Port from pcre to pcre2
am: a15ea578ff -s ours
Change-Id: I8acaaf29d6cd06291c45f3a1fb2e246718543922
diff --git a/Android.mk b/Android.mk
index 5cc4a24..5b430e1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -5,7 +5,7 @@
# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 29
+POLICYVERS ?= 30
MLS_SENS=1
MLS_CATS=1024
@@ -51,6 +51,7 @@
policy_capabilities \
te_macros \
attributes \
+ ioctl_defines \
ioctl_macros \
*.te \
roles \
diff --git a/adbd.te b/adbd.te
index 72273ff..45bed8e 100644
--- a/adbd.te
+++ b/adbd.te
@@ -34,9 +34,14 @@
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms;
+allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;
@@ -77,9 +82,9 @@
')
# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
+allow adbd { app_data_file autoplay_data_file }:dir search;
+allow adbd { app_data_file autoplay_data_file }:sock_file write;
+allow adbd { appdomain autoplay_app }:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
@@ -101,6 +106,12 @@
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow adbd media_rw_data_file:dir create_dir_perms;
+allow adbd media_rw_data_file:file create_file_perms;
+
r_dir_file(adbd, apk_data_file)
allow adbd rootfs:dir r_dir_perms;
diff --git a/app.te b/app.te
index f166caa..27e6055 100644
--- a/app.te
+++ b/app.te
@@ -27,14 +27,15 @@
# Place process into foreground / background
allow appdomain cgroup:dir { search write };
-allow appdomain cgroup:file w_file_perms;
+allow appdomain cgroup:file rw_file_perms;
# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;
-# Read the /sdcard symlink
+# Read the /sdcard and /mnt/sdcard symlinks
allow appdomain rootfs:lnk_file r_file_perms;
+allow appdomain tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
allow appdomain tmpfs:dir r_dir_perms;
@@ -97,6 +98,15 @@
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read };
+
# Write to /data/anr/traces.txt.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };
@@ -104,8 +114,20 @@
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+# Profiles for foreign dex files are just markers and only need create permissions.
+allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
+allow appdomain user_profile_foreign_dex_data_file:file create;
+# There is no way to create user_profile_foreign_dex_data_file without
+# generating open/read denials. These permissions should not be granted and the
+# denial is harmless. dontaudit to suppress the denial.
+dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };
+
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
@@ -205,6 +227,10 @@
allow appdomain console_device:chr_file { read write };
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
# TODO: switch to meminfo service
@@ -406,6 +432,10 @@
tmpfs
}:lnk_file no_w_file_perms;
+# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
+neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
+neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
+
# Applications should use the activity model for receiving events
neverallow {
appdomain
diff --git a/attributes b/attributes
index 052f0dd..a846c34 100644
--- a/attributes
+++ b/attributes
@@ -67,6 +67,9 @@
# used by device specific properties
attribute core_property_type;
+# All properties used to configure log filtering.
+attribute log_property_type;
+
# All service_manager types created by system_server
attribute system_server_service;
diff --git a/audioserver.te b/audioserver.te
new file mode 100644
index 0000000..da12649
--- /dev/null
+++ b/audioserver.te
@@ -0,0 +1,55 @@
+# audioserver - audio services daemon
+type audioserver, domain;
+type audioserver_exec, exec_type, file_type;
+
+init_daemon_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, { appdomain autoplay_app })
+binder_service(audioserver)
+
+r_dir_file(audioserver, proc)
+allow audioserver ion_device:chr_file r_file_perms;
+allow audioserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+ # used for TEE sink - pcm capture for debug.
+ allow audioserver media_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:file create_file_perms;
+
+ # ptrace to processes in the same domain for memory leak detection
+ allow audioserver self:process ptrace;
+')
+
+allow audioserver audio_device:dir r_dir_perms;
+allow audioserver audio_device:chr_file rw_file_perms;
+
+allow audioserver audioserver_service:service_manager { add find };
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# audioserver should never need network access. Disallow network sockets.
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/autoplay_app.te b/autoplay_app.te
new file mode 100644
index 0000000..f671d5d
--- /dev/null
+++ b/autoplay_app.te
@@ -0,0 +1,109 @@
+###
+### AutoPlay apps.
+###
+### This file defines the security policy for apps with the autoplay
+### feature.
+###
+### The autoplay_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to autoplay to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as autoplay at install time.
+type autoplay_app, domain;
+
+# allow JITing
+allow autoplay_app self:process execmem;
+allow autoplay_app ashmem_device:chr_file execute;
+
+# Define and allow access to our own type for ashmem regions.
+# Label ashmem objects with our own unique type.
+tmpfs_domain(autoplay_app)
+# Map with PROT_EXEC.
+allow autoplay_app autoplay_app_tmpfs:file execute;
+
+# Read system properties managed by zygote.
+allow autoplay_app zygote_tmpfs:file read;
+
+# Send logcat messages to logd.
+write_logd(autoplay_app)
+
+# Receive and use open file descriptors inherited from zygote.
+allow autoplay_app zygote:fd use;
+
+# Notify zygote of death;
+allow autoplay_app zygote:process sigchld;
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow autoplay_app zygote:unix_dgram_socket write;
+
+# App sandbox file accesses.
+allow autoplay_app autoplay_data_file:dir create_dir_perms;
+allow autoplay_app autoplay_data_file:{ file sock_file fifo_file } create_file_perms;
+
+# For art.
+allow autoplay_app dalvikcache_data_file:file { execute r_file_perms };
+allow autoplay_app dalvikcache_data_file:lnk_file r_file_perms;
+allow autoplay_app dalvikcache_data_file:dir getattr;
+
+# Grant GPU access. autoplay_app needs that to render the standard UI.
+allow autoplay_app gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(autoplay_app)
+# Perform binder IPC to binder services.
+binder_call(autoplay_app, surfaceflinger)
+binder_call(autoplay_app, system_server)
+
+# Allow read access to ion memory allocation device
+allow autoplay_app ion_device:chr_file { read open };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow autoplay_app system_server:fifo_file rw_file_perms;
+allow autoplay_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow autoplay_app system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Inherit or receive open files from system_server.
