Minimize microdroid public policy
Like core sepolicy.
Bug: 232023812
Test: atest MicrodroidHostTests MicrodroidTests
Change-Id: I704f8da4656d3bacf327792a2445d15aba8ecf2a
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index c83bcdb..4441d12 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -440,3 +440,7 @@
r_dir_file(init, vendor_kernel_modules)
allow init self:capability sys_module;
allow init vendor_kernel_modules:system module_load;
+
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { getattr write relabelto };
+allow init kmsg_debug_device:chr_file { open write relabelto };
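Review bot: The three rules appended at the end of the hunk carry no comment, while the neighbouring rules in this file are each introduced by one; suggest `# Relabel kmsg character devices created on tmpfs (relabelfrom tmpfs, relabelto kmsg_device/kmsg_debug_device) and write to them.` above the first added line. The grants are also asymmetric: init gets open on kmsg_debug_device but only getattr/write on kmsg_device. If that is intentional (for instance because the kmsg device is opened before policy is loaded), stating it in the comment saves the next reader a trip through the audit log; if not, open is missing from the kmsg_device rule. The rules themselves are an unchanged move from public/init.te.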
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 98c483a..daf6185 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -18,6 +18,11 @@
ctl_fuse_prop
}:property_service set;
+allow property_type tmpfs:filesystem associate;
+
+dontaudit { domain -init } default_prop:file no_rw_file_perms;
+dontaudit { domain -init } default_prop:property_service set;
+
###
### Neverallow rules
###
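Review bot: The two dontaudit rules are added without the explanatory comment that accompanies their neverallow counterparts in the second hunk of this file, so a reader of this section cannot tell why accesses to default_prop are silenced rather than allowed; suggest `# Silence accesses to default_prop that the neverallow rules below forbid.` above them. Separately, `allow property_type tmpfs:filesystem associate;` is placed directly after the closing `}:property_service set;` of the previous statement; a blank line between them would match the spacing used for the other additions in this hunk.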
@@ -67,3 +72,7 @@
domain
-init
} non_existing_prop:property_service set;
+
+# Properties should be explicitly labeled in property_contexts
+neverallow { domain -init } default_prop:file no_rw_file_perms;
+neverallow { domain -init } default_prop:property_service set;
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 5267348..0ea67a7 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -1,5 +1,76 @@
typeattribute shell coredomain;
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
+r_dir_file(shell, proc_net_type)
+
+allow shell {
+ proc_asound
+ proc_filesystems
+ proc_interrupts
+ proc_loadavg # b/124024827
+ proc_meminfo
+ proc_modules
+ proc_pid_max
+ proc_slabinfo
+ proc_stat
+ proc_timer
+ proc_uptime
+ proc_version
+ proc_vmstat
+ proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
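Review bot: The moved block begins immediately after `typeattribute shell coredomain;` with no separating blank line, whereas the statsd.te and su.te hunks in this change insert a blank line before their moved rules; adding one here keeps the private files uniform. The rules are otherwise an unchanged move from public/shell.te, so no policy point is raised.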
diff --git a/microdroid/system/private/statsd.te b/microdroid/system/private/statsd.te
index 437f505..d802602 100644
--- a/microdroid/system/private/statsd.te
+++ b/microdroid/system/private/statsd.te
@@ -1,3 +1,22 @@
typeattribute statsd coredomain;
init_daemon_domain(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read write };
+
+unix_socket_send(statsd, statsdw, statsd)
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 533b328..9b8e2d0 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -2,3 +2,34 @@
# su is also permissive to permit setenforce.
permissive su;
+
+# Add su to various domains
+dontaudit su self:capability_class_set *;
+dontaudit su self:capability2 *;
+dontaudit su kernel:security *;
+dontaudit su { kernel file_type }:system *;
+dontaudit su self:memprotect *;
+dontaudit su domain:{ process process2 } *;
+dontaudit su domain:fd *;
+dontaudit su domain:dir *;
+dontaudit su domain:lnk_file *;
+dontaudit su domain:{ fifo_file file } *;
+dontaudit su domain:socket_class_set *;
+dontaudit su domain:ipc_class_set *;
+dontaudit su domain:key *;
+dontaudit su fs_type:filesystem *;
+dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+dontaudit su node_type:node *;
+dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+dontaudit su netif_type:netif *;
+dontaudit su port_type:socket_class_set *;
+dontaudit su port_type:{ tcp_socket dccp_socket } *;
+dontaudit su domain:peer *;
+dontaudit su domain:binder *;
+dontaudit su property_type:property_service *;
+dontaudit su property_type:file *;
+dontaudit su domain:drmservice *;
+dontaudit su unlabeled:filesystem *;
+dontaudit su domain:bpf *;
+dontaudit su unlabeled:vsock_socket *;
+dontaudit su self:perf_event *;
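Review bot: The comment `# Add su to various domains` does not describe the rules beneath it, which are dontaudit rules rather than domain membership; since the file already notes that su is permissive, a comment such as `# su is permissive; suppress the audit noise its unrestricted accesses would otherwise generate.` would explain why these denials are silenced instead of allowed. The wording appears to be inherited from core sepolicy along with the rules, which are otherwise an unchanged move from public/su.te.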
diff --git a/microdroid/system/private/vendor_init.te b/microdroid/system/private/vendor_init.te
new file mode 100644
index 0000000..669f69a
--- /dev/null
+++ b/microdroid/system/private/vendor_init.te
@@ -0,0 +1,144 @@
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open getattr write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -apex_info_file
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -apex_mnt_dir
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -vendor_file_type
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -fusefs_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr map };
+
+allow vendor_init tracefs_type:file { open read setattr map };
+
+allow vendor_init {
+ fs_type
+ -fusefs_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# vendor_init is using bootstrap bionic
+use_bootstrap_libs(vendor_init)
+
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -hw_random_device
+}:chr_file setattr;
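Review bot: Several comments in the new file describe host Android rather than what the rules grant in a microdroid guest, e.g. `# Mount on /dev/usb-ffs/adb.`, the paragraph mentioning `init.<board>.rc` and `system/core/init.rc requires at least cache_file and data_file_type`, and `# chown/chmod on devices, e.g. /dev/ttyHS0`; whether those paths exist in microdroid is not something the policy shows, so the comments are worth re-checking and trimming to the microdroid case while the rules are being relocated. The rule set is an unchanged move from public/vendor_init.te, so this is a documentation point only.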
diff --git a/microdroid/system/public/adbd.te b/microdroid/system/public/adbd.te
index a41d4a3..f773eab 100644
--- a/microdroid/system/public/adbd.te
+++ b/microdroid/system/public/adbd.te
@@ -1,2 +1,6 @@
type adbd, domain;
type adbd_exec, exec_type, file_type, system_file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/apexd.te b/microdroid/system/public/apexd.te
index d14da93..7d34e63 100644
--- a/microdroid/system/public/apexd.te
+++ b/microdroid/system/public/apexd.te
@@ -1,2 +1,6 @@
type apexd, domain, coredomain;
type apexd_exec, file_type, exec_type, system_file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/crash_dump.te b/microdroid/system/public/crash_dump.te
index d59b034..bac3012 100644
--- a/microdroid/system/public/crash_dump.te
+++ b/microdroid/system/public/crash_dump.te
@@ -1,2 +1,6 @@
type crash_dump, domain;
type crash_dump_exec, system_file_type, exec_type, file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index dfae6f9..c8a05f5 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -27,3 +27,7 @@
type vd_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 201a07e..8d3f76a 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -191,3 +191,7 @@
type usbfs, fs_type;
type usermodehelper, fs_type, proc_type;
type vfat, fs_type, sdcard_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/init.te b/microdroid/system/public/init.te
index b4def39..79f537d 100644
--- a/microdroid/system/public/init.te
+++ b/microdroid/system/public/init.te
@@ -3,6 +3,6 @@
type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type;
-allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { getattr write relabelto };
-allow init kmsg_debug_device:chr_file { open write relabelto };
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
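Review bot: The replacement comment is placed directly after `type init_tmpfs, file_type;` with no blank line, whereas adbd.te, apexd.te and the other public files in this change insert a blank line before the identical comment; the same applies to public/property.te, shell.te, statsd.te, su.te and vendor_init.te. Inserting the blank line in each keeps the footer uniform across public/.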
diff --git a/microdroid/system/public/kernel.te b/microdroid/system/public/kernel.te
index 9ea35c1..c8f0038 100644
--- a/microdroid/system/public/kernel.te
+++ b/microdroid/system/public/kernel.te
@@ -1,2 +1,6 @@
# Life begins with the kernel.
type kernel, domain;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index c2e5ebd..7db53d0 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -50,11 +50,6 @@
type vendor_default_prop, property_type;
type powerctl_prop, property_type;
-allow property_type tmpfs:filesystem associate;
-
-# Properties should be explicitly labeled in property_contexts
-neverallow { domain -init } default_prop:file no_rw_file_perms;
-neverallow { domain -init } default_prop:property_service set;
-
-dontaudit { domain -init } default_prop:file no_rw_file_perms;
-dontaudit { domain -init } default_prop:property_service set;
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index 0bcb29d..0d0c63f 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,73 +2,6 @@
type shell, domain;
type shell_exec, system_file_type, exec_type, file_type;
-# Root fs.
-allow shell rootfs:dir r_dir_perms;
-
-# Access /data/local/tmp.
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-allow shell shell_data_file:lnk_file create_file_perms;
-
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-
-r_dir_file(shell, system_file)
-allow shell system_file:file x_file_perms;
-allow shell toolbox_exec:file rx_file_perms;
-allow shell shell_exec:file rx_file_perms;
-
-# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
-r_dir_file(shell, proc_net_type)
-
-allow shell {
- proc_asound
- proc_filesystems
- proc_interrupts
- proc_loadavg # b/124024827
- proc_meminfo
- proc_modules
- proc_pid_max
- proc_slabinfo
- proc_stat
- proc_timer
- proc_uptime
- proc_version
- proc_vmstat
- proc_zoneinfo
-}:file r_file_perms;
-
-# allow listing network interfaces under /sys/class/net.
-allow shell sysfs_net:dir r_dir_perms;
-
-r_dir_file(shell, cgroup)
-allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
-r_dir_file(shell, cgroup_v2)
-allow shell domain:dir { search open read getattr };
-allow shell domain:{ file lnk_file } { open read getattr };
-
-# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
-allow shell { proc labeledfs }:filesystem getattr;
-
-# stat() of /dev
-allow shell device:dir getattr;
-
-# allow shell to read /proc/pid/attr/current for ps -Z
-allow shell domain:process getattr;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow shell selinuxfs:dir r_dir_perms;
-allow shell selinuxfs:file r_file_perms;
-
-# /dev/fd is a symlink
-allow shell proc:lnk_file getattr;
-
-# read selinux policy files
-allow shell file_contexts_file:file r_file_perms;
-allow shell property_contexts_file:file r_file_perms;
-allow shell service_contexts_file:file r_file_perms;
-allow shell sepolicy_file:file r_file_perms;
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index 0807126..5a37179 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -1,22 +1,6 @@
type statsd, domain;
-
type statsd_exec, system_file_type, exec_type, file_type;
-# Allow statsd to scan through /proc/pid for all processes.
-r_dir_file(statsd, domain)
-
-# Allow executing files on system, such as running a shell or running:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow statsd devpts:chr_file { getattr ioctl read write };
-allow statsd shell_exec:file rx_file_perms;
-allow statsd system_file:file execute_no_trans;
-allow statsd toolbox_exec:file rx_file_perms;
-
-# Allow 'adb shell cmd' to upload configs and download output.
-allow statsd adbd:fd use;
-allow statsd adbd:unix_stream_socket { getattr read write };
-allow statsd shell:fifo_file { getattr read write };
-
-unix_socket_send(statsd, statsdw, statsd)
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index 5f41e37..d425015 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -5,33 +5,6 @@
# that adb root works on debuggable VMs even for user builds.
type su, domain;
-# Add su to various domains
-dontaudit su self:capability_class_set *;
-dontaudit su self:capability2 *;
-dontaudit su kernel:security *;
-dontaudit su { kernel file_type }:system *;
-dontaudit su self:memprotect *;
-dontaudit su domain:{ process process2 } *;
-dontaudit su domain:fd *;
-dontaudit su domain:dir *;
-dontaudit su domain:lnk_file *;
-dontaudit su domain:{ fifo_file file } *;
-dontaudit su domain:socket_class_set *;
-dontaudit su domain:ipc_class_set *;
-dontaudit su domain:key *;
-dontaudit su fs_type:filesystem *;
-dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
-dontaudit su node_type:node *;
-dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
-dontaudit su netif_type:netif *;
-dontaudit su port_type:socket_class_set *;
-dontaudit su port_type:{ tcp_socket dccp_socket } *;
-dontaudit su domain:peer *;
-dontaudit su domain:binder *;
-dontaudit su property_type:property_service *;
-dontaudit su property_type:file *;
-dontaudit su domain:drmservice *;
-dontaudit su unlabeled:filesystem *;
-dontaudit su domain:bpf *;
-dontaudit su unlabeled:vsock_socket *;
-dontaudit su self:perf_event *;
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/toolbox.te b/microdroid/system/public/toolbox.te
index 0a6e649..96565f2 100644
--- a/microdroid/system/public/toolbox.te
+++ b/microdroid/system/public/toolbox.te
@@ -1,2 +1,6 @@
type toolbox, domain;
type toolbox_exec, file_type, exec_type, system_file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index efc1aa3..44d1f96 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -1,3 +1,7 @@
# Miscellaneous types
type system_linker;
type vm_payload_key;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/ueventd.te b/microdroid/system/public/ueventd.te
index 7bf7888..bc49479 100644
--- a/microdroid/system/public/ueventd.te
+++ b/microdroid/system/public/ueventd.te
@@ -2,3 +2,7 @@
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;
+
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index 3db899a..5f5721c 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -1,147 +1,6 @@
# vendor_init is its own domain.
type vendor_init, domain;
-# Communication to the main init process
-allow vendor_init init:unix_stream_socket { read write };
-
-# Logging to kmsg
-allow vendor_init kmsg_device:chr_file { open getattr write };
-
-# Mount on /dev/usb-ffs/adb.
-allow vendor_init device:dir mounton;
-
-# Create and remove symlinks in /.
-allow vendor_init rootfs:lnk_file { create unlink };
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow vendor_init cgroup:dir create_dir_perms;
-allow vendor_init cgroup:file w_file_perms;
-allow vendor_init cgroup_v2:dir create_dir_perms;
-allow vendor_init cgroup_v2:file w_file_perms;
-
-# /config
-allow vendor_init configfs:dir mounton;
-allow vendor_init configfs:dir create_dir_perms;
-allow vendor_init configfs:{ file lnk_file } create_file_perms;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow vendor_init self:global_capability_class_set { chown fowner fsetid };
-
-allow vendor_init system_data_file:dir getattr;
-
-allow vendor_init {
- file_type
- -exec_type
- -system_file_type
- -unlabeled
- -vendor_file_type
-}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
-
-allow vendor_init {
- file_type
- -exec_type
- -system_file_type
- -unlabeled
- -vendor_file_type
- -apex_info_file
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow vendor_init {
- file_type
- -exec_type
- -system_file_type
- -unlabeled
- -vendor_file_type
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow vendor_init {
- file_type
- -apex_mnt_dir
- -exec_type
- -system_file_type
- -unlabeled
- -vendor_file_type
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow vendor_init {
- file_type
- -exec_type
- -system_file_type
- -vendor_file_type
-}:dir_file_class_set relabelto;
-
-allow vendor_init dev_type:dir create_dir_perms;
-allow vendor_init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow vendor_init debugfs_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow vendor_init {
- fs_type
- -fusefs_type
- -rootfs
- -proc_uid_time_in_state
- -proc_uid_concurrent_active_time
- -proc_uid_concurrent_policy_time
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { open read setattr map };
-
-allow vendor_init tracefs_type:file { open read setattr map };
-
-allow vendor_init {
- fs_type
- -fusefs_type
- -rootfs
- -proc_uid_time_in_state
- -proc_uid_concurrent_active_time
- -proc_uid_concurrent_policy_time
-}:dir { open read setattr search };
-
-allow vendor_init dev_type:blk_file getattr;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net_type)
-allow vendor_init proc_net_type:file w_file_perms;
-allow vendor_init self:global_capability_class_set net_admin;
-
-# Write to /proc/sys/vm/page-cluster
-allow vendor_init proc_page_cluster:file w_file_perms;
-
-# Write to sysfs nodes.
-allow vendor_init sysfs_type:dir r_dir_perms;
-allow vendor_init sysfs_type:lnk_file read;
-allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
-
-# setfscreatecon() for labeling directories and socket files.
-allow vendor_init self:process { setfscreate };
-
-r_dir_file(vendor_init, vendor_file_type)
-
-# Vendor init can perform operations on trusted and security Extended Attributes
-allow vendor_init self:global_capability_class_set sys_admin;
-
-# vendor_init is using bootstrap bionic
-use_bootstrap_libs(vendor_init)
-
-# Get file context
-allow vendor_init file_contexts_file:file r_file_perms;
-
-# Allow vendor_init to (re)set nice
-allow vendor_init self:capability sys_nice;
-
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -hw_random_device
-}:chr_file setattr;
+# public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to private/*.te.