domain
+ -init
+ -shell
+} {
+ arm64_memtag_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+ -vendor_init
+} zram_control_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+ -vendor_init
+} dalvik_runtime_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} {
+ usb_config_prop
+ usb_control_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -system_server
+} {
+ provisioned_prop
+ retaildemo_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} {
+ provisioned_prop
+ retaildemo_prop
+}:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} {
+ init_service_status_private_prop
+ init_service_status_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -radio
+ -appdomain
+ -hal_telephony_server
+ not_compatible_property(`-vendor_init')
+} telephony_status_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -surfaceflinger
+} {
+ surfaceflinger_display_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+} packagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} keyguard_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} {
+ localization_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -system_app
+} oem_unlock_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -coredomain
+ -vendor_init
+} storagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} sendbug_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} camera_calibration_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -hal_dumpstate_server
+ not_compatible_property(`-vendor_init')
+} hal_dumpstate_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-traced_probes')
+ userdebug_or_eng(`-traced_perf')
+} {
+ lower_kptr_restrict_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} zygote_wrap_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+} verity_status_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+} setupwizard_prop:property_service set;
+
+# ro.product.property_source_order is useless after initialization of ro.product.* props.
+# So making it accessible only from init and vendor_init.
+neverallow {
+ domain
+ -init
+ -dumpstate
+ -vendor_init
+} build_config_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -shell
+} sqlite_log_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -appdomain
+} sqlite_log_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} default_prop:property_service set;
+
+# Only one of system_property_type and vendor_property_type can be assigned.
+# Property types having both attributes won't be accessible from anywhere.
+neverallow domain system_and_vendor_property_type:{file property_service} *;
+
+neverallow {
+ # Only allow init and shell to set rollback_test_prop
+ domain
+ -init
+ -shell
+} rollback_test_prop:property_service set;
+
+neverallow {
+ # Only allow init and profcollectd to access profcollectd_node_id_prop
+ domain
+ -init
+ -dumpstate
+ -profcollectd
+} profcollectd_node_id_prop:file r_file_perms;
+
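Review bot: The final neverallow's comment says "Only allow init and profcollectd to access profcollectd_node_id_prop" but the source set also exempts `dumpstate`, and it uses `r_file_perms` where every sibling read-restriction in this file (the `oem_unlock_prop`, `build_config_prop` and `sqlite_log_prop` rules, for instance) uses `no_rw_file_perms`, leaving the write-side permissions unconstrained. Suggest `# Only init, dumpstate and profcollectd may read profcollectd_node_id_prop` and `} profcollectd_node_id_prop:file no_rw_file_perms;`. Minor: the new file ends with a trailing blank line.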
diff --git a/private/property_contexts b/private/property_contexts
index 7908bb1..5d1f117 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -9,7 +9,6 @@
net.lte u:object_r:net_radio_prop:s0
net.cdma u:object_r:net_radio_prop:s0
net.dns u:object_r:net_dns_prop:s0
-sys.usb.config u:object_r:system_radio_prop:s0
ril. u:object_r:radio_prop:s0
ro.ril. u:object_r:radio_prop:s0
gsm. u:object_r:radio_prop:s0
@@ -27,7 +26,6 @@
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
-sys.usb.ffs. u:object_r:ffs_prop:s0
service. u:object_r:system_prop:s0
dhcp. u:object_r:dhcp_prop:s0
dhcp.bt-pan.result u:object_r:pan_result_prop:s0
@@ -42,13 +40,12 @@
khungtask. u:object_r:llkd_prop:s0
ro.llk. u:object_r:llkd_prop:s0
ro.khungtask. u:object_r:llkd_prop:s0
-lmkd.reinit u:object_r:lmkd_prop:s0 exact int
log. u:object_r:log_prop:s0
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
+security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
-service.adb.tcp.port u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
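Review bot: The new `security.lower_kptr_restrict` line (the one added after `security.perf_harden`) carries no `exact`/`prefix` qualifier, whereas the other entries this commit introduces into this file (e.g. `persist.profcollectd.node_id … exact string`) do; an untyped entry is the legacy prefix form, so it also labels any property whose name merely starts with that string, and the value is not type-checked at set time. Since this knob relaxes kernel pointer hiding and its setters are deliberately narrowed by the `lower_kptr_restrict_prop` neverallow earlier in this diff, pinning name and value here is worth it: `security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0 exact bool` if the reader treats it as a boolean, `exact int` if it expects a sysctl value — confirm against the consumer before choosing.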
@@ -57,6 +54,7 @@
persist.bluetooth. u:object_r:bluetooth_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
+logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
@@ -66,6 +64,7 @@
persist.mmc. u:object_r:mmc_prop:s0
persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
+persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
@@ -80,6 +79,7 @@
traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
+persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
@@ -96,10 +96,24 @@
test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
+wrap. u:object_r:zygote_wrap_prop:s0 prefix string
+
+# Suspend service properties
+suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
+suspend.base_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
+suspend.backoff_threshold_count u:object_r:suspend_prop:s0 exact uint
+suspend.short_suspend_threshold_millis u:object_r:suspend_prop:s0 exact uint
+suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double
+suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
+suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+# adbd protoctl configuration property
+service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
+service.adb.transport u:object_r:adbd_config_prop:s0 exact string
+
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
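Review bot: The comment introducing the two `adbd_config_prop` entries has a typo, `# adbd protoctl configuration property`; it should read `# adbd protocol configuration property`. The surrounding move is otherwise coherent with the earlier hunk, which drops `service.adb.tcp.port` from `shell_prop` before it is re-added here with `exact int`, so only the comment needs touching.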
@@ -117,7 +131,7 @@
# ro.build.fingerprint is either set in /system/build.prop, or is
# set at runtime by system_server.
-ro.build.fingerprint u:object_r:fingerprint_prop:s0
+ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
@@ -131,7 +145,7 @@
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
-# Don't allow blind access to all services
+# Don't allow uncontrolled access to all services
ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
ctl.start$ u:object_r:ctl_start_prop:s0
@@ -157,6 +171,11 @@
# Restrict access to restart dumpstate
ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+# Restrict access to control snapuserd
+ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -168,6 +187,12 @@
dalvik. u:object_r:dalvik_prop:s0
ro.dalvik. u:object_r:dalvik_prop:s0
+# qemu_hw_prop is read/written by both system and vendor.
+qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0 exact string
+
+# qemu_sf_lcd_density_prop is read/written by both system and vendor.
+qemu.sf.lcd_density u:object_r:qemu_sf_lcd_density_prop:s0 exact int
+
# Shared between system server and wificond
wifi. u:object_r:wifi_prop:s0
wlan. u:object_r:wifi_prop:s0
@@ -182,39 +207,49 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
-# Common default properties for vendor and odm.
+# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm.
init.svc.odm. u:object_r:vendor_default_prop:s0
init.svc.vendor. u:object_r:vendor_default_prop:s0
ro.hardware. u:object_r:vendor_default_prop:s0
ro.odm. u:object_r:vendor_default_prop:s0
ro.vendor. u:object_r:vendor_default_prop:s0
+ro.vendor_dlkm. u:object_r:vendor_default_prop:s0
+ro.odm_dlkm. u:object_r:vendor_default_prop:s0
odm. u:object_r:vendor_default_prop:s0
persist.odm. u:object_r:vendor_default_prop:s0
persist.vendor. u:object_r:vendor_default_prop:s0
vendor. u:object_r:vendor_default_prop:s0
-# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
-ro.boot. u:object_r:exported2_default_prop:s0
# Properties that relate to time / time zone detection behavior.
persist.time. u:object_r:time_prop:s0
# Properties that relate to server configurable flags
-device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
+device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
-persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
-persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
-persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
-persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
-persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
-persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
-persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
-persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
-persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
+persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
+persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
+persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
+persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
+persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
+persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
+persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
+persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
+persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
+persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
+persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+
+# MM Events config props
+persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
apexd. u:object_r:apexd_prop:s0
+apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
persist.apexd. u:object_r:apexd_prop:s0
bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
@@ -229,20 +264,35 @@
# Property that is set once ueventd finishes cold boot.
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0
+# Properties that control performance operations.
+# Leave space to later set drop_caches to 1, 2, and 4.
+perf.drop_caches u:object_r:perf_drop_caches_prop:s0 exact enum 0 3
+
# Charger properties
-ro.charger. u:object_r:charger_prop:s0
+ro.charger. u:object_r:charger_prop:s0
+sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
+ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
# Virtual A/B properties
-ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
-ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
+ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
+# The vbmeta digest for the inactive slot. It can be set after installing
+# ota updates to the b partition of a/b devices.
+ota.other.vbmeta_digest u:object_r:ota_prop:s0 exact string
# Module properties
com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+# Connectivity module
+net.464xlat.cellular.enabled u:object_r:net_464xlat_fromvendor_prop:s0 exact bool
+net.tcp_def_init_rwnd u:object_r:net_connectivity_prop:s0 exact int
+
# Userspace reboot properties
sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
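Review bot: `ota.other.vbmeta_digest` and `ro.product.ab_ota_partitions` are added under the same `ota_prop` label as the pre-existing `ota.warm_reset`, so every domain that may set `ota_prop` for the warm-reset flag can also write the inactive-slot vbmeta digest; the setter rules for `ota_prop` are not in this hunk, so please confirm they are as narrow as a verified-boot digest warrants, or give the digest its own type. The comment above the digest line also ties it to "the b partition", but the inactive slot can be either slot; suggest `# The vbmeta digest for the inactive slot. It can be set after an OTA update has been installed to the inactive slot of an A/B device.`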
@@ -253,6 +303,707 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
+af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
+ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
+ro.audio.flinger_standbytime_ms u:object_r:audio_config_prop:s0 exact int
+
+audio.camerasound.force u:object_r:audio_config_prop:s0 exact bool
+audio.deep_buffer.media u:object_r:audio_config_prop:s0 exact bool
+audio.offload.video u:object_r:audio_config_prop:s0 exact bool
+audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
+
+ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
+ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+
+persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
+
+config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
+
+camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
+camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+
+ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
+
+# Should always_debuggable be bool? It's checked against the string "1".
+dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.backgroundgctype u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.boot-image u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.bgdexopt.new-classes-percent u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.bgdexopt.new-methods-percent u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.checkjni u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-max-image-block-size u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.dex2oat-updatable-bcp-packages-file u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.dexopt.secondary u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.execution-mode u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.extra-opts u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.foreground-heap-growth-multiplier u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.gctype u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapgrowthlimit u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapmaxfree u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapminfree u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapsize u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heapstartsize u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.heaptargetutilization u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.hot-startup-method-samples u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.image-dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.isa.arm.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.arm.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.arm64.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.arm64.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.mips.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.mips.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.mips64.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.mips64.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.unknown.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.unknown.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.x86.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.x86.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.x86_64.features u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.isa.x86_64.variant u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.jitinitialsize u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.jitmaxsize u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.jitprithreadweight u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.jitthreshold u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.jittransitionweight u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.jniopts u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.lockprof.threshold u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.method-trace u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.method-trace-file u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.method-trace-file-siz u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.method-trace-stream u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.profilebootclasspath u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.ps-min-save-period-ms u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.ps-resolved-classes-delay-ms u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
+ro.zygote u:object_r:dalvik_config_prop:s0 exact string
+
+persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
+
+keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
+
+media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
+
+media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
+media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
+media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-http u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-player u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-qcp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-scan u:object_r:media_config_prop:s0 exact bool
+media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
+persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool
+
+persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
+persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
+persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
+
+persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
+
+persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.set_menu_language u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.set_menu_language.enabled u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.property_sytem_audio_device_arc_port u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.cec_audio_device_forward_volume_keys_system_audio_mode_off u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.property_is_device_hdmi_cec_switch u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
+ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
+
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+
+ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
+
+ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+
+ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
+
+ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
+
+ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string
+ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int
+ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int
+ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
+ro.config.ringtone u:object_r:systemsound_config_prop:s0 exact string
+ro.config.system_vol_default u:object_r:systemsound_config_prop:s0 exact int
+ro.config.system_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int
+
+ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
+ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool
+
+ro.crypto.allow_encrypt_override u:object_r:vold_config_prop:s0 exact bool
+ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
+ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string
+ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int
+ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string
+ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool
+ro.crypto.volume.contents_mode u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.filenames_mode u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.metadata.encryption u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.metadata.method u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.options u:object_r:vold_config_prop:s0 exact string
+
+ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
+
+external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
+
+ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.kill_timeout_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
+lmkd.reinit u:object_r:lmkd_prop:s0 exact int
+
+ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string
+ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
+ro.media.xml_variant.profiles u:object_r:media_variant_prop:s0 exact string
+
+ro.minui.default_rotation u:object_r:recovery_config_prop:s0 exact string
+ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int
+ro.minui.pixel_format u:object_r:recovery_config_prop:s0 exact string
+
+ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
+
+ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
+
+ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
+ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
+
+ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
+
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+
+ro.zram.mark_idle_delay_mins u:object_r:zram_config_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:zram_config_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:zram_config_prop:s0 exact int
+zram.force_writeback u:object_r:zram_config_prop:s0 exact bool
+persist.sys.zram_enabled u:object_r:zram_control_prop:s0 exact bool
+
+sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string
+
+persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string
+
+sys.usb.config u:object_r:usb_control_prop:s0 exact string
+sys.usb.configfs u:object_r:usb_control_prop:s0 exact int
+sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+sys.usb.state u:object_r:usb_control_prop:s0 exact string
+
+sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
+
+sys.usb.config. u:object_r:usb_prop:s0
+
+sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool
+sys.usb.ffs.max_read u:object_r:ffs_config_prop:s0 exact int
+sys.usb.ffs.max_write u:object_r:ffs_config_prop:s0 exact int
+
+sys.usb.ffs.ready u:object_r:ffs_control_prop:s0 exact bool
+sys.usb.ffs.mtp.ready u:object_r:ffs_control_prop:s0 exact bool
+
+tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
+
+vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
+
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+
+odsign.key.done u:object_r:odsign_prop:s0 exact bool
+odsign.verification.done u:object_r:odsign_prop:s0 exact bool
+odsign.verification.success u:object_r:odsign_prop:s0 exact bool
+
+dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
+sys.boot_completed u:object_r:boot_status_prop:s0 exact bool
+
+persist.sys.device_provisioned u:object_r:provisioned_prop:s0 exact string
+
+persist.sys.theme u:object_r:theme_prop:s0 exact string
+
+sys.retaildemo.enabled u:object_r:retaildemo_prop:s0 exact int
+
+sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
+
+aac_drc_boost u:object_r:aac_drc_prop:s0 exact int
+aac_drc_cut u:object_r:aac_drc_prop:s0 exact int
+aac_drc_enc_target_level u:object_r:aac_drc_prop:s0 exact int
+aac_drc_heavy u:object_r:aac_drc_prop:s0 exact int
+aac_drc_reference_level u:object_r:aac_drc_prop:s0 exact int
+ro.aac_drc_effect_type u:object_r:aac_drc_prop:s0 exact int
+
+build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
+
+drm.64bit.enabled u:object_r:mediadrm_config_prop:s0 exact bool
+media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool
+
+drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool
+
+dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
+persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool
+
+hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
+
+# default contexts only accessible by coredomain
+init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
+
+# Globally-readable init service props
+init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
+init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
+init.svc.bugreportd u:object_r:init_service_status_prop:s0 exact string
+init.svc.console u:object_r:init_service_status_prop:s0 exact string
+init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string
+init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string
+init.svc.statsd u:object_r:init_service_status_prop:s0 exact string
+init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
+init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
+init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
+
+libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
+libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
+
+# shell-only props for ARM memory tagging (MTE).
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+
+net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
+
+persist.sys.locale u:object_r:exported_system_prop:s0 exact string
+persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
+
+ro.arch u:object_r:build_prop:s0 exact string
+
+# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
+ro.boot. u:object_r:bootloader_prop:s0
+ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.baseband u:object_r:bootloader_prop:s0 exact string
+ro.boot.bootdevice u:object_r:bootloader_prop:s0 exact string
+ro.boot.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.boot.boottime u:object_r:bootloader_prop:s0 exact string
+ro.boot.console u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware.color u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
+ro.boot.keymaster u:object_r:bootloader_prop:s0 exact string
+ro.boot.mode u:object_r:bootloader_prop:s0 exact string
+# Populated on Android Studio Emulator (for emulator specific workarounds)
+ro.boot.qemu u:object_r:bootloader_prop:s0 exact bool
+ro.boot.revision u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
+
+# These ro.X properties are set to values of ro.boot.X by property_service.
+ro.baseband u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode u:object_r:bootloader_prop:s0 exact string
+ro.hardware u:object_r:bootloader_prop:s0 exact string
+ro.revision u:object_r:bootloader_prop:s0 exact string
+
+ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
+ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
+
+ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
+ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
+
+ro.build.characteristics u:object_r:build_prop:s0 exact string
+ro.build.date u:object_r:build_prop:s0 exact string
+ro.build.date.utc u:object_r:build_prop:s0 exact int
+ro.build.description u:object_r:build_prop:s0 exact string
+ro.build.display.id u:object_r:build_prop:s0 exact string
+ro.build.flavor u:object_r:build_prop:s0 exact string
+ro.build.host u:object_r:build_prop:s0 exact string
+ro.build.id u:object_r:build_prop:s0 exact string
+ro.build.product u:object_r:build_prop:s0 exact string
+ro.build.system_root_image u:object_r:build_prop:s0 exact bool
+ro.build.tags u:object_r:build_prop:s0 exact string
+ro.build.type u:object_r:build_prop:s0 exact string
+ro.build.user u:object_r:build_prop:s0 exact string
+ro.build.version.all_codenames u:object_r:build_prop:s0 exact string
+ro.build.version.base_os u:object_r:build_prop:s0 exact string
+ro.build.version.codename u:object_r:build_prop:s0 exact string
+ro.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk_fingerprint u:object_r:build_prop:s0 exact string
+ro.build.version.release u:object_r:build_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.build.version.sdk u:object_r:build_prop:s0 exact int
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+
+ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
+
+ro.debuggable u:object_r:build_prop:s0 exact bool
+
+ro.treble.enabled u:object_r:build_prop:s0 exact bool
+
+ro.product.cpu.abi u:object_r:build_prop:s0 exact string
+ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
+ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
+ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+
+ro.product.system.brand u:object_r:build_prop:s0 exact string
+ro.product.system.device u:object_r:build_prop:s0 exact string
+ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system.model u:object_r:build_prop:s0 exact string
+ro.product.system.name u:object_r:build_prop:s0 exact string
+
+ro.system.build.date u:object_r:build_prop:s0 exact string
+ro.system.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system.build.id u:object_r:build_prop:s0 exact string
+ro.system.build.tags u:object_r:build_prop:s0 exact string
+ro.system.build.type u:object_r:build_prop:s0 exact string
+ro.system.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system.build.version.release u:object_r:build_prop:s0 exact string
+ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
+
+ro.adb.secure u:object_r:build_prop:s0 exact bool
+ro.secure u:object_r:build_prop:s0 exact int
+
+ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
+ro.product.system_ext.device u:object_r:build_prop:s0 exact string
+ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system_ext.model u:object_r:build_prop:s0 exact string
+ro.product.system_ext.name u:object_r:build_prop:s0 exact string
+
+ro.system_ext.build.date u:object_r:build_prop:s0 exact string
+ro.system_ext.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system_ext.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system_ext.build.id u:object_r:build_prop:s0 exact string
+ro.system_ext.build.tags u:object_r:build_prop:s0 exact string
+ro.system_ext.build.type u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.sdk u:object_r:build_prop:s0 exact int
+
+# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop
+ro.product.product.brand u:object_r:build_prop:s0 exact string
+ro.product.product.device u:object_r:build_prop:s0 exact string
+ro.product.product.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.product.model u:object_r:build_prop:s0 exact string
+ro.product.product.name u:object_r:build_prop:s0 exact string
+
+ro.product.build.date u:object_r:build_prop:s0 exact string
+ro.product.build.date.utc u:object_r:build_prop:s0 exact int
+ro.product.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.product.build.id u:object_r:build_prop:s0 exact string
+ro.product.build.tags u:object_r:build_prop:s0 exact string
+ro.product.build.type u:object_r:build_prop:s0 exact string
+ro.product.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.product.build.version.release u:object_r:build_prop:s0 exact string
+ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.product.build.version.sdk u:object_r:build_prop:s0 exact int
+
+# These 5 properties are set by property_service
+ro.product.brand u:object_r:build_prop:s0 exact string
+ro.product.device u:object_r:build_prop:s0 exact string
+ro.product.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.model u:object_r:build_prop:s0 exact string
+ro.product.name u:object_r:build_prop:s0 exact string
+
+# Sanitizer properties
+ro.sanitize.address u:object_r:build_prop:s0 exact bool
+ro.sanitize.cfi u:object_r:build_prop:s0 exact bool
+ro.sanitize.default-ub u:object_r:build_prop:s0 exact bool
+ro.sanitize.fuzzer u:object_r:build_prop:s0 exact bool
+ro.sanitize.hwaddress u:object_r:build_prop:s0 exact bool
+ro.sanitize.integer_overflow u:object_r:build_prop:s0 exact bool
+ro.sanitize.safe-stack u:object_r:build_prop:s0 exact bool
+ro.sanitize.scudo u:object_r:build_prop:s0 exact bool
+ro.sanitize.thread u:object_r:build_prop:s0 exact bool
+ro.sanitize.undefined u:object_r:build_prop:s0 exact bool
+
+# All odm build props are set by /odm/build.prop
+ro.odm.build.date u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.date.utc u:object_r:build_odm_prop:s0 exact int
+ro.odm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.media_performance_class u:object_r:build_odm_prop:s0 exact int
+
+ro.product.odm.brand u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.device u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.manufacturer u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.model u:object_r:build_odm_prop:s0 exact string
+ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
+
+# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
+ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+
+# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
+ro.product.odm_dlkm.brand u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.device u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.manufacturer u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.model u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.name u:object_r:build_odm_prop:s0 exact string
+
+ro.odm_dlkm.build.date u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.date.utc u:object_r:build_odm_prop:s0 exact int
+ro.odm_dlkm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.id u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.tags u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.type u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.release u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.release_or_codename u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.sdk u:object_r:build_odm_prop:s0 exact int
+
+# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
+ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
+
+# All vendor build props are set by /vendor/build.prop
+ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+
+# All vendor CPU abilist props are set by /vendor/build.prop
+ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.product.cpu.abilist32 u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.product.cpu.abilist64 u:object_r:build_vendor_prop:s0 exact string
+
+ro.product.board u:object_r:build_vendor_prop:s0 exact string
+ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
+ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.device u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.brand u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.device u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.manufacturer u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string
+
+# GRF property for the first api level of the vendor partition
+ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
+ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+
+# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
+ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.id u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.tags u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.type u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+
+ro.product.bootimage.brand u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.device u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
+
+# ro.product.property_source_order is settable from any build.prop
+ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
+
+ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
+ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
+
+ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
+
+ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
+
+service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
+service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
+
+sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
+sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
+
+vold.decrypt u:object_r:vold_status_prop:s0 exact string
+
+aaudio.hw_burst_min_usec u:object_r:aaudio_config_prop:s0 exact int
+aaudio.minimum_sleep_usec u:object_r:aaudio_config_prop:s0 exact int
+aaudio.mixer_bursts u:object_r:aaudio_config_prop:s0 exact int
+aaudio.mmap_exclusive_policy u:object_r:aaudio_config_prop:s0 exact int
+aaudio.mmap_policy u:object_r:aaudio_config_prop:s0 exact int
+aaudio.wakeup_delay_usec u:object_r:aaudio_config_prop:s0 exact int
+
+persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
+
+ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+
+ro.board.platform u:object_r:exported_default_prop:s0 exact string
+
+ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
+ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+
+ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
+
+# Update related props
+ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
+ro.build.ab_update.gki.prevent_downgrade_version u:object_r:ab_update_gki_prop:s0 exact bool
+ro.build.ab_update.gki.prevent_downgrade_spl u:object_r:ab_update_gki_prop:s0 exact bool
+
+ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
+ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
+
+ro.carrier u:object_r:exported_default_prop:s0 exact string
+
+ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
+ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
+
+ro.frp.pst u:object_r:exported_default_prop:s0 exact string
+
+ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
+ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
+ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
+ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
+ro.hardware.input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
+ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
+ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
+ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
+ro.hardware.power u:object_r:exported_default_prop:s0 exact string
+ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
+ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
+ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.type u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
+ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+
+ro.hw_timeout_multiplier u:object_r:hw_timeout_multiplier_prop:s0 exact int
+
+ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
+
+# ro.kernel.* properties are emulator specific and deprecated. Do not use.
+# Should be retired once presubmit allows.
+ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
+ro.kernel.qemu. u:object_r:exported_default_prop:s0
+ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
+
+ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
+
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
+
+ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
+ro.vndk.version u:object_r:vndk_prop:s0 exact string
+
+ro.vts.coverage u:object_r:vts_config_prop:s0 exact int
+
+vts.native_server.on u:object_r:vts_status_prop:s0 exact bool
+
+wifi.active.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.aware.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.direct.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.interface u:object_r:wifi_hal_prop:s0 exact string
+wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
+
+ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
+
+ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
+
# Property to enable incremental feature
ro.incremental.enable u:object_r:incremental_prop:s0
@@ -264,5 +1015,172 @@
init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
+
+# surfaceflinger properties
+ro.surface_flinger.default_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.default_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_HDR_display u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_wide_color_display u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_height u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_width u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_virtual_display_dimension u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.primary_display_orientation u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
+ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.running_without_sync_framework u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.start_graphics_allocator_service u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_color_management u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_context_priority u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_vr_flinger u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.display_primary_red u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_green u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_blue u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_white u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.protected_contents u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.supports_background_blur u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
+
+ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
+
+persist.sys.sf.color_mode u:object_r:surfaceflinger_color_prop:s0 exact int
+persist.sys.sf.color_saturation u:object_r:surfaceflinger_color_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:surfaceflinger_color_prop:s0 exact int
+
+# Binder cache properties. These are world-readable
+cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
+cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
+cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
+cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
+cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
+
+cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
+cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
+cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
+
+# Framework watchdog configuration properties.
+framework_watchdog.fatal_count u:object_r:framework_watchdog_config_prop:s0 exact int
+framework_watchdog.fatal_window.second u:object_r:framework_watchdog_config_prop:s0 exact int
+
+gsm.sim.operator.numeric u:object_r:telephony_status_prop:s0 exact string
+persist.radio.airplane_mode_on u:object_r:telephony_status_prop:s0 exact bool
+
+ro.cdma.home.operator.alpha u:object_r:telephony_config_prop:s0 exact string
+ro.cdma.home.operator.numeric u:object_r:telephony_config_prop:s0 exact string
+ro.com.android.dataroaming u:object_r:telephony_config_prop:s0 exact bool
+ro.com.android.prov_mobiledata u:object_r:telephony_config_prop:s0 exact bool
+ro.radio.noril u:object_r:telephony_config_prop:s0 exact string
+ro.telephony.call_ring.multiple u:object_r:telephony_config_prop:s0 exact bool
+ro.telephony.default_cdma_sub u:object_r:telephony_config_prop:s0 exact int
+ro.telephony.default_network u:object_r:telephony_config_prop:s0 exact string
+ro.telephony.iwlan_operation_mode u:object_r:telephony_config_prop:s0 exact enum default legacy AP-assisted
+telephony.active_modems.max_count u:object_r:telephony_config_prop:s0 exact int
+telephony.lteOnCdmaDevice u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+
+# System locale list filter configuration
+ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
+
+# Graphics related properties
+ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
+
+ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
+ro.gfx.driver_build_time u:object_r:graphics_config_prop:s0 exact int
+
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
+
+ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
+
+# Disable/enable charger input
+power.battery_input.suspended u:object_r:power_debug_prop:s0 exact bool
+
+# zygote config property
+zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
+
+ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+
+# Broadcast boot stages, which keystore listens to
+keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
+
+partition.system.verified u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
+partition.product.verified u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+
+partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+
+ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
+ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+
+setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.day_night_mode_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_low_ram_filter u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_suggestion u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.device_default_dark_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.esim_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.google_services_deferred_setup_pretend_not_suw u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data.carrier-1 u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.portal_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.predeferred_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.return_partner_customization_bundle u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.show_pixel_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.use_biometric_lock u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.wallpaper_suggestion_after_restore u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
+
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
+
+# SOC related props
+ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
+ro.soc.model u:object_r:soc_prop:s0 exact string
+
+# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
+# to detect failures where hard linking should work otherwise
+persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
+
+# bootanimation properties
+ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
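Review bot: The eleven `cache_key.*` entries that open the Binder cache block (`cache_key.app_inactive` through `cache_key.package_info`) carry neither a match mode nor a type, unlike the three `prefix string` entries directly below them. As far as I can tell from the property_contexts format, an entry without `exact`/`prefix` is treated as a legacy prefix match with no value-type check, so `cache_key.app_inactive` would also label any `cache_key.app_inactive.<suffix>` and accept any value; if the intent is an exact key, spelling it out as `cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0 exact string` (and likewise for the others) makes that explicit and consistent with the rest of this hunk. The heading `# Binder cache properties. These are world-readable` states who may read them but not that writes are confined; since the neverallow protecting the telephony cache key lives in radio.te, a pointer such as `# writes are restricted by neverallow rules in the owning domain's .te` would help a reader of this file.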
diff --git a/private/radio.te b/private/radio.te
index 00a5cda..2758289 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,9 +1,18 @@
-typeattribute radio coredomain;
+typeattribute radio coredomain, mlstrustedsubject;
app_domain(radio)
read_runtime_log_tags(radio)
+# Property service
+set_prop(radio, radio_control_prop)
+set_prop(radio, radio_prop)
+set_prop(radio, net_radio_prop)
+set_prop(radio, telephony_status_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
# Telephony code contains time / time zone detection logic so it reads the associated properties.
get_prop(radio, time_prop)
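Review bot: The `mlstrustedsubject` added to the `typeattribute radio` line has no comment explaining which access requires radio to bypass MLS constraints, while every other addition in this hunk sits under a heading. That attribute typically lets a domain reach objects at other MLS levels (per-user data, for example), so the justification belongs next to it, e.g. `# mlstrustedsubject: needed for <access being granted> (see <bug id placeholder>)`. Likewise `set_prop(radio, ctl_rildaemon_prop)` lets an app domain drive the rild service control property; a one-line note on why this lifecycle is owned by radio rather than init would help future reviewers judge whether to keep it.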
@@ -16,10 +25,11 @@
allow radio emergency_data_file:dir r_dir_perms;
allow radio emergency_data_file:file r_file_perms;
-# allow sending pulled atoms to statsd
-binder_call(radio, statsd)
-
# allow telephony to access related cache properties
set_prop(radio, binder_cache_telephony_server_prop);
neverallow { domain -radio -init }
binder_cache_telephony_server_prop:property_service set;
+
+# allow sending pulled atoms to statsd
+binder_call(radio, statsd)
+
diff --git a/private/recovery.te b/private/recovery.te
index 2a7fdc7..00d7132 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1 +1,46 @@
typeattribute recovery coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Reboot the device
+ set_prop(recovery, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(recovery, serialno_prop)
+
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ get_prop(recovery, ffs_config_prop)
+ set_prop(recovery, ffs_control_prop)
+
+ # Set sys.usb.config when switching into fastboot.
+ set_prop(recovery, usb_control_prop)
+ set_prop(recovery, usb_prop)
+
+ # Read ro.boot.bootreason
+ get_prop(recovery, bootloader_boot_reason_prop)
+
+ # Read storage properties (for correctly formatting filesystems)
+ get_prop(recovery, storage_config_prop)
+
+ set_prop(recovery, gsid_prop)
+
+ # These are needed to allow recovery to manage network
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+ allow recovery self:global_capability_class_set net_admin;
+ allow recovery self:tcp_socket { create ioctl };
+ allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+ # Start snapuserd for merging VABC updates
+ set_prop(recovery, ctl_snapuserd_prop)
+
+ # Needed to communicate with snapuserd to complete merges.
+ allow recovery snapuserd_socket:sock_file write;
+ allow recovery snapuserd:unix_stream_socket connectto;
+ allow recovery dm_user_device:dir r_dir_perms;
+
+ # Set fastbootd protocol property
+ set_prop(recovery, fastbootd_protocol_prop)
+
+ get_prop(recovery, recovery_config_prop)
+')
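Review bot: `set_prop(recovery, gsid_prop)` and `get_prop(recovery, recovery_config_prop)` are the only rules in the new recovery_only block without a comment, while every neighbouring rule explains which recovery flow needs it. Since this block is the complete list of extra privilege recovery gets over the plain domain rules, each property grant should say what uses it, e.g. `# Set gsid_prop when <flow> — confirm` and `# Read recovery configuration properties`. The network rules are well scoped by the allowxperm to SIOCGIFFLAGS/SIOCSIFFLAGS and need no change.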
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
new file mode 100644
index 0000000..010c9bc
--- /dev/null
+++ b/private/remote_prov_app.te
@@ -0,0 +1,13 @@
+type remote_prov_app, domain;
+typeattribute remote_prov_app coredomain;
+
+app_domain(remote_prov_app)
+net_domain(remote_prov_app)
+
+# The app needs access to properly build a DeviceInfo package for the verifying server
+get_prop(remote_prov_app, vendor_security_patch_level_prop)
+
+allow remote_prov_app {
+ app_api_service
+ remoteprovisioning_service
+}:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index a8c61be..b8e42ea 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -79,7 +79,8 @@
# domain= determines the label to be used for the app process; entries
# without domain= are ignored for this purpose.
# type= specifies the label to be used for the app data directory; entries
-# without type= are ignored for this purpose.
+# without type= are ignored for this purpose. The label specified must
+# have the app_data_file_type attribute.
# levelFrom and level are used to determine the level (sensitivity + categories)
# for MLS/MCS.
# levelFrom=none omits the level.
@@ -141,24 +142,26 @@
isSystemServer=true domain=system_server_startup
-user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro
+user=shared_relro domain=shared_relro levelFrom=all
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
-user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
+user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=31 isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
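Review bot: the traceur entry at the top of this hunk now binds the traceur_app domain by package name plus `isPrivApp=true` instead of `seinfo=platform`, which is a weaker binding than the platform signing certificate; the new remote_prov_app entry uses the same name-plus-priv-app form. That is the established pattern for priv-apps in this file, but it should be confirmed that com.android.traceur is intentionally no longer required to be platform-signed. In the same hunk `user=network_stack` loses `levelFrom=all` while `user=shared_relro` gains it, with no note in the file; a short comment on each MLS change would help the next reader.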
diff --git a/private/security_classes b/private/security_classes
index 04ed814..200b030 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -15,6 +15,7 @@
# file-related classes
class filesystem
class file
+class anon_inode
class dir
class fd
class lnk_file
@@ -153,8 +154,14 @@
# hardware service manager # userspace
class hwservice_manager
-# Keystore Key
+# Legacy Keystore key permissions
class keystore_key # userspace
+# Keystore 2.0 permissions
+class keystore2 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key # userspace
+
class drmservice # userspace
# FLASK
diff --git a/private/service.te b/private/service.te
index 6c17521..7f692f3 100644
--- a/private/service.te
+++ b/private/service.te
@@ -2,7 +2,11 @@
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
+type mediatuner_service, app_api_service, service_manager_type;
+type profcollectd_service, service_manager_type;
+type resolver_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
+type tracingproxy_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 5c6f1a4..3357943 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,8 +1,26 @@
+android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
+android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
+android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
+android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
+android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
+android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
+android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
+android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
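Review bot: `android.frameworks.stats.IStats/default` is inserted after the `android.hardware.*` entries although the surrounding block is kept sorted (frameworks sorts before hardware), and in the later hunk `android.system.virtmanager` lands between `com.android.net.IProxyService` and `companiondevice` rather than with the other `android.*` names. Both are style only, but sorted order is how reviewers spot duplicate or mislabeled services in a file this long, so moving the two lines is worth it. Separately, `android.hardware.soundtrigger3.ISoundTriggerHw/default` and `android.hardware.vibrator.IVibratorManager/default` reuse `hal_audio_service` and `hal_vibrator_service` rather than a dedicated label, so every domain already allowed to find those services can find the new ones too; if that is intended, a comment saying so would stop it being filed later as an omission.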
@@ -13,10 +31,18 @@
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.security.apc u:object_r:apc_service:s0
+android.security.authorization u:object_r:authorization_service:s0
+android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
+app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
@@ -25,6 +51,7 @@
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
+artd u:object_r:artd_service:s0
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
@@ -44,6 +71,7 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
+android.system.virtmanager u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
@@ -64,10 +92,12 @@
device_policy u:object_r:device_policy_service:s0
device_identifiers u:object_r:device_identifiers_service:s0
deviceidle u:object_r:deviceidle_service:s0
+device_state u:object_r:device_state_service:s0
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
dnsresolver u:object_r:dnsresolver_service:s0
+domain_verification u:object_r:domain_verification_service:s0
color_display u:object_r:color_display_service:s0
netd_listener u:object_r:netd_listener_service:s0
network_watchlist u:object_r:network_watchlist_service:s0
@@ -88,6 +118,7 @@
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
+game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
@@ -118,8 +149,10 @@
isub u:object_r:radio_service:s0
jobscheduler u:object_r:jobscheduler_service:s0
launcherapps u:object_r:launcherapps_service:s0
+legacy_permission u:object_r:legacy_permission_service:s0
lights u:object_r:light_service:s0
location u:object_r:location_service:s0
+location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
lock_settings u:object_r:lock_settings_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
@@ -134,15 +167,21 @@
media.extractor u:object_r:mediaextractor_service:s0
media.transcoding u:object_r:mediatranscoding_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
+media.resource_observer u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
+media.tuner u:object_r:mediatuner_service:s0
+media_communication u:object_r:media_communication_service:s0
+media_metrics u:object_r:media_metrics_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
media_session u:object_r:media_session_service:s0
meminfo u:object_r:meminfo_service:s0
+memtrack.proxy u:object_r:memtrackproxy_service:s0
midi u:object_r:midi_service:s0
mount u:object_r:mount_service:s0
+music_recognition u:object_r:music_recognition_service:s0
netd u:object_r:netd_service:s0
netpolicy u:object_r:netpolicy_service:s0
netstats u:object_r:netstats_service:s0
@@ -155,25 +194,33 @@
oem_lock u:object_r:oem_lock_service:s0
otadexopt u:object_r:otadexopt_service:s0
overlay u:object_r:overlay_service:s0
+pac_proxy u:object_r:pac_proxy_service:s0
package u:object_r:package_service:s0
package_native u:object_r:package_native_service:s0
+people u:object_r:people_service:s0
+performance_hint u:object_r:hint_service:s0
permission u:object_r:permission_service:s0
permissionmgr u:object_r:permissionmgr_service:s0
+permission_checker u:object_r:permission_checker_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
pinner u:object_r:pinner_service:s0
+power_stats u:object_r:power_stats_service:s0
power u:object_r:power_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
procstats u:object_r:procstats_service:s0
+profcollectd u:object_r:profcollectd_service:s0
radio.phonesubinfo u:object_r:radio_service:s0
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
rcs u:object_r:radio_service:s0
+reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
+resolver u:object_r:resolver_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
@@ -182,6 +229,7 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
+search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
@@ -196,6 +244,8 @@
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
slice u:object_r:slice_service:s0
+smartspace u:object_r:smartspace_service:s0
+speech_recognition u:object_r:speech_recognition_service:s0
stats u:object_r:stats_service:s0
statscompanion u:object_r:statscompanion_service:s0
statsmanager u:object_r:statsmanager_service:s0
@@ -207,7 +257,9 @@
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
+suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
+system_server_dumper u:object_r:system_server_dumper_service:s0
system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
@@ -217,10 +269,13 @@
tethering u:object_r:tethering_service:s0
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
+texttospeech u:object_r:texttospeech_service:s0
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
+tracing.proxy u:object_r:tracingproxy_service:s0
+transformer u:object_r:transformer_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
@@ -231,10 +286,14 @@
usagestats u:object_r:usagestats_service:s0
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
+uwb u:object_r:uwb_service:s0
+vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
+vibrator_manager u:object_r:vibrator_manager_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
+vpn_management u:object_r:vpn_management_service:s0
vr_hwc u:object_r:vr_hwc_service:s0
vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 02f7206..31fdb8c 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -3,3 +3,13 @@
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
app_domain(shared_relro)
+
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
+
+# StrictMode may attempt to find this service, failure is harmless.
+dontaudit shared_relro network_management_service:service_manager find;
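Review bot: the three `service_manager find` rules added here have no comment, unlike the `dontaudit` below which explains itself. shared_relro's only documented purpose is the comment at the top of the hunk, so a line such as `# Looked up while creating the shared relro file — confirm` above the block would let a reviewer judge whether `package_service` and `activity_service` are both required. The `create_file_perms` grant on shared_relro_file looks proportionate to that purpose.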
diff --git a/private/shell.te b/private/shell.te
index 43e4dd5..5831d54 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,4 +1,4 @@
-typeattribute shell coredomain;
+typeattribute shell coredomain, mlstrustedsubject;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
@@ -48,9 +48,22 @@
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
+# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
+userdebug_or_eng(`
+ allow shell accessibility_trace_data_file:dir rw_dir_perms;
+ allow shell accessibility_trace_data_file:file { r_file_perms unlink };
+')
+
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
+# ... and /data/misc/perfetto-traces/bugreport/ .
+allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
+
+# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
+allow shell perfetto_configs_data_file:dir rw_dir_perms;
+allow shell perfetto_configs_data_file:file create_file_perms;
# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);
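Review bot: the accessibility-trace rules are wrapped in `userdebug_or_eng`, but the new `perfetto_configs_data_file` rules a few lines down, which grant `create_file_perms` on a config directory, are unconditional. If shell on user builds genuinely needs to write perfetto configs, say so in the comment, e.g. `# Allow shell to create/remove configs stored in /data/misc/perfetto-configs (user builds too — confirm why)`; otherwise gate them like the a11y rules so the user-build shell surface does not grow silently.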
@@ -69,6 +82,10 @@
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;
+# Allow (host-driven) ART run-tests to execute dex2oat, in order to
+# check ART's compiler.
+allow shell dex2oat_exec:file rx_file_perms;
+
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
@@ -77,6 +94,9 @@
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
+# Allow shell to set this property used for rollback tests
+set_prop(shell, rollback_test_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
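Review bot: `set_prop(shell, rollback_test_prop)` is unconditional, yet the property it covers is described in property_contexts in this same change as a rollback-test switch that disables the fallback-to-copy path, and the comparable test-only knobs later in this file (`log_prop`, `logpersistd_logging_prop`, `persist_debug_prop`) are wrapped in `userdebug_or_eng`. If user builds need it for CTS, extend the comment to say so; otherwise `userdebug_or_eng(`set_prop(shell, rollback_test_prop)')` keeps the user-build shell surface unchanged.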
@@ -86,10 +106,94 @@
# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;
+# Allow shell to execute profcollectctl without a domain transition.
+allow shell profcollectd_exec:file rx_file_perms;
+
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
-# Allow to read graphics related properties.
-get_prop(shell, graphics_config_prop)
\ No newline at end of file
+# Set properties.
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, perf_drop_caches_prop)
+set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
+# adjust is_loggable properties
+userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
+# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
+# property.
+set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
+set_prop(shell, ctl_snapuserd_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
+
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
+# Allow shell to read boot image timestamps and fingerprints.
+get_prop(shell, build_bootimage_prop)
+
+userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
+
+# Allow to issue control commands to profcollectd binder service.
+userdebug_or_eng(`
+ allow shell profcollectd:binder call;
+')
+
+# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
+allow shell keystore2_key_contexts_file:file r_file_perms;
+
+# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
+allow shell shell_key:keystore2_key { delete rebind use get_info update };
+
+# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
+set_prop(shell, sqlite_log_prop)
+
+# Allow shell to write MTE properties even on user builds.
+set_prop(shell, arm64_memtag_prop)
+
+# Allow shell to read the dm-verity props on user builds.
+get_prop(shell, verity_status_prop)
+
+# Allow shell to read Virtual A/B related properties
+get_prop(shell, virtual_ab_prop)
+
+# Never allow others to set or get the perf.drop_caches property.
+neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
+neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
+
+# Allow ReadDefaultFstab() for CTS.
+read_fstab(shell)
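Review bot: the first ten `set_prop` lines under `# Set properties.` have no per-property rationale, while the rest of this block documents each grant. `powerctl_prop` and the `ctl_bugreport_prop`/`ctl_dumpstate_prop` service-control properties are the ones most worth a one-line justification, e.g. `# Allow shell to reboot/shut down the device via powerctl_prop`, so a reader can tell them apart from the logging props. The `neverallow` pair for `perf_drop_caches_prop` is a good pattern and could be applied to `shell_prop` if that property is meant to be shell-only. The `keystore2_key` rule correctly omits `grant`, which is the permission that would let shell extend its keys to other domains.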
diff --git a/private/snapuserd.te b/private/snapuserd.te
new file mode 100644
index 0000000..d96b31e
--- /dev/null
+++ b/private/snapuserd.te
@@ -0,0 +1,26 @@
+# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;
+
+typeattribute snapuserd coredomain;
+
+init_daemon_domain(snapuserd)
+
+allow snapuserd kmsg_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
+allow snapuserd block_device:dir r_dir_perms;
+allow snapuserd dm_device:chr_file rw_file_perms;
+allow snapuserd dm_device:blk_file rw_file_perms;
+
+# Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:dir r_dir_perms;
+allow snapuserd dm_user_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/socket/snapuserd.
+allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+
+# This arises due to first-stage init opening /dev/null without F_CLOEXEC
+# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
+# again, the descriptor leaks into the new process.
+allow snapuserd kernel:fd use;
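Review bot: `allow snapuserd kmsg_device:chr_file rw_file_perms;` grants read as well as write on the kmsg device; if the daemon only logs there, `w_file_perms` is the least-privilege form, since reading kmsg exposes other processes' kernel log output. The rest of the new domain is tightly scoped (dm and dm-user nodes, its own socket) and each rule is explained, including the inherited-fd rule at the end. One more comment would help: the `dm_device:chr_file` line is presumably the device-mapper control node, and saying so distinguishes it from the `blk_file` rule below it.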
diff --git a/private/stats.te b/private/stats.te
index 3e8a3d5..db29072 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -43,6 +43,8 @@
-gmscore_app
-gpuservice
-incidentd
+ -keystore
+ -mediametrics
-platform_app
-priv_app
-shell
diff --git a/private/statsd.te b/private/statsd.te
index 1483156..444d82e 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -21,3 +21,7 @@
# Allow statsd to retrieve SF statistics over binder
binder_call(statsd, surfaceflinger);
+
+# Allow statsd to read its system properties
+get_prop(statsd, device_config_statsd_native_prop)
+get_prop(statsd, device_config_statsd_native_boot_prop)
diff --git a/private/storaged.te b/private/storaged.te
index b7d4ae9..bb39e5b 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,10 +18,12 @@
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
-userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+ ')
')
# Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/su.te b/private/su.te
index 16e47bb..587f449 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,6 +13,9 @@
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
+ # Put the odrefresh command into its domain.
+ domain_auto_trans(su, odrefresh_exec, odrefresh)
+
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
@@ -20,4 +23,8 @@
permissive su;
app_domain(su)
+
+ # Do not audit accesses to keystore2 namespace for the su domain.
+ dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
')
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 2e9ce19..7a92bd4 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -53,12 +53,15 @@
# Set properties.
set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, bootanim_system_prop)
set_prop(surfaceflinger, exported_system_prop)
-set_prop(surfaceflinger, exported2_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
set_prop(surfaceflinger, surfaceflinger_display_prop)
+# Get properties.
+get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
+
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
@@ -101,11 +104,13 @@
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write };
allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
# pdx IPC
pdx_server(surfaceflinger, display_client)
diff --git a/private/system_app.te b/private/system_app.te
index 0b77bb3..48d5f9d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -4,7 +4,7 @@
### server.
###
-typeattribute system_app coredomain;
+typeattribute system_app coredomain, mlstrustedsubject;
app_domain(system_app)
net_domain(system_app)
@@ -21,9 +21,6 @@
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
# Access to apex files stored on /data (b/136063500)
# Needed so that Settings can access NOTICE files inside apex
# files located in the assets/ directory.
@@ -44,17 +41,16 @@
set_prop(system_app, system_prop)
set_prop(system_app, exported_bluetooth_prop)
set_prop(system_app, exported_system_prop)
-set_prop(system_app, exported2_system_prop)
set_prop(system_app, exported3_system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
-set_prop(system_app, system_radio_prop)
-set_prop(system_app, exported_system_radio_prop)
+set_prop(system_app, usb_control_prop)
+set_prop(system_app, usb_prop)
set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
-auditallow system_app system_radio_prop:property_service set;
-auditallow system_app exported_system_radio_prop:property_service set;
+auditallow system_app usb_control_prop:property_service set;
+auditallow system_app usb_prop:property_service set;
# Allow Settings to enable Dynamic System Update
set_prop(system_app, dynamic_system_prop)
@@ -72,21 +68,12 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
-# Allow system_app (adb data loader) to write data to /data/incremental
-allow system_app apk_data_file:file write;
-
-# Allow system app (adb data loader) to read logs
-allow system_app incremental_control_file:file r_file_perms;
-
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
-# Allow system apps to interact with gpuservice
-binder_call(system_app, gpuservice)
-
# Allow system app to interact with Dumpstate HAL
hal_client_domain(system_app, hal_dumpstate)
@@ -101,6 +88,7 @@
-iorapd_service
-lpdump_service
-netd_service
+ -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
@@ -119,6 +107,9 @@
vr_hwc_service
}:service_manager find;
+# suppress denials caused by debugfs_tracing
+dontaudit system_app debugfs_tracing:file rw_file_perms;
+
allow system_app keystore:keystore_key {
get_state
get
@@ -139,6 +130,24 @@
user_changed
};
+allow system_app keystore:keystore2_key {
+ delete
+ get_info
+ grant
+ rebind
+ update
+ use
+};
+
+# Allow Settings to manage WI-FI keys.
+allow system_app wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# settings app reads /proc/version
allow system_app {
proc_version
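Review bot: The first `keystore2_key` block in this hunk gives system_app `grant`, which the wifi_key block directly below deliberately omits, yet only the wifi_key block carries a comment (`# Allow Settings to manage WI-FI keys.`). A header on the first block explaining why a system app needs to grant keys, e.g. `# Allow system apps to manage their keystore2 keys; grant is needed by <consumer> — TODO(review): fill in`, keeps the asymmetry between the two blocks reviewable later.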
@@ -146,6 +155,7 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
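Review bot: The added `allow system_app cgroup_v2:file w_file_perms;` sits under a comment that names only the cgroup v1 path `/dev/stune/foreground/tasks`, so the comment no longer describes both rules. Update it to cover the new label too, e.g. `# Settings app writes to /dev/stune/foreground/tasks (cgroup v1) and the equivalent cgroup v2 file.`, naming the v2 path if it is known.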
@@ -156,6 +166,9 @@
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# Settings app reads ro.oem_unlock_supported
+get_prop(system_app, oem_unlock_prop)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 213b3c8..dcccc5e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -12,6 +12,8 @@
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
+userfaultfd_use(system_server)
+
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
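Review bot: `userfaultfd_use(system_server)` is added without a comment, while every neighbouring rule in this hunk explains which component needs it. A one-line comment such as `# <component> in system_server uses userfaultfd for <purpose>.` with the placeholders filled in would let a later audit decide whether the access is still required.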
@@ -24,16 +26,32 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
-# To create files and get permission to fill blocks on Incremental File System
+# To create files, get permission to fill blocks, and configure Incremental File System
allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
+allowxperm system_server incremental_control_file:file ioctl {
+ INCFS_IOCTL_CREATE_FILE
+ INCFS_IOCTL_CREATE_MAPPED_FILE
+ INCFS_IOCTL_PERMIT_FILL
+ INCFS_IOCTL_GET_READ_TIMEOUTS
+ INCFS_IOCTL_SET_READ_TIMEOUTS
+ INCFS_IOCTL_GET_LAST_READ_ERROR
+};
-# To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+# To get signature of an APK installed on Incremental File System, and fill in data
+# blocks and get the filesystem state
+allowxperm system_server apk_data_file:file ioctl {
+ INCFS_IOCTL_READ_SIGNATURE
+ INCFS_IOCTL_FILL_BLOCKS
+ INCFS_IOCTL_GET_FILLED_BLOCKS
+ INCFS_IOCTL_GET_BLOCK_COUNT
+};
+
+# For Incremental Service to check incfs metrics
+allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
# For art.
-allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file r_file_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
@@ -66,14 +84,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values whitelisted in
+# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -118,7 +136,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
@@ -169,11 +187,24 @@
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
+# Read /sys/kernel/dma_heap/*.
+allow system_server sysfs_dma_heap:file r_file_perms;
+
+# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
+allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
+allow system_server sysfs_dmabuf_stats:file r_file_perms;
+
+# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
+# for dumpsys meminfo
+allow system_server dmabuf_heap_device:dir r_dir_perms;
+
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
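Review bot: The debugfs_wakeup_sources read is now wrapped in `no_debugfs_restriction(...)`, but the comment above it still reads `# Read /sys/kernel/debug/wakeup_sources.` as if the grant were unconditional. Suggest `# Read /sys/kernel/debug/wakeup_sources (only on devices that do not restrict debugfs).` so the conditional grant is visible without expanding the macro. The removal of `r_dir_file(system_server, sysfs_wakeup_reasons)` later in this file appears to match the corresponding addition in system_suspend.te, which is consistent.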
@@ -214,7 +245,7 @@
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
-binder_call(system_server, notify_traceur)
+userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
@@ -259,6 +290,10 @@
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_supplicant)
+# The bootctl is a pass through HAL mode under recovery mode. So we skip the
+# permission for recovery in order not to give system server the access to
+# the low level block devices.
+not_recovery(`hal_client_domain(system_server, hal_bootctl)')
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
@@ -272,6 +307,7 @@
# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
+allow system_server servicemanager:service_manager list;
# Send signals to trigger ANR traces.
allow system_server {
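Review bot: `allow system_server servicemanager:service_manager list;` is placed under `# List HAL interfaces to get ANR traces.`, which was written for the hwservicemanager rule; by its name servicemanager is the binder service manager rather than the HAL one, so the header no longer fits both lines. Suggest `# List HAL (hwservicemanager) and binder (servicemanager) interfaces to get ANR traces.` so the two rules share an accurate comment.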
@@ -288,6 +324,8 @@
mediametrics
mediaserver
mediaswcodec
+ mediatranscoding
+ mediatuner
netd
sdcardd
statsd
@@ -306,6 +344,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_light_server
hal_neuralnetworks_server
hal_omx_server
hal_power_stats_server
@@ -345,13 +384,14 @@
r_dir_file(system_server, sysfs_rtc)
r_dir_file(system_server, sysfs_switch)
-r_dir_file(system_server, sysfs_wakeup_reasons)
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
+allow system_server sysfs_uhid:dir r_dir_perms;
+allow system_server sysfs_uhid:file rw_file_perms;
# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };
@@ -476,6 +516,10 @@
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
+# Manage /data/misc/appcompat.
+allow system_server appcompat_data_file:dir rw_dir_perms;
+allow system_server appcompat_data_file:file create_file_perms;
+
# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;
@@ -501,6 +545,9 @@
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;
+# Allow write access to be able to truncate tombstones.
+allow system_server tombstone_data_file:file write;
+
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;
@@ -517,17 +564,11 @@
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
+# Manage /data/rollback.
+allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
+
# Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:dir { getattr read search };
+allow system_server app_data_file_type:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
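Review bot: The `file` half of the new `allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };` duplicates the `staging_data_file:file create_file_perms` granted two lines above; only `lnk_file` and `link` are new, so `allow system_server staging_data_file:lnk_file { create_file_perms link };` plus `allow system_server staging_data_file:file link;` would make the delta explicit. If /data/rollback is labelled staging_data_file, the `# Manage /data/rollback.` comment should say so, since the type name alone does not suggest that path. Replacing the enumerated list with the `app_data_file_type` attribute here and in the next hunk (`:file { getattr read write append map }`) means any type that later gains the attribute is granted automatically, so the attribute's membership deserves a comment where it is defined.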
@@ -540,16 +581,7 @@
allow system_server system_app_data_file:file create_file_perms;
# Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:file { getattr read write append map };
+allow system_server app_data_file_type:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };
@@ -565,6 +597,11 @@
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+# Allow PackageManager to:
+# 1. rename file from /data/app-staging folder to /data/app
+# 2. relabel files (linked to /data/rollback) under /data/app-staging
+# during staged apk/apex install.
+allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
@@ -598,20 +635,20 @@
# Property Service write
set_prop(system_server, system_prop)
+set_prop(system_server, bootanim_system_prop)
set_prop(system_server, exported_system_prop)
-set_prop(system_server, exported2_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
-set_prop(system_server, system_radio_prop)
-set_prop(system_server, exported_system_radio_prop)
+set_prop(system_server, usb_control_prop)
+set_prop(system_server, usb_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
-set_prop(system_server, exported_fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
@@ -620,6 +657,10 @@
set_prop(system_server, exported_pm_prop)
set_prop(system_server, socket_hook_prop)
set_prop(system_server, audio_prop)
+set_prop(system_server, boot_status_prop)
+set_prop(system_server, surfaceflinger_color_prop)
+set_prop(system_server, provisioned_prop)
+set_prop(system_server, retaildemo_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
@@ -637,10 +678,15 @@
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_profcollect_native_boot_prop)
+set_prop(system_server, device_config_statsd_native_prop)
+set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
+set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
+set_prop(system_server, device_config_connectivity_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
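Review bot: The newly granted `device_config_profcollect_native_boot_prop`, `device_config_statsd_native_prop` and `device_config_statsd_native_boot_prop` do not appear in the visible part of the neverallow set that restricts who may set device_config properties, whereas `device_config_connectivity_prop` and `device_config_swcodec_native_prop` are added there in the same change (the two hunks inside the `-flags_health_check } { ... }:property_service set;` block). That list is only partly visible, so they may already be covered; if not, the three types should be added so the setter restriction stays uniform across device_config_* properties.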
@@ -656,9 +702,9 @@
# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)
-# Audio service in system server can read exported audio properties,
+# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
-get_prop(system_server, exported_audio_prop)
+get_prop(system_server, audio_config_prop)
# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
@@ -682,6 +728,21 @@
# Read the vendor property that indicates if Incremental features is enabled
get_prop(system_server, incremental_prop)
+# Read ro.zram. properties
+get_prop(system_server, zram_config_prop)
+
+# Read/write persist.sys.zram_enabled
+set_prop(system_server, zram_control_prop)
+
+# Read/write persist.sys.dalvik.vm.lib.2
+set_prop(system_server, dalvik_runtime_prop)
+
+# Read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(system_server, packagemanager_config_prop)
+
+# Read the net.464xlat.cellular.enabled property (written by init).
+get_prop(system_server, net_464xlat_fromvendor_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -719,9 +780,6 @@
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
@@ -752,6 +810,7 @@
add_service(system_server, system_server_service);
allow system_server audioserver_service:service_manager find;
+allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
@@ -762,17 +821,18 @@
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
-allow system_server hal_fingerprint_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
+allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
+allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
@@ -782,6 +842,9 @@
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
+userdebug_or_eng(`
+ allow system_server profcollectd_service:service_manager find;
+')
add_service(system_server, batteryproperties_service)
@@ -806,14 +869,66 @@
user_changed
};
+allow system_server keystore:keystore2 {
+ add_auth
+ change_password
+ change_user
+ clear_ns
+ clear_uid
+ get_state
+ lock
+ reset
+ unlock
+};
+
+allow system_server keystore:keystore2_key {
+ delete
+ use_dev_id
+ grant
+ get_info
+ rebind
+ update
+ use
+};
+
+# Allow Wifi module to manage Wi-Fi keys.
+allow system_server wifi_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+# Allow lock_settings service to manage RoR keys.
+allow system_server resume_on_reboot_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
+allow system_server locksettings_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-# Clean up old cgroups
+# Create new process groups and clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir create_dir_perms;
+allow system_server cgroup_v2:file { r_file_perms setattr };
# /oem access
r_dir_file(system_server, oemfs)
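Review bot: The two keystore2 blocks at the top of this hunk grant `use_dev_id` and `grant` on `keystore:keystore2_key` and `reset`, `clear_ns`, `clear_uid` and `change_password` on `keystore:keystore2`, which are the most privilege-sensitive permissions in the hunk, yet the wifi_key, resume_on_reboot_key and locksettings_key blocks below are each introduced by a comment while these two are not. Add a header naming the system_server components that need them, e.g. `# Allow system_server's keystore and lock_settings services to manage keystore2 state and keys; use_dev_id is needed for <consumer>.` with the placeholder filled in. There is also a doubled blank line before `# Allow system server to search and write to the persistent factory reset`.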
@@ -845,6 +960,10 @@
# Allow writing and removing window traces in /data/misc/wmtrace.
allow system_server wm_trace_data_file:dir rw_dir_perms;
allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+
+ # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
+ allow system_server accessibility_trace_data_file:dir rw_dir_perms;
+ allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')
# For AppFuse.
@@ -892,9 +1011,13 @@
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_bpf:dir rw_dir_perms;
-allow system_server cgroup_bpf:file rw_file_perms;
+
+# Access to /dev/dma_heap/system
+allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
+# Access to /dev/dma_heap/system-secure
+allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
@@ -902,6 +1025,7 @@
allow system_server {
proc_cmdline
proc_loadavg
+ proc_locks
proc_meminfo
proc_pagetypeinfo
proc_pipe_conf
@@ -925,6 +1049,10 @@
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
+# Allow BootReceiver to watch trace error_report events.
+allow system_server debugfs_bootreceiver_tracing:dir search;
+allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
+
# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;
@@ -947,7 +1075,7 @@
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { getattr search };
+allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
# System server may dump profile data for debuggable apps in the /data/misc/profman.
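Review bot: The rewritten rule `allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };` is missing the space before the closing brace; the rest of the file writes sets as `{ a b }`. The same slip appears in the last hunk of traced_probes.te (`{ user_profile_root_file user_profile_data_file}:dir`). Suggest `allow system_server { user_profile_root_file user_profile_data_file }:dir { getattr search };`.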
@@ -973,9 +1101,25 @@
# on low memory kills.
get_prop(system_server, system_lmk_prop)
+get_prop(system_server, wifi_config_prop)
+
# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+# Watchdog prints debugging log to /dev/kmsg_debug.
+userdebug_or_eng(`
+ allow system_server kmsg_debug_device:chr_file { open append getattr };
+')
+# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
+get_prop(system_server, framework_watchdog_config_prop)
+
+
+# Font files are written by system server
+allow system_server font_data_file:file create_file_perms;
+allow system_server font_data_file:dir create_dir_perms;
+# Allow system process to setup fs-verity for font files
+allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+
###
### Neverallow rules
###
@@ -989,14 +1133,11 @@
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
+# Exclude those types that system_server needs to open directly.
neverallow system_server {
- bluetooth_data_file
- nfc_data_file
- shell_data_file
- app_data_file
- privapp_data_file
+ app_data_file_type
+ -system_app_data_file
+ -radio_data_file
}:file { open create unlink link };
# Forking and execing is inherently dangerous and racy. See, for
@@ -1036,6 +1177,7 @@
-flags_health_check
} {
device_config_activity_manager_native_boot_prop
+ device_config_connectivity_prop
device_config_input_native_boot_prop
device_config_netd_native_prop
device_config_runtime_native_boot_prop
@@ -1043,6 +1185,7 @@
device_config_media_native_prop
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ device_config_swcodec_native_prop
device_config_window_manager_native_boot_prop
}:property_service set;
@@ -1088,7 +1231,11 @@
# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir r_dir_perms;
+# Allow system server to read /apex/apex-info-list.xml
+allow system_server apex_info_file:file r_file_perms;
+
# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)
@@ -1113,6 +1260,8 @@
allow system_server apex_module_data_file:dir { getattr search };
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
+allow system_server apex_scheduling_data_file:dir create_dir_perms;
+allow system_server apex_scheduling_data_file:file create_file_perms;
allow system_server apex_wifi_data_file:dir create_dir_perms;
allow system_server apex_wifi_data_file:file create_file_perms;
@@ -1122,10 +1271,26 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
+allow system_server userspace_reboot_metadata_file:file create_file_perms;
+
# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;
+allow system_server watchdog_metadata_file:dir rw_dir_perms;
+allow system_server watchdog_metadata_file:file create_file_perms;
+
+allow system_server gsi_persistent_data_file:dir rw_dir_perms;
+allow system_server gsi_persistent_data_file:file create_file_perms;
+
+# Allow system server read and remove files under /data/misc/odrefresh
+allow system_server odrefresh_data_file:dir rw_dir_perms;
+allow system_server odrefresh_data_file:file { r_file_perms unlink };
+
+# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
+allow system_server surfaceflinger_exec:file r_file_perms;
+
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
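Review bot: The new `userspace_reboot_metadata_file`, `watchdog_metadata_file` and `gsi_persistent_data_file` grants (`rw_dir_perms`/`create_dir_perms` on the dir, `create_file_perms` on files) are the additions in this hunk without a comment naming the path and consumer, while the neighbouring `staged_install_file`, `odrefresh_data_file` and `surfaceflinger_exec` rules have one. Add the same kind of header to each, e.g. `# Allow system server rw access to files in <path> for <consumer>.` with the placeholders filled in, so system_server's footprint on /metadata and /data stays auditable.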
@@ -1163,6 +1328,10 @@
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+# Only system_server/init should access /metadata/userspacereboot.
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
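Review bot: The new neverallow for `userspace_reboot_metadata_file` blocks `*` on `dir` but only `no_rw_file_perms` on `file`, so permissions outside that macro remain possible for other domains, whereas the `password_slot_metadata_file` rule directly above uses `notdevfile_class_set *` for the same "only init and system_server" intent. If the weaker file rule is deliberate (for example a reader that only needs getattr), a short comment saying so prevents a later tightening; otherwise `neverallow { domain -init -system_server } userspace_reboot_metadata_file:notdevfile_class_set *;` matches the neighbouring rule.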
@@ -1176,8 +1345,34 @@
# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+neverallow { domain -init -system_server } boot_status_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -system_server
+} wifi_config_prop:file no_rw_file_perms;
+
+# Only allow system server to write uhid sysfs files
+neverallow {
+ domain
+ -init
+ -system_server
+ -ueventd
+ -vendor_init
+} sysfs_uhid:file no_w_file_perms;
+
# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Only system server can write the font files.
+neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
+neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
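Review bot: `get_prop(system_server, qemu_hw_prop)` and its comment are appended at the very end of the file, below the `### Neverallow rules ###` header, so an allow rule now lives in the section reserved for neverallows. Move the two lines up to the property block next to the other `get_prop(system_server, ...)` rules so the section boundary keeps its meaning. The comment could also say which service reads `qemu.hw.mainkeys`, matching the style of the other property comments.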
diff --git a/private/system_suspend.te b/private/system_suspend.te
index d33dc8e..caf8955 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -1,24 +1,36 @@
-type system_suspend, domain, coredomain, system_suspend_server;
+type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
type system_suspend_exec, system_file_type, exec_type, file_type;
init_daemon_domain(system_suspend)
-# To serve ISuspendControlService.aidl.
+# To serve ISuspendControlService.
binder_use(system_suspend)
add_service(system_suspend, system_suspend_control_service)
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
-# Access to wakeup and suspend stats.
+# Access to wakeup, suspend stats, and wakeup reasons.
r_dir_file(system_suspend, sysfs_suspend_stats)
r_dir_file(system_suspend, sysfs_wakeup)
+r_dir_file(system_suspend, sysfs_wakeup_reasons)
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir search;
+# Access to suspend_hal system properties
+get_prop(system_suspend, suspend_prop)
+
+# To call BTAA registered callbacks
+allow system_suspend bluetooth:binder call;
+
+# For adding `dumpsys syspend_control` output to bugreport
+allow system_suspend dumpstate:fd use;
+allow system_suspend dumpstate:fifo_file write;
+
neverallow {
domain
-atrace # tracing
+ -bluetooth # support Bluetooth activity attribution (BTAA)
-dumpstate # bug reports
-system_suspend # implements system_suspend_control_service
-system_server # configures system_suspend via ISuspendControlService
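Review bot: The comment `# For adding \`dumpsys syspend_control\` output to bugreport` misspells the service name: `syspend` should read `suspend`. The new `allow system_suspend bluetooth:binder call;` is explained only by the abbreviation BTAA; the neverallow exemption below expands it, so the first use could too: `# To call BTAA (Bluetooth activity attribution) registered callbacks`.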
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index fdcd0a3..9b3e3c6 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -63,3 +63,9 @@
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_cas_client;
(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
+
+; Properties having both system_property_type and vendor_property_type are illegal
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
+(typeattribute system_and_vendor_property_type)
+(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
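Review bot: The new `system_and_vendor_property_type` attribute only names the intersection of the two property attributes; on its own it makes nothing illegal, so the comment's claim depends on a neverallow or build-time check over this attribute that is not in this hunk. If that rule lives in another file, reference it here, e.g. `; enforced by the neverallow on system_and_vendor_property_type in <file>`; otherwise the attribute is inert until one is added.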
diff --git a/private/tombstoned.te b/private/tombstoned.te
index 305f9d0..b6dfd1e 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -1,3 +1,13 @@
typeattribute tombstoned coredomain;
init_daemon_domain(tombstoned)
+
+get_prop(tombstoned, tombstone_config_prop)
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -tombstoned
+} tombstone_config_prop:file no_rw_file_perms;
diff --git a/private/traced.te b/private/traced.te
index 2410d7e..6e3ad46 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -3,7 +3,6 @@
# type traced is defined under /public (because iorapd rules
# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
-type traced_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
@@ -28,12 +27,20 @@
# Allow the service to create new files within /data/misc/perfetto-traces.
allow traced perfetto_traces_data_file:file create_file_perms;
allow traced perfetto_traces_data_file:dir rw_dir_perms;
+# ... and /data/misc/perfetto-traces/bugreport*
+allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
+allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
allow traced traceur_app:fd use;
allow traced trace_data_file:file { read write };
+# Allow perfetto to access the proxy service for notifying Traceur.
+allow traced tracingproxy_service:service_manager find;
+binder_use(traced);
+binder_call(traced, system_server);
+
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
# write into the shmem buffer file without doing roundtrips over IPC.
allow traced iorapd:fd use;
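Review bot: `binder_use(traced);` and `binder_call(traced, system_server);` end with semicolons while the other macro invocations in this file (`set_prop(traced, traced_lazy_prop)`) do not, so the file now mixes both forms; drop the trailing semicolons for consistency. The comment says the access is for notifying Traceur through the proxy service, but `binder_call` is granted at domain granularity, so traced may call any binder interface system_server exposes; stating in the comment that the proxy service is the only intended target stops later readers from treating the wider grant as sanctioned.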
@@ -62,6 +69,9 @@
# Allow to lazily start producers.
set_prop(traced, traced_lazy_prop)
+# Allow traced to talk to statsd for logging metrics.
+unix_socket_send(traced, statsdw, statsd)
+
###
### Neverallow rules
###
@@ -82,6 +92,7 @@
neverallow traced {
data_file_type
-perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
-system_data_file
-system_data_root_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
@@ -97,6 +108,7 @@
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
-trace_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 9483e6c..96a7263 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -28,10 +28,24 @@
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
+allow traced_perf proc_kallsyms:file r_file_perms;
+
+# Allow reading tracefs files to get the format and numeric ids of tracepoints.
+allow traced_perf debugfs_tracing:dir r_dir_perms;
+allow traced_perf debugfs_tracing:file r_file_perms;
+userdebug_or_eng(`
+ allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
+ allow traced_perf debugfs_tracing_debug:file r_file_perms;
+')
+
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
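Review bot: `allow traced_perf proc_kallsyms:file r_file_perms;` is unconditional while the `lower_kptr_restrict_prop` set_prop that the comment describes is wrapped in `userdebug_or_eng`, so on user builds traced_perf can read /proc/kallsyms but cannot lift kptr_restrict. If that is the intent (the table is readable with addresses left as the kernel masks them), the comment should say so, e.g. `# On user builds kptr_restrict is left untouched; the kallsyms read is still allowed so the masked table can be parsed.`; otherwise the allow belongs inside the same `userdebug_or_eng` block. The identical pair in traced_probes.te (the hunk adding `set_prop(traced_probes, lower_kptr_restrict_prop)`) raises the same question.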
@@ -45,7 +59,7 @@
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
# Never allow profiling highly privileged processes.
-never_profile_heap(`{
+never_profile_perf(`{
bpfloader
init
kernel
diff --git a/private/traced_probes.te b/private/traced_probes.te
index dd6ece0..730a45c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -14,9 +14,15 @@
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
+
+# Allow traced_probes to access mm_events trace instance
+allow traced_probes debugfs_tracing_instances:dir search;
+allow traced_probes debugfs_mm_events_tracing:dir search;
+allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
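Review bot: `allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;` grants write access to the mm_events trace instance, but the comment above it only says "access", and the other tracefs addition in this hunk (`debugfs_tracing_printk_formats`) is read-only. Since writes into a trace instance change what the kernel records, the comment should state what traced_probes writes there, e.g. `# rw: traced_probes toggles events in the mm_events instance and reads its trace pipe` if that is what it does. The enclosing file section continues in the hunks below.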
@@ -29,6 +35,11 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
+allow traced_probes proc_kallsyms:file r_file_perms;
+
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
@@ -42,6 +53,7 @@
allow traced_probes self:global_capability_class_set dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read search };
+allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
userdebug_or_eng(`
# search and getattr are granted via domain and coredomain, respectively.
@@ -52,7 +64,7 @@
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes user_profile_data_file:dir { getattr open read search };
+allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
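Review bot: The rewritten rule `allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };` is missing the space before the closing brace that the neighbouring set expressions use (compare `{ apex_art_data_file apex_module_data_file }` in the hunk above); write it as `{ user_profile_root_file user_profile_data_file }`. The same brace spacing slip appears in public/app.te at `allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;` in the `@@ -309,6 +321,9 @@` hunk.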
@@ -70,6 +82,10 @@
proc_stat
}:file r_file_perms;
+# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
+allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
+allow traced_probes sysfs_devfreq_cur:file r_file_perms;
+
# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
hal_client_domain(traced_probes, hal_power_stats)
@@ -80,6 +96,9 @@
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
+# Allow traced_probes to talk to statsd for logging metrics.
+unix_socket_send(traced_probes, statsdw, statsd)
+
###
### Neverallow rules
###
@@ -98,6 +117,8 @@
# Disallows access to /data files.
neverallow traced_probes {
data_file_type
+ -apex_module_data_file
+ -apex_art_data_file
-apk_data_file
-dalvikcache_data_file
-system_data_file
@@ -107,6 +128,7 @@
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
+ -user_profile_root_file
-user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
@@ -127,3 +149,4 @@
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;
+
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 94841df..2937e26 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -20,3 +20,5 @@
unix_socket_connect(traceur_app, traced_consumer, traced)
dontaudit traceur_app debugfs_tracing_debug:file audit_access;
+
+set_prop(traceur_app, debug_prop)
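Review bot: `set_prop(traceur_app, debug_prop)` is added without a comment, unlike the other set_prop additions on this page (ueventd, uncrypt, update_verifier), so a reader cannot tell which property Traceur writes or why an app domain needs write access to that property type. Add a one-line comment above it naming the property and its purpose, e.g. `# Traceur sets <property name> to <purpose>.`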
diff --git a/private/ueventd.te b/private/ueventd.te
index 1bd6773..8bcdbf9 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,7 @@
typeattribute ueventd coredomain;
tmpfs_domain(ueventd)
+
+# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
+# to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e4e9224..1a94cd1 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,6 @@
typeattribute uncrypt coredomain;
init_daemon_domain(uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index a1abc41..41cabe8 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -51,3 +51,4 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index b7b6d72..0993faa 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -39,3 +39,4 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 344ae89..c5652b1 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -17,3 +17,4 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d9fd5a1..6064c14 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -2,7 +2,8 @@
### Untrusted_app_all.
###
### This file defines the rules shared by all untrusted app domains except
-### ephemeral_app for instant apps.
+### ephemeral_app for instant apps and isolated_app (which has a reduced
+### permission set).
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
@@ -63,6 +64,9 @@
neverallow untrusted_app_all trace_data_file:dir *;
neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+# neverallow untrusted apps accessing debugfs_tracing
+neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
+
# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
@@ -80,10 +84,6 @@
allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
allow untrusted_app_all media_rw_data_file:file create_file_perms;
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app_all mnt_media_rw_file:dir search;
-
# allow cts to query all services
allow untrusted_app_all servicemanager:service_manager list;
@@ -98,10 +98,6 @@
allow untrusted_app_all radio_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
-allow untrusted_app_all gpu_service:service_manager find;
-
-# Allow untrusted apps to interact with gpuservice
-binder_call(untrusted_app_all, gpuservice)
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app_all self:process ptrace;
@@ -149,6 +145,9 @@
# Allow the renderscript compiler to be run.
domain_auto_trans(untrusted_app_all, rs_exec, rs)
+# suppress denials caused by debugfs_tracing
+dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
+
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
dontaudit untrusted_app_all net_dns_prop:file read;
@@ -167,6 +166,9 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+ # The use of debugfs kcov is considered a breach of the kernel integrity
+ # according to the heuristic of lockdown.
+ allow untrusted_app_all self:lockdown integrity;
')
# Allow signalling simpleperf domain, which is the domain that the simpleperf
diff --git a/private/update_engine.te b/private/update_engine.te
index e4e7009..d828e1f 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -5,3 +5,27 @@
# Allow to talk to gsid.
allow update_engine gsi_service:service_manager find;
binder_call(update_engine, gsid)
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# Allow to start snapuserd for dm-user communication.
+set_prop(update_engine, ctl_snapuserd_prop)
+
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
+# Allow to get the DSU status
+get_prop(update_engine, gsid_prop)
+
+# Allow update_engine to call the callback function provided by GKI update hook.
+binder_call(update_engine, gki_apex_prepostinstall)
+
+# Allow to communicate with the snapuserd service, for dm-user snapshots.
+allow update_engine snapuserd:unix_stream_socket connectto;
+allow update_engine snapuserd_socket:sock_file write;
+
+# Allow to communicate with apexd for calculating and reserving space for
+# capex decompression
+allow update_engine apex_service:service_manager find;
+binder_call(update_engine, apexd)
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index a7fb584..8571ff6 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -1,5 +1,13 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
+# The postinstall program is run by update_engine_common and must be tagged
+# with postinstall_exec in the new filesystem.
+# TODO Have build system attempt to verify this
+domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
+
+# Vendor directories can have the transition as well during OTA. This is caused
+# by update_engine execing scripts in vendor to perform any update tasks needed
+# there.
domain_auto_trans(update_engine_common, postinstall_file, postinstall)
+
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
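Review bot: `allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };` is appended with no comment while the rest of this hunk documents every rule; mount/unmount on labeledfs is a broad filesystem privilege and the operation that needs it should be recorded, e.g. `# update_engine mounts/unmounts <which filesystem> during <which update step>.` The rewritten postinstall comment also leaves `# TODO Have build system attempt to verify this` without an owner or bug reference; adding one keeps the open item traceable.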
diff --git a/private/update_verifier.te b/private/update_verifier.te
index 1b934d9..5e1b27b 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -1,3 +1,9 @@
typeattribute update_verifier coredomain;
init_daemon_domain(update_verifier)
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
diff --git a/private/usbd.te b/private/usbd.te
index 13a0ad7..42f2324 100644
--- a/private/usbd.te
+++ b/private/usbd.te
@@ -10,3 +10,6 @@
# start adbd during boot if adb is enabled
set_prop(usbd, ctl_default_prop)
+
+# Start/stop adbd via ctl.start adbd
+set_prop(usbd, ctl_adbd_prop)
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 6a68f1f..2e616f3 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -5,3 +5,16 @@
# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
allow vendor_init system_data_root_file:dir rw_dir_perms;
+
+# Let vendor_init set service.adb.tcp.port.
+set_prop(vendor_init, adbd_config_prop)
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -keychord_device
+ -kvm_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
diff --git a/private/virtmanager.te b/private/virtmanager.te
new file mode 100644
index 0000000..467f7d4
--- /dev/null
+++ b/private/virtmanager.te
@@ -0,0 +1,17 @@
+type virtmanager, domain, coredomain;
+type virtmanager_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
+init_daemon_domain(virtmanager)
+
+# Let the virtmanager domain use Binder.
+binder_use(virtmanager)
+
+# Let the virtmanager domain register the virtualization_service with ServiceManager.
+add_service(virtmanager, virtualization_service)
+
+# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtmanager, crosvm_exec, crosvm)
+
+# Let virtmanager kill crosvm.
+allow virtmanager crosvm:process sigkill;
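Review bot: The new virtmanager domain registers `virtualization_service` via add_service, but the file carries no neverallow constraining which domains may find that service or binder_call virtmanager, unlike vold.te further down this page, which pairs its service with a `neverallow { domain -... } vold_service:service_manager find;` rule. If the service is intended for a small set of callers, a matching neverallow here would lock that in from the start; if it is deliberately open, a comment saying so would pre-empt the question. The `sigkill` rule would also benefit from noting why only that signal is granted.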
diff --git a/private/vold.te b/private/vold.te
index dea24a5..a802bdb 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -17,3 +17,51 @@
# from accidentally writing when the mount point isn't present.
type_transition vold storage_file:dir storage_stub_file;
type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
+
+# Property Service
+get_prop(vold, vold_config_prop)
+get_prop(vold, storage_config_prop);
+get_prop(vold, incremental_prop);
+
+set_prop(vold, vold_post_fs_data_prop)
+set_prop(vold, vold_prop)
+set_prop(vold, vold_status_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
+set_prop(vold, boottime_prop)
+set_prop(vold, boottime_public_prop)
+
+# Vold will use Keystore instead of using Keymint directly. But it still needs
+# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
+allow vold vold_key:keystore2_key {
+ convert_storage_key_to_ephemeral
+ delete
+ get_info
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+};
+
+# vold needs to call keystore methods
+allow vold keystore:binder call;
+
+# vold needs to find keystore2 services
+allow vold keystore_service:service_manager find;
+allow vold keystore_maintenance_service:service_manager find;
+
+# vold needs to be able to call earlyBootEnded()
+allow vold keystore:keystore2 early_boot_ended;
+
+neverallow {
+ domain
+ -system_server
+ -vdc
+ -vold
+ -update_verifier
+ -apexd
+ -gsid
+} vold_service:service_manager find;
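Review bot: `get_prop(vold, storage_config_prop);` and `get_prop(vold, incremental_prop);` end with a semicolon while every other macro invocation in this hunk does not; the build evidently tolerates it, but it is inconsistent, so drop it: `get_prop(vold, storage_config_prop)`. The same stray semicolon appears in the zygote.te hunk at `@@ -172,6 +181,9 @@` (`get_prop(zygote, storage_config_prop);`). The comment on `manage_blob` is helpful; a similar one-liner for `req_forced_op` would cover the other non-obvious entry in the keystore2_key permission set.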
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index f3ec058..1414f6c 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -1,5 +1,7 @@
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+typeattribute vold_prepare_subdirs mlstrustedsubject;
+
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
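Review bot: `typeattribute vold_prepare_subdirs mlstrustedsubject;` is added without a comment explaining why this helper needs to bypass MLS constraints; the app.te hunk on this page now explicitly excludes mlstrustedsubject domains from creating app data files, so the attribute has real consequences and its rationale (presumably relabeling per-user directories that sit at other MLS levels, given the user_profile rules added later in this file) should be stated, e.g. `# mlstrustedsubject: must <reason> in per-user directories at other MLS levels.`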
@@ -14,9 +16,11 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ apex_art_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
+ apex_scheduling_data_file
apex_wifi_data_file
backup_data_file
face_vendor_data_file
@@ -24,12 +28,16 @@
iris_vendor_data_file
rollback_data_file
storaged_data_file
+ system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ apex_art_data_file
+ apex_art_staging_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
+ apex_scheduling_data_file
apex_wifi_data_file
backup_data_file
face_vendor_data_file
@@ -41,5 +49,10 @@
vold_data_file
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
+allow vold_prepare_subdirs mnt_expand_file:dir search;
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
+allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+# /data/misc is unlabeled during early boot.
+allow vold_prepare_subdirs unlabeled:dir search;
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index 85a28da..8878acf 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -7,3 +7,9 @@
hal_client_domain(wait_for_keymaster, hal_keymaster)
allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
+
+# wait_for_keymaster needs to find keystore and call methods with the returned
+# binder reference.
+allow wait_for_keymaster servicemanager:binder call;
+allow wait_for_keymaster keystore_service:service_manager find;
+allow wait_for_keymaster keystore:binder call;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 969ab9c..3f217e1 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,6 +10,8 @@
# a domain macro.
tmpfs_domain(webview_zygote);
+userfaultfd_use(webview_zygote)
+
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -28,9 +30,10 @@
allow webview_zygote isolated_app:process dyntransition;
# For art.
-allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
+allow webview_zygote apex_module_data_file:dir search;
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;
@@ -103,15 +106,7 @@
neverallow webview_zygote property_type:property_service set;
# Should not have any access to app data files.
-neverallow webview_zygote {
- app_data_file
- privapp_data_file
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
-}:file { rwx_file_perms };
+neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
neverallow webview_zygote {
service_manager_type
diff --git a/private/wificond.te b/private/wificond.te
index 5476e33..8bf37ca 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,9 @@
typeattribute wificond coredomain;
+set_prop(wificond, wifi_hal_prop)
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+get_prop(wificond, hwservicemanager_prop)
+
init_daemon_domain(wificond)
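Review bot: The three new set_prop lines for wificond carry no comment, and `ctl_default_prop` in particular — if it is the catch-all type for ctl.* properties — lets wificond start or stop a range of services; the usbd.te hunk on this page shows the expected style (`# Start/stop adbd via ctl.start adbd`). Name the service wificond controls, e.g. `# Start/stop <service> via ctl.start/ctl.stop`, and say what wifi_hal_prop and wifi_prop are written for.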
diff --git a/private/zygote.te b/private/zygote.te
index 5f08f8d..9038c4f 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -24,6 +24,8 @@
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms };
+userfaultfd_use(zygote)
+
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
@@ -50,6 +52,13 @@
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute;
+# Allow zygote to find files in APEX data directories.
+allow zygote apex_module_data_file:dir search;
+
+# Allow zygote to find and map files created by on device signing.
+allow zygote apex_art_data_file:dir { getattr search };
+allow zygote apex_art_data_file:file { r_file_perms execute };
+
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
@@ -61,7 +70,7 @@
allow zygote mnt_expand_file:dir { open read search relabelto };
# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote { user_profile_data_file }:dir { mounton search };
+allow zygote user_profile_root_file:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
@@ -69,6 +78,9 @@
# Goes into media directory and bind mount obb directory
allow zygote media_rw_data_file:dir { getattr search };
+# Bind mount on top of existing mounted obb and data directory
+allow zygote media_rw_data_file:dir { mounton };
+
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
@@ -77,15 +89,10 @@
allow zygote mirror_data_file:dir r_dir_perms;
-# Get inode of data directories
+# Get inode of directories for app data isolation
allow zygote {
+ app_data_file_type
system_data_file
- radio_data_file
- app_data_file
- shell_data_file
- bluetooth_data_file
- privapp_data_file
- nfc_data_file
mnt_expand_file
}:dir getattr;
@@ -106,6 +113,8 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
@@ -172,6 +181,9 @@
allow zygote same_process_hal_file:file { execute read open getattr map };
+# Allow the zygote to access storage properties to check if sdcardfs is enabled.
+get_prop(zygote, storage_config_prop);
+
# Let the zygote access overlays so it can initialize the AssetManager.
get_prop(zygote, overlay_prop)
get_prop(zygote, exported_overlay_prop)
@@ -185,11 +197,16 @@
get_prop(zygote, device_config_window_manager_native_boot_prop)
# ingore spurious denials
-dontaudit zygote self:global_capability_class_set sys_resource;
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
-# Ignore spurious denials calling access() on fuse
+# Ignore spurious denials calling access() on fuse.
+# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
+# doesn't exist.
# TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir setattr;
+dontaudit zygote media_rw_data_file:dir { read open setattr };
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
@@ -200,6 +217,15 @@
# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)
+# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
+get_prop(zygote, packagemanager_config_prop)
+
+# Allow zygote to read qemu.sf.lcd_density
+get_prop(zygote, qemu_sf_lcd_density_prop)
+
+# Allow zygote to read /apex/apex-info-list.xml
+allow zygote apex_info_file:file r_file_perms;
+
###
### neverallow rules
###
@@ -218,9 +244,12 @@
app_zygote
}:process dyntransition;
-# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+# Zygote should never execute anything from /data except for
+# /data/dalvik-cache files or files generated during on-device
+# signing under /data/misc/apexdata/com.android.art/.
neverallow zygote {
data_file_type
+ -apex_art_data_file # map PROT_EXEC
-dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;
@@ -233,7 +262,4 @@
}:file create_file_perms;
# Zygote should not be able to access app private data.
-neverallow zygote {
- privapp_data_file
- app_data_file
-}:dir ~getattr;
+neverallow zygote app_data_file_type:dir ~getattr;
diff --git a/public/adbd.te b/public/adbd.te
index 4a1f633..5056b35 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -7,5 +7,7 @@
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)
+# Access /data/local/tests.
+allow adbd shell_test_data_file:dir create_dir_perms;
+allow adbd shell_test_data_file:file create_file_perms;
+allow adbd shell_test_data_file:lnk_file create_file_perms;
diff --git a/public/apexd.te b/public/apexd.te
index 93c257f..53bc569 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -4,12 +4,8 @@
binder_use(apexd)
add_service(apexd, apex_service)
-set_prop(apexd, apexd_prop)
-neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
+neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
-
-# only apexd can set apexd sysprop
-neverallow { domain -apexd -init } apexd_prop:property_service set;
diff --git a/public/app.te b/public/app.te
index e5b9fd6..ae8d7fd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -66,8 +66,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -117,8 +120,8 @@
r_dir_file(appdomain, vendor_framework_file)
# Allow apps read / execute access to vendor public libraries.
-allow appdomain vendor_public_lib_file:dir r_dir_perms;
-allow appdomain vendor_public_lib_file:file { execute read open getattr map };
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };
@@ -167,6 +170,7 @@
unix_socket_send(appdomain, statsdw, statsd)
# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
@@ -219,6 +223,8 @@
binder_call(appdomain, appdomain)
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;
@@ -290,6 +296,10 @@
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
use_keystore({ appdomain -isolated_app -ephemeral_app })
@@ -302,6 +312,8 @@
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app } hal_audio:fd use;
@@ -309,6 +321,9 @@
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
@@ -466,10 +481,10 @@
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -system_app }
+neverallow { appdomain -platform_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -system_app }
+neverallow { appdomain -platform_app }
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
@@ -537,28 +552,13 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
# Applications should use the activity model for receiving events
neverallow {
appdomain
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
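Review bot: The deleted block `neverallow { bluetooth isolated_app nfc radio shared_relro system_app } { data_file_type -dalvikcache_data_file -system_data_file -apk_data_file }:file no_x_file_perms;` drops the compile-time guarantee that those domains cannot execute from /data, and nothing in this hunk replaces it. If the restriction moved to per-domain rules or to a broader `neverallow appdomain` elsewhere in the merge, a reference to it in the commit message or a short comment here would keep the intent traceable; otherwise this is a silent weakening of the execute-from-/data invariant and should be called out explicitly.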
@@ -592,3 +592,6 @@
{ open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
{ open read getattr search };
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
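Review bot: The comment `# Allow to ro.camerax.extensions.enabled` is missing its verb, so it does not say what is allowed; write `# Allow apps to read ro.camerax.extensions.enabled` to match the get_prop it describes.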
diff --git a/public/asan_extract.te b/public/asan_extract.te
index 15c5a09..d8a1b73 100644
--- a/public/asan_extract.te
+++ b/public/asan_extract.te
@@ -5,7 +5,7 @@
with_asan(`
type asan_extract, domain, coredomain;
- type asan_extract_exec, exec_type, file_type;
+ type asan_extract_exec, exec_type, file_type, system_file_type;
# Allow asan_extract to execute itself using #!/system/bin/sh
allow asan_extract shell_exec:file rx_file_perms;
@@ -30,7 +30,4 @@
# Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
allow asan_extract system_data_file:file execute;
-
- # We need to signal a reboot when done.
- set_prop(asan_extract, powerctl_prop)
')
diff --git a/public/atrace.te b/public/atrace.te
new file mode 100644
index 0000000..7327f84
--- /dev/null
+++ b/public/atrace.te
@@ -0,0 +1 @@
+type atrace, domain, coredomain;
diff --git a/public/attributes b/public/attributes
index 19623af..daef4bb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -34,6 +34,11 @@
attribute core_data_file_type;
expandattribute core_data_file_type false;
+# All types used for app private data files in seapp_contexts.
+# Such types should not be applied to any other files.
+attribute app_data_file_type;
+expandattribute app_data_file_type false;
+
# All types in /system
attribute system_file_type;
@@ -57,6 +62,9 @@
# All types use for debugfs files.
attribute debugfs_type;
+# All types used for tracefs files.
+attribute tracefs_type;
+
# Attribute used for all sdcards
attribute sdcard_type;
@@ -91,35 +99,46 @@
# All properties defined by /system.
attribute system_property_type;
+expandattribute system_property_type false;
# All /system-defined properties used only in /system.
attribute system_internal_property_type;
+expandattribute system_internal_property_type false;
# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
+expandattribute system_restricted_property_type false;
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
+expandattribute system_public_property_type false;
+
+# All keystore2_key labels.
+attribute keystore2_key_type;
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced to /system attributes.
define(`product_property_type', `system_property_type')
-define(`product_internal_type', `system_internal_property_type')
-define(`product_restricted_type', `system_restricted_property_type')
-define(`product_public_type', `system_public_property_type')
+define(`product_internal_property_type', `system_internal_property_type')
+define(`product_restricted_property_type', `system_restricted_property_type')
+define(`product_public_property_type', `system_public_property_type')
# All properties defined by /vendor.
attribute vendor_property_type;
+expandattribute vendor_property_type false;
# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
+expandattribute vendor_internal_property_type false;
# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
+expandattribute vendor_restricted_property_type false;
# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
+expandattribute vendor_public_property_type false;
# All service_manager types created by system_server
attribute system_server_service;
@@ -133,6 +152,9 @@
# services which export only system_api
attribute system_api_service;
+# services which are explicitly disallowed for untrusted apps to access
+attribute protected_service;
+
# services which served by vendor and also using the copy of libbinder on
# system (for instance via libbinder_ndk). services using a different copy
# of libbinder currently need their own context manager (e.g.
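Review bot: The comment on `protected_service` states that these services are disallowed for untrusted apps, but an attribute declaration enforces nothing by itself; the neverallow that actually forbids untrusted app domains from `find`ing `protected_service` members is not in this diff. A pointer in the comment, e.g. `# services which are explicitly disallowed for untrusted apps to access (enforced by the protected_service neverallow in private policy)` with the real file name, would let a reader verify the guarantee instead of trusting the attribute name.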
@@ -173,7 +195,7 @@
# All domains used for apps.
attribute appdomain;
-# All third party apps.
+# All third party apps (except isolated_app and ephemeral_app)
attribute untrusted_app_all;
# All domains used for apps with network access.
@@ -193,15 +215,13 @@
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
+# All vendor hwservice.
+attribute vendor_hwservice_type;
+
# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;
-# All vendor domains which violate the requirement of not using Binder
-# TODO(b/35870313): Remove this once there are no violations
-attribute binder_in_vendor_violators;
-expandattribute binder_in_vendor_violators false;
-
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
@@ -317,6 +337,7 @@
hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
+hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(memtrack);
@@ -358,8 +379,16 @@
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
+attribute system_suspend_internal_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;
# All types used for super partition block devices.
attribute super_block_device_type;
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;
+expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
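Review bot: `attribute gsi_metadata_file_type;` is declared without the `expandattribute gsi_metadata_file_type false;` that the neighbouring `dmabuf_heap_device_type` declaration in the same hunk carries. Without it the compiler is free to expand the attribute into its member types, so if the attribute is meant to be referenced by rules over all DSU metadata files, consider adding `expandattribute gsi_metadata_file_type false;` directly under the declaration for consistency with the rest of this file; if expansion is intended, a short comment saying so would stop the next reader from asking the same question.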
diff --git a/public/bootanim.te b/public/bootanim.te
index bd2bec6..88fe173 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -27,6 +27,10 @@
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
allow bootanim hal_graphics_allocator:fd use;
# Fences
@@ -37,7 +41,3 @@
# System file accesses.
allow bootanim system_file:dir r_dir_perms;
-
-# Read ro.boot.bootreason b/30654343
-get_prop(bootanim, bootloader_boot_reason_prop)
-
diff --git a/public/bootstat.te b/public/bootstat.te
index e91f2a5..5079c28 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -8,13 +8,6 @@
allow bootstat bootstat_data_file:dir rw_dir_perms;
allow bootstat bootstat_data_file:file create_file_perms;
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
-
-# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
-set_prop(bootstat, bootloader_boot_reason_prop)
-set_prop(bootstat, system_boot_reason_prop)
-set_prop(bootstat, last_boot_reason_prop)
allow bootstat metadata_file:dir search;
allow bootstat metadata_bootstat_file:dir rw_dir_perms;
allow bootstat metadata_bootstat_file:file create_file_perms;
@@ -32,31 +25,6 @@
# Allow bootstat write to statsd.
unix_socket_send(bootstat, statsdw, statsd)
-# ToDo: end
-
-neverallow {
- domain
- -bootanim
- -bootstat
- -dumpstate
- userdebug_or_eng(`-incidentd')
- -init
- -recovery
- -shell
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
-# ... and refine, as these components should not set the last boot reason
-neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
-
-neverallow {
- domain
- -bootstat
- -init
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
-# ... and refine ... for a ro propertly no less ... keep this _tight_
-neverallow system_server bootloader_boot_reason_prop:property_service set;
-
neverallow {
domain
-bootstat
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 13ef1f7..7a29240 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -13,6 +13,7 @@
hal_client_domain(cameraserver, hal_graphics_allocator)
allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
# Talk with graphics composer fences
allow cameraserver hal_graphics_composer:fd use;
@@ -26,6 +27,7 @@
allow cameraserver batterystats_service:service_manager find;
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver package_native_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
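Review bot: `allow cameraserver package_native_service:service_manager find;` is added without a comment, so the reason cameraserver now needs to reach the package manager's native interface is not visible here (the `binder_call` side, if any, is outside this hunk). A one-line reason such as `# Look up package information for <concrete use>` with the real use filled in keeps the list of system services reachable from cameraserver reviewable.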
diff --git a/public/charger.te b/public/charger.te
index 4b341ea..37359e3 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,6 +7,7 @@
# Read access to pseudo filesystems.
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
+r_dir_file(charger, cgroup_v2)
# Allow to read /sys/class/power_supply directory
allow charger sysfs_type:dir r_dir_perms;
@@ -36,13 +37,4 @@
allow charger tty_device:chr_file rw_file_perms;
allow charger proc_sysrq:file rw_file_perms;
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
-set_prop(charger, exported_system_prop)
-set_prop(charger, exported2_system_prop)
-set_prop(charger, exported3_system_prop)
-
-get_prop(charger, charger_prop)
-
hal_client_domain(charger, hal_health)
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 5188d19..a6f0a94 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -21,6 +21,9 @@
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { append };
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;
@@ -28,6 +31,9 @@
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
+# Read APEX data directories.
+allow crash_dump apex_module_data_file:dir { getattr search };
+
# Read APK files.
r_dir_file(crash_dump, apk_data_file);
@@ -56,9 +62,13 @@
core_data_file_type
vendor_file_type
}:dir search;
-dontaudit crash_dump system_data_file:file read;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
+# Suppress denials for files in /proc that are passed
+# across exec().
+dontaudit crash_dump proc_type:file rw_file_perms;
+
###
### neverallow assertions
###
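Review bot: `dontaudit crash_dump proc_type:file rw_file_perms;` silences denials on every proc_type label for the whole read/write permission set, which hides exactly the /proc access a reviewer would want to see logged if crash_dump were ever steered into writable /proc files. A dontaudit grants nothing, so this is an auditability point rather than an escalation, but the stated purpose (fds inherited across exec) only needs the permissions those inherited fds would exercise, presumably `read`/`write` rather than `open`, `ioctl` or `map`. Consider narrowing to `dontaudit crash_dump proc_type:file { read write };` or to the specific proc labels actually observed, and keep the reason in the comment.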
diff --git a/public/credstore.te b/public/credstore.te
index db16a8d..97d942d 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -12,5 +12,8 @@
add_service(credstore, credstore_service)
allow credstore sec_key_att_app_id_provider_service:service_manager find;
allow credstore dropbox_service:service_manager find;
+allow credstore authorization_service:service_manager find;
+allow credstore keystore:keystore2 get_auth_token;
r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
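Review bot: The two new keystore-related rules carry no comment explaining why credstore needs `get_auth_token` on the keystore2 class and `find` on `authorization_service`; the surrounding lines are equally terse, but these grant access to user-authentication state and deserve a one-line rationale for future audits. Something like `# credstore fetches auth tokens from keystore2 for user-auth-bound credentials` above the two lines would do — adjust to the actual reason if I have misread the intent, which is not visible in this hunk.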
diff --git a/public/device.te b/public/device.te
index 32563d6..686f955 100644
--- a/public/device.te
+++ b/public/device.te
@@ -9,6 +9,7 @@
type block_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
+type dm_user_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
@@ -16,6 +17,7 @@
type radio_device, dev_type;
type ram_device, dev_type;
type rtc_device, dev_type;
+type vd_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
@@ -29,7 +31,7 @@
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type;
+type kmsg_device, dev_type, mlstrustedobject;
type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
@@ -44,14 +46,18 @@
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
+type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
-type uhid_device, dev_type;
+type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type, mlstrustedobject;
type usb_device, dev_type, mlstrustedobject;
type usb_serial_device, dev_type;
+type gnss_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
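Review bot: `uhid_device` becomes `mlstrustedobject`, which exempts the node from MLS level constraints so that categorized domains (in Android's MLS use, app domains carrying per-app categories) are no longer stopped by MLS, leaving the TE rules as the only barrier. Since /dev/uhid allows creation of virtual input devices, the domain that motivated this should be named in a comment, e.g. `type uhid_device, dev_type, mlstrustedobject; # mlstrustedobject: needed by <domain> to create virtual HID devices`, so the exemption can be revisited when that need goes away. The same applies to `kmsg_device` in the previous hunk; the TE rules granting access to either device are not in this diff.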
@@ -112,3 +118,6 @@
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
type sdcard_block_device, dev_type;
+
+# Userdata device file for filesystem tunables
+type userdata_sysdev, dev_type;
diff --git a/public/dhcp.te b/public/dhcp.te
index 4f2369d..1d875ab 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,6 +4,7 @@
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
@@ -17,9 +18,6 @@
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net_type:file write;
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
-
allow dhcp dhcp_data_file:dir create_dir_perms;
allow dhcp dhcp_data_file:file create_file_perms;
diff --git a/public/domain.te b/public/domain.te
index e1ca737..8244b9c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,6 +66,7 @@
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
+allow domain dmabuf_heap_device:dir search;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
@@ -82,7 +83,7 @@
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
@@ -98,20 +99,34 @@
allow domain property_info:file r_file_perms;
# Public readable properties
+get_prop(domain, aaudio_config_prop)
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_odm_prop)
+get_prop(domain, build_prop)
+get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
-get_prop(domain, exported_fingerprint_prop)
-get_prop(domain, exported_radio_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
-get_prop(domain, exported_vold_prop)
-get_prop(domain, exported2_default_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, hal_instrumentation_prop)
+get_prop(domain, hw_timeout_multiplier_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
get_prop(domain, logd_prop)
+get_prop(domain, mediadrm_config_prop)
+get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
+get_prop(domain, surfaceflinger_prop)
+get_prop(domain, telephony_status_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
+get_prop(domain, vold_status_prop)
+get_prop(domain, vts_config_prop)
# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
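Review bot: This hunk makes a dozen more property types readable by every domain, including untrusted and isolated apps, and several of the names (`soc_prop`, `bootloader_prop`, `telephony_status_prop`, `vold_status_prop`, `fingerprint_prop`) suggest device- or state-describing values that could feed device fingerprinting or expose state to apps that hold no permission for it. The removed `exported_*` types were presumably split into these, but no per-type justification is given; a comment group such as `# Readable by all domains, including untrusted apps: these carry only public build/SoC identifiers` above the identifier props, and a note stating which values `telephony_status_prop` and `vold_status_prop` carry, would make the widening reviewable. If any of them holds an identifier of the kind the `serialno_prop` neverallow further down protects, it should get the same neverallow treatment.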
@@ -260,23 +275,31 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -292,7 +315,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -335,7 +358,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to an allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -350,7 +373,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowed domains.
neverallow {
domain
-kernel
@@ -389,13 +412,11 @@
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
-# Only init, ueventd, shell and system_server should be able to access HW RNG
+# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
- -init
- -shell # For CTS and is restricted to getattr in shell.te
- -system_server
- -ueventd
+ -shell # For CTS, restricted to just getattr in shell.te
+ -ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
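Review bot: The new comment says only the kernel hwrng thread should read the HW RNG, but the assertion applies to `domain`, which includes the `kernel` type, so it reads as if `kernel` were exempted when it is not; the in-kernel hwrng thread consumes the device from inside the driver and never opens the `/dev/hw_random` node, so the rule is correct as written. Suggest rewording to `# No domain may access /dev/hw_random; the kernel's hwrng thread feeds the entropy pool in-kernel without going through the device node.` so the comment and the subject set agree.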
@@ -446,22 +467,17 @@
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
+neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
+neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
+
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
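Review bot: The block asserting that no non-app domain may execute files from `data_file_type` (outside dalvik cache, apk and shared-lib locations) is removed here with nothing in this hunk replacing it, so as far as this diff shows a core or vendor domain could now be granted `execute` on a data file without any compile-time check objecting. If the assertion was relocated (for example into private policy) a comment such as `# Execution from /data is asserted in private/domain.te` at this spot would make that traceable; if it was not, it should be restored. The new `shell_test_data_file` rules look right; note that the write half of `neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };` is already implied by the first `file_class_set no_w_file_perms` line, so that line effectively adds only the execute restriction.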
@@ -487,7 +503,6 @@
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -523,32 +538,28 @@
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
-neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } vndk_prop:property_service set;
compatible_property_only(`
- neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init } exported_secure_prop:property_service set;
- neverallow { domain -init } exported2_default_prop:property_service set;
- neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
+ neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
')
-# Only core domains are allowed to access package_manager properties
-neverallow { domain -init -system_server } pm_prop:property_service set;
-neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
-
compatible_property_only(`
neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')
+neverallow { domain -init } aac_drc_prop:property_service set;
+neverallow { domain -init } build_prop:property_service set;
+
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowed domains.
neverallow {
domain
-adbd
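Review bot: The heading above this block ('Require that domains explicitly label unknown properties, and do not allow anyone but init to modify unknown properties') no longer matches the code: both `default_prop:property_service set` assertions are removed in this hunk, leaving only `mmc_prop` and `vndk_prop` under it. Either the unlabeled-property guarantee is now enforced elsewhere (not visible here), in which case the comment should say where, or the removal drops a meaningful check, since any domain could then be granted `set` on properties that fall through to `default_prop`. If the removal is intentional, rewrite the heading to `# Only init and vendor_init may set mmc and vndk properties` and add a note on where default_prop is now handled; the two new `aac_drc_prop`/`build_prop` assertions further down would also benefit from a one-line reason, as their neighbours have.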
@@ -567,9 +578,6 @@
-vendor_init
} serialno_prop:file r_file_perms;
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
-
neverallow {
domain
-init
@@ -641,7 +649,6 @@
neverallow {
domain
-coredomain
- -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
} {
service_manager_type
-vendor_service
@@ -651,18 +658,24 @@
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
+ #
+ # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
neverallow {
appdomain
-coredomain
} {
service_manager_type
+
-app_api_service
+ -vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
+
+ -apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
-drmserver_service
- -hal_light_service # TODO(b/148154485) remove once all violators are gone
-credstore_service
+ -keystore_maintenance_service
-keystore_service
-mediadrmserver_service
-mediaextractor_service
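Review bot: The exemptions added to the vendor-app service neverallow (`vendor_service`, `apc_service`, `keystore_maintenance_service`) carry no rationale, and `keystore_maintenance_service` in particular is a maintenance interface rather than a stable app API, so excluding it from the assertion lets a vendor app be granted `find` on it without any compile-time objection. An exemption here grants nothing by itself, but each one should say what it is for, e.g. `-keystore_maintenance_service # <reason / bug>` with the real reason. The `# must be @VintfStability to be used by an app` comment on `vendor_service` describes a framework/AIDL guarantee, not something SELinux checks, so consider phrasing it as `# stability is enforced by the AIDL runtime, not by this policy`.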
@@ -671,8 +684,10 @@
-nfc_service
-radio_service
-virtual_touchpad_service
+ -vpnprofilestore_service
-vr_hwc_service
-vr_manager_service
+ userdebug_or_eng(`-hal_face_service')
}:service_manager find;
')
@@ -723,25 +738,6 @@
-socket_between_core_and_vendor_violators
});
')
- # Vendor domains are not permitted to initiate communications to core domain sockets
-full_treble_only(`
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -tombstoned # linker to tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
- });
-')
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
full_treble_only(`
@@ -785,6 +781,7 @@
dev_type
-coredomain_socket
-core_data_file_type
+ -app_data_file_type
-unlabeled
}:sock_file ~{ append getattr ioctl read write };
')
@@ -809,6 +806,7 @@
} {
data_file_type
-core_data_file_type
+ -app_data_file_type
}:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
@@ -821,6 +819,7 @@
} {
data_file_type
-core_data_file_type
+ -app_data_file_type
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
@@ -938,7 +937,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowed here.
neverallow {
domain
-coredomain
@@ -958,8 +957,25 @@
')
full_treble_only(`
+ # Do not allow coredomain to access entrypoint for files other
+ # than system_file_type and postinstall_file
+ neverallow coredomain {
+ file_type
+ -system_file_type
+ -postinstall_file
+ }:file entrypoint;
+ # Do not allow domains other than coredomain to access entrypoint
+ # for anything but vendor_file_type and init_exec for vendor_init.
+ neverallow { domain -coredomain } {
+ file_type
+ -vendor_file_type
+ -init_exec
+ }:file entrypoint;
+')
+
+full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowed here.
neverallow {
coredomain
-init
@@ -971,6 +987,7 @@
-same_process_hal_file
-vndk_sp_file
-vendor_app_file
+ -vendor_public_framework_file
-vendor_public_lib_file
}:file execute;
')
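Review bot: The second new `entrypoint` assertion exempts `init_exec` for every non-coredomain domain, not only for `vendor_init` as its comment says, so a vendor domain could be granted `entrypoint` on the init binary without the check firing. Splitting the rule keeps the stated intent exact while allowing the same set of transitions; the `full_treble_only` wrapper and the coredomain assertion above it are unchanged.
```selinux
  # … unchanged: coredomain entrypoint assertion …
  # Do not allow domains other than coredomain to access entrypoint
  # for anything but vendor_file_type. vendor_init additionally needs
  # init_exec (presumably because it runs the init binary in its own context).
  neverallow { domain -coredomain -vendor_init } {
    file_type
    -vendor_file_type
  }:file entrypoint;
  neverallow vendor_init {
    file_type
    -vendor_file_type
    -init_exec
  }:file entrypoint;
```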
@@ -987,43 +1004,8 @@
')
full_treble_only(`
- # Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
- neverallow {
- coredomain
- # TODO(b/37168747): clean up fwk access to /vendor
- -crash_dump
- -init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel # loads /vendor/firmware
- userdebug_or_eng(`-heapprofd')
- -shell
- -system_executes_vendor_violators
- -traced_perf # library/binary access for symbolization
- -ueventd # reads /vendor/ueventd.rc
- -vold # loads incremental fs driver
- } {
- vendor_file_type
- -same_process_hal_file
- -vendor_app_file
- -vendor_apex_file
- -vendor_configs_file
- -vendor_service_contexts_file
- -vendor_framework_file
- -vendor_idc_file
- -vendor_keychars_file
- -vendor_keylayout_file
- -vendor_overlay_file
- -vendor_public_lib_file
- -vendor_task_profiles_file
- -vndk_sp_file
- }:file *;
-')
-
-full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowed here.
neverallow {
domain
-appdomain
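Review bot: This hunk drops the assertion that coredomain may not access `vendor_file_type` files beyond the listed exemptions, and a later pure-deletion hunk in this file drops the companion `vendor_file:file { no_w_file_perms no_x_file_perms open }` one, so after this change nothing visible in public/domain.te prevents a system domain from being granted open, write or execute on /vendor files. If these were moved into private policy, a one-line pointer at this spot, e.g. `# coredomain access to vendor_file_type is asserted in private/domain.te`, would keep the public policy self-explanatory; otherwise this is a real loss of Treble boundary enforcement and should be reconsidered.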
@@ -1049,6 +1031,7 @@
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
+ -task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
}:file *;
@@ -1081,6 +1064,9 @@
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
+neverallow { domain -init -system_server } heapdump_data_file:file read;
+
# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
@@ -1216,7 +1202,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
neverallow {
domain
@@ -1235,6 +1221,7 @@
-dumpstate
-init
-installd
+ -iorap_inode2filename
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
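Review bot: `-iorap_inode2filename` is added to the exemption list for writing into shell-owned directories without a comment, while neighbours such as `-system_server # why?` at least flag the open question; a reader cannot tell whether iorap needs to create files under /data/local/tmp or merely hit a denial during testing. A short reason, e.g. `-iorap_inode2filename # <what it writes there> (b/...)` with the real bug, would let the exemption be retired later. The neverallow's subject list starts before this hunk.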
@@ -1323,24 +1310,6 @@
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;
-# On TREBLE devices, most coredomains should not access vendor_files.
-# TODO(b/71553434): Remove exceptions here.
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -bootanim
- -crash_dump
- -heapprofd
- -init
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel
- -traced_perf
- -ueventd
- } vendor_file:file { no_w_file_perms no_x_file_perms open };
-')
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
@@ -1354,10 +1323,12 @@
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
@@ -1382,7 +1353,7 @@
neverallow {
coredomain
-appdomain
- } vendor_public_lib_file:file { execute execute_no_trans };
+ } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
')
# Vendor domian must not have access to /mnt/product.
@@ -1422,3 +1393,8 @@
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;
+
+neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
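Review bot: The `debugfs_tracing_printk_formats` assertion has no comment, unlike the lockdown rule beside it, so the reason this single tracefs file is locked down to `traced_probes` (plus init/vendor_init) is not recorded. As far as I know the file lists kernel addresses of printk format strings, which is useful to an attacker defeating KASLR, so a comment such as `# printk_formats exposes kernel text addresses; only traced_probes needs it to decode ftrace bprint events.` would justify the `*` restriction and tell a future editor not to widen it casually.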
diff --git a/public/drmserver.te b/public/drmserver.te
index e2c6638..eede0fc 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -30,7 +30,9 @@
# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket. Not.
allow drmserver apk_data_file:dir rw_dir_perms;
+auditallow drmserver apk_data_file:dir { add_name write };
allow drmserver drmserver_socket:sock_file create_file_perms;
+auditallow drmserver drmserver_socket:sock_file create;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;
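Review bot: The two `auditallow` lines are a sensible way to learn whether the legacy `/data/app/tlcd_sock` path is still exercised, but nothing says what should happen with the audit results, and the `allow drmserver apk_data_file:dir rw_dir_perms;` they watch remains a broad write grant on the APK directory in the meantime. A comment such as `# auditallow: TODO(b/...) remove the apk_data_file socket rules once no device reports these` above them would tie the audit to a removal plan rather than leaving it in place indefinitely.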
@@ -59,4 +61,5 @@
selinux_check_access(drmserver)
r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0609d92..85a5796 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -41,8 +41,8 @@
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
-# Allow dumpstate to append into privileged apps private files.
-allow dumpstate privapp_data_file:file append;
+# Allow dumpstate to append into apps' private files.
+allow dumpstate { privapp_data_file app_data_file }:file append;
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
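Review bot: Widening the append grant to `app_data_file` lets dumpstate write into any untrusted app's private files, but only through a file descriptor it is handed, because no `open` or `search` on `app_data_file` accompanies it in this hunk — that fd-only property is what keeps the rule safe and it should be stated. Suggest replacing the comment with `# Allow dumpstate to append to app private files through fds passed to it; no open is granted, so dumpstate cannot reach these files on its own.`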
@@ -113,10 +113,12 @@
}:file r_file_perms;
# Other random bits of data we want to collect
-allow dumpstate debugfs:file r_file_perms;
-auditallow dumpstate debugfs:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs:file r_file_perms;
+ auditallow dumpstate debugfs:file r_file_perms;
-allow dumpstate debugfs_mmc:file r_file_perms;
+ allow dumpstate debugfs_mmc:file r_file_perms;
+')
# df for
allow dumpstate {
@@ -134,16 +136,25 @@
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
-dump_hal(hal_identity)
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
+dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
+dump_hal(hal_thermal)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_identity)
+dump_hal(hal_face)
+dump_hal(hal_fingerprint)
+dump_hal(hal_gnss)
+
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
@@ -167,6 +178,10 @@
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
+# For Nfc
+allow dumpstate nfc_logs_data_file:dir r_dir_perms;
+allow dumpstate nfc_logs_data_file:file r_file_perms;
+
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
@@ -217,7 +232,7 @@
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
- allow dumpstate user_profile_data_file:dir r_dir_perms;
+ allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
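Review bot: The added line inside the `userdebug_or_eng` block is missing the space before the closing brace in `{ user_profile_root_file user_profile_data_file}:dir`; the policy compiles either way, but every other set in this file is written `{ a b }`. Change it to `allow dumpstate { user_profile_root_file user_profile_data_file }:dir r_dir_perms;`.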
@@ -260,13 +275,6 @@
allow dumpstate devpts:chr_file rw_file_perms;
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-set_prop(dumpstate, exported_dumpstate_prop)
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
# Read any system properties
get_prop(dumpstate, property_type)
@@ -290,6 +298,9 @@
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;
+# Allow dumpstate to run ps
+allow dumpstate proc_pid_max:file r_file_perms;
+
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
@@ -334,8 +345,25 @@
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;
-# Allow dumpstate to kill vendor dumpstate service by init
-set_prop(dumpstate, ctl_dumpstate_prop)
+binder_call(dumpstate, hal_authsecret_server)
+allow hal_authsecret_server dumpstate:fifo_file write;
+allow hal_authsecret_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_keymint_server)
+allow hal_keymint_server dumpstate:fifo_file write;
+allow hal_keymint_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_memtrack_server)
+allow hal_memtrack_server dumpstate:fifo_file write;
+allow hal_memtrack_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_oemlock_server)
+allow hal_oemlock_server dumpstate:fifo_file write;
+allow hal_oemlock_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_weaver_server)
+allow hal_weaver_server dumpstate:fifo_file write;
+allow hal_weaver_server dumpstate:fd use;
#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
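Review bot: The five new server blocks (authsecret, keymint, memtrack, oemlock, weaver) carry no comment, while the line they replace was the only one in this stretch explaining intent; a single comment above the first block such as `# Allow dumpstate to call these AIDL HAL servers and collect their dump() output over a pipe` would make the purpose readable. Each block also repeats by hand the binder_call / `fifo_file write` / `fd use` triple that the `dump_hal(...)` lines in an earlier hunk of this file provide as a macro; if these servers belong to a hal attribute that `dump_hal` accepts, `dump_hal(hal_keymint)` and friends would be the consistent form, which cannot be confirmed from this hunk. The removed `set_prop(dumpstate, ctl_dumpstate_prop)` is not re-granted anywhere in this file; presumably it moved with the other property rules, but that is not visible in this diff.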
@@ -344,6 +372,9 @@
#Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
+allow dumpstate binderfs_logs_proc:file r_file_perms;
+
+allow dumpstate apex_info_file:file getattr;
###
### neverallow rules
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 8787817..e167a5e 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -23,22 +23,12 @@
allow fastbootd device:dir r_dir_perms;
- # Reboot the device
- set_prop(fastbootd, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(fastbootd, serialno_prop)
-
# For dev/block/by-name dir
allow fastbootd block_device:dir r_dir_perms;
# Needed for DM_DEV_CREATE ioctl call
allow fastbootd self:capability sys_admin;
- # Set sys.usb.ffs.ready.
- set_prop(fastbootd, ffs_prop)
- set_prop(fastbootd, exported_ffs_prop)
-
unix_socket_connect(fastbootd, recovery, recovery)
# Required for flashing
@@ -58,9 +48,9 @@
# libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir { search getattr };
- allow fastbootd gsi_metadata_file:dir rw_dir_perms;
- allow fastbootd gsi_metadata_file:file create_file_perms;
+ allow fastbootd metadata_file:dir { search getattr mounton };
+ allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file_type:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
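Review bot: The first changed line adds `mounton` to fastbootd's access on `metadata_file:dir`, which lets fastbootd mount a filesystem over /metadata itself, but neither the surrounding `libfiemap` comment nor a new one says which operation needs it. A one-line justification above it, e.g. `# mounton metadata_file: <operation that mounts over /metadata — TODO fill in>`, would let a later reviewer tell an intended grant from leftover access. The switch from `gsi_metadata_file` to the `gsi_metadata_file_type` attribute on the next two lines also widens the grant to every type carrying that attribute (file.te in this diff adds `gsi_public_metadata_file` to it), which is fine if intended but worth stating in the comment.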
@@ -107,27 +97,14 @@
vendor_file_type
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
- allow fastbootd labeledfs:filesystem { mount unmount };
- get_prop(fastbootd, persistent_properties_ready_prop)
+ # Fetch vendor_boot partition
+ allow fastbootd boot_block_device:blk_file r_file_perms;
')
# Allow using libfiemap/gsid directly (no binder in recovery).
- set_prop(fastbootd, gsid_prop)
- allow fastbootd gsi_metadata_file:dir search;
+ allow fastbootd gsi_metadata_file_type:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
-
- # Determine allocation scheme (whether B partitions needs to be
- # at the second half of super.
- get_prop(fastbootd, virtual_ab_prop)
-
- # Needed for TCP protocol
- allow fastbootd node:tcp_socket node_bind;
- allow fastbootd port:tcp_socket name_bind;
- allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
-
- # Get fastbootd protocol property
- get_prop(fastbootd, fastbootd_protocol_prop)
')
###
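Review bot: The new comment `# Fetch vendor_boot partition` sits above a rule that grants read on `boot_block_device`, so either the vendor_boot partition is labeled `boot_block_device` on these devices or the comment names the wrong partition; the hunk does not show which. Once confirmed, make the comment name the label it justifies, e.g. `# Fetch vendor_boot partition (labeled boot_block_device)`. The `')` on the following line closes a macro block whose opening is outside this hunk, so the build variant under which this read applies is not visible here.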
diff --git a/public/file.te b/public/file.te
index 91257e2..2250482 100644
--- a/public/file.te
+++ b/public/file.te
@@ -21,6 +21,7 @@
type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
@@ -33,9 +34,11 @@
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
+type proc_kallsyms, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
@@ -77,15 +80,19 @@
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
-type cgroup_bpf, fs_type;
+type cgroup_v2, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devfreq_cur, fs_type, sysfs_type;
+type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
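Review bot: The `cgroup_bpf` → `cgroup_v2` change on the changed lines replaces a public type name rather than adding an alias, so any vendor policy that still references `cgroup_bpf` has to be covered by the policy compat mapping for older vendor versions or it will no longer resolve against this policy. Whether a mapping entry for the old name was added is not visible from this hunk; a short comment on the new line, such as `# formerly cgroup_bpf; see version compat mapping`, would record the rename for readers of file.te. The same rename appears in the `associate` rule in a later hunk of this file.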
@@ -107,8 +114,13 @@
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
+type sysfs_fs_incfs_features, sysfs_type, fs_type;
+type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
type configfs, fs_type;
+# /sys/devices/cs_etm
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
@@ -116,7 +128,7 @@
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
-
+type sysfs_uhid, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type;
type sysfs_zram, fs_type, sysfs_type;
@@ -133,12 +145,14 @@
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
type securityfs, fs_type;
type pstorefs, fs_type;
@@ -179,10 +193,14 @@
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+type cgroup_desc_api_file, system_file_type, file_type;
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+type task_profiles_api_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
@@ -213,6 +231,9 @@
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
+# Type for all vendor public libraries for system. These libs should only be exposed to
+# system. ABI stability of these libs is vendor's responsibility.
+type vendor_public_framework_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
@@ -224,7 +245,9 @@
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
-type gsi_metadata_file, file_type;
+type gsi_metadata_file, gsi_metadata_file_type, file_type;
+# DSU (GSI) files within /metadata that are globally readable.
+type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
@@ -233,8 +256,12 @@
type ota_metadata_file, file_type;
# property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
+# userspace reboot files within /metadata/userspacereboot
+type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
+# Metadata information within /metadata/watchdog
+type watchdog_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -285,6 +312,7 @@
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
+type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
@@ -293,7 +321,7 @@
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
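Review bot: Adding `app_data_file_type` to `shell_data_file` on the changed line makes /data/local inherit every allow rule written against that attribute, and the comment above it (`# /data/local - writable by shell`) gives no hint that the directory is now treated as app data. The same attribute is added to `bluetooth_data_file`, `nfc_data_file`, `radio_data_file`, `app_data_file`, `privapp_data_file` and `system_app_data_file` in later hunks of this file, so a single comment where the attribute is first applied, e.g. `# app_data_file_type: app-owned data; rules granted on the attribute apply to all of these types`, would explain the grouping once. Any neverallow written against `app_data_file_type` should be checked against `shell_data_file` in particular, since it is also `mlstrustedobject`; that interaction is not visible here.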
@@ -304,6 +332,8 @@
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local/tests
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
@@ -340,6 +370,9 @@
# Mount point used for APEX images
type apex_mnt_dir, file_type;
+# /apex/apex-info-list.xml created by apexd
+type apex_info_file, file_type;
+
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
@@ -353,12 +386,15 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
+type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
@@ -373,10 +409,11 @@
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
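Review bot: The changed line adds `mlstrustedobject` to `shared_relro_file`, which exempts that type from the MLS constraints that normally separate per-user data, but no comment says which cross-user access needs it. The type sits in an uncommented list of /data/misc subdirectories, so nothing nearby explains the exemption either. Add a comment above it, e.g. `# mlstrustedobject: shared RELRO files are accessed across user levels — TODO name the domains that need this`.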
@@ -393,13 +430,14 @@
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
+type radio_core_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type;
+type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectories - priv-app sandboxes
-type privapp_data_file, file_type, data_file_type, core_data_file_type;
+type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
@@ -461,6 +499,7 @@
type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
+type snapuserd_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
@@ -508,6 +547,9 @@
# service_contexts file
type service_contexts_file, system_file_type, file_type;
+# keystore2_key_contexts_file
+type keystore2_key_contexts_file, system_file_type, file_type;
+
# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;
@@ -520,10 +562,16 @@
# vndservice_contexts file
type vndservice_contexts_file, file_type;
+# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
-allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
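Review bot: `debugfs_bootreceiver_tracing` is declared on the added lines in the part of file.te that lists *_contexts file types, while every other `debugfs_*` type carrying `tracefs_type` is declared together in the debugfs block earlier in this file (the hunk that introduces `debugfs_tracing_printk_formats`). Moving the declaration with its `# /sys/kernel/tracing/instances/bootreceiver ...` comment next to `debugfs_tracing_instances` would keep the tracefs types in one place; likewise `vendor_kernel_modules` belongs with the other `vendor_file_type` declarations. The `associate` rule at the end of this hunk still names `{ debugfs debugfs_tracing debugfs_tracing_debug }` explicitly rather than the new `tracefs_type` attribute; whether the new tracing types need to associate with anything else is not visible here.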
@@ -533,6 +581,7 @@
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
+allow proc_net proc:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index ff7a884..8cf2411 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -18,6 +18,7 @@
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
allow fingerprintd keystore:keystore_key { add_auth };
+allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
binder_call(fingerprintd, system_server);
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index 6315d44..25a7768 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -2,33 +2,9 @@
type flags_health_check, domain, coredomain;
type flags_health_check_exec, system_file_type, exec_type, file_type;
-set_prop(flags_health_check, device_config_boot_count_prop)
-set_prop(flags_health_check, device_config_reset_performed_prop)
-set_prop(flags_health_check, device_config_runtime_native_boot_prop)
-set_prop(flags_health_check, device_config_runtime_native_prop)
-set_prop(flags_health_check, device_config_input_native_boot_prop)
-set_prop(flags_health_check, device_config_netd_native_prop)
-set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_media_native_prop)
-set_prop(flags_health_check, device_config_storage_native_boot_prop)
-set_prop(flags_health_check, device_config_sys_traced_prop)
-set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_configuration_prop)
-
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
-# system property device_config_boot_count_prop is used for deciding when to perform server
-# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
-# wrong timing, trigger server configurable flag related disaster recovery, which will override
-# server configured values of all flags with default values.
-neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
-
-# system property device_config_reset_performed_prop is used for indicating whether server
-# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
-
# server_configurable_flags_data_file is used for storing whether server configurable flags which
# have been reset during current booting. Mistakenly modified by unrelated components can
# cause bad server configurable flags synced back to device.
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index dc46d07..d48c5f8 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -23,6 +23,9 @@
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
+allow gatekeeperd keystore:keystore2 { add_auth };
+allow gatekeeperd authorization_service:service_manager find;
+
# For permissions checking
allow gatekeeperd system_server:binder call;
@@ -35,7 +38,5 @@
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
-# For checking whether GSI is running
-get_prop(gatekeeperd, gsid_prop)
-
r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 5958f2c..d1970b9 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -3,6 +3,7 @@
binder_call(hal_audio_server, hal_audio_client)
hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
+hal_attribute_service(hal_audio, hal_audio_service)
allow hal_audio ion_device:chr_file r_file_perms;
@@ -33,5 +34,6 @@
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
+get_prop(hal_audio, audio_config_prop)
get_prop(hal_audio, bluetooth_a2dp_offload_prop)
get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
index 4a52b89..6f45b0e 100644
--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -3,3 +3,6 @@
binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
+hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
+
+binder_call(hal_audiocontrol_server, servicemanager)
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
index daf8d48..bbcdb9a 100644
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -2,3 +2,6 @@
binder_call(hal_authsecret_client, hal_authsecret_server)
hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
+hal_attribute_service(hal_authsecret, hal_authsecret_service)
+
+binder_call(hal_authsecret_server, servicemanager)
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index be9975f..a1f3d7f 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,3 +3,4 @@
binder_call(hal_bootctl_server, hal_bootctl_client)
hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
+allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 77216e4..45fad56 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -9,6 +9,8 @@
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
+
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
diff --git a/public/hal_can.te b/public/hal_can.te
index c75495b..959d1d9 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -1,9 +1,9 @@
# CAN controller
binder_call(hal_can_controller_client, hal_can_controller_server)
-add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
-allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
+binder_call(hal_can_controller_server, hal_can_controller_client)
+hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
# CAN bus
binder_call(hal_can_bus_client, hal_can_bus_server)
-add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
-allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
+binder_call(hal_can_bus_server, hal_can_bus_client)
+hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7de6a13..e699a6b 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,6 +16,10 @@
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index 8c7816a..a379bb3 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -1,5 +1,7 @@
get_prop(hal_codec2_client, media_variant_prop)
get_prop(hal_codec2_server, media_variant_prop)
+get_prop(hal_codec2_client, codec2_config_prop)
+get_prop(hal_codec2_server, codec2_config_prop)
binder_call(hal_codec2_client, hal_codec2_server)
binder_call(hal_codec2_server, hal_codec2_client)
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 5987491..bb1bd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,6 +20,10 @@
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file w_file_perms;
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index b7676ed..9f854e3 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,8 @@
binder_call(hal_dumpstate_client, hal_dumpstate_server)
binder_call(hal_dumpstate_server, hal_dumpstate_client)
+set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
+
hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
diff --git a/public/hal_face.te b/public/hal_face.te
index b250586..0134576 100644
--- a/public/hal_face.te
+++ b/public/hal_face.te
@@ -3,6 +3,9 @@
binder_call(hal_face_server, hal_face_client)
hal_attribute_hwservice(hal_face, hal_face_hwservice)
+hal_attribute_service(hal_face, hal_face_service)
+
+binder_call(hal_face_server, servicemanager)
# Allow access to the ion memory allocation device.
allow hal_face ion_device:chr_file r_file_perms;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index b673e29..444cfda 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -3,6 +3,9 @@
binder_call(hal_fingerprint_server, hal_fingerprint_client)
hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
+hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
+
+binder_call(hal_fingerprint_server, servicemanager)
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
@@ -11,6 +14,7 @@
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 9bfc4ec..832bc8d 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -3,3 +3,7 @@
binder_call(hal_gnss_server, hal_gnss_client)
hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
+hal_attribute_service(hal_gnss, hal_gnss_service)
+binder_call(hal_gnss_server, servicemanager)
+binder_call(hal_gnss_client, servicemanager)
+
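Review bot: The last added line of this hunk is an empty line at the end of hal_gnss.te, so the file now ends with a trailing blank line where the other hal_*.te files in this diff end directly after their last rule; drop the trailing `+` blank line. Separately, this file grants `binder_call(hal_gnss_client, servicemanager)` on the client side, as hal_power and hal_power_stats do, while hal_authsecret, hal_face, hal_fingerprint, hal_memtrack and hal_oemlock in this diff grant the servicemanager call only to the server; whether the client-side call is needed per HAL cannot be judged from this hunk, but a one-line comment on the client rule would save the next reader the question.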
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 991e147..3ec6b96 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -8,6 +8,7 @@
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index cb4a130..1c69c99 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -16,6 +16,7 @@
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0.
diff --git a/public/hal_health_storage.te b/public/hal_health_storage.te
index 61e609b..4938a16 100644
--- a/public/hal_health_storage.te
+++ b/public/hal_health_storage.te
@@ -2,4 +2,10 @@
binder_call(hal_health_storage_client, hal_health_storage_server)
binder_call(hal_health_storage_server, hal_health_storage_client)
+binder_use(hal_health_storage_server)
+
hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
+hal_attribute_service(hal_health_storage, hal_health_storage_service)
+
+# Allow ReadDefaultFstab().
+read_fstab(hal_health_storage_server)
diff --git a/public/hal_identity.te b/public/hal_identity.te
index 3a95743..8d558ad 100644
--- a/public/hal_identity.te
+++ b/public/hal_identity.te
@@ -1,7 +1,6 @@
# HwBinder IPC from client to server
binder_call(hal_identity_client, hal_identity_server)
-add_service(hal_identity_server, hal_identity_service)
-binder_call(hal_identity_server, servicemanager)
+hal_attribute_service(hal_identity, hal_identity_service)
-allow hal_identity_client hal_identity_service:service_manager find;
+binder_call(hal_identity_server, servicemanager)
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
new file mode 100644
index 0000000..e56ab99
--- /dev/null
+++ b/public/hal_keymint.te
@@ -0,0 +1,5 @@
+binder_call(hal_keymint_client, hal_keymint_server)
+
+hal_attribute_service(hal_keymint, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
+binder_call(hal_keymint_server, servicemanager)
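Review bot: The new file hal_keymint.te has no header comment, while the neighbouring hal_identity.te opens with `# HwBinder IPC from client to server` above its first `binder_call`. Adding a one-line comment above the first line, e.g. `# Binder IPC from client to server`, and another above the two `hal_attribute_service` lines noting that the remotely-provisioned-component service is registered by the same keymint server, would bring the file up to the documentation level of the rest of public/. The file grants nothing beyond the client→server call and service registration, which matches the other AIDL HAL files in this change.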
diff --git a/public/hal_light.te b/public/hal_light.te
index 7054d7b..40829b6 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -3,14 +3,10 @@
binder_call(hal_light_server, hal_light_client)
hal_attribute_hwservice(hal_light, hal_light_hwservice)
+hal_attribute_service(hal_light, hal_light_service)
-# client finds and uses server via service_manager
-allow hal_light_client hal_light_service:service_manager find;
-binder_use(hal_light_client)
-
-# server adds itself via service_manager
-add_service(hal_light_server, hal_light_service)
binder_call(hal_light_server, servicemanager)
+binder_use(hal_light_client)
allow hal_light_server dumpstate:fifo_file write;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index ed93a29..30a4480 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -2,3 +2,6 @@
binder_call(hal_memtrack_client, hal_memtrack_server)
hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
+
+hal_attribute_service(hal_memtrack, hal_memtrack_service)
+binder_call(hal_memtrack_server, servicemanager)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 228d990..7497dec 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -21,6 +21,9 @@
# Allow NN HAL service to use a client-provided fd residing in /storage
allow hal_neuralnetworks_server storage_file:file { getattr map read };
+# Allow NN HAL service to read a client-provided fd residing in /data/app/.
+allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
+
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
@@ -28,3 +31,11 @@
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
+
+# Define sepolicy for NN AIDL HAL service
+hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
+binder_call(hal_neuralnetworks_server, servicemanager)
+
+binder_use(hal_neuralnetworks_server)
+
+allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 26b2b42..9f38fa5 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -2,3 +2,6 @@
binder_call(hal_oemlock_client, hal_oemlock_server)
hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
+hal_attribute_service(hal_oemlock, hal_oemlock_service)
+
+binder_call(hal_oemlock_server, servicemanager)
diff --git a/public/hal_power.te b/public/hal_power.te
index c94771b..aae32a0 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -3,8 +3,7 @@
binder_call(hal_power_server, hal_power_client)
hal_attribute_hwservice(hal_power, hal_power_hwservice)
+hal_attribute_service(hal_power, hal_power_service)
-add_service(hal_power_server, hal_power_service)
binder_call(hal_power_server, servicemanager)
binder_call(hal_power_client, servicemanager)
-allow hal_power_client hal_power_service:service_manager find;
diff --git a/public/hal_power_stats.te b/public/hal_power_stats.te
index 2c04008..4076eff 100644
--- a/public/hal_power_stats.te
+++ b/public/hal_power_stats.te
@@ -3,3 +3,7 @@
binder_call(hal_power_stats_server, hal_power_stats_client)
hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
+hal_attribute_service(hal_power_stats, hal_power_stats_service)
+
+binder_call(hal_power_stats_server, servicemanager)
+binder_call(hal_power_stats_client, servicemanager)
diff --git a/public/hal_rebootescrow.te b/public/hal_rebootescrow.te
index 4352630..d16333b 100644
--- a/public/hal_rebootescrow.te
+++ b/public/hal_rebootescrow.te
@@ -1,7 +1,6 @@
# HwBinder IPC from client to server
binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
-add_service(hal_rebootescrow_server, hal_rebootescrow_service)
-binder_use(hal_rebootescrow_server)
+hal_attribute_service(hal_rebootescrow, hal_rebootescrow_service)
-allow hal_rebootescrow_client hal_rebootescrow_service:service_manager find;
+binder_use(hal_rebootescrow_server)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 3e4b65d..f0cf075 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,6 +11,8 @@
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
allow hal_telephony_server radio_device:blk_file r_file_perms;
allow hal_telephony_server efs_file:dir create_dir_perms;
@@ -20,10 +22,10 @@
allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
# property service
+get_prop(hal_telephony_server, telephony_config_prop)
+set_prop(hal_telephony_server, radio_control_prop)
set_prop(hal_telephony_server, radio_prop)
-set_prop(hal_telephony_server, exported_radio_prop)
-set_prop(hal_telephony_server, exported2_radio_prop)
-set_prop(hal_telephony_server, exported3_radio_prop)
+set_prop(hal_telephony_server, telephony_status_prop)
allow hal_telephony_server tty_device:chr_file rw_file_perms;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index a34621d..c902495 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -3,12 +3,10 @@
binder_call(hal_vibrator_server, hal_vibrator_client);
hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
+hal_attribute_service(hal_vibrator, hal_vibrator_service)
-add_service(hal_vibrator_server, hal_vibrator_service)
binder_call(hal_vibrator_server, servicemanager)
-allow hal_vibrator_client hal_vibrator_service:service_manager find;
-
allow hal_vibrator_server dumpstate:fifo_file write;
# vibrator sysfs rw access
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index 36d1306..2b34989 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -2,3 +2,6 @@
binder_call(hal_weaver_client, hal_weaver_server)
hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
+hal_attribute_service(hal_weaver, hal_weaver_service)
+
+binder_call(hal_weaver_server, servicemanager)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index ecc1359..2e4fa78 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -7,8 +7,9 @@
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
-set_prop(hal_wifi, exported_wifi_prop)
+set_prop(hal_wifi_server, wifi_hal_prop)
set_prop(hal_wifi, wifi_prop)
+userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
# allow hal wifi set interfaces up and down and get the factory MAC
allow hal_wifi self:udp_socket create_socket_perms;
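Review bot: The new `set_prop(hal_wifi_server, wifi_hal_prop)` is scoped to the server domain, but the retained `set_prop(hal_wifi, wifi_prop)` on the next line still grants property-set to the whole hal_wifi attribute, which presumably carries client domains as well. If only the HAL process writes wifi_prop, narrowing that line to `set_prop(hal_wifi_server, wifi_prop)` would make the two rules consistent and keep clients from setting Wi-Fi properties; if clients legitimately set it, a one-line comment saying so would stop the next reader from tightening it. The userdebug_or_eng-wrapped get_prop grant looks appropriately limited.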
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 6004c33..7361af1 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
@@ -13,12 +13,22 @@
allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+use_keystore(hal_wifi_supplicant)
+binder_use(hal_wifi_supplicant_server)
+
+# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
+allow hal_wifi_supplicant wifi_key:keystore2_key {
+ get_info
+ use
+};
+
###
### neverallow rules
###
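Review bot: The keystore2 grant `allow hal_wifi_supplicant wifi_key:keystore2_key { get_info use };` and the `use_keystore(hal_wifi_supplicant)` above it are given to the hal_wifi_supplicant attribute, while the adjacent `binder_use(hal_wifi_supplicant_server)` is scoped to the server domain only. If hal_wifi_supplicant also covers client domains, use of keys in the wifi_key namespace is granted more broadly than the binder rule suggests is needed; scoping both rules to `hal_wifi_supplicant_server` appears to match the intent and is worth confirming against the clients of this HAL. The comment also says "WI-FI HAL" although the domain is the supplicant HAL; suggest `# Allow the Wi-Fi supplicant HAL to use keys in the keystore2 namespace wifi_key.`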
diff --git a/public/healthd.te b/public/healthd.te
index 7ea23e1..05acb84 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,6 +11,7 @@
allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
@@ -47,10 +48,3 @@
allow healthd tty_device:chr_file rw_file_perms;
allow healthd ashmem_device:chr_file execute;
allow healthd proc_sysrq:file rw_file_perms;
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported2_system_prop)
-set_prop(healthd, exported3_system_prop)
diff --git a/public/hwservice.te b/public/hwservice.te
index 6f223dd..11b77f0 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -58,7 +58,6 @@
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type thermalcallback_hwservice, hwservice_manager_type, protected_hwservice;
# Following is the hwservices that are explicitly not marked with protected_hwservice.
# These are directly accessible from untrusted apps.
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 7f03815..7ec1872 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -10,8 +10,6 @@
# to do this is granted in the hwbinder_use macro.
allow hwservicemanager self:binder set_context_mgr;
-set_prop(hwservicemanager, hwservicemanager_prop)
-
# Scan through /system/lib64/hw looking for installed HALs
allow hwservicemanager system_file:dir r_dir_perms;
diff --git a/public/init.te b/public/init.te
index cc51a2b..ea5a979 100644
--- a/public/init.te
+++ b/public/init.te
@@ -16,6 +16,12 @@
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { open write relabelto };
')
+
+# allow init to mount and unmount debugfs in debug builds
+userdebug_or_eng(`
+ allow init debugfs:dir mounton;
+')
+
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
@@ -27,7 +33,7 @@
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
-allow init { device socket_device }:dir relabelto;
+allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
@@ -37,6 +43,7 @@
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
@@ -96,7 +103,6 @@
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
-allow init cgroup_bpf:dir { mounton create_dir_perms };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
@@ -123,7 +129,10 @@
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
# /config
allow init configfs:dir mounton;
@@ -153,7 +162,19 @@
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
-allow init fs_type:filesystem ~relabelto;
+allow init {
+ fs_type
+ enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+ userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
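Review bot: The comment above the `enforce_debugfs_restriction(` block does not say why the rule exists: when the restriction is enforced, `debugfs_type` is subtracted from the blanket `fs_type:filesystem ~relabelto` grant just above, so mount/unmount has to be re-granted explicitly and only on debug builds. Suggest `# With the debugfs restriction enforced, debugfs_type is excluded from the fs_type rule above; re-grant mount/unmount on debug builds only.` The unconditional `allow init debugfs_tracing_debug:filesystem mount;` for tracefs is presumably intentional so tracing still works on user builds, but its comment should state that it is deliberately not gated like debugfs.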
@@ -203,6 +224,7 @@
allow init {
file_type
+ -apex_info_file
-app_data_file
-exec_type
-gsi_data_file
@@ -218,8 +240,11 @@
-system_file_type
-vendor_file_type
-vold_data_file
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
allow init {
file_type
-app_data_file
@@ -268,8 +293,8 @@
-privapp_data_file
}:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
@@ -290,6 +315,7 @@
-sdcard_type
-sysfs_type
-rootfs
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
@@ -299,7 +325,6 @@
devpts
dm_device
hwbinder_device
- hw_random_device
input_device
kmsg_device
null_device
@@ -311,13 +336,6 @@
zero_device
}:chr_file { read open };
-# chown/chmod on devices.
-allow init {
- dev_type
- -keychord_device
- -port_device
-}:chr_file setattr;
-
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
@@ -340,6 +358,7 @@
allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
proc_cmdline
proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service.
@@ -373,8 +392,10 @@
# init chmod/chown access to /proc files.
allow init {
proc_cmdline
+ proc_bootconfig
proc_kmsg
proc_net
+ proc_pagetypeinfo
proc_qtaguid_stat
proc_slabinfo
proc_sysrq
@@ -410,6 +431,7 @@
LOOP_CTL_GET_FREE
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
};
# Allow init to write to vibrator/trigger
@@ -521,10 +543,6 @@
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
@@ -539,6 +557,9 @@
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;
+# Access dm-user for OTA boot
+allow init dm_user_device:chr_file rw_file_perms;
+
# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;
@@ -577,6 +598,7 @@
allow init vold_metadata_file:file getattr;
allow init metadata_bootstat_file:dir create_dir_perms;
allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
@@ -588,6 +610,9 @@
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
###
### neverallow rules
###
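Review bot: `allow init userdata_sysdev:file create_file_perms;` is broader than the "allow filesystem tuning" comment suggests: create_file_perms includes create, unlink, rename and setattr, whereas writing tuning knobs to what is presumably a sysfs node needs only open/read/write. If the denials that motivated this were open/write, `allow init userdata_sysdev:file rw_file_perms;` is the tighter grant. The comment should also name what is being tuned, e.g. `# Allow init to write filesystem tuning knobs for the userdata block device.` so the scope of the grant is reviewable.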
diff --git a/public/inputflinger.te b/public/inputflinger.te
index c3f4da8..b62c06d 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,3 +13,4 @@
allow inputflinger input_device:chr_file rw_file_perms;
r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index c8cc89d..eb13cfa 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,6 +26,7 @@
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
@@ -111,37 +112,18 @@
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
+allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-# Types extracted from seapp_contexts type= fields.
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:dir { create_dir_perms relabelfrom relabelto };
-
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_data_file:dir create_dir_perms;
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:dir rmdir;
-allow installd user_profile_data_file:file unlink;
-
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
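Review bot: Replacing the enumerated list with `app_data_file_type` drops the "Types extracted from seapp_contexts type= fields" comment, which was the only statement of what this grant is meant to cover. Because an attribute rule extends automatically to any type that later acquires app_data_file_type, recording that contract keeps the grant reviewable, e.g. `# app_data_file_type is intended to cover the types used in seapp_contexts type= fields.` The split between `user_profile_root_file` (relabelfrom) and `user_profile_data_file` (relabelto) reads as a deliberate one-way relabel; a short comment naming that intent would prevent it being "simplified" into a symmetric grant later.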
@@ -175,6 +157,9 @@
# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file r_file_perms;
+#add for move app to sd card
+get_prop(installd, storage_config_prop)
+
###
### Neverallow rules
###
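Review bot: The comment `#add for move app to sd card` above `get_prop(installd, storage_config_prop)` does not follow the file's comment style (space after `#`, a full sentence) and does not say which property is read or why; suggest `# Allow installd to read storage config properties (used when moving an app to the SD card).` The get_prop grant itself is read-only and looks appropriately narrow.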
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 6e2ed65..afb0b2d 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,6 +132,7 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
define(`BINDER_FREEZE', `0x400c620e')
define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
@@ -191,6 +192,7 @@
define(`BR_INCREFS', `0x80107207')
define(`BR_NOOP', `0x0000720c')
define(`BR_OK', `0x00007201')
+define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
define(`BR_RELEASE', `0x80107209')
define(`BR_REPLY', `0x80407203')
define(`BR_SPAWN_LOOPER', `0x0000720d')
@@ -707,6 +709,7 @@
define(`F2FS_IOC_MOVE_RANGE', `0xf509')
define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
+define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
@@ -1064,6 +1067,12 @@
define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
+define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
+define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
+define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
+define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
+define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 4538962..47a5157 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -49,8 +49,8 @@
# commonly used TTY ioctls
# merge with unpriv_unix_sock_ioctls?
define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY
- TCSETSW TCFLSH TIOCSPGRP TIOCGPGRP
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
+ TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
}')
# point to point ioctls
@@ -72,5 +72,5 @@
BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
-BINDER_SET_CONTEXT_MGR_EXT
+BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
}')
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
index 4041ddd..6f119ee 100644
--- a/public/iorap_inode2filename.te
+++ b/public/iorap_inode2filename.te
@@ -21,24 +21,18 @@
allow iorap_inode2filename apex_mnt_dir:file { getattr };
allow iorap_inode2filename apk_data_file:dir { getattr open read search };
allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file:dir { getattr open read search };
-allow iorap_inode2filename app_data_file:file { getattr };
+allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
+allow iorap_inode2filename app_data_file_type:file { getattr };
allow iorap_inode2filename backup_data_file:dir { getattr open read search };
allow iorap_inode2filename backup_data_file:file { getattr };
-allow iorap_inode2filename bluetooth_data_file:dir { getattr open read search };
-allow iorap_inode2filename bluetooth_data_file:file { getattr };
allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
allow iorap_inode2filename bootchart_data_file:file { getattr };
allow iorap_inode2filename metadata_file:dir { getattr open read search search };
allow iorap_inode2filename metadata_file:file { getattr };
allow iorap_inode2filename packages_list_file:dir { getattr open read search };
allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename privapp_data_file:dir { getattr open read search };
-allow iorap_inode2filename privapp_data_file:file { getattr };
allow iorap_inode2filename property_data_file:dir { getattr open read search };
allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename radio_data_file:dir { getattr open read search };
-allow iorap_inode2filename radio_data_file:file { getattr };
allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
allow iorap_inode2filename resourcecache_data_file:file { getattr };
allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
@@ -51,8 +45,6 @@
allow iorap_inode2filename staging_data_file:file { getattr };
allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_app_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_app_data_file:file { getattr };
allow iorap_inode2filename system_data_file:dir { getattr open read search };
allow iorap_inode2filename system_data_file:file { getattr };
allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
@@ -60,6 +52,7 @@
allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:file { getattr };
allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:file { getattr };
allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
index ad9db14..4b218fb 100644
--- a/public/iorap_prefetcherd.te
+++ b/public/iorap_prefetcherd.te
@@ -39,6 +39,7 @@
allow iorap_prefetcherd system_data_file:dir { open read search };
allow iorap_prefetcherd system_data_file:file { open read };
allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_root_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:file { open read };
allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
diff --git a/public/kernel.te b/public/kernel.te
index 35018e9..9aa40cc 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -5,7 +5,12 @@
# Root fs.
r_dir_file(kernel, rootfs)
-allow kernel proc_cmdline:file r_file_perms;
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
diff --git a/public/keystore.te b/public/keystore.te
index 27c4624..155322c 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain;
+type keystore, domain, keystore2_key_type;
type keystore_exec, system_file_type, exec_type, file_type;
# keystore daemon
@@ -13,13 +13,20 @@
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
+add_service(keystore, keystore_maintenance_service)
+add_service(keystore, vpnprofilestore_service)
# Check SELinux permissions.
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
###
### Neverallow rules
@@ -33,4 +40,5 @@
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-neverallow * keystore:process ptrace;
+# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
+neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
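Review bot: The new `neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;` relaxes the ptrace protection of keystore on debug builds, and the TODO records a target date but not the condition under which the exception can be removed. A TODO naming the blocking work, e.g. `# TODO(b/186868271): drop the crash_dump exception once <blocking work> lands; affects debug builds only.`, ages better than a date that has already passed. Since ptrace on keystore is exactly what this neverallow exists to prevent, it is worth confirming in the same change that crash_dump cannot be reached from an untrusted domain on those builds.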
diff --git a/public/keystore_keys.te b/public/keystore_keys.te
new file mode 100644
index 0000000..3c35984
--- /dev/null
+++ b/public/keystore_keys.te
@@ -0,0 +1,2 @@
+# A keystore2 namespace for WI-FI.
+type wifi_key, keystore2_key_type;
diff --git a/public/lmkd.te b/public/lmkd.te
index 67e93e1..de6052d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,9 +26,11 @@
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
# Allow to read memcg stats
allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
# Set self to SCHED_FIFO
allow lmkd self:global_capability_class_set sys_nice;
@@ -36,9 +38,6 @@
allow lmkd proc_zoneinfo:file r_file_perms;
allow lmkd proc_vmstat:file r_file_perms;
-# Set sys.lmk.* properties.
-set_prop(lmkd, system_lmk_prop)
-
# live lock watchdog process allowed to look through /proc/
allow lmkd domain:dir { search open read };
allow lmkd domain:file { open read };
diff --git a/public/logd.te b/public/logd.te
index 57e29d9..8187179 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,6 +4,7 @@
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
@@ -23,9 +24,6 @@
')
allow logd runtime_event_log_tags_file:file rw_file_perms;
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
r_dir_file(logd, domain)
allow logd kernel:system syslog_mod;
@@ -41,6 +39,9 @@
# expected to be locally cached).
dontaudit domain runtime_event_log_tags_file:file { map open read };
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
+
###
### Neverallow rules
###
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 859ec9c..06f7928 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,7 @@
hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
allow mediaextractor proc_meminfo:file r_file_perms;
crash_dump_fallback(mediaextractor)
@@ -40,8 +41,6 @@
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
-get_prop(mediaextractor, device_config_media_native_prop)
-
###
### neverallow rules
###
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 0e56b07..468c0d0 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,6 +12,7 @@
allow mediametrics system_server:fd use;
r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
allow mediametrics proc_meminfo:file r_file_perms;
# allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 52d3581..388001d 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,6 +9,7 @@
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
@@ -34,8 +35,6 @@
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
-set_prop(mediaserver, audio_prop)
-
# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
@@ -121,6 +120,8 @@
allow mediaserver preloads_media_file:file { getattr read ioctl };
allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 2acdeea..5726842 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -11,8 +11,6 @@
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
-get_prop(mediaswcodec, device_config_media_native_prop)
-
crash_dump_fallback(mediaswcodec)
# mediaswcodec_server should never execute any executable without a
@@ -25,3 +23,5 @@
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
deleted file mode 100644
index 386535b..0000000
--- a/public/mediatranscoding.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# mediatranscoding - daemon for transcoding video and image.
-type mediatranscoding, domain;
-type mediatranscoding_exec, system_file_type, exec_type, file_type;
-
-binder_use(mediatranscoding)
-binder_service(mediatranscoding)
-
-add_service(mediatranscoding, mediatranscoding_service)
-
-allow mediatranscoding system_server:fd use;
-
-# mediatranscoding should never execute any executable without a
-# domain transition
-neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/netd.te b/public/netd.te
index 8005406..ff0bff6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
@@ -36,8 +36,10 @@
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;
-# Acquire advisory lock on /system/etc/xtables.lock
+# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
+# exist, suppress the denial.
allow netd system_file:file lock;
+dontaudit netd system_file:dir write;
# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other process to access qtaguid_proc file
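Review bot: The new `dontaudit netd system_file:dir write;` is wider than the comment above it suggests: it silences write denials on every directory labelled system_file, not just the /system/etc directory that holds xtables.lock. Because `neverallow netd system_file:dir_file_class_set write;` later in this file still forbids the access, the rule only drops the audit record, and the comment should make that explicit so nobody later "fixes" the denial with an allow rule. Suggested wording: `# netd attempts to create /system/etc/xtables.lock when it is absent; the write is (and must remain) denied by the neverallow below, this only suppresses the audit noise.`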
@@ -60,7 +62,7 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
-r_dir_file(netd, cgroup_bpf)
+r_dir_file(netd, cgroup_v2)
allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write };
@@ -81,9 +83,6 @@
# Allow netd to spawn dnsmasq in it's own domain
allow netd dnsmasq:process signal;
-set_prop(netd, ctl_mdnsd_prop)
-set_prop(netd, netd_stable_secret_prop)
-
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
@@ -113,8 +112,6 @@
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
-get_prop(netd, hwservicemanager_prop)
-get_prop(netd, device_config_netd_native_prop)
###
### Neverallow rules
@@ -131,7 +128,7 @@
neverallow netd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
# only system_server, dumpstate and network stack app may find netd service
neverallow {
@@ -157,14 +154,6 @@
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
-# persist.netd.stable_secret contains RFC 7217 secret key which should never be
-# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
-
-# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
-# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
-neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
-
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
@@ -183,3 +172,5 @@
dontaudit netd self:capability sys_module;
dontaudit netd kernel:system module_request;
+
+dontaudit netd appdomain:unix_stream_socket { read write };
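Review bot: The added `dontaudit netd appdomain:unix_stream_socket { read write };` carries no comment, unlike the other dontaudit rules in this file, which each state which denial they silence and why it is harmless. Without that, a later reader cannot tell whether the denial is expected (a socket fd handed to netd that it should not touch) or a symptom that netd needs the access, and nobody can tell when the rule is safe to drop. Please add a one-line comment naming the trigger and a tracking bug, for example `# TODO(b/<bug id>): app-owned sockets passed to netd produce read/write denials netd does not need; silence them.` with the actual cause filled in.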
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
new file mode 100644
index 0000000..db8dd1a
--- /dev/null
+++ b/public/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# otapreopt_chroot seclabel
+
+# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
+type otapreopt_chroot, domain;
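Review bot: The TODO on the new `type otapreopt_chroot, domain;` has no tracking bug, so this type, exposed in public/ solely so a vendor policy can reference it, has no trigger for removal. The rest of this commit uses the `TODO(b/...)` form (see public/property.te), so the same here would keep the workaround discoverable: `# TODO(b/<bug id>): only present so mediatek/wembley-sepolicy can reference this type for validation; remove once it no longer does.` If the domain's actual rules live in private/, a pointer to that file would also help a reader who finds an empty domain declaration here.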
diff --git a/public/performanced.te b/public/performanced.te
index 7dcb5ea..d694fda 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,3 +28,4 @@
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/public/property.te b/public/property.te
index 9a93518..5edb59e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,4 +1,8 @@
# Properties used only in /system
+#
+# DO NOT ADD system_internal_prop here.
+# Instead, add to private/property.te.
+# TODO(b/150331497): move these to private/property.te
system_internal_prop(apexd_prop)
system_internal_prop(bootloader_boot_reason_prop)
system_internal_prop(device_config_activity_manager_native_boot_prop)
@@ -9,23 +13,7 @@
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(device_config_runtime_native_boot_prop)
system_internal_prop(device_config_runtime_native_prop)
-system_internal_prop(device_config_storage_native_boot_prop)
-system_internal_prop(device_config_sys_traced_prop)
-system_internal_prop(device_config_window_manager_native_boot_prop)
-system_internal_prop(device_config_configuration_prop)
system_internal_prop(firstboot_prop)
-system_internal_prop(fastbootd_protocol_prop)
-system_internal_prop(gsid_prop)
-system_internal_prop(init_perf_lsm_hooks_prop)
-system_internal_prop(init_svc_debug_prop)
-system_internal_prop(last_boot_reason_prop)
-system_internal_prop(netd_stable_secret_prop)
-system_internal_prop(pm_prop)
-system_internal_prop(userspace_reboot_log_prop)
-system_internal_prop(userspace_reboot_test_prop)
-system_internal_prop(system_adbd_prop)
-system_internal_prop(adbd_prop)
-system_internal_prop(traced_perf_enabled_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -66,21 +54,40 @@
')
# Properties which can't be written outside system
-
-# Properties used by binder caches
+system_restricted_prop(aac_drc_prop)
+system_restricted_prop(arm64_memtag_prop)
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
+system_restricted_prop(boot_status_prop)
+system_restricted_prop(bootanim_system_prop)
+system_restricted_prop(bootloader_prop)
system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
+system_restricted_prop(build_bootimage_prop)
+system_restricted_prop(build_prop)
+system_restricted_prop(charger_status_prop)
+system_restricted_prop(fingerprint_prop)
+system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(init_service_status_prop)
+system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(power_debug_prop)
+system_restricted_prop(property_service_version_prop)
+system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
+system_restricted_prop(retaildemo_prop)
system_restricted_prop(socket_hook_prop)
+system_restricted_prop(sqlite_log_prop)
system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(ab_update_gki_prop)
+system_restricted_prop(usb_prop)
system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vold_status_prop)
+system_restricted_prop(vts_status_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
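Review bot: `system_restricted_prop(ab_update_gki_prop)` is inserted between system_jvmti_agent_prop and usb_prop, breaking the alphabetical order that every other new entry in this list follows; it belongs right after `system_restricted_prop(aac_drc_prop)`. The vendor-config hunk has the same slip: `system_vendor_config_prop(apexd_config_prop)` precedes `aaudio_config_prop`, while the same hunk deliberately moves `vndk_prop` below `virtual_ab_prop` to restore order. Keeping these lists sorted matters here because merge conflicts in property ownership lists are how duplicate or lost entries slip through review.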
@@ -88,24 +95,17 @@
system_restricted_prop(cppreopt_prop)
system_restricted_prop(dalvik_prop)
system_restricted_prop(debuggerd_prop)
- system_restricted_prop(default_prop)
system_restricted_prop(device_logging_prop)
system_restricted_prop(dhcp_prop)
system_restricted_prop(dumpstate_prop)
- system_restricted_prop(exported2_default_prop)
system_restricted_prop(exported3_system_prop)
system_restricted_prop(exported_dumpstate_prop)
- system_restricted_prop(exported_fingerprint_prop)
system_restricted_prop(exported_secure_prop)
- system_restricted_prop(exported_vold_prop)
- system_restricted_prop(ffs_prop)
- system_restricted_prop(fingerprint_prop)
system_restricted_prop(heapprofd_prop)
system_restricted_prop(net_radio_prop)
system_restricted_prop(pan_result_prop)
system_restricted_prop(persist_debug_prop)
system_restricted_prop(shell_prop)
- system_restricted_prop(system_radio_prop)
system_restricted_prop(test_harness_prop)
system_restricted_prop(theme_prop)
system_restricted_prop(use_memfd_prop)
@@ -113,25 +113,65 @@
')
# Properties which can be written only by vendor_init
+system_vendor_config_prop(apexd_config_prop)
+system_vendor_config_prop(aaudio_config_prop)
system_vendor_config_prop(apk_verity_prop)
+system_vendor_config_prop(audio_config_prop)
+system_vendor_config_prop(bootanim_config_prop)
+system_vendor_config_prop(build_config_prop)
+system_vendor_config_prop(build_odm_prop)
+system_vendor_config_prop(build_vendor_prop)
+system_vendor_config_prop(camera_calibration_prop)
+system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(camerax_extensions_prop)
+system_vendor_config_prop(charger_config_prop)
+system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(exported_audio_prop)
+system_vendor_config_prop(dalvik_config_prop)
+system_vendor_config_prop(debugfs_restriction_prop)
+system_vendor_config_prop(drm_service_config_prop)
system_vendor_config_prop(exported_camera_prop)
system_vendor_config_prop(exported_config_prop)
system_vendor_config_prop(exported_default_prop)
-system_vendor_config_prop(exported3_default_prop)
+system_vendor_config_prop(ffs_config_prop)
+system_vendor_config_prop(framework_watchdog_config_prop)
system_vendor_config_prop(graphics_config_prop)
+system_vendor_config_prop(hdmi_config_prop)
+system_vendor_config_prop(hw_timeout_multiplier_prop)
system_vendor_config_prop(incremental_prop)
+system_vendor_config_prop(keyguard_config_prop)
+system_vendor_config_prop(lmkd_config_prop)
+system_vendor_config_prop(media_config_prop)
system_vendor_config_prop(media_variant_prop)
+system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(mm_events_config_prop)
+system_vendor_config_prop(oem_unlock_prop)
+system_vendor_config_prop(packagemanager_config_prop)
+system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(sendbug_config_prop)
+system_vendor_config_prop(soc_prop)
system_vendor_config_prop(storage_config_prop)
+system_vendor_config_prop(storagemanager_config_prop)
+system_vendor_config_prop(surfaceflinger_prop)
+system_vendor_config_prop(suspend_prop)
+system_vendor_config_prop(systemsound_config_prop)
+system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(tombstone_config_prop)
+system_vendor_config_prop(usb_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
system_vendor_config_prop(vehicle_hal_prop)
system_vendor_config_prop(vendor_security_patch_level_prop)
system_vendor_config_prop(vendor_socket_hook_prop)
-system_vendor_config_prop(vndk_prop)
system_vendor_config_prop(virtual_ab_prop)
+system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(vts_config_prop)
+system_vendor_config_prop(vold_config_prop)
+system_vendor_config_prop(wifi_config_prop)
+system_vendor_config_prop(zram_config_prop)
+system_vendor_config_prop(zygote_config_prop)
# Properties with no restrictions
+system_public_prop(adbd_config_prop)
system_public_prop(audio_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
@@ -140,22 +180,15 @@
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
system_public_prop(dumpstate_options_prop)
system_public_prop(exported_system_prop)
-system_public_prop(exported2_config_prop)
-system_public_prop(exported2_radio_prop)
-system_public_prop(exported2_system_prop)
-system_public_prop(exported2_vold_prop)
-system_public_prop(exported3_radio_prop)
system_public_prop(exported_bluetooth_prop)
-system_public_prop(exported_dalvik_prop)
-system_public_prop(exported_ffs_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
-system_public_prop(exported_radio_prop)
-system_public_prop(exported_system_radio_prop)
-system_public_prop(exported_wifi_prop)
+system_public_prop(ffs_control_prop)
+system_public_prop(hal_dumpstate_config_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
system_public_prop(lmkd_prop)
@@ -167,15 +200,29 @@
system_public_prop(nfc_prop)
system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
+system_public_prop(qemu_hw_prop)
+system_public_prop(qemu_sf_lcd_density_prop)
+system_public_prop(radio_control_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
+system_public_prop(surfaceflinger_color_prop)
system_public_prop(system_prop)
+system_public_prop(telephony_status_prop)
+system_public_prop(usb_control_prop)
+system_public_prop(vold_post_fs_data_prop)
+system_public_prop(wifi_hal_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
+system_public_prop(zram_control_prop)
+
+# Properties which don't have entries on property_contexts
+system_internal_prop(default_prop)
# Properties used in default HAL implementations
vendor_internal_prop(rebootescrow_hal_prop)
+vendor_public_prop(persist_vendor_debug_wifi_prop)
+
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
not_compatible_property(`
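Review bot: `system_internal_prop(default_prop)` under the new "Properties which don't have entries on property_contexts" comment contradicts the header this same commit adds at the top of the file, `DO NOT ADD system_internal_prop here. Instead, add to private/property.te.` Either the declaration should move to private/property.te with the other system_internal_prop entries, or, if default_prop must stay visible to vendor policy as the fallback label, the comment should say so and reference the same tracking bug, e.g. `# default_prop must remain in public/ because vendor policy references it; see b/150331497.` As written the file gives two conflicting instructions to the next contributor.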
@@ -219,31 +266,30 @@
system_public_prop(cppreopt_prop)
system_public_prop(dalvik_prop)
system_public_prop(debuggerd_prop)
- system_public_prop(default_prop)
system_public_prop(device_logging_prop)
system_public_prop(dhcp_prop)
system_public_prop(dumpstate_prop)
- system_public_prop(exported2_default_prop)
system_public_prop(exported3_system_prop)
system_public_prop(exported_dumpstate_prop)
- system_public_prop(exported_fingerprint_prop)
system_public_prop(exported_secure_prop)
- system_public_prop(exported_vold_prop)
- system_public_prop(ffs_prop)
- system_public_prop(fingerprint_prop)
system_public_prop(heapprofd_prop)
system_public_prop(net_radio_prop)
system_public_prop(pan_result_prop)
system_public_prop(persist_debug_prop)
system_public_prop(shell_prop)
- system_public_prop(system_radio_prop)
system_public_prop(test_harness_prop)
system_public_prop(theme_prop)
system_public_prop(use_memfd_prop)
system_public_prop(vold_prop)
')
-type vendor_default_prop, property_type;
+not_compatible_property(`
+ vendor_public_prop(vendor_default_prop)
+')
+
+compatible_property_only(`
+ vendor_internal_prop(vendor_default_prop)
+')
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
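Review bot: The replacement of `type vendor_default_prop, property_type;` with a `vendor_public_prop` declaration under `not_compatible_property` and a `vendor_internal_prop` one under `compatible_property_only` has no comment, while the neighbouring `not_compatible_property` block does explain its purpose. A reader has to infer that the two macro contexts are mutually exclusive and why the attribute differs between them. A short comment above the pair, along the lines of `# vendor_default_prop is only vendor-internal on devices that enforce property ownership; legacy devices keep it public.`, would document the intent (adjust if the actual reason differs).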
@@ -251,54 +297,6 @@
allow property_type tmpfs:filesystem associate;
-###
-### Neverallow rules
-###
-
-treble_sysprop_neverallow(`
-
-# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
-# neverallow domain {
-# property_type
-# -system_property_type
-# -product_property_type
-# -vendor_property_type
-# }:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
- system_property_type
- system_internal_property_type
- -system_restricted_property_type
- -system_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
- system_property_type
- -system_public_property_type
-}:property_service set;
-
-# init is in coredomain, but should be able to read/write all props.
-# dumpstate is also in coredomain, but should be able to read all props.
-neverallow { coredomain -init -dumpstate } {
- vendor_property_type
- vendor_internal_property_type
- -vendor_restricted_property_type
- -vendor_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { coredomain -init } {
- vendor_property_type
- -vendor_public_property_type
-}:property_service set;
-
-')
-
-# There is no need to perform ioctl or advisory locking operations on
-# property files. If this neverallow is being triggered, it is
-# likely that the policy is using r_file_perms directly instead of
-# the get_prop() macro.
-neverallow domain property_type:file { ioctl lock };
-
# core_property_type should not be used for new properties or
# device specific properties. Properties with this attribute
# are readable to everyone, which is overly broad and should
@@ -312,11 +310,8 @@
typeattribute dalvik_prop core_property_type;
typeattribute debuggerd_prop core_property_type;
typeattribute debug_prop core_property_type;
-typeattribute default_prop core_property_type;
typeattribute dhcp_prop core_property_type;
typeattribute dumpstate_prop core_property_type;
-typeattribute ffs_prop core_property_type;
-typeattribute fingerprint_prop core_property_type;
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
@@ -328,293 +323,6 @@
typeattribute restorecon_prop core_property_type;
typeattribute shell_prop core_property_type;
typeattribute system_prop core_property_type;
-typeattribute system_radio_prop core_property_type;
+typeattribute usb_prop core_property_type;
typeattribute vold_prop core_property_type;
-neverallow * {
- core_property_type
- -audio_prop
- -config_prop
- -cppreopt_prop
- -dalvik_prop
- -debuggerd_prop
- -debug_prop
- -default_prop
- -dhcp_prop
- -dumpstate_prop
- -ffs_prop
- -fingerprint_prop
- -logd_prop
- -net_radio_prop
- -nfc_prop
- -ota_prop
- -pan_result_prop
- -persist_debug_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -shell_prop
- -system_prop
- -system_radio_prop
- -vold_prop
-}:file no_rw_file_perms;
-
-# sigstop property is only used for debugging; should only be set by su which is permissive
-# for userdebug/eng
-neverallow {
- domain
- -init
- -vendor_init
-} ctl_sigstop_prop:property_service set;
-
-# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
-# in the audit log
-dontaudit domain {
- ctl_bootanim_prop
- ctl_bugreport_prop
- ctl_console_prop
- ctl_default_prop
- ctl_dumpstate_prop
- ctl_fuse_prop
- ctl_mdnsd_prop
- ctl_rildaemon_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} init_svc_debug_prop:property_service set;
-
-neverallow {
- domain
- -init
- -dumpstate
- userdebug_or_eng(`-su')
-} init_svc_debug_prop:file no_rw_file_perms;
-
-compatible_property_only(`
-# Prevent properties from being set
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- extended_core_property_type
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported2_config_prop
- exported2_default_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_system_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- -vendor_init
- } {
- exported_radio_prop
- exported3_radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- exported2_radio_prop
- radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- -vendor_init
- } {
- exported_bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_camera_server
- -cameraserver
- -vendor_init
- } {
- exported_camera_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- -vendor_init
- } {
- exported_wifi_prop
- }:property_service set;
-
-# Prevent properties from being read
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- extended_core_property_type
- exported_dalvik_prop
- exported_ffs_prop
- exported_system_radio_prop
- exported2_config_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_system_prop
- -debug_prop
- -logd_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:file no_rw_file_perms;
-')
-
-compatible_property_only(`
- # Neverallow coredomain to set vendor properties
- neverallow {
- coredomain
- -init
- -system_writes_vendor_properties_violators
- } {
- property_type
- -system_property_type
- -extended_core_property_type
- }:property_service set;
-')
-
-neverallow {
- -init
- -system_server
-} {
- userspace_reboot_log_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and system_server to set system_adbd_prop
- -init
- -system_server
-} {
- system_adbd_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and adbd to set adbd_prop
- -init
- -adbd
-} {
- adbd_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and shell to set userspace_reboot_test_prop
- -init
- -shell
-} {
- userspace_reboot_test_prop
-}:property_service set;
-
-neverallow {
- -init
- -vendor_init
-} {
- graphics_config_prop
-}:property_service set;
-
-neverallow {
- -init
- -surfaceflinger
-} {
- surfaceflinger_display_prop
-}:property_service set;
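Review bot: `typeattribute usb_prop core_property_type;` sits directly under the context comment stating that core_property_type "should not be used for new properties" because such properties are readable to everyone, and the same commit also declares `system_restricted_prop(usb_prop)` earlier in this file. If usb_prop is a rename of one of the core properties removed here rather than a new type, a comment saying so would justify the exception; if it is new, the broad readability conflicts with the restricted declaration and one of the two should go. Either way the combination deserves a one-line note so the apparent contradiction is not re-raised at every future review.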
diff --git a/public/property_contexts b/public/property_contexts
deleted file mode 100644
index 4607ef3..0000000
--- a/public/property_contexts
+++ /dev/null
@@ -1,479 +0,0 @@
-# vendor-init-readable
-persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact bool
-
-# vendor-init-settable
-af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
-audio.camerasound.force u:object_r:exported_audio_prop:s0 exact bool
-audio.deep_buffer.media u:object_r:exported3_default_prop:s0 exact bool
-audio.offload.video u:object_r:exported3_default_prop:s0 exact bool
-audio.offload.min.duration.secs u:object_r:exported3_default_prop:s0 exact int
-camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
-camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
-dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.boot-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.dex2oat64.enabled u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.dexopt.secondary u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.execution-mode u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.extra-opts u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.foreground-heap-growth-multiplier u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.gctype u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.heapgrowthlimit u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.heapmaxfree u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.heapminfree u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.heapsize u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.heapstartsize u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.heaptargetutilization u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.image-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.isa.arm.features u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.arm.variant u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.arm64.features u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.arm64.variant u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.mips.features u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.mips.variant u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.mips64.features u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.mips64.variant u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.unknown.features u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.unknown.variant u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.x86.features u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.x86.variant u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.x86_64.features u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.isa.x86_64.variant u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.jitinitialsize u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.jitmaxsize u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.jitprithreadweight u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.jitthreshold u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.jittransitionweight u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.jniopts u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.lockprof.threshold u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.method-trace u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
-dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
-drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
-external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
-keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
-media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
-media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
-media.stagefright.thumbnail.prefer_hw_codecs u:object_r:exported3_default_prop:s0 exact bool
-persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
-persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
-persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
-persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
-persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
-persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
-persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
-persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
-persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
-persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
-persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
-persist.sys.sf.color_mode u:object_r:exported2_system_prop:s0 exact int
-persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
-persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
-pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
-ro.af.client_heap_size_kbyte u:object_r:exported3_default_prop:s0 exact int
-ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
-ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
-ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
-ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
-ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
-ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
-ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
-ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
-ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
-ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
-ro.config.media_vol_steps u:object_r:exported2_config_prop:s0 exact int
-ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string
-ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
-ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
-ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
-ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
-ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
-ro.crypto.dm_default_key.options_format.version u:object_r:exported2_vold_prop:s0 exact int
-ro.crypto.fde_algorithm u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.fde_sector_size u:object_r:exported2_vold_prop:s0 exact int
-ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
-ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.metadata.encryption u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.metadata.method u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.options u:object_r:exported2_vold_prop:s0 exact string
-ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
-ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
-ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
-ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
-ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
-ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
-ro.lmk.critical u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
-ro.lmk.debug u:object_r:exported3_default_prop:s0 exact bool
-ro.lmk.downgrade_pressure u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.kill_heaviest_task u:object_r:exported3_default_prop:s0 exact bool
-ro.lmk.kill_timeout_ms u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.low u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.medium u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.psi_partial_stall_ms u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
-ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
-ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
-ro.minui.default_rotation u:object_r:exported3_default_prop:s0 exact string
-ro.minui.overscan_percent u:object_r:exported3_default_prop:s0 exact int
-ro.minui.pixel_format u:object_r:exported3_default_prop:s0 exact string
-ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
-ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
-ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
-ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
-ro.statsd.enable u:object_r:exported3_default_prop:s0 exact bool
-ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
-ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
-ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
-ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
-ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
-ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
-ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
-ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
-ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.profiles u:object_r:media_variant_prop:s0 exact string
-ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
-ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
-ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
-ro.zygote u:object_r:exported3_default_prop:s0 exact string
-sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
-sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
-sys.usb.ffs.max_read u:object_r:exported_ffs_prop:s0 exact int
-sys.usb.ffs.max_write u:object_r:exported_ffs_prop:s0 exact int
-sys.usb.ffs.ready u:object_r:exported_ffs_prop:s0 exact bool
-sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
-sys.usb.ffs.mtp.ready u:object_r:exported_ffs_prop:s0 exact bool
-sys.usb.state u:object_r:exported2_system_prop:s0 exact string
-telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
-telephony.active_modems.max_count u:object_r:exported3_default_prop:s0 exact int
-tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
-vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
-vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
-wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
-zram.force_writeback u:object_r:exported3_default_prop:s0 exact bool
-
-# vendor-init-readable
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
-dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
-persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
-persist.sys.theme u:object_r:theme_prop:s0 exact string
-persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
-sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
-sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
-sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
-sys.vdso u:object_r:exported3_system_prop:s0 exact string
-
-# vendor-init-settable
-persist.sys.zram_enabled u:object_r:exported2_system_prop:s0 exact bool
-sys.usb.config u:object_r:exported_system_radio_prop:s0 exact string
-sys.usb.configfs u:object_r:exported_system_radio_prop:s0 exact int
-
-# public-readable
-aac_drc_boost u:object_r:exported2_default_prop:s0 exact int
-aac_drc_cut u:object_r:exported2_default_prop:s0 exact int
-aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
-aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
-aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
-build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
-ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
-drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
-dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
-dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
-hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
-init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
-init.svc.bugreportd u:object_r:exported2_default_prop:s0 exact string
-init.svc.console u:object_r:exported2_default_prop:s0 exact string
-init.svc.dumpstatez u:object_r:exported2_default_prop:s0 exact string
-init.svc.mediadrm u:object_r:exported2_default_prop:s0 exact string
-init.svc.surfaceflinger u:object_r:exported2_default_prop:s0 exact string
-init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
-init.svc.zygote u:object_r:exported2_default_prop:s0 exact string
-libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
-libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
-libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
-net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
-persist.sys.locale u:object_r:exported_system_prop:s0 exact string
-persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
-persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
-ro.adb.secure u:object_r:exported_secure_prop:s0 exact bool
-ro.arch u:object_r:exported2_default_prop:s0 exact string
-ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
-ro.baseband u:object_r:exported2_default_prop:s0 exact string
-ro.boot.avb_version u:object_r:exported2_default_prop:s0 exact string
-ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
-ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
-ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
-ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
-ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
-ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
-ro.boot.console u:object_r:exported2_default_prop:s0 exact string
-ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
-ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
-ro.boot.hardware.sku u:object_r:exported2_default_prop:s0 exact string
-ro.boot.keymaster u:object_r:exported2_default_prop:s0 exact string
-ro.boot.mode u:object_r:exported2_default_prop:s0 exact string
-ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
-ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
-ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
-ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
-ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
-ro.bootloader u:object_r:exported2_default_prop:s0 exact string
-ro.build.date u:object_r:exported2_default_prop:s0 exact string
-ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
-ro.build.description u:object_r:exported2_default_prop:s0 exact string
-ro.build.display.id u:object_r:exported2_default_prop:s0 exact string
-ro.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
-ro.build.host u:object_r:exported2_default_prop:s0 exact string
-ro.build.id u:object_r:exported2_default_prop:s0 exact string
-ro.build.product u:object_r:exported2_default_prop:s0 exact string
-ro.build.system_root_image u:object_r:exported2_default_prop:s0 exact bool
-ro.build.tags u:object_r:exported2_default_prop:s0 exact string
-ro.build.user u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
-ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.release_or_codename u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
-ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
-ro.crypto.state u:object_r:exported_vold_prop:s0 exact enum encrypted unencrypted unsupported
-ro.crypto.type u:object_r:exported_vold_prop:s0 exact enum block file none
-ro.debuggable u:object_r:exported2_default_prop:s0 exact int
-ro.hardware u:object_r:exported2_default_prop:s0 exact string
-ro.product.brand u:object_r:exported2_default_prop:s0 exact string
-ro.product.cpu.abi u:object_r:exported2_default_prop:s0 exact string
-ro.product.cpu.abilist u:object_r:exported2_default_prop:s0 exact string
-ro.product.device u:object_r:exported2_default_prop:s0 exact string
-ro.product.manufacturer u:object_r:exported2_default_prop:s0 exact string
-ro.product.model u:object_r:exported2_default_prop:s0 exact string
-ro.product.name u:object_r:exported2_default_prop:s0 exact string
-ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
-ro.revision u:object_r:exported2_default_prop:s0 exact string
-ro.secure u:object_r:exported_secure_prop:s0 exact int
-ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
-service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
-sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
-sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
-sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
-vold.decrypt u:object_r:exported_vold_prop:s0 exact string
-
-# vendor-init-settable|public-readable
-aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
-aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
-aaudio.mixer_bursts u:object_r:exported_default_prop:s0 exact int
-aaudio.mmap_exclusive_policy u:object_r:exported_default_prop:s0 exact int
-aaudio.mmap_policy u:object_r:exported_default_prop:s0 exact int
-aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
-config.disable_cameraservice u:object_r:exported_camera_prop:s0 exact bool
-gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
-media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
-persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
-rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
-ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
-ro.board.platform u:object_r:exported_default_prop:s0 exact string
-ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
-ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
-ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
-ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
-ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
-ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
-ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
-ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
-ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
-ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
-ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
-ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
-ro.carrier u:object_r:exported_default_prop:s0 exact string
-ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
-ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
-ro.frp.pst u:object_r:exported_default_prop:s0 exact string
-ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
-ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
-ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
-ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
-ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
-ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
-ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
-ro.hardware.input u:object_r:exported_default_prop:s0 exact string
-ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
-ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
-ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
-ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
-ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
-ro.hardware.power u:object_r:exported_default_prop:s0 exact string
-ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
-ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
-ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
-ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
-ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
-ro.hardware.type u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
-ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
-ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
-ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
-ro.kernel.qemu. u:object_r:exported_default_prop:s0
-ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
-ro.kernel.ebpf.supported u:object_r:exported_default_prop:s0 exact bool
-ro.odm.build.date u:object_r:exported_default_prop:s0 exact string
-ro.odm.build.date.utc u:object_r:exported_default_prop:s0 exact int
-ro.odm.build.fingerprint u:object_r:exported_default_prop:s0 exact string
-ro.odm.build.version.incremental u:object_r:exported_default_prop:s0 exact string
-ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
-ro.product.board u:object_r:exported_default_prop:s0 exact string
-ro.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
-ro.product.cpu.abilist64 u:object_r:exported_default_prop:s0 exact string
-ro.product.first_api_level u:object_r:exported_default_prop:s0 exact int
-ro.product.odm.brand u:object_r:exported_default_prop:s0 exact string
-ro.product.odm.device u:object_r:exported_default_prop:s0 exact string
-ro.product.odm.manufacturer u:object_r:exported_default_prop:s0 exact string
-ro.product.odm.model u:object_r:exported_default_prop:s0 exact string
-ro.product.odm.name u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.brand u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.device u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
-ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
-ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
-ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
-ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
-ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
-ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
-ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
-ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int
-ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
-ro.vndk.version u:object_r:vndk_prop:s0 exact string
-ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
-wifi.active.interface u:object_r:exported_wifi_prop:s0 exact string
-wifi.aware.interface u:object_r:exported_wifi_prop:s0 exact string
-wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
-wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
-wifi.interface u:object_r:exported_default_prop:s0 exact string
-ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-ro.init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
-
-# public-readable
-ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
-ro.bootmode u:object_r:exported2_default_prop:s0 exact string
-ro.build.type u:object_r:exported2_default_prop:s0 exact string
-sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
-
-# Using Sysprop as API. So the ro.surface_flinger.* are guaranteed to be API-stable
-ro.surface_flinger.default_composition_dataspace u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.default_composition_pixel_format u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.has_HDR_display u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.has_wide_color_display u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.max_graphics_height u:object_r:exported3_default_prop:s0 exact int
-ro.surface_flinger.max_graphics_width u:object_r:exported3_default_prop:s0 exact int
-ro.surface_flinger.max_virtual_display_dimension u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
-ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.running_without_sync_framework u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.start_graphics_allocator_service u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_color_management u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_context_priority u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_vr_flinger u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.wcg_composition_dataspace u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.wcg_composition_pixel_format u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.display_primary_red u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
-
-# Binder cache properties. These are world-readable
-cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
-cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
-cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
-cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
-cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
-cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
-cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
-
-cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
-cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
-cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
-
-# Graphics related properties
-graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
-graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
diff --git a/public/racoon.te b/public/racoon.te
index 6888740..e4b299e 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,6 +12,7 @@
allow racoon tun_device:chr_file r_file_perms;
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/radio.te b/public/radio.te
index 34eaf83..e03b706 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -11,21 +11,12 @@
# Data file accesses.
allow radio radio_data_file:dir create_dir_perms;
allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
-# Property service
-set_prop(radio, radio_prop)
-set_prop(radio, exported_radio_prop)
-set_prop(radio, exported2_radio_prop)
-set_prop(radio, exported3_radio_prop)
-set_prop(radio, net_radio_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
add_service(radio, radio_service)
allow radio audioserver_service:service_manager find;
allow radio cameraserver_service:service_manager find;
diff --git a/public/recovery.te b/public/recovery.te
index 63a9cea..3649888 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -32,7 +32,7 @@
# Mount filesystems.
allow recovery rootfs:dir mounton;
allow recovery tmpfs:dir mounton;
- allow recovery fs_type:filesystem ~relabelto;
+ allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
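Review bot: The rewritten rule `allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;` carries no comment, and its effect is not obvious from the line: when the restriction is enforced it strips every filesystem permission recovery had on `debugfs_type`, not just `relabelto`, and in `cts` mode the macro expands its BEGIN/END marker lines inside the brace set, which works only because `#` starts a line comment for the policy compiler. I would add above it: `# With debugfs restrictions enforced, recovery gets no filesystem permissions on debugfs at all; the macro expands to nothing otherwise.` The rest of the "Mount filesystems" block and the macro definition are outside this hunk.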
@@ -108,26 +108,6 @@
# Read files on /oem.
r_dir_file(recovery, oemfs);
- # Reboot the device
- set_prop(recovery, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(recovery, serialno_prop)
-
- # Set sys.usb.ffs.ready when starting minadbd for sideload.
- set_prop(recovery, ffs_prop)
- set_prop(recovery, exported_ffs_prop)
-
- # Set sys.usb.config when switching into fastboot.
- set_prop(recovery, system_radio_prop)
- set_prop(recovery, exported_system_radio_prop)
-
- # Read ro.boot.bootreason
- get_prop(recovery, bootloader_boot_reason_prop)
-
- # Read storage properties (for correctly formatting filesystems)
- get_prop(recovery, storage_config_prop)
-
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
@@ -147,22 +127,12 @@
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery).
- set_prop(recovery, gsid_prop)
- allow recovery gsi_metadata_file:dir search;
+ allow recovery gsi_metadata_file_type:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;
# Allow mounting /metadata for writing update states
allow recovery metadata_file:dir { getattr mounton };
-
- # These are needed to allow recovery to manage network
- allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
- allow recovery self:global_capability_class_set net_admin;
- allow recovery self:tcp_socket { create ioctl };
- allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
-
- # Set fastbootd protocol property
- set_prop(recovery, fastbootd_protocol_prop)
')
###
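Review bot: Replacing `gsi_metadata_file` with the attribute in `allow recovery gsi_metadata_file_type:dir search;` widens the grant from one type to every type carrying that attribute, including any added later, while the comment above it still describes the narrower libfiemap/gsid use. If the widening is deliberate, the comment should say so, e.g. `# search is granted on the whole gsi_metadata_file_type attribute so libfiemap can traverse all GSI metadata labels`. Which types currently carry the attribute is not visible from this hunk.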
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 1ae3770..bb1c919 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,6 +2,7 @@
type sdcardd_exec, system_file_type, exec_type, file_type;
allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/service.te b/public/service.te
index f27772e..74dc104 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,6 +1,9 @@
type aidl_lazy_test_service, service_manager_type;
+type apc_service, service_manager_type;
type apex_service, service_manager_type;
+type artd_service, service_manager_type;
type audioserver_service, service_manager_type;
+type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
@@ -9,14 +12,15 @@
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
type fingerprintd_service, service_manager_type;
-type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, app_api_service, service_manager_type;
+type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
+type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -27,15 +31,20 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
+type system_suspend_control_internal_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
+type update_engine_stable_service, service_manager_type;
+type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
+type vpnprofilestore_service, service_manager_type;
type vr_hwc_service, service_manager_type;
type vrflinger_vsync_service, service_manager_type;
@@ -47,6 +56,7 @@
type adb_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
+type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -85,11 +95,13 @@
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type domain_verification_service, app_api_service, system_server_service, service_manager_type;
type color_display_service, system_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
@@ -102,15 +114,18 @@
type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
-type bugreport_service, system_api_service, system_server_service, service_manager_type;
+type bugreport_service, app_api_service, system_server_service, service_manager_type;
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
+type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
+type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type incremental_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
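Review bot: `bugreport_service` and `hdmi_control_service` move from `system_api_service` to `app_api_service` in this hunk, and `lock_settings_service`, `timedetector_service` and `timezonedetector_service` gain `app_api_service` in the later hunks of this file, so every app domain can now `find` these system_server services, yet nothing in the diff records why. Because `find` only gates discovery, the effective boundary becomes the permission checks inside each service; that should be stated next to the widened declarations, e.g. a trailing `# discoverable by all apps; access is enforced by the service's own permission checks`. For `bugreport_service` in particular, naming the API that motivates app-level discovery would help later audits.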
@@ -119,16 +134,22 @@
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type location_time_zone_manager_service, system_server_service, service_manager_type;
+type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
+type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -139,16 +160,21 @@
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
+type pac_proxy_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type people_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
+type power_stats_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -159,6 +185,7 @@
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -167,20 +194,25 @@
type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type shortcut_service, app_api_service, system_server_service, service_manager_type;
type slice_service, app_api_service, system_server_service, service_manager_type;
+type smartspace_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
+type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
+type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timedetector_service, system_server_service, service_manager_type;
+type timedetector_service, app_api_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, system_server_service, service_manager_type;
+type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
+type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -190,8 +222,12 @@
type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uwb_service, app_api_service, system_server_service, service_manager_type;
+type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -210,11 +246,27 @@
### HAL Services
###
-type hal_identity_service, vendor_service, service_manager_type;
-type hal_light_service, vendor_service, service_manager_type;
-type hal_power_service, vendor_service, service_manager_type;
-type hal_rebootescrow_service, vendor_service, service_manager_type;
-type hal_vibrator_service, vendor_service, service_manager_type;
+type hal_audio_service, vendor_service, protected_service, service_manager_type;
+type hal_audiocontrol_service, vendor_service, service_manager_type;
+type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_face_service, vendor_service, protected_service, service_manager_type;
+type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
+type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
+type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_keymint_service, vendor_service, protected_service, service_manager_type;
+type hal_light_service, vendor_service, protected_service, service_manager_type;
+type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
+type hal_neuralnetworks_service, vendor_service, service_manager_type;
+type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
+type hal_power_service, vendor_service, protected_service, service_manager_type;
+type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
+type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
+type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
+type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
+type hal_weaver_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
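Review bot: `hal_audiocontrol_service` and `hal_neuralnetworks_service` are the only new HAL service types declared without `protected_service`, and no comment explains the exception, so a reader cannot tell a deliberate choice from an omission. If they are meant to be discoverable beyond their HAL clients, add a trailing comment on each line such as `# intentionally not protected_service: <reason>`; otherwise they should carry the attribute like their neighbours. The neverallow that gives `protected_service` its meaning is outside this hunk.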
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 8e58e42..6dd5bd7 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,11 +1,2 @@
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
diff --git a/public/shell.te b/public/shell.te
index c0412eb..29c07a4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -25,6 +25,13 @@
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
+# Access /data/local/tests.
+allow shell shell_test_data_file:dir create_dir_perms;
+allow shell shell_test_data_file:file create_file_perms;
+allow shell shell_test_data_file:file rx_file_perms;
+allow shell shell_test_data_file:lnk_file create_file_perms;
+allow shell shell_test_data_file:sock_file create_file_perms;
+
# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };
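Review bot: The new `shell_test_data_file` block grants shell both `create_file_perms` and `rx_file_perms` on `file`, i.e. write and execute on the same label, and the comment `# Access /data/local/tests.` does not say why a type separate from `shell_data_file` (which has the same shape just above) is needed. A one-line reason, e.g. `# Separate type so test-runner domains can be granted /data/local/tests without the rest of shell_data_file`, would let the next reader judge the scope. Which other domains are granted the new type is not visible in this hunk.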
@@ -58,60 +65,12 @@
r_dir_file(shell, apk_data_file)
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, exported_dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# Allow shell to start/stop traced via the persist.traced.enable
-# property (which also takes care of /data/misc initialization).
-set_prop(shell, traced_enabled_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
-# property.
-set_prop(shell, heapprofd_enabled_prop)
-# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
-# property.
-set_prop(shell, traced_perf_enabled_prop)
-# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
-set_prop(shell, ctl_gsid_prop)
-# Allow shell to enable Dynamic System Update
-set_prop(shell, dynamic_system_prop)
-# Allow shell to mock an OTA using persist.pm.mock-upgrade
-set_prop(shell, mock_ota_prop)
-
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
allow shell boottrace_data_file:file create_file_perms;
- set_prop(shell, persist_debug_prop)
')
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Allow shell to read the vendor security patch level for CTS
-get_prop(shell, vendor_security_patch_level_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(shell, bootloader_boot_reason_prop)
-get_prop(shell, last_boot_reason_prop)
-get_prop(shell, system_boot_reason_prop)
-
-# Allow reading the outcome of perf_event_open LSM support test for CTS.
-get_prop(shell, init_perf_lsm_hooks_prop)
-
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
@@ -126,6 +85,7 @@
-installd_service
-iorapd_service
-netd_service
+ -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
@@ -163,6 +123,10 @@
allow shell sysfs_net:dir r_dir_perms;
r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/public/stats_service_server.te b/public/stats_service_server.te
index 564ae23..ab8e58a 100644
--- a/public/stats_service_server.te
+++ b/public/stats_service_server.te
@@ -1 +1,4 @@
add_hwservice(stats_service_server, fwk_stats_hwservice)
+add_service(stats_service_server, fwk_stats_service)
+
+binder_use(stats_service_server)
diff --git a/public/statsd.te b/public/statsd.te
index 435bbdf..670f4c7 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -33,6 +33,14 @@
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
+# Allow statsd to interact with mediametrics
+allow statsd mediametrics_service:service_manager find;
+binder_call(statsd, mediametrics)
+
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/public/su.te b/public/su.te
index 99d4603..074ff2e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -18,6 +18,7 @@
vndbinder_use(su)
dontaudit su self:capability_class_set *;
+ dontaudit su self:capability2 *;
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
@@ -47,6 +48,7 @@
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
+ dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
diff --git a/public/system_server.te b/public/system_server.te
index ff18bdf..edefadf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -4,3 +4,14 @@
#
type system_server, domain;
type system_server_tmpfs, file_type, mlstrustedobject;
+
+# Power controls for debugging/diagnostics
+get_prop(system_server, power_debug_prop)
+set_prop(system_server, power_debug_prop)
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -system_server
+} power_debug_prop:property_service set;
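Review bot: The new `get_prop(system_server, power_debug_prop)` and `set_prop(system_server, power_debug_prop)` grants are added to `public/system_server.te`, while this same commit removes property grants from `public/radio.te`, `public/recovery.te` and `public/shell.te`, presumably relocating them to private policy; if that relocation is the intent, these two macro calls belong with the private rules and only the `neverallow` should stay in the public file. The `neverallow` restricts `set` alone, so reads of `power_debug_prop` remain whatever other domains are granted elsewhere, which the comment `# Power controls for debugging/diagnostics` could make explicit. The destination of the removed grants is not visible in this diff.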
diff --git a/public/system_suspend_internal_server.te b/public/system_suspend_internal_server.te
new file mode 100644
index 0000000..67bff77
--- /dev/null
+++ b/public/system_suspend_internal_server.te
@@ -0,0 +1,11 @@
+# To serve ISuspendControlServiceInternal.
+add_service(system_suspend_internal_server, system_suspend_control_internal_service)
+
+neverallow {
+ domain
+ -atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend_internal_server # implements system_suspend_control_internal_service
+ -system_server # configures system_suspend via ISuspendControlServiceInternal
+ -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
diff --git a/public/te_macros b/public/te_macros
index 56f9775..8d15d47 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -163,6 +163,21 @@
domain_auto_trans(init, $1_exec, $1)
')
+####################################
+# userfaultfd_use(domain)
+# Allow domain to create/use userfaultfd.
+define(`userfaultfd_use', `
+# Set up a type_transition to "userfaultfd" named anonymous inode object.
+type $1_userfaultfd;
+type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
+# Allow domain to create/use userfaultfd anon_inode.
+allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Other domains may not use userfaultfd anon_inodes created by this domain.
+neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
+# This domain may not use userfaultfd anon_inodes created by other domains.
+neverallow $1 ~$1_userfaultfd:anon_inode *;
+')
+
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
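Review bot: `userfaultfd_use` emits `type $1_userfaultfd;` on every expansion, so invoking it twice for one domain yields a duplicate type declaration, and the next hunk makes `app_domain` call it for every app domain. The header comment should warn about this: `# Expand at most once per domain; app_domain() already invokes it, so app domains must not call it directly.` The final `neverallow $1 ~$1_userfaultfd:anon_inode *;` asserts that the policy grants the domain no access to any other anon_inode label at all, which is broader than "created by other domains" suggests and is worth stating as the intent.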
@@ -170,6 +185,7 @@
typeattribute $1 appdomain;
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
+userfaultfd_use($1)
allow $1 appdomain_tmpfs:file { execute getattr map read write };
neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
@@ -467,6 +483,12 @@
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
@@ -484,6 +506,23 @@
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
+#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
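Review bot: `no_debugfs_restriction` is documented as applying to devices "that do not have debugfs restrictions in non-user builds", but its `ifelse` only tests for `true`, so when `target_enforce_debugfs_restriction` is `cts` both this macro's rules and the marker-wrapped `enforce_debugfs_restriction` rules are emitted together. If that is intended, because the cts-mode neverallows are test-only markers and the permissive rules must remain, the comment should say so, e.g. `# Also expands in 'cts' mode: the cts neverallows are markers only, so these rules are still needed.` Otherwise the condition should also match `cts`.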
@@ -594,7 +633,9 @@
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
+ allow $1 vpnprofilestore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
')
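Review bot: The two added finds, `allow $1 apc_service:service_manager find;` and `allow $1 vpnprofilestore_service:service_manager find;`, widen what every caller of this macro can discover, but the macro's name and header comment are outside the hunk, so I cannot see whether its documentation still describes the grant as `keystore_service` only; it should list all three services. The enclosing `define` starts before this hunk.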
@@ -654,46 +695,47 @@
add_hwservice($1_server, $2)
build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
')
')
+###########################################
+# hal_attribute_service(attribute, service)
+# Ability for domain to get a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_service
+define(`hal_attribute_service', `
+ allow $1_client $2:service_manager find;
+ add_service($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow {
+ domain
+ -$1_client
+ -$1_server
+ # some services are allowed to find all services
+ -atrace
+ -dumpstate
+ -shell
+ -system_app
+ -traceur_app
+ } $2:service_manager find;
+ ')
+')
+
###################################
# can_profile_heap(domain)
-# Allow processes within the domain to have their heap profiled by heapprofd.
-#
-# Note that profiling is performed differently between debug and user builds.
-# There are two modes for profiling:
-# * forked
-# * central.
-# On user builds, the default is to allow only forked mode. If it is desired
-# to allow central mode as well for a domain, use can_profile_heap_central.
-# On userdebug, this macro allows both forked and central.
-define(`can_profile_heap', `
- # Allow central daemon to send signal for client initialization.
- allow heapprofd $1:process signal;
-
- # Allow executing a private heapprofd process to handle profiling on
- # user builds (also debug builds for testing & development purposes).
- allow $1 heapprofd_exec:file rx_file_perms;
-
- # Allow directory & file read to the central heapprofd daemon, as it scans
- # /proc/[pid]/cmdline for by-process-name profiling configs.
- # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
- allow heapprofd $1:file r_file_perms;
- allow heapprofd $1:dir r_dir_perms;
-
- # Profilability on user implies profilability on userdebug and eng.
- userdebug_or_eng(`
- can_profile_heap_central($1)
- ')
-')
-
-###################################
-# can_profile_heap_central(domain)
# Allow processes within the domain to have their heap profiled by central
# heapprofd.
-define(`can_profile_heap_central', `
+define(`can_profile_heap', `
# Allow central daemon to send signal for client initialization.
allow heapprofd $1:process signal;
# Allow connecting to the daemon.
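Review bot: The header comment of `hal_attribute_service` says the macro "creates a neverallow preventing others from adding it", but the neverallow it writes restricts `service_manager find`; the `add` side comes from `add_service`, so the comment should read `# and find it. It also creates a neverallow preventing domains other than $1_client (and the exemptions below) from finding it.` The exemption list (`atrace`, `dumpstate`, `shell`, `system_app`, `traceur_app`) also makes this guarantee weaker than the hwservice counterpart above, whose neverallow exempts nothing, which is worth stating explicitly rather than leaving to the "some services" remark. Separately, `can_profile_heap_central` is removed and `can_profile_heap` takes its body, so any remaining caller of the old name (not visible here) will fail to expand; the new `can_profile_heap` definition continues past the end of the hunk.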
@@ -784,19 +826,19 @@
#####################################
# treble_sysprop_neverallow(rules)
-# SELinux neverallow rules which enforces the owner of each property and accessibility
+# SELinux neverallow rules which enforces the accessibility of each property
# outside the owner.
#
-# For devices launching with R or later, all properties must be explicitly marked as one of:
-# system_property_type, vendor_property_type, or product_property_type.
-# Also, exported properties must be explicitly marked as "restricted" or "public",
-# depending on the accessibility outside the owner.
+# For devices launching with R or later, exported properties must be explicitly marked as
+# "restricted" or "public", depending on the accessibility outside the owner.
# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these rules only for devices launching with R or later.
#
+# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
+#
define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
ifelse(target_treble_sysprop_neverallow, `cts',
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
@@ -804,6 +846,25 @@
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
, )))
+#####################################
+# enforce_sysprop_owner(rules)
+# SELinux neverallow rules which enforces the owner of each property.
+#
+# For devices launching with S or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these ules only for devices launching with S or later.
+#
+define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
+ifelse(target_enforce_sysprop_owner, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
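Review bot: The new `enforce_sysprop_owner` comment carries two typos and a grammar slip: `eariler` should be `earlier`, `ules` should be `rules`, and `this neverallow rules can be relaxed` should be `these neverallow rules can be relaxed`. The same `eariler` typo exists in the `treble_sysprop_neverallow` comment above it, so fixing both keeps the two macro headers consistent.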
@@ -921,3 +982,12 @@
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+')
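Review bot: `read_fstab` replaces several `dontaudit` rules with allows, but its comment only names the libfstab entry points; a reader will assume it grants read on all of `gsi_metadata_file_type`, whereas the body grants directory `search` plus read of `gsi_public_metadata_file` only. Suggest stating the scope: `# Grants only dir search on metadata_file/gsi_metadata_file_type plus read of gsi_public_metadata_file; other gsi_metadata_file_type files stay unreadable.` Whether that public file is sufficient for every caller (vold previously had r_file_perms on all gsi_metadata_file) cannot be confirmed from here.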
diff --git a/public/traced.te b/public/traced.te
index ec5b850..922d46e 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,2 +1,3 @@
type traced, domain, coredomain, mlstrustedsubject;
+type traced_tmpfs, file_type;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 7e2cc84..ce9b844 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -3,11 +3,6 @@
allow traceur_app servicemanager:service_manager list;
allow traceur_app hwservicemanager:hwservice_manager list;
-# Allow Traceur to enable traced if necessary.
-set_prop(traceur_app, traced_enabled_prop)
-
-set_prop(traceur_app, debug_prop)
-
allow traceur_app {
service_manager_type
-apex_service
diff --git a/public/ueventd.te b/public/ueventd.te
index fc503b8..d5d4301 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -31,14 +31,18 @@
# Access for /vendor/ueventd.rc and /vendor/firmware
r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
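Review bot: The new rule's comment says "Access for /apex/*/firmware", but the rule only grants `r_dir_perms` on `apex_mnt_dir`, i.e. listing the mount directory; reading the firmware files themselves needs file read on whatever label those files carry, which this hunk does not add. If that file access is already covered elsewhere, narrow the comment to match the rule, e.g. `# Enumerate /apex mount points to locate /apex/*/firmware`; otherwise the file rule is missing.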
@@ -59,10 +63,6 @@
allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
-# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
-# to init that cold boot has completed.
-set_prop(ueventd, cold_boot_done_prop)
-
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 4114b2a..0f549c9 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -22,9 +22,6 @@
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
-
# Raw writes to block device
allow uncrypt self:global_capability_class_set sys_rawio;
allow uncrypt misc_block_device:blk_file w_file_perms;
@@ -41,6 +38,5 @@
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
-# Suppress the denials coming from ReadDefaultFstab call.
-dontaudit uncrypt gsi_metadata_file:dir search;
-dontaudit uncrypt metadata_file:dir search;
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)
diff --git a/public/update_engine.te b/public/update_engine.te
index 8b767be..ab7090b 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -35,6 +35,7 @@
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
+add_service(update_engine, update_engine_stable_service)
# Allow update_engine to call the callback function provided by priv_app/GMS core.
binder_call(update_engine, priv_app)
@@ -63,21 +64,11 @@
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
-# Allow to start gsid service.
-set_prop(update_engine, ctl_gsid_prop)
-
-# Allow to set the OTA related properties, e.g. ota.warm_reset.
-set_prop(update_engine, ota_prop)
-
-# Allow to get the DSU status
-get_prop(update_engine, gsid_prop)
-
+# Allow ReadDefaultFstab().
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
-# device. ReadDefaultFstab() checks whether a GSI is running by checking
-# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
-# the access.
-dontaudit update_engine gsi_metadata_file:dir search;
+# device.
+read_fstab(update_engine)
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
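Review bot: The removed comment carried the security rationale for the old `dontaudit` ("we never apply OTAs when GSI is running, so just deny the access"); the replacement `read_fstab(update_engine)` turns that deny into an allow without explaining what changed. Add the reason to the new comment, e.g. `# ReadDefaultFstab() must succeed to locate the misc device, so the GSI metadata lookup is allowed rather than silenced; OTA is still refused at runtime when a GSI is active (presumably — verify).` The three removed `set_prop`/`get_prop` rules are presumably relocated to the private policy, which is outside this view.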
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 57d8e7e..e8fd29e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -33,7 +33,7 @@
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem relabelfrom;
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file rx_file_perms;
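Review bot: `labeledfs` is an attribute spanning every labeled filesystem type, so adding `mount unmount` on it lets `update_engine_common` mount and unmount any such filesystem, not just the postinstall image; the surrounding comment (which begins above the hunk) only explains the relabel. A comment pinning the intent would keep the broad grant reviewable, e.g. `# postinstall images are ordinary ext4/f2fs (labeledfs) filesystems, so mount/unmount is needed on that class too — presumably, verify`. If a narrower filesystem type is available for the image, prefer it over `labeledfs`.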
@@ -59,12 +59,20 @@
# Needed because libdm reads sysfs to validate when a dm path is ready.
r_dir_file(update_engine_common, sysfs_dm)
+# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
+allow update_engine_common sysfs:dir r_dir_perms;
+allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
+
# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file rw_file_perms;
# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file rw_file_perms;
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;
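Review bot: The new `dm_user_device` rule at the end of the hunk is written for `update_engine` although every other rule in `update_engine_common.te` targets the `update_engine_common` attribute; as written, other members of that attribute (a sideload/recovery variant, if one exists) do not receive it, and the rule lives in the wrong file for its subject. Either change it to `allow update_engine_common dm_user_device:dir r_dir_perms;` or move it to `update_engine.te`. The `sysfs:dir r_dir_perms` grant above it is also on the generic sysfs label rather than the ext4/f2fs-specific ones the comment names, which is broader than the comment suggests.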
@@ -80,6 +88,10 @@
# Allow to read Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)
+# Allow to read GKI related flags.
+get_prop(update_engine_common, ab_update_gki_prop)
+get_prop(update_engine_common, build_bootimage_prop)
+
# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
allow update_engine_common metadata_file:dir search;
allow update_engine_common ota_metadata_file:dir rw_dir_perms;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index f881aeb..68b43f0 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -24,12 +24,6 @@
# Write to kernel message.
allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Allow to set the OTA related properties e.g. ota.warm_reset.
-set_prop(update_verifier, ota_prop)
-
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
diff --git a/public/usbd.te b/public/usbd.te
index 991e7be..6f34954 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,5 +1,2 @@
type usbd, domain;
type usbd_exec, system_file_type, exec_type, file_type;
-
-# Start/stop adbd via ctl.start adbd
-set_prop(usbd, ctl_adbd_prop)
diff --git a/public/userdata_sysdev.te b/public/userdata_sysdev.te
new file mode 100644
index 0000000..9974f36
--- /dev/null
+++ b/public/userdata_sysdev.te
@@ -0,0 +1 @@
+allow userdata_sysdev sysfs:filesystem associate;
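Review bot: This new file grants `sysfs:filesystem associate` to `userdata_sysdev` but gives no hint which /sys path the label is meant for, and the `type userdata_sysdev` declaration is not in this file (presumably `file.te`, outside this view). A one-line header would make the label reviewable, e.g. `# userdata_sysdev labels the sysfs tuning node for the userdata filesystem (see file_contexts); vendor_init writes it.`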
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 36bb5cb..7e96cb1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,6 +16,8 @@
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;
@@ -55,8 +57,9 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -72,8 +75,11 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
+ -apex_info_file
+ -userspace_reboot_metadata_file
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
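Review bot: `-apex_info_file` is excluded only in this `file` class statement, whereas every other new exclusion (`gsi_metadata_file_type`, `userspace_reboot_metadata_file`) is applied uniformly to the `dir`, `file`, `sock_file`/`fifo_file`, `lnk_file` and `relabelto` statements in the sibling hunks. If the omission is deliberate because apex_info_file only ever labels a regular file, a short comment such as `-apex_info_file # only a regular file; no dir/lnk entries` would stop a later reader from "fixing" it. The enclosing `allow vendor_init {` statement begins above the hunk.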
@@ -86,8 +92,9 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -101,8 +108,9 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -115,8 +123,9 @@
-system_file_type
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
@@ -135,8 +144,11 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
+allow vendor_init tracefs_type:file { open read setattr map };
+
allow vendor_init {
fs_type
-contextmount_type
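Review bot: The standalone `allow vendor_init tracefs_type:file { open read setattr map };` is added right after `debugfs_type` is carved out of the `fs_type` grant, with no comment; a reader cannot tell whether it re-grants tracefs because tracefs types (presumably — verify) also carry `debugfs_type` on kernels where tracefs is mounted under debugfs, or whether it is unrelated. Suggest `# tracefs is re-allowed explicitly since its types may also be debugfs_type and were removed by the exclusion above`. The `fs_type` allow statement itself begins above the hunk.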
@@ -147,15 +159,6 @@
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -keychord_device
- -port_device
- -lowpan_device
- -hw_random_device
-}:chr_file setattr;
-
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
@@ -189,6 +192,9 @@
allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
recovery_only(`
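Review bot: `create_file_perms` on `userdata_sysdev:file` is more than a sysfs attribute node can ever honour: if the macro follows the usual global_macros definition it includes `create`, `unlink`, `rename` and `link`, none of which apply to sysfs, so the grant should be `allow vendor_init userdata_sysdev:file rw_file_perms;` (or `w_file_perms` if tuning is write-only). The comment `# allow filesystem tuning` would also benefit from naming which /sys path the label covers.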
@@ -206,50 +212,57 @@
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)
-set_prop(vendor_init, exported_audio_prop)
set_prop(vendor_init, exported_bluetooth_prop)
set_prop(vendor_init, exported_camera_prop)
set_prop(vendor_init, exported_config_prop)
-set_prop(vendor_init, exported_dalvik_prop)
set_prop(vendor_init, exported_default_prop)
-set_prop(vendor_init, exported_ffs_prop)
set_prop(vendor_init, exported_overlay_prop)
set_prop(vendor_init, exported_pm_prop)
-set_prop(vendor_init, exported_radio_prop)
-set_prop(vendor_init, exported_system_radio_prop)
-set_prop(vendor_init, exported_wifi_prop)
-set_prop(vendor_init, exported2_config_prop)
-set_prop(vendor_init, exported2_system_prop)
-set_prop(vendor_init, exported2_vold_prop)
-set_prop(vendor_init, exported3_default_prop)
-set_prop(vendor_init, exported3_radio_prop)
+set_prop(vendor_init, ffs_control_prop)
+set_prop(vendor_init, hw_timeout_multiplier_prop)
set_prop(vendor_init, incremental_prop)
set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, qemu_hw_prop)
+set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
-set_prop(vendor_init, storage_config_prop)
+set_prop(vendor_init, soc_prop)
+set_prop(vendor_init, surfaceflinger_color_prop)
+set_prop(vendor_init, usb_control_prop)
set_prop(vendor_init, userspace_reboot_config_prop)
set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, vold_post_fs_data_prop)
+set_prop(vendor_init, wifi_hal_prop)
set_prop(vendor_init, wifi_log_prop)
+set_prop(vendor_init, zram_control_prop)
-get_prop(vendor_init, exported2_radio_prop)
+get_prop(vendor_init, boot_status_prop)
get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, ota_prop)
+get_prop(vendor_init, power_debug_prop)
+get_prop(vendor_init, provisioned_prop)
+get_prop(vendor_init, retaildemo_prop)
get_prop(vendor_init, surfaceflinger_display_prop)
+get_prop(vendor_init, test_harness_prop)
get_prop(vendor_init, theme_prop)
-get_prop(vendor_init, ota_prop)
###
### neverallow rules
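Review bot: `allow vendor_init self:capability sys_nice;` uses the bare `capability` class, whereas this tree writes capability grants against `self:global_capability_class_set` (see `uncrypt` in this same patch) so the permission is also covered for the user-namespace class; suggest `allow vendor_init self:global_capability_class_set sys_nice;`. The comment "(re)set nice" also understates the grant, since CAP_SYS_NICE covers setpriority, sched_setscheduler and CPU-affinity changes on other processes; `# CAP_SYS_NICE: vendor init scripts adjust priority/scheduling of processes they start` would be more honest.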
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index dee9941..3bc3a9f 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,6 +8,9 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer proc_cmdline:file read;
-dontaudit vendor_misc_writer metadata_file:dir search;
+dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
+dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(vendor_misc_writer)
diff --git a/public/vendor_modprobe.te b/public/vendor_modprobe.te
new file mode 100644
index 0000000..529c4aa
--- /dev/null
+++ b/public/vendor_modprobe.te
@@ -0,0 +1 @@
+type vendor_modprobe, domain;
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index 7d30acb..5d7cb31 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -17,3 +17,5 @@
allow vendor_shell console_device:chr_file rw_file_perms;
allow vendor_shell input_device:dir r_dir_perms;
allow vendor_shell input_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/public/vold.te b/public/vold.te
index 1d125d3..7796ba8 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -23,6 +23,7 @@
r_dir_file(vold, metadata_file)
allow vold {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
proc_cmdline
proc_drop_caches
proc_filesystems
@@ -66,9 +67,14 @@
-vold
} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
-# Find the location on the raw block device where the
-# crypto key is stored so it can be destroyed
-allowxperm vold vold_data_file:file ioctl {
+# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
+# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
+# location of the file's blocks on the raw block device to erase.
+allowxperm vold {
+ vold_data_file
+ vold_metadata_file
+}:file ioctl {
+ F2FS_IOC_SEC_TRIM_FILE
FS_IOC_FIEMAP
};
@@ -124,7 +130,7 @@
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental
-allow vold apk_data_file:file rw_file_perms;
+allow vold apk_data_file:file { rw_file_perms unlink };
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
allow vold apk_tmp_file:dir { mounton r_dir_perms };
# Allow to read incremental control file and call selinux restorecon on it
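Review bot: Adding `unlink` to the `apk_data_file` rule lets vold delete files under /data/incremental, but the comment above it still reads "Allow to create and write files"; update it to `# Allow to create, write and delete files in /data/incremental` so the grant and its justification match.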
@@ -148,7 +154,7 @@
allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
@@ -191,19 +197,6 @@
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
-# Property Service
-set_prop(vold, vold_prop)
-set_prop(vold, exported_vold_prop)
-set_prop(vold, exported2_vold_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-set_prop(vold, ota_prop)
-set_prop(vold, boottime_prop)
-set_prop(vold, boottime_public_prop)
-get_prop(vold, storage_config_prop)
-get_prop(vold, incremental_prop)
-
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
@@ -248,6 +241,7 @@
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
+allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
# Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file } create_file_perms;
@@ -287,7 +281,7 @@
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
-allow vold user_profile_data_file:dir create_dir_perms;
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
@@ -297,9 +291,11 @@
dontaudit vold self:global_capability_class_set sys_resource;
-# vold needs to know whether we're running a GSI.
-allow vold gsi_metadata_file:dir r_dir_perms;
-allow vold gsi_metadata_file:file r_file_perms;
+# Allow ReadDefaultFstab().
+read_fstab(vold)
+
+# vold might need to search loopback apex files
+allow vold vendor_apex_file:file r_file_perms;
neverallow {
domain
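Review bot: The replacement narrows vold's GSI access: the removed rules gave `r_dir_perms` on `gsi_metadata_file` directories and `r_file_perms` on all its files, while `read_fstab(vold)` grants only `search` on the directories and read of `gsi_public_metadata_file`. If vold reads any other file under that label (the old comment said it "needs to know whether we're running a GSI"), this will surface as a denial; if the public file is sufficient, a comment saying so would be useful. The comment on the last added line says vold may need to "search loopback apex files", but the rule grants `r_file_perms` on `vendor_apex_file` files, not directory search; reword to `# vold may need to read vendor APEX files when mounting them via loop devices`.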
@@ -344,15 +340,6 @@
neverallow { domain -vold -init } restorecon_prop:property_service set;
-neverallow {
- domain
- -system_server
- -vdc
- -vold
- -update_verifier
- -apexd
-} vold_service:service_manager find;
-
neverallow vold {
domain
-hal_health_storage_server
@@ -362,6 +349,7 @@
-healthd
-hwservicemanager
-iorapd_service
+ -keystore
-servicemanager
-system_server
userdebug_or_eng(`-su')
diff --git a/public/wificond.te b/public/wificond.te
index b429884..254fcbc 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -8,10 +8,6 @@
add_service(wificond, wifinl80211_service)
-set_prop(wificond, exported_wifi_prop)
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
# setting interface state up/down is a privileged ioctl
@@ -33,10 +29,15 @@
#### Offer the Wifi Keystore HwBinder service ###
hwbinder_use(wificond)
-get_prop(wificond, hwservicemanager_prop)
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)
# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
allow wificond keystore:keystore_key get;
+
+# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond wifi_key:keystore2_key {
+ get_info
+ use
+};
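Review bot: The comment `# Allow keystore2 binder access to serve the HwBinder service.` copies the wording of the keystore rule above but describes the wrong thing: the rule grants `get_info` and `use` on `wifi_key:keystore2_key`, i.e. key-use permissions, not binder or service lookup. Suggest `# Allow wificond to look up and use wifi_key keys in keystore2 on behalf of the Wifi Keystore HwBinder service.` Whether a matching keystore2 service find rule exists for wificond cannot be seen in this hunk.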
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
index 462fa27..b33b820 100644
--- a/seapp_contexts.mk
+++ b/seapp_contexts.mk
@@ -1,5 +1,8 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -20,6 +23,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -43,6 +49,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -66,6 +75,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -89,6 +101,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := odm_seapp_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
@@ -112,6 +127,9 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_neverallows
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests
diff --git a/tests/Android.bp b/tests/Android.bp
index 926b5e4..6a86188 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -1,3 +1,11 @@
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
cc_library_host_shared {
name: "libsepolwrap",
srcs: ["sepol_wrap.cpp"],
@@ -79,3 +87,8 @@
],
defaults: ["py2_only"],
}
+
+python_binary_host {
+ name: "check_prop_prefix",
+ srcs: ["check_prop_prefix.py"],
+}
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
new file mode 100644
index 0000000..68511ce
--- /dev/null
+++ b/tests/check_prop_prefix.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import re
+import sys
+
+# A line should look like:
+# {prop_name} u:object_r:{context_name}:s0
+line_regex = re.compile(r'^(\S+)\s+u:object_r:([^:]+):s0.*$')
+
+# Parses a line in property_contexts and return a (prop, ctx) tuple.
+# Raises an error for any malformed entries.
+def parse_line(line):
+ matched = line_regex.match(line)
+ if not matched:
+ raise ValueError('malformed entry "' + line + '" in property_contexts')
+
+ return matched.group(1, 2)
+
+def parse_args():
+ parser = argparse.ArgumentParser(
+ description="Finds any violations in property_contexts, with given allowed prefixes. "
+ "If any violations are found, return a nonzero (failure) exit code.")
+ parser.add_argument("--property-contexts", help="Path to property_contexts file.")
+ parser.add_argument("--allowed-property-prefix", action="extend", nargs="*",
+ help="Allowed property prefixes. If empty, any properties are allowed.")
+ parser.add_argument("--allowed-context-prefix", action="extend", nargs="*",
+ help="Allowed context prefixes. If empty, any contexts are allowed.")
+ parser.add_argument('--strict', action='store_true',
+ help="Make the script fail if any violations are found.")
+
+ return parser.parse_args()
+
+args = parse_args()
+
+violations = []
+
+with open(args.property_contexts, 'r') as f:
+ lines = f.read().split('\n')
+
+for line in lines:
+ tokens = line.strip()
+ # if this line empty or a comment, skip
+ if tokens == '' or tokens[0] == '#':
+ continue
+
+ prop, context = parse_line(line)
+
+ violated = False
+
+ if args.allowed_property_prefix and not prop.startswith(tuple(args.allowed_property_prefix)):
+ violated = True
+
+ if args.allowed_context_prefix and not context.startswith(tuple(args.allowed_context_prefix)):
+ violated = True
+
+ if violated:
+ violations.append(line)
+
+if len(violations) > 0:
+ print('******************************')
+ print('%d violations found:' % len(violations))
+ print('\n'.join(violations))
+ print('******************************')
+ print('%s contains properties which are not properly namespaced.' % args.property_contexts)
+ print('This is enforced by VTS, so please fix such offending properties.')
+ if args.allowed_property_prefix:
+ print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
+ if args.allowed_context_prefix:
+ print('Allowed context prefixes for %s: %s' % (args.property_contexts, args.allowed_context_prefix))
+ if args.strict:
+ print('You can temporarily disable this check with setting BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk.')
+ print('But property namespace is enforced by VTS, and you will need to fix such violations to pass VTS.')
+ print('See test/vts-testcase/security/system_property/vts_treble_sys_prop_test.py for the detail of the VTS.')
+ sys.exit(1)
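Review bot: `parse_line(line)` is called with the raw line even though the skip test uses `tokens = line.strip()`, so an entry with leading whitespace passes the comment check and then fails the `^(\S+)` anchor, raising `ValueError` instead of being evaluated; use `prop, context = parse_line(tokens)`. `--property-contexts` is not marked `required=True`, so omitting it produces a `TypeError` from `open(None)` rather than an argparse usage error. The parser description promises a nonzero exit when violations are found, but `sys.exit(1)` only runs under `--strict`; either drop that sentence or make the default match. `action="extend"` also needs Python 3.8+, which is fine for the `python3` shebang but worth noting given the tests directory still carries `py2_only` defaults.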
diff --git a/tests/policy.py b/tests/policy.py
index 0f51e2f..40229b8 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -52,11 +52,11 @@
__policydbP = None
__BUFSIZE = 2048
- def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+ def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
# Query policy for the types associated with Attr
- TypesPol = self.QueryTypeAttribute(Attr, True)
+ TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes)
# Search file_contexts to find types associated with input paths.
- TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.intersection(TypesPol)
ret = ""
if len(violators) > 0:
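Review bot: The new `ExcludedTypes = []` default is a mutable default argument; it is only read here (`set(ExcludedTypes)`), so nothing breaks today, but the idiomatic form avoids the trap for the next edit: `def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes=None):` with `TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes or ())`. The method's body continues past the end of this hunk.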
@@ -65,6 +65,8 @@
ret += " must not be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " corresponding to files: "
+ ret += " ".join(str(x) for x in sorted(Files)) + "\n"
return ret
# Check that all types for "filesystem" have "attribute" associated with them
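Review bot: The paths printed after "corresponding to files:" are every file_contexts entry under `MatchPrefix`, not the entries labelled with the violating types — `Files` is filled by `__GetTypesAndFilesByFilePathPrefix` for each path that passes the prefix filters regardless of its type — so for a prefix like `/system/` the message dumps the whole partition and the reader still has to locate the offending entries. Have the helper return a mapping from type to its paths and print only the entries whose type is in `violators`; the same two lines appear in the hunk starting at L25000. The enclosing method starts outside this hunk.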
@@ -91,7 +93,7 @@
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find paths/types that should be associated with
# Attr.
- TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.difference(TypesPol)
ret = ""
@@ -101,6 +103,19 @@
ret += " must be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " corresponding to files: "
+ ret += " ".join(str(x) for x in sorted(Files)) + "\n"
+ return ret
+
+ def AssertPropertyOwnersAreExclusive(self):
+ systemProps = self.QueryTypeAttribute('system_property_type', True)
+ vendorProps = self.QueryTypeAttribute('vendor_property_type', True)
+ violators = systemProps.intersection(vendorProps)
+ ret = ""
+ if len(violators) > 0:
+ ret += "The following types have both system_property_type "
+ ret += "and vendor_property_type: "
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
# Return all file_contexts entries that map to the input Type.
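Review bot: `AssertPropertyOwnersAreExclusive` is the only assertion method in this class without the one-line header comment its siblings carry. Add `# Check that no type carries both system_property_type and vendor_property_type.` above the `def` so the intent (a property type must have exactly one owner) is visible without reading the body.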
@@ -261,8 +276,9 @@
# Return types that match MatchPrefixes but do not match
# DoNotMatchPrefixes
- def __GetTypesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
+ def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
Types = set()
+ Files = set()
MatchPrefixesWithIndex = []
for MatchPrefix in MatchPrefixes:
@@ -274,7 +290,8 @@
if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
Types.add(PathType[1])
- return Types
+ Files.add(PathType[0])
+ return Types, Files
def __GetTERules(self, policydbP, avtabIterP, Rules):
if Rules is None:
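Review bot: The header comment above the renamed method (`# Return types that match MatchPrefixes but do not match DoNotMatchPrefixes`, visible in the previous hunk) is now stale, since the method returns a `(Types, Files)` tuple. Update it to `# Return the set of types and the set of paths whose file_contexts entries match MatchPrefixes but not DoNotMatchPrefixes.` The method's definition line is outside this hunk.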
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index f8dc466..edd1708 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -12,7 +12,22 @@
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
def TestSystemTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
+ partitions = ["/system/", "/system_ext/", "/product/"]
+ exceptions = [
+ # devices before treble don't have a vendor partition
+ "/system/vendor/",
+
+ # overlay files are mounted over vendor
+ "/product/overlay/",
+ "/product/vendor_overlay/",
+ "/system/overlay/",
+ "/system/product/overlay/",
+ "/system/product/vendor_overlay/",
+ "/system/system_ext/overlay/",
+ "/system_ext/overlay/",
+ ]
+
+ return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
def TestProcTypeViolations(pol):
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
@@ -31,12 +46,48 @@
return ret
def TestVendorTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+ partitions = ["/vendor/", "/odm/"]
+ exceptions = [
+ "/vendor/etc/selinux/",
+ "/vendor/odm/etc/selinux/",
+ "/odm/etc/selinux/",
+ ]
+ return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
def TestCoreDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
+def TestPropertyTypeViolations(pol):
+ return pol.AssertPropertyOwnersAreExclusive()
+
+def TestAppDataTypeViolations(pol):
+ # Types with the app_data_file_type should only be used for app data files
+ # (/data/data/package.name etc) via seapp_contexts, and never applied
+ # explicitly to other files.
+ partitions = [
+ "/data/",
+ "/vendor/",
+ "/odm/",
+ "/product/",
+ ]
+ exceptions = [
+ # These are used for app data files for the corresponding user and
+ # assorted other files.
+ # TODO(b/172812577): Use different types for the different purposes
+ "shell_data_file",
+ "bluetooth_data_file",
+ "nfc_data_file",
+ "radio_data_file",
+ ]
+ return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
+ exceptions)
+def TestDmaHeapDevTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
+ "dmabuf_heap_device_type")
+
+
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
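Review bot: `TestDmaHeapDevTypeViolations` follows `TestAppDataTypeViolations` with no separating blank line (the `return` of one runs straight into the next `def`), and three blank lines then precede the `###` section comment. One blank line between functions and two before the section comment matches the rest of the file.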
@@ -62,6 +113,9 @@
"TestDebugfsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
+ "TestPropertyTypeViolations",
+ "TestAppDataTypeViolations",
+ "TestDmaHeapDevTypeViolations",
]
if __name__ == '__main__':
@@ -115,6 +169,12 @@
results += TestVendorTypeViolations(pol)
if options.test is None or "TestCoreDataTypeViolations" in options.test:
results += TestCoreDataTypeViolations(pol)
+ if options.test is None or "TestPropertyTypeViolations" in options.test:
+ results += TestPropertyTypeViolations(pol)
+ if options.test is None or "TestAppDataTypeViolations" in options.test:
+ results += TestAppDataTypeViolations(pol)
+ if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
+ results += TestDmaHeapDevTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index cf1e856..9209b66 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -13,33 +13,15 @@
Use file_contexts and policy to verify Treble requirements
are not violated.
'''
-###
-# Differentiate between domains that are part of the core Android platform and
-# domains introduced by vendors
-coreAppdomain = {
- 'bluetooth',
- 'ephemeral_app',
- 'isolated_app',
- 'nfc',
- 'platform_app',
- 'priv_app',
- 'radio',
- 'shared_relro',
- 'shell',
- 'system_app',
- 'untrusted_app',
- 'untrusted_app_25',
- }
-coredomainWhitelist = {
- 'adbd',
- 'kernel',
- 'postinstall',
- 'postinstall_dexopt',
- 'recovery',
- 'system_server',
+coredomainAllowlist = {
+ # TODO: how do we make sure vendor_init doesn't have bad coupling with
+ # /vendor? It is the only system process which is not coredomain.
'vendor_init',
+ # TODO(b/152813275): need to avoid allowlist for rootdir
+ "modprobe",
+ "slideshow",
+ "healthd",
}
-coredomainWhitelist |= coreAppdomain
class scontext:
def __init__(self):
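Review bot: `coredomainAllowlist` mixes quote styles (`'vendor_init'` next to `"modprobe"`, `"slideshow"`, `"healthd"`); pick one for the set literal. Since the app domains formerly folded in via `coreAppdomain` are no longer listed, the allowlist now relies on the later `if d in appdomains: continue` check to skip them; a short comment on the set saying `# app domains are skipped separately via appdomains` would keep that dependency visible.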
@@ -50,6 +32,7 @@
self.attributes = set()
self.entrypoints = []
self.entrypointpaths = []
+ self.error = ""
def PrintScontexts():
for d in sorted(alldomains.keys()):
@@ -102,32 +85,42 @@
global alldomains
global coredomains
for d in alldomains:
+ domain = alldomains[d]
# TestCoredomainViolations will verify if coredomain was incorrectly
# applied.
- if "coredomain" in alldomains[d].attributes:
- alldomains[d].coredomain = True
+ if "coredomain" in domain.attributes:
+ domain.coredomain = True
coredomains.add(d)
# check whether domains are executed off of /system or /vendor
- if d in coredomainWhitelist:
+ if d in coredomainAllowlist:
continue
- # TODO, add checks to prevent app domains from being incorrectly
- # labeled as coredomain. Apps don't have entrypoints as they're always
- # dynamically transitioned to by zygote.
+ # TODO(b/153112003): add checks to prevent app domains from being
+ # incorrectly labeled as coredomain. Apps don't have entrypoints as
+ # they're always dynamically transitioned to by zygote.
if d in appdomains:
continue
- if not alldomains[d].entrypointpaths:
+ # TODO(b/153112747): need to handle cases where there is a dynamic
+ # transition OR there happens to be no context in AOSP files.
+ if not domain.entrypointpaths:
continue
- for path in alldomains[d].entrypointpaths:
- # Processes with entrypoint on /system
- if ((MatchPathPrefix(path, "/system") and not
- MatchPathPrefix(path, "/system/vendor")) or
- MatchPathPrefix(path, "/init") or
- MatchPathPrefix(path, "/charger")):
- alldomains[d].fromSystem = True
- # Processes with entrypoint on /vendor or /system/vendor
- if (MatchPathPrefix(path, "/vendor") or
- MatchPathPrefix(path, "/system/vendor")):
- alldomains[d].fromVendor = True
+
+ for path in domain.entrypointpaths:
+ vendor = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/vendor", "/odm"])
+ system = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/init", "/system_ext", "/product" ])
+
+ # only mark entrypoint as system if it is not in legacy /system/vendor
+ if MatchPathPrefix(path, "/system/vendor"):
+ vendor = True
+ elif MatchPathPrefix(path, "/system"):
+ system = True
+
+ if not vendor and not system:
+ domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
+
+ domain.fromSystem = domain.fromSystem or system
+ domain.fromVendor = domain.fromVendor or vendor
###
# Add the entrypoint type and path(s) to each domain.
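Review bot: `/charger` is no longer classified as a system entrypoint — the removed condition matched it explicitly, but the new `system` prefix list holds only `/init`, `/system_ext` and `/product`, and the `/system` check below does not cover it — so a domain whose entrypoint is `/charger` now collects an "Unrecognized entrypoint" error. If that is intentional a comment saying so would help; otherwise add `"/charger"` to the list. The literal `["/init", "/system_ext", "/product" ]` also has a stray space before the closing bracket, and whether the separate `/system_ext` entry is redundant with the `/system` check depends on how `MatchPathPrefix` matches, which is outside this hunk.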
@@ -195,6 +188,15 @@
# verify that all domains launched from /system have the coredomain
# attribute
ret = ""
+
+ for d in alldomains:
+ domain = alldomains[d]
+ if domain.fromSystem and domain.fromVendor:
+ ret += "The following domain is system and vendor: " + d + "\n"
+
+ for domain in alldomains.values():
+ ret += domain.error
+
violators = []
for d in alldomains:
domain = alldomains[d]
@@ -292,7 +294,7 @@
return ret
def TestViolatorAttributes():
- ret = TestViolatorAttribute("binder_in_vendor_violators")
+ ret = ""
ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
ret += TestViolatorAttribute("vendor_executes_system_violators")
return ret
diff --git a/tools/Android.bp b/tools/Android.bp
index 2809c9d..a6a15a5 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -14,6 +14,14 @@
* limitations under the License.
*/
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
cc_defaults {
name: "sepolicy_tools_defaults",
cflags: [
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 6d60a12..2b06c11 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -20,6 +20,8 @@
#define log_warn(fmt, ...) log_msg(stderr, "Warning: ", fmt, ##__VA_ARGS__)
#define log_info(fmt, ...) if (logging_verbose ) { log_msg(stdout, "Info: ", fmt, ##__VA_ARGS__); }
+#define APP_DATA_REQUIRED_ATTRIB "app_data_file_type"
+
/**
* Initializes an empty, static list.
*/
@@ -192,7 +194,8 @@
/* validation call backs */
static bool validate_bool(char *value, char **errmsg);
static bool validate_levelFrom(char *value, char **errmsg);
-static bool validate_selinux_type(char *value, char **errmsg);
+static bool validate_domain(char *value, char **errmsg);
+static bool validate_type(char *value, char **errmsg);
static bool validate_selinux_level(char *value, char **errmsg);
static bool validate_uint(char *value, char **errmsg);
@@ -213,8 +216,8 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
- { .name = "domain", .dir = dir_out, .fn_validate = validate_selinux_type },
- { .name = "type", .dir = dir_out, .fn_validate = validate_selinux_type },
+ { .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
+ { .name = "type", .dir = dir_out, .fn_validate = validate_type },
{ .name = "levelFromUid", .dir = dir_out, .fn_validate = validate_bool },
{ .name = "levelFrom", .dir = dir_out, .fn_validate = validate_levelFrom },
{ .name = "level", .dir = dir_out, .fn_validate = validate_selinux_level },
@@ -295,28 +298,39 @@
}
/**
- * Checks for a type in the policy.
+ * Look up a type in the policy.
* @param db
* The policy db to search
* @param type
* The type to search for
+ * @param flavor
+ * The expected flavor of type
* @return
- * 1 if the type is found, 0 otherwise.
+ * Pointer to the type's datum if it exists in the policy with the expected
+ * flavor, NULL otherwise.
* @warning
- * This function always returns 1 if libsepol is not linked
- * statically to this executable and LINK_SEPOL_STATIC is not
- * defined.
+ * This function should not be called if libsepol is not linked statically
+ * to this executable and LINK_SEPOL_STATIC is not defined.
*/
-static int check_type(sepol_policydb_t *db, char *type) {
+static type_datum_t *find_type(sepol_policydb_t *db, char *type, uint32_t flavor) {
- int rc = 1;
-#if defined(LINK_SEPOL_STATIC)
- policydb_t *d = (policydb_t *)db;
- hashtab_datum_t dat;
- dat = hashtab_search(d->p_types.table, type);
- rc = (dat == NULL) ? 0 : 1;
-#endif
- return rc;
+ policydb_t *d = &db->p;
+ hashtab_datum_t dat = hashtab_search(d->p_types.table, type);
+ if (!dat) {
+ return NULL;
+ }
+ type_datum_t *type_dat = (type_datum_t *) dat;
+ if (type_dat->flavor != flavor) {
+ return NULL;
+ }
+ return type_dat;
+}
+
+static bool type_has_attribute(sepol_policydb_t *db, type_datum_t *type_dat,
+ type_datum_t *attrib_dat) {
+ policydb_t *d = &db->p;
+ ebitmap_t *attr_bits = &d->type_attr_map[type_dat->s.value - 1];
+ return ebitmap_get_bit(attr_bits, attrib_dat->s.value - 1) != 0;
}
static bool match_regex(key_map *assert, const key_map *check) {
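Review bot: `find_type` takes `char *type`, yet `validate_type` later in this file passes the string literal `APP_DATA_REQUIRED_ATTRIB`, so the parameter should be `const char *type` (libsepol's `hashtab_search` accepts a const key, so no cast is needed). Both `find_type` and `type_has_attribute` are now compiled unconditionally and reach into `db->p` and `d->type_attr_map`, which the removed code only touched under `LINK_SEPOL_STATIC`; if the private policydb headers are only available in the static build, the non-static build fails here even though the callers are guarded, so consider wrapping both definitions in the same `#if`. `type_has_attribute` also assumes `type_attr_map` is populated for the loaded policy; the code that reads `pol.db` is outside this hunk, so confirm that path builds the map.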
@@ -375,7 +389,7 @@
static bool validate_levelFrom(char *value, char **errmsg) {
- if(strcasecmp(value, "none") && strcasecmp(value, "all") &&
+ if (strcasecmp(value, "none") && strcasecmp(value, "all") &&
strcasecmp(value, "app") && strcasecmp(value, "user")) {
*errmsg = "Expecting one of: \"none\", \"all\", \"app\" or \"user\"";
return false;
@@ -383,8 +397,9 @@
return true;
}
-static bool validate_selinux_type(char *value, char **errmsg) {
+static bool validate_domain(char *value, char **errmsg) {
+#if defined(LINK_SEPOL_STATIC)
/*
* No policy file present means we cannot check
* SE Linux types
@@ -393,10 +408,45 @@
return true;
}
- if(!check_type(pol.db, value)) {
+ if (!find_type(pol.db, value, TYPE_TYPE)) {
*errmsg = "Expecting a valid SELinux type";
return false;
}
+#endif
+
+ return true;
+}
+
+static bool validate_type(char *value, char **errmsg) {
+
+#if defined(LINK_SEPOL_STATIC)
+ /*
+ * No policy file present means we cannot check
+ * SE Linux types
+ */
+ if (!pol.policy_file) {
+ return true;
+ }
+
+ type_datum_t *type_dat = find_type(pol.db, value, TYPE_TYPE);
+ if (!type_dat) {
+ *errmsg = "Expecting a valid SELinux type";
+ return false;
+ }
+
+ type_datum_t *attrib_dat = find_type(pol.db, APP_DATA_REQUIRED_ATTRIB,
+ TYPE_ATTRIB);
+ if (!attrib_dat) {
+ /* If the policy doesn't contain the attribute, we can't check it */
+ return true;
+ }
+
+ if (!type_has_attribute(pol.db, type_dat, attrib_dat)) {
+ *errmsg = "Missing required attribute " APP_DATA_REQUIRED_ATTRIB;
+ return false;
+ }
+
+#endif
return true;
}
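Review bot: When the loaded policy lacks the `app_data_file_type` attribute the new check is skipped silently (the `return true` in the `if (!attrib_dat)` branch), so a policy built without the attribute passes validation with no trace of the skip. A `log_info("Policy has no " APP_DATA_REQUIRED_ATTRIB " attribute, skipping check\n");` before that `return true` would make it visible in verbose runs. The blank line directly after the opening brace of `validate_type` is also inconsistent with the rest of the file.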
@@ -459,7 +509,7 @@
log_info("Validating %s=%s\n", key, value);
/*
- * Neverallows are completely skipped from sanity checking so you can match
+ * Neverallows are completely skipped from validity checking so you can match
* un-unspecified inputs.
*/
if (is_neverallow) {
@@ -807,7 +857,7 @@
oom:
log_error("Out of memory!\n");
err:
- if(new_map) {
+ if (new_map) {
rule_map_free(new_map, false);
for (; i < num_of_keys; i++) {
k = &(keys[i]);
@@ -1013,7 +1063,7 @@
* when you want to override the outputs for a given input set, as well as
* checking for duplicate entries.
*/
- if(f) {
+ if (f) {
log_info("Existing entry found!\n");
tmp = (hash_entry *)f->data;
cmp = rule_map_cmp(rm, tmp->r);
@@ -1035,7 +1085,7 @@
e.data = entry;
f = hsearch(e, ENTER);
- if(f == NULL) {
+ if (f == NULL) {
goto oom;
}
@@ -1143,7 +1193,7 @@
err:
log_error("Reading file: \"%s\" line: %zu name: \"%s\" value: \"%s\"\n",
in_file->name, lineno, name, value);
- if(found_whitespace && name && !strcasecmp(name, "neverallow")) {
+ if (found_whitespace && name && !strcasecmp(name, "neverallow")) {
log_error("perhaps whitespace before neverallow\n");
}
exit(EXIT_FAILURE);
diff --git a/tools/insertkeys.py b/tools/insertkeys.py
index ca1e432..51b4ab6 100755
--- a/tools/insertkeys.py
+++ b/tools/insertkeys.py
@@ -56,7 +56,7 @@
# If we ended the certificate trip the flag
inCert = False
- # Sanity check the input
+ # Check the input
if len(base64Key) == 0:
sys.exit("Empty certficate , certificate "+ str(certNo) + " found in file: "
+ path)
diff --git a/tools/sepolicy-analyze/Android.bp b/tools/sepolicy-analyze/Android.bp
index ff40c16..bb6b701 100644
--- a/tools/sepolicy-analyze/Android.bp
+++ b/tools/sepolicy-analyze/Android.bp
@@ -1,3 +1,11 @@
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // legacy_unencumbered
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
cc_binary_host {
name: "sepolicy-analyze",
defaults: ["sepolicy_tools_defaults"],
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 0195e5f..fdfe9ee 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -5,6 +5,9 @@
# permissions granted do not violate the treble model. Also ensure that treble
# compatibility guarantees are upheld between SELinux version bumps.
LOCAL_MODULE := treble_sepolicy_tests_$(version)
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1b2bc23..12e5d9f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -3,15 +3,20 @@
#
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
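Review bot: The new `audiocontrol-service.example` entry leaves the `.` before `example` unescaped, while this same change fixes exactly that in `power-service\.example` further down; file_contexts paths are regular expressions, so a bare `.` matches any character and the entry is wider than intended. Use `/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service\.example u:object_r:hal_audiocontrol_default_exec:s0`. The same unescaped dot appears in the added `gnss-service.example`, `memtrack-service.example` and `power.stats-service` lines in the later hunks of this file.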
@@ -28,6 +33,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service.example u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
@@ -37,6 +43,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
@@ -48,12 +55,14 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service.example u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.example u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power.stats-service\.example u:object_r:hal_power_stats_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service u:object_r:hal_power_stats_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
@@ -61,11 +70,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
@@ -75,6 +85,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
#############################
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index ac30370..2b94313 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -9,10 +9,7 @@
allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
-
-# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
-# a GSI-corrected fstab.
-dontaudit hal_bootctl_default metadata_file:dir search;
+read_fstab(hal_bootctl_default)
# Needed for reading/writing misc partition.
allow hal_bootctl_default block_device:dir search;
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index afa1311..7498788 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -25,6 +25,8 @@
# Un-publishing ICanBus interfaces
allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
+allow hal_can_socketcan sysfs:dir r_dir_perms;
+
allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
TCGETS
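Review bot: `allow hal_can_socketcan sysfs:dir r_dir_perms;` grants directory read and search on the generic `sysfs` type, which covers everything under /sys that has not been given a more specific label, and unlike the neighbouring rules it carries no comment saying what the HAL needs to enumerate. Add a comment naming the directory being listed, e.g. `# Enumerate CAN interfaces under /sys`, and if a narrower sysfs label exists for that path prefer it over the generic type.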
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
index 92af53b..cea362f 100644
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
@@ -3,3 +3,5 @@
type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_gnss_default)
+
+allow hal_gnss_default gnss_device:chr_file rw_file_perms;
diff --git a/vendor/hal_keymint_default.te b/vendor/hal_keymint_default.te
new file mode 100644
index 0000000..3b86a1b
--- /dev/null
+++ b/vendor/hal_keymint_default.te
@@ -0,0 +1,10 @@
+type hal_keymint_default, domain;
+hal_server_domain(hal_keymint_default, hal_keymint)
+
+type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymint_default)
+
+hal_attribute_service(hal_keymint, hal_secureclock_service)
+hal_attribute_service(hal_keymint, hal_sharedsecret_service)
+
+get_prop(hal_keymint_default, vendor_security_patch_level_prop);
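Review bot: The trailing `;` after `get_prop(hal_keymint_default, vendor_security_patch_level_prop)` is inconsistent with every other macro invocation in this new file, which end without one; the macro expansion already supplies its own statement terminators. Drop it: `get_prop(hal_keymint_default, vendor_security_patch_level_prop)`.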
diff --git a/vendor/hal_oemlock_default.te b/vendor/hal_oemlock_default.te
new file mode 100644
index 0000000..8597f2c
--- /dev/null
+++ b/vendor/hal_oemlock_default.te
@@ -0,0 +1,5 @@
+type hal_oemlock_default, domain;
+hal_server_domain(hal_oemlock_default, hal_oemlock)
+
+type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_oemlock_default)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index f00b25a..8752364 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -13,6 +13,7 @@
# android.hardware.graphics.allocator
allow hal_sensors_default hal_graphics_allocator_default:fd use;
allow hal_sensors_default ion_device:chr_file r_file_perms;
+allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
# allow sensor hal to use lock for keeping system awake for wake up
# events delivery.
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index abe1e77..639c7bd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -5,3 +5,6 @@
init_daemon_domain(hal_tv_tuner_default)
allow hal_tv_tuner_default ion_device:chr_file r_file_perms;
+
+# Access to /dev/dma_heap/system
+allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index dcb03a8..56a47b7 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -7,6 +7,4 @@
init_daemon_domain(hal_vehicle_default)
# communication with CAN bus HAL
-allow hal_vehicle_default hal_can_bus_hwservice:hwservice_manager find;
-allow hal_vehicle_default hal_can_socketcan:binder { call transfer };
-allow hal_can_socketcan hal_vehicle_default:binder { call transfer };
+hal_client_domain(hal_vehicle_default, hal_can_bus)
diff --git a/vendor/hal_weaver_default.te b/vendor/hal_weaver_default.te
new file mode 100644
index 0000000..0dd7679
--- /dev/null
+++ b/vendor/hal_weaver_default.te
@@ -0,0 +1,5 @@
+type hal_weaver_default, domain;
+hal_server_domain(hal_weaver_default, hal_weaver)
+
+type hal_weaver_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_weaver_default)
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index d6d0de1..f78b58f 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -18,11 +18,15 @@
allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec ion_device:chr_file rw_file_perms;
+allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
crash_dump_fallback(mediacodec)
+# get aac_drc_* properties
+get_prop(mediacodec, aac_drc_prop)
+
# mediacodec should never execute any executable without a domain transition
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index 61df9e0..3f5918c 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -1,10 +1,9 @@
-type vendor_modprobe, domain;
-
# For the use of /vendor/bin/modprobe from vendor init.rc fragments
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
allow vendor_modprobe proc_modules:file r_file_perms;
allow vendor_modprobe proc_cmdline:file r_file_perms;
+allow vendor_modprobe kmsg_device:chr_file w_file_perms;
allow vendor_modprobe self:global_capability_class_set sys_module;
allow vendor_modprobe kernel:key search;