+allow autoplay_app system_server:fd use;
+
+# Communicate with surfaceflinger.
+allow autoplay_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# Read files already opened under /data.
+allow autoplay_app system_data_file:file { getattr read };
+allow autoplay_app system_data_file:lnk_file read;
+
+# System file accesses. Check for libraries
+allow autoplay_app system_file:dir getattr;
+
+# services
+allow autoplay_app accessibility_service:service_manager find;
+allow autoplay_app activity_service:service_manager find;
+allow autoplay_app assetatlas_service:service_manager find;
+allow autoplay_app connectivity_service:service_manager find;
+allow autoplay_app display_service:service_manager find;
+allow autoplay_app graphicsstats_service:service_manager find;
+allow autoplay_app input_method_service:service_manager find;
+allow autoplay_app input_service:service_manager find;
+allow autoplay_app surfaceflinger_service:service_manager find;
+allow autoplay_app textservices_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow autoplay_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow autoplay_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow autoplay_app debugfs:file read;
+
+# execute gpu_device
+neverallow autoplay_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow autoplay_app sysfs:file *;
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 36993eb..a2157a4 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -3,6 +3,7 @@
# Allow dumpstate to collect information from binder services
allow binderservicedomain dumpstate:fd use;
allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain dumpstate:fifo_file { getattr write };
allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell or the serial console
diff --git a/bluetooth.te b/bluetooth.te
index f249e9b..4b20a58 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -24,6 +24,8 @@
allow bluetooth self:capability2 wake_alarm;
# tethering
+allow bluetooth self:packet_socket create_socket_perms;
+allow bluetooth self:capability { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms;
allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search;
@@ -34,8 +36,8 @@
# Allow write access to bluetooth specific properties
set_prop(bluetooth, bluetooth_prop)
set_prop(bluetooth, pan_result_prop)
-set_prop(bluetooth, ctl_dhcp_pan_prop)
+allow bluetooth audioserver_service:service_manager find;
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
@@ -52,6 +54,12 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow bluetooth media_rw_data_file:dir create_dir_perms;
+allow bluetooth media_rw_data_file:file create_file_perms;
+
###
### Neverallow rules
###
@@ -59,6 +67,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin, wake_alarm and block_suspend
-neverallow bluetooth self:capability ~net_admin;
+# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/bootanim.te b/bootanim.te
index fa0e4dc..91a50d5 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -23,6 +23,7 @@
# Read access to pseudo filesystems.
r_dir_file(bootanim, proc)
+allow bootanim proc_meminfo:file r_file_perms;
r_dir_file(bootanim, sysfs)
r_dir_file(bootanim, cgroup)
diff --git a/cameraserver.te b/cameraserver.te
new file mode 100644
index 0000000..4f50f8d
--- /dev/null
+++ b/cameraserver.te
@@ -0,0 +1,39 @@
+# cameraserver - camera daemon
+type cameraserver, domain;
+type cameraserver_exec, exec_type, file_type;
+
+init_daemon_domain(cameraserver)
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+# access /data/misc/camera
+allow cameraserver camera_data_file:dir create_dir_perms;
+allow cameraserver camera_data_file:file create_file_perms;
+
+allow cameraserver video_device:dir r_dir_perms;
+allow cameraserver video_device:chr_file rw_file_perms;
+allow cameraserver ion_device:chr_file rw_file_perms;
+
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver cameraserver_service:service_manager add;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# cameraserver should never need network access. Disallow network sockets.
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/debuggerd.te b/debuggerd.te
index 04dcb79..2b8d229 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,16 @@
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:lnk_file read;
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
+allow debuggerd {
+ domain
+ -adbd
+ -debuggerd
+ -healthd
+ -init
+ -keystore
+ -ueventd
+ -watchdogd
+}:process { ptrace getattr };
allow debuggerd tombstone_data_file:dir rw_dir_perms;
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd shared_relro_file:dir r_dir_perms;
@@ -21,7 +30,20 @@
# Allow debuggerd to redirect a dump_backtrace request to itself.
# This only happens on 64 bit systems, where all requests go to the 64 bit
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+
+allow debuggerd {
+ audioserver
+ bluetooth
+ cameraserver
+ drmserver
+ inputflinger
+ mediacodec
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ sdcardd
+ surfaceflinger
+}:debuggerd dump_backtrace;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
diff --git a/dex2oat.te b/dex2oat.te
index 83a7c8a..48daac3 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -3,7 +3,8 @@
type dex2oat_exec, exec_type, file_type;
allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
allow dex2oat dalvikcache_data_file:lnk_file read;
allow dex2oat installd:fd use;
@@ -14,3 +15,32 @@
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
allow dex2oat apk_tmp_file:file read;
+allow dex2oat user_profile_data_file:file { getattr read lock };
+
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat postinstall_dexopt:fd use;
+
+allow dex2oat postinstall_file:dir getattr;
+
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+##############
+# Neverallow #
+##############
+
+neverallow dex2oat app_data_file:notdevfile_class_set open;
diff --git a/domain.te b/domain.te
index d02db11..a312acb 100644
--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,7 @@
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
# Inherit or receive open files from others.
allow domain init:fd use;
@@ -38,7 +39,8 @@
allow domain su:fd use;
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
- binder_call({ domain -init }, su)
+ allow { domain -init } su:binder { call transfer };
+ allow { domain -init } su:fd use;
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
@@ -82,6 +84,9 @@
# For now, everyone can access core property files
# Device specific properties are not granted by default
get_prop(domain, core_property_type)
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
dontaudit domain property_type:file audit_access;
allow domain property_contexts:file r_file_perms;
@@ -105,6 +110,8 @@
# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)
+r_dir_file(domain, sysfs_usb);
+
# files under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:lnk_file read;
@@ -164,11 +171,20 @@
-init
-ueventd
-vold
- -recovery
} self:capability mknod;
-# Limit raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -uncrypt -tee } self:capability sys_rawio;
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain')
+ -kernel
+ -init
+ -recovery
+ -ueventd
+ -healthd
+ -uncrypt
+ -tee
+} self:capability sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;
@@ -257,6 +273,7 @@
neverallow {
domain
-appdomain
+ -autoplay_app
-dumpstate
-shell
userdebug_or_eng(`-su')
@@ -269,7 +286,7 @@
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute;
+neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
# Protect most domains from executing arbitrary content from /data.
neverallow {
@@ -366,6 +383,7 @@
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
+ -postinstall_dexopt
-dex2oat
} dalvikcache_data_file:file no_w_file_perms;
@@ -373,6 +391,7 @@
domain
-init
-installd
+ -postinstall_dexopt
-dex2oat
-zygote
} dalvikcache_data_file:dir no_w_dir_perms;
@@ -586,6 +605,14 @@
-vold
} fuse_device:chr_file *;
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+ domain
+ -installd
+ -profman
+} profman_exec:file no_x_file_perms;
+
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 2a35bcf..22bac86 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -53,10 +53,10 @@
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
-r_dir_file(domain_deprecated, sysfs)
+r_dir_file({ domain_deprecated -isolated_app }, sysfs)
r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
-r_dir_file(domain_deprecated, proc_meminfo)
+allow domain_deprecated proc_meminfo:file r_file_perms;
r_dir_file(domain_deprecated, proc_net)
# Get SELinux enforcing status.
diff --git a/drmserver.te b/drmserver.te
index 3b654cc..9a9cfc0 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -10,7 +10,7 @@
# Perform Binder IPC to system server.
binder_use(drmserver)
binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
+binder_call(drmserver, { appdomain autoplay_app })
binder_service(drmserver)
# Perform Binder IPC to mediaserver
@@ -20,7 +20,7 @@
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
+allow drmserver { app_data_file autoplay_data_file}:file { read write getattr };
allow drmserver sdcard_type:file { read write getattr };
r_dir_file(drmserver, efs_file)
diff --git a/dumpstate.te b/dumpstate.te
index 4bb12c3..69504b9 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -49,13 +49,35 @@
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server }:process signal;
+allow dumpstate { appdomain autoplay_app system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+allow dumpstate {
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediacodec
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ sdcardd
+ surfaceflinger
+}:process signal;
# Ask debuggerd for the backtraces of these processes.
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate {
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediacodec
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ sdcardd
+ surfaceflinger
+}:debuggerd dump_backtrace;
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
@@ -65,6 +87,9 @@
# TODO: create a new file class, instead of allowing write access to all of /sys
allow dumpstate sysfs:file w_file_perms;
+# TODO: added to match above sysfs rule. Remove me?
+allow dumpstate sysfs_usb:file w_file_perms;
+
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
@@ -75,7 +100,8 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, appdomain)
+binder_call(dumpstate, { appdomain autoplay_app netd })
+
# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;
@@ -143,5 +169,9 @@
allow dumpstate debugfs_trace_marker:file getattr;
allow dumpstate atrace_exec:file rx_file_perms;
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;
diff --git a/file.te b/file.te
index 02112ef..235ac77 100644
--- a/file.te
+++ b/file.te
@@ -33,6 +33,7 @@
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
+type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
@@ -51,8 +52,6 @@
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
-typealias fuse alias sdcard_internal;
-typealias vfat alias sdcard_external;
type debugfs, fs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
@@ -94,6 +93,13 @@
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
+# /data/ota
+type ota_data_file, file_type, data_file_type;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
+type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
@@ -106,6 +112,10 @@
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type, mlstrustedobject;
+# /data/preloads
+type preloads_data_file, file_type, data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
@@ -125,6 +135,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
+type audioserver_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type bootstat_data_file, file_type, data_file_type;
type boottrace_data_file, file_type, data_file_type;
@@ -153,6 +164,7 @@
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
+type autoplay_data_file, file_type, data_file_type;
# /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
@@ -160,15 +172,20 @@
typealias app_data_file alias download_file;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
-# Type for /cache/.*\.{data|restore} and default
-# type for anything under /cache/backup
+# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, mlstrustedobject;
+# type for anything under /cache/backup (local transport storage)
+type cache_private_backup_file, file_type;
# Type for anything under /cache/recovery
type cache_recovery_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
-type wallpaper_file, file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, mlstrustedobject;
+# Type for shortcut manager icon file.
+type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
+# Type for user icon file.
+type icon_file, file_type, data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
@@ -208,6 +225,7 @@
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
+type uncrypt_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 39c006d..e2bb95b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -114,6 +114,7 @@
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/vold u:object_r:vold_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
@@ -161,9 +162,15 @@
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/rild u:object_r:rild_exec:s0
+/system/bin/audioserver u:object_r:audioserver_exec:s0
+/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/cameraserver u:object_r:cameraserver_exec:s0
+/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/mediacodec u:object_r:mediacodec_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
+/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
@@ -195,6 +202,7 @@
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat u:object_r:dex2oat_exec:s0
+/system/bin/profman u:object_r:profman_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -229,6 +237,7 @@
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/ota(/.*)? u:object_r:ota_data_file:s0
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
@@ -243,10 +252,12 @@
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
/data/property(/.*)? u:object_r:property_data_file:s0
+/data/preloads(/.*)? u:object_r:preloads_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
+/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
@@ -278,6 +289,12 @@
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
+/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
@@ -301,21 +318,44 @@
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
-# Wallpaper file for other users
+# Wallpaper files
+/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
+
+# ShortcutManager icons, e.g.
+# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
+/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
+
+# User icon files
+/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
+
#############################
# efs files
#
/efs(/.*)? u:object_r:efs_file:s0
+
#############################
# Cache files
#
/cache(/.*)? u:object_r:cache_file:s0
-/cache/.*\.data u:object_r:cache_backup_file:s0
-/cache/.*\.restore u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this directory
-/cache/backup(/.*)? u:object_r:cache_backup_file:s0
/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
+/data/cache(/.*)? u:object_r:cache_file:s0
+/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
#############################
# sysfs files
#
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 81d7fdf..e394af3 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -24,4 +24,7 @@
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+# For hardware properties retrieval
+allow gatekeeperd hardware_properties_service:service_manager find;
+
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/healthd.te b/healthd.te
index f54d716..2658ef8 100644
--- a/healthd.te
+++ b/healthd.te
@@ -19,6 +19,9 @@
# TODO: Split into a separate type?
allow healthd sysfs:file write;
+# TODO: added to match above sysfs rule. Remove me?
+allow healthd sysfs_usb:file write;
+
allow healthd sysfs_batteryinfo:file r_file_perms;
###
diff --git a/init.te b/init.te
index 2b64953..e55bc96 100644
--- a/init.te
+++ b/init.te
@@ -344,6 +344,9 @@
unix_socket_connect(init, vold, vold)
+# Raw writes to misc block device
+allow init misc_block_device:blk_file w_file_perms;
+
###
### neverallow rules
###
diff --git a/installd.te b/installd.te
index 1f83501..e832e92 100644
--- a/installd.te
+++ b/installd.te
@@ -64,9 +64,17 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
+# Run otapreopt in its own sandbox.
+domain_auto_trans(installd, otapreopt_chroot_exec, otapreopt_chroot)
+# otapreopt_chroot will transition into postinstall_dexopt, which will spawn a child.
+allow installd postinstall_dexopt:process sigchld;
+
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
@@ -84,8 +92,37 @@
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
# Types extracted from seapp_contexts type= fields.
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto };
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ autoplay_data_file
+}:dir { create_dir_perms relabelfrom relabelto };
+
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ autoplay_data_file
+}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:dir rmdir;
+allow installd user_profile_data_file:file unlink;
+allow installd user_profile_foreign_dex_data_file:dir { add_name getattr rmdir open read write search remove_name };
+allow installd user_profile_foreign_dex_data_file:file { getattr rename unlink };
+
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
diff --git a/ioctl_defines b/ioctl_defines
new file mode 100644
index 0000000..5b65b2d
--- /dev/null
+++ b/ioctl_defines
@@ -0,0 +1,2694 @@
+define(`FIBMAP', `0x00000001')
+define(`FIGETBSZ', `0x00000002')
+define(`FDCLRPRM', `0x00000241')
+define(`FDMSGON', `0x00000245')
+define(`FDMSGOFF', `0x00000246')
+define(`FDFMTBEG', `0x00000247')
+define(`FDFMTEND', `0x00000249')
+define(`FDSETEMSGTRESH', `0x0000024a')
+define(`FDFLUSH', `0x0000024b')
+define(`FDRESET', `0x00000254')
+define(`FDWERRORCLR', `0x00000256')
+define(`FDRAWCMD', `0x00000258')
+define(`FDTWADDLE', `0x00000259')
+define(`FDEJECT', `0x0000025a')
+define(`HDIO_GETGEO', `0x00000301')
+define(`HDIO_GET_UNMASKINTR', `0x00000302')
+define(`HDIO_GET_MULTCOUNT', `0x00000304')
+define(`HDIO_GET_QDMA', `0x00000305')
+define(`HDIO_SET_XFER', `0x00000306')
+define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
+define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
+define(`HDIO_GET_32BIT', `0x00000309')
+define(`HDIO_GET_NOWERR', `0x0000030a')
+define(`HDIO_GET_DMA', `0x0000030b')
+define(`HDIO_GET_NICE', `0x0000030c')
+define(`HDIO_GET_IDENTITY', `0x0000030d')
+define(`HDIO_GET_WCACHE', `0x0000030e')
+define(`HDIO_GET_ACOUSTIC', `0x0000030f')
+define(`HDIO_GET_ADDRESS', `0x00000310')
+define(`HDIO_GET_BUSSTATE', `0x0000031a')
+define(`HDIO_TRISTATE_HWIF', `0x0000031b')
+define(`HDIO_DRIVE_RESET', `0x0000031c')
+define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
+define(`HDIO_DRIVE_TASK', `0x0000031e')
+define(`HDIO_DRIVE_CMD', `0x0000031f')
+define(`HDIO_SET_MULTCOUNT', `0x00000321')
+define(`HDIO_SET_UNMASKINTR', `0x00000322')
+define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
+define(`HDIO_SET_32BIT', `0x00000324')
+define(`HDIO_SET_NOWERR', `0x00000325')
+define(`HDIO_SET_DMA', `0x00000326')
+define(`HDIO_SET_PIO_MODE', `0x00000327')
+define(`HDIO_SCAN_HWIF', `0x00000328')
+define(`HDIO_SET_NICE', `0x00000329')
+define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
+define(`HDIO_SET_WCACHE', `0x0000032b')
+define(`HDIO_SET_ACOUSTIC', `0x0000032c')
+define(`HDIO_SET_BUSSTATE', `0x0000032d')
+define(`HDIO_SET_QDMA', `0x0000032e')
+define(`HDIO_SET_ADDRESS', `0x0000032f')
+define(`IOCTL_VMCI_VERSION', `0x0000079f')
+define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
+define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
+define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
+define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
+define(`IOCTL_VMCI_VERSION2', `0x000007a7')
+define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
+define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
+define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
+define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
+define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
+define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
+define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
+define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
+define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
+define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
+define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
+define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
+define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
+define(`RAID_AUTORUN', `0x00000914')
+define(`CLEAR_ARRAY', `0x00000920')
+define(`HOT_REMOVE_DISK', `0x00000922')
+define(`SET_DISK_INFO', `0x00000924')
+define(`WRITE_RAID_INFO', `0x00000925')
+define(`UNPROTECT_ARRAY', `0x00000926')
+define(`PROTECT_ARRAY', `0x00000927')
+define(`HOT_ADD_DISK', `0x00000928')
+define(`SET_DISK_FAULTY', `0x00000929')
+define(`HOT_GENERATE_ERROR', `0x0000092a')
+define(`STOP_ARRAY', `0x00000932')
+define(`STOP_ARRAY_RO', `0x00000933')
+define(`RESTART_ARRAY_RW', `0x00000934')
+define(`BLKROSET', `0x0000125d')
+define(`BLKROGET', `0x0000125e')
+define(`BLKRRPART', `0x0000125f')
+define(`BLKGETSIZE', `0x00001260')
+define(`BLKFLSBUF', `0x00001261')
+define(`BLKRASET', `0x00001262')
+define(`BLKRAGET', `0x00001263')
+define(`BLKFRASET', `0x00001264')
+define(`BLKFRAGET', `0x00001265')
+define(`BLKSECTSET', `0x00001266')
+define(`BLKSECTGET', `0x00001267')
+define(`BLKSSZGET', `0x00001268')
+define(`BLKPG', `0x00001269')
+define(`BLKTRACESTART', `0x00001274')
+define(`BLKTRACESTOP', `0x00001275')
+define(`BLKTRACETEARDOWN', `0x00001276')
+define(`BLKDISCARD', `0x00001277')
+define(`BLKIOMIN', `0x00001278')
+define(`BLKIOOPT', `0x00001279')
+define(`BLKALIGNOFF', `0x0000127a')
+define(`BLKPBSZGET', `0x0000127b')
+define(`BLKDISCARDZEROES', `0x0000127c')
+define(`BLKSECDISCARD', `0x0000127d')
+define(`BLKROTATIONAL', `0x0000127e')
+define(`BLKZEROOUT', `0x0000127f')
+define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
+define(`SG_SET_TIMEOUT', `0x00002201')
+define(`SG_GET_TIMEOUT', `0x00002202')
+define(`SG_EMULATED_HOST', `0x00002203')
+define(`SG_SET_TRANSFORM', `0x00002204')
+define(`SG_GET_TRANSFORM', `0x00002205')
+define(`SG_GET_COMMAND_Q', `0x00002270')
+define(`SG_SET_COMMAND_Q', `0x00002271')
+define(`SG_GET_RESERVED_SIZE', `0x00002272')
+define(`SG_SET_RESERVED_SIZE', `0x00002275')
+define(`SG_GET_SCSI_ID', `0x00002276')
+define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
+define(`SG_GET_LOW_DMA', `0x0000227a')
+define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
+define(`SG_GET_PACK_ID', `0x0000227c')
+define(`SG_GET_NUM_WAITING', `0x0000227d')
+define(`SG_SET_DEBUG', `0x0000227e')
+define(`SG_GET_SG_TABLESIZE', `0x0000227f')
+define(`SG_GET_VERSION_NUM', `0x00002282')
+define(`SG_NEXT_CMD_LEN', `0x00002283')
+define(`SG_SCSI_RESET', `0x00002284')
+define(`SG_IO', `0x00002285')
+define(`SG_GET_REQUEST_TABLE', `0x00002286')
+define(`SG_SET_KEEP_ORPHAN', `0x00002287')
+define(`SG_GET_KEEP_ORPHAN', `0x00002288')
+define(`SG_GET_ACCESS_COUNT', `0x00002289')
+define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
+define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
+define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
+define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
+define(`PERF_EVENT_IOC_RESET', `0x00002403')
+define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
+define(`SNAPSHOT_FREEZE', `0x00003301')
+define(`SNAPSHOT_UNFREEZE', `0x00003302')
+define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
+define(`SNAPSHOT_FREE', `0x00003305')
+define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
+define(`SNAPSHOT_S2RAM', `0x0000330b')
+define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
+define(`SNAPSHOT_POWER_OFF', `0x00003310')
+define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
+define(`VFIO_GET_API_VERSION', `0x00003b64')
+define(`VFIO_CHECK_EXTENSION', `0x00003b65')
+define(`VFIO_SET_IOMMU', `0x00003b66')
+define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
+define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
+define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
+define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
+define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
+define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
+define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
+define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
+define(`VFIO_DEVICE_RESET', `0x00003b6f')
+define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
+define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
+define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
+define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
+define(`VFIO_IOMMU_ENABLE', `0x00003b73')
+define(`VFIO_IOMMU_DISABLE', `0x00003b74')
+define(`VFIO_EEH_PE_OP', `0x00003b79')
+define(`AGPIOC_ACQUIRE', `0x00004101')
+define(`APM_IOC_STANDBY', `0x00004101')
+define(`AGPIOC_RELEASE', `0x00004102')
+define(`APM_IOC_SUSPEND', `0x00004102')
+define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
+define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
+define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
+define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
+define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
+define(`SNDRV_PCM_IOCTL_START', `0x00004142')
+define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
+define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
+define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
+define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
+define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
+define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
+define(`PMU_IOC_SLEEP', `0x00004200')
+define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
+define(`CCISS_REVALIDVOLS', `0x0000420a')
+define(`CCISS_DEREGDISK', `0x0000420c')
+define(`CCISS_REGNEWD', `0x0000420e')
+define(`CCISS_RESCANDISK', `0x00004210')
+define(`SNDCTL_COPR_RESET', `0x00004300')
+define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
+define(`SNDRV_COMPRESS_RESUME', `0x00004331')
+define(`SNDRV_COMPRESS_START', `0x00004332')
+define(`SNDRV_COMPRESS_STOP', `0x00004333')
+define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
+define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
+define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
+define(`IOCTL_EVTCHN_RESET', `0x00004505')
+define(`FBIOGET_VSCREENINFO', `0x00004600')
+define(`FBIOPUT_VSCREENINFO', `0x00004601')
+define(`FBIOGET_FSCREENINFO', `0x00004602')
+define(`FBIOGETCMAP', `0x00004604')
+define(`FBIOPUTCMAP', `0x00004605')
+define(`FBIOPAN_DISPLAY', `0x00004606')
+define(`FBIOGET_CON2FBMAP', `0x0000460f')
+define(`FBIOPUT_CON2FBMAP', `0x00004610')
+define(`FBIOBLANK', `0x00004611')
+define(`FBIO_ALLOC', `0x00004613')
+define(`FBIO_FREE', `0x00004614')
+define(`FBIOGET_GLYPH', `0x00004615')
+define(`FBIOGET_HWCINFO', `0x00004616')
+define(`FBIOPUT_MODEINFO', `0x00004617')
+define(`FBIOGET_DISPINFO', `0x00004618')
+define(`FBIO_WAITEVENT', `0x00004688')
+define(`GSMIOC_DISABLE_NET', `0x00004703')
+define(`HIDIOCAPPLICATION', `0x00004802')
+define(`HIDIOCINITREPORT', `0x00004805')
+define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
+define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
+define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
+define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
+define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
+define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
+define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
+define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
+define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
+define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
+define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
+define(`IIOCNETAIF', `0x00004901')
+define(`IIOCNETDIF', `0x00004902')
+define(`IIOCNETSCF', `0x00004903')
+define(`IIOCNETGCF', `0x00004904')
+define(`IIOCNETANM', `0x00004905')
+define(`IIOCNETDNM', `0x00004906')
+define(`IIOCNETGNM', `0x00004907')
+define(`IIOCGETSET', `0x00004908')
+define(`IIOCSETSET', `0x00004909')
+define(`IIOCSETVER', `0x0000490a')
+define(`IIOCNETHUP', `0x0000490b')
+define(`IIOCSETGST', `0x0000490c')
+define(`IIOCSETBRJ', `0x0000490d')
+define(`IIOCSIGPRF', `0x0000490e')
+define(`IIOCGETPRF', `0x0000490f')
+define(`IIOCSETPRF', `0x00004910')
+define(`IIOCGETMAP', `0x00004911')
+define(`IIOCSETMAP', `0x00004912')
+define(`IIOCNETASL', `0x00004913')
+define(`IIOCNETDIL', `0x00004914')
+define(`IIOCGETCPS', `0x00004915')
+define(`IIOCGETDVR', `0x00004916')
+define(`IIOCNETLCR', `0x00004917')
+define(`IIOCNETDWRSET', `0x00004918')
+define(`IIOCNETALN', `0x00004920')
+define(`IIOCNETDLN', `0x00004921')
+define(`IIOCNETGPN', `0x00004922')
+define(`IIOCDBGVAR', `0x0000497f')
+define(`IIOCDRVCTL', `0x00004980')
+define(`ION_IOC_TEST_SET_FD', `0x000049f0')
+define(`KIOCSOUND', `0x00004b2f')
+define(`KDMKTONE', `0x00004b30')
+define(`KDGETLED', `0x00004b31')
+define(`KDSETLED', `0x00004b32')
+define(`KDGKBTYPE', `0x00004b33')
+define(`KDADDIO', `0x00004b34')
+define(`KDDELIO', `0x00004b35')
+define(`KDENABIO', `0x00004b36')
+define(`KDDISABIO', `0x00004b37')
+define(`KDSETMODE', `0x00004b3a')
+define(`KDGETMODE', `0x00004b3b')
+define(`KDMAPDISP', `0x00004b3c')
+define(`KDUNMAPDISP', `0x00004b3d')
+define(`GIO_SCRNMAP', `0x00004b40')
+define(`PIO_SCRNMAP', `0x00004b41')
+define(`KDGKBMODE', `0x00004b44')
+define(`KDSKBMODE', `0x00004b45')
+define(`KDGKBENT', `0x00004b46')
+define(`KDSKBENT', `0x00004b47')
+define(`KDGKBSENT', `0x00004b48')
+define(`KDSKBSENT', `0x00004b49')
+define(`KDGKBDIACR', `0x00004b4a')
+define(`KDSKBDIACR', `0x00004b4b')
+define(`KDGETKEYCODE', `0x00004b4c')
+define(`KDSETKEYCODE', `0x00004b4d')
+define(`KDSIGACCEPT', `0x00004b4e')
+define(`KDKBDREP', `0x00004b52')
+define(`GIO_FONT', `0x00004b60')
+define(`PIO_FONT', `0x00004b61')
+define(`KDGKBMETA', `0x00004b62')
+define(`KDSKBMETA', `0x00004b63')
+define(`KDGKBLED', `0x00004b64')
+define(`KDSKBLED', `0x00004b65')
+define(`GIO_UNIMAP', `0x00004b66')
+define(`PIO_UNIMAP', `0x00004b67')
+define(`PIO_UNIMAPCLR', `0x00004b68')
+define(`GIO_UNISCRNMAP', `0x00004b69')
+define(`PIO_UNISCRNMAP', `0x00004b6a')
+define(`GIO_FONTX', `0x00004b6b')
+define(`PIO_FONTX', `0x00004b6c')
+define(`PIO_FONTRESET', `0x00004b6d')
+define(`GIO_CMAP', `0x00004b70')
+define(`PIO_CMAP', `0x00004b71')
+define(`KDFONTOP', `0x00004b72')
+define(`KDGKBDIACRUC', `0x00004bfa')
+define(`KDSKBDIACRUC', `0x00004bfb')
+define(`LOOP_SET_FD', `0x00004c00')
+define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_SET_STATUS', `0x00004c02')
+define(`LOOP_GET_STATUS', `0x00004c03')
+define(`LOOP_SET_STATUS64', `0x00004c04')
+define(`LOOP_GET_STATUS64', `0x00004c05')
+define(`LOOP_CHANGE_FD', `0x00004c06')
+define(`LOOP_SET_CAPACITY', `0x00004c07')
+define(`LOOP_CTL_ADD', `0x00004c80')
+define(`LOOP_CTL_REMOVE', `0x00004c81')
+define(`LOOP_CTL_GET_FREE', `0x00004c82')
+define(`MTDFILEMODE', `0x00004d13')
+define(`NVME_IOCTL_ID', `0x00004e40')
+define(`UBI_IOCVOLRMBLK', `0x00004f08')
+define(`OMAPFB_SYNC_GFX', `0x00004f25')
+define(`OMAPFB_VSYNC', `0x00004f26')
+define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
+define(`OMAPFB_WAITFORGO', `0x00004f3c')
+define(`SNDCTL_DSP_RESET', `0x00005000')
+define(`SNDCTL_DSP_SYNC', `0x00005001')
+define(`SNDCTL_DSP_POST', `0x00005008')
+define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
+define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
+define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
+define(`SNDCTL_SEQ_RESET', `0x00005100')
+define(`SNDCTL_SEQ_SYNC', `0x00005101')
+define(`SNDCTL_SEQ_PANIC', `0x00005111')
+define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
+define(`RNDZAPENTCNT', `0x00005204')
+define(`RNDCLEARPOOL', `0x00005206')
+define(`CDROMPAUSE', `0x00005301')
+define(`CDROMRESUME', `0x00005302')
+define(`CDROMPLAYMSF', `0x00005303')
+define(`CDROMPLAYTRKIND', `0x00005304')
+define(`CDROMREADTOCHDR', `0x00005305')
+define(`CDROMREADTOCENTRY', `0x00005306')
+define(`CDROMSTOP', `0x00005307')
+define(`CDROMSTART', `0x00005308')
+define(`CDROMEJECT', `0x00005309')
+define(`CDROMVOLCTRL', `0x0000530a')
+define(`CDROMSUBCHNL', `0x0000530b')
+define(`CDROMREADMODE2', `0x0000530c')
+define(`CDROMREADMODE1', `0x0000530d')
+define(`CDROMREADAUDIO', `0x0000530e')
+define(`CDROMEJECT_SW', `0x0000530f')
+define(`CDROMMULTISESSION', `0x00005310')
+define(`CDROM_GET_MCN', `0x00005311')
+define(`CDROMRESET', `0x00005312')
+define(`CDROMVOLREAD', `0x00005313')
+define(`CDROMREADRAW', `0x00005314')
+define(`CDROMREADCOOKED', `0x00005315')
+define(`CDROMSEEK', `0x00005316')
+define(`CDROMPLAYBLK', `0x00005317')
+define(`CDROMREADALL', `0x00005318')
+define(`CDROMCLOSETRAY', `0x00005319')
+define(`CDROMGETSPINDOWN', `0x0000531d')
+define(`CDROMSETSPINDOWN', `0x0000531e')
+define(`CDROM_SET_OPTIONS', `0x00005320')
+define(`CDROM_CLEAR_OPTIONS', `0x00005321')
+define(`CDROM_SELECT_SPEED', `0x00005322')
+define(`CDROM_SELECT_DISC', `0x00005323')
+define(`CDROM_MEDIA_CHANGED', `0x00005325')
+define(`CDROM_DRIVE_STATUS', `0x00005326')
+define(`CDROM_DISC_STATUS', `0x00005327')
+define(`CDROM_CHANGER_NSLOTS', `0x00005328')
+define(`CDROM_LOCKDOOR', `0x00005329')
+define(`CDROM_DEBUG', `0x00005330')
+define(`CDROM_GET_CAPABILITY', `0x00005331')
+define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
+define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
+define(`CDROMAUDIOBUFSIZ', `0x00005382')
+define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
+define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
+define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
+define(`SCSI_IOCTL_GET_PCI', `0x00005387')
+define(`DVD_READ_STRUCT', `0x00005390')
+define(`DVD_WRITE_STRUCT', `0x00005391')
+define(`DVD_AUTH', `0x00005392')
+define(`CDROM_SEND_PACKET', `0x00005393')
+define(`CDROM_NEXT_WRITABLE', `0x00005394')
+define(`CDROM_LAST_WRITTEN', `0x00005395')
+define(`TCGETS', `0x00005401')
+define(`SNDCTL_TMR_START', `0x00005402')
+define(`TCSETS', `0x00005402')
+define(`SNDCTL_TMR_STOP', `0x00005403')
+define(`TCSETSW', `0x00005403')
+define(`SNDCTL_TMR_CONTINUE', `0x00005404')
+define(`TCSETSF', `0x00005404')
+define(`TCGETA', `0x00005405')
+define(`TCSETA', `0x00005406')
+define(`TCSETAW', `0x00005407')
+define(`TCSETAF', `0x00005408')
+define(`TCSBRK', `0x00005409')
+define(`TCXONC', `0x0000540a')
+define(`TCFLSH', `0x0000540b')
+define(`TIOCEXCL', `0x0000540c')
+define(`TIOCNXCL', `0x0000540d')
+define(`TIOCSCTTY', `0x0000540e')
+define(`TIOCGPGRP', `0x0000540f')
+define(`TIOCSPGRP', `0x00005410')
+define(`TIOCOUTQ', `0x00005411')
+define(`TIOCSTI', `0x00005412')
+define(`TIOCGWINSZ', `0x00005413')
+define(`TIOCSWINSZ', `0x00005414')
+define(`TIOCMGET', `0x00005415')
+define(`TIOCMBIS', `0x00005416')
+define(`TIOCMBIC', `0x00005417')
+define(`TIOCMSET', `0x00005418')
+define(`TIOCGSOFTCAR', `0x00005419')
+define(`TIOCSSOFTCAR', `0x0000541a')
+define(`FIONREAD', `0x0000541b')
+define(`TIOCLINUX', `0x0000541c')
+define(`TIOCCONS', `0x0000541d')
+define(`TIOCGSERIAL', `0x0000541e')
+define(`TIOCSSERIAL', `0x0000541f')
+define(`TIOCPKT', `0x00005420')
+define(`FIONBIO', `0x00005421')
+define(`TIOCNOTTY', `0x00005422')
+define(`TIOCSETD', `0x00005423')
+define(`TIOCGETD', `0x00005424')
+define(`TCSBRKP', `0x00005425')
+define(`TIOCSBRK', `0x00005427')
+define(`TIOCCBRK', `0x00005428')
+define(`TIOCGSID', `0x00005429')
+define(`TIOCGRS485', `0x0000542e')
+define(`TIOCSRS485', `0x0000542f')
+define(`TCGETX', `0x00005432')
+define(`TCSETX', `0x00005433')
+define(`TCSETXF', `0x00005434')
+define(`TCSETXW', `0x00005435')
+define(`TIOCVHANGUP', `0x00005437')
+define(`FIONCLEX', `0x00005450')
+define(`FIOCLEX', `0x00005451')
+define(`FIOASYNC', `0x00005452')
+define(`TIOCSERCONFIG', `0x00005453')
+define(`TIOCSERGWILD', `0x00005454')
+define(`TIOCSERSWILD', `0x00005455')
+define(`TIOCGLCKTRMIOS', `0x00005456')
+define(`TIOCSLCKTRMIOS', `0x00005457')
+define(`TIOCSERGSTRUCT', `0x00005458')
+define(`TIOCSERGETLSR', `0x00005459')
+define(`TIOCSERGETMULTI', `0x0000545a')
+define(`TIOCSERSETMULTI', `0x0000545b')
+define(`TIOCMIWAIT', `0x0000545c')
+define(`TIOCGICOUNT', `0x0000545d')
+define(`FIOQSIZE', `0x00005460')
+define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
+define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
+define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
+define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
+define(`UI_DEV_CREATE', `0x00005501')
+define(`UI_DEV_DESTROY', `0x00005502')
+define(`USBDEVFS_DISCARDURB', `0x0000550b')
+define(`USBDEVFS_RESET', `0x00005514')
+define(`USBDEVFS_DISCONNECT', `0x00005516')
+define(`USBDEVFS_CONNECT', `0x00005517')
+define(`VT_OPENQRY', `0x00005600')
+define(`VIDIOC_RESERVED', `0x00005601')
+define(`VT_GETMODE', `0x00005601')
+define(`VT_SETMODE', `0x00005602')
+define(`VT_GETSTATE', `0x00005603')
+define(`VT_SENDSIG', `0x00005604')
+define(`VT_RELDISP', `0x00005605')
+define(`VT_ACTIVATE', `0x00005606')
+define(`VT_WAITACTIVE', `0x00005607')
+define(`VT_DISALLOCATE', `0x00005608')
+define(`VT_RESIZE', `0x00005609')
+define(`VT_RESIZEX', `0x0000560a')
+define(`VT_LOCKSWITCH', `0x0000560b')
+define(`VT_UNLOCKSWITCH', `0x0000560c')
+define(`VT_GETHIFONTMASK', `0x0000560d')
+define(`VT_WAITEVENT', `0x0000560e')
+define(`VT_SETACTIVATE', `0x0000560f')
+define(`VIDIOC_LOG_STATUS', `0x00005646')
+define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
+define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
+define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
+define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
+define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
+define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
+define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
+define(`ANDROID_ALARM_WAIT', `0x00006101')
+define(`NS_ADJBUFLEV', `0x00006163')
+define(`SIOCSIFATMTCP', `0x00006180')
+define(`ATMTCP_CREATE', `0x0000618e')
+define(`ATMTCP_REMOVE', `0x0000618f')
+define(`ATMLEC_CTRL', `0x000061d0')
+define(`ATMLEC_DATA', `0x000061d1')
+define(`ATMLEC_MCAST', `0x000061d2')
+define(`ATMMPC_CTRL', `0x000061d8')
+define(`ATMMPC_DATA', `0x000061d9')
+define(`SIOCMKCLIP', `0x000061e0')
+define(`ATMARPD_CTRL', `0x000061e1')
+define(`ATMARP_MKIP', `0x000061e2')
+define(`ATMARP_SETENTRY', `0x000061e3')
+define(`ATMARP_ENCAP', `0x000061e5')
+define(`ATMSIGD_CTRL', `0x000061f0')
+define(`BT819_FIFO_RESET_LOW', `0x00006200')
+define(`BT819_FIFO_RESET_HIGH', `0x00006201')
+define(`CM_IOCSRDR', `0x00006303')
+define(`CM_IOCARDOFF', `0x00006304')
+define(`BC_REGISTER_LOOPER', `0x0000630b')
+define(`BC_ENTER_LOOPER', `0x0000630c')
+define(`BC_EXIT_LOOPER', `0x0000630d')
+define(`CHIOINITELEM', `0x00006311')
+define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
+define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
+define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
+define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
+define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
+define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
+define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
+define(`DRM_IOCTL_I915_FLIP', `0x00006442')
+define(`DRM_IOCTL_MGA_RESET', `0x00006442')
+define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
+define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
+define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
+define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
+define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
+define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
+define(`DRM_IOCTL_I810_SWAP', `0x00006446')
+define(`DRM_IOCTL_R128_RESET', `0x00006446')
+define(`DRM_IOCTL_R128_SWAP', `0x00006447')
+define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
+define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
+define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
+define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
+define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
+define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
+define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
+define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
+define(`DRM_IOCTL_R128_FLIP', `0x00006453')
+define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
+define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
+define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
+define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
+define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
+define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
+define(`GADGETFS_FIFO_STATUS', `0x00006701')
+define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
+define(`GADGETFS_FIFO_FLUSH', `0x00006702')
+define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`GADGETFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
+define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
+define(`HPET_IE_ON', `0x00006801')
+define(`HPET_IE_OFF', `0x00006802')
+define(`HPET_EPI', `0x00006804')
+define(`HPET_DPI', `0x00006805')
+define(`LIRC_NOTIFY_DECODE', `0x00006920')
+define(`LIRC_SETUP_START', `0x00006921')
+define(`LIRC_SETUP_END', `0x00006922')
+define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
+define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
+define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
+define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
+define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
+define(`KYRO_IOCTL_STRIDE', `0x00006b05')
+define(`HSC_RESET', `0x00006b10')
+define(`HSC_SET_PM', `0x00006b11')
+define(`HSC_SEND_BREAK', `0x00006b12')
+define(`MMTIMER_GETOFFSET', `0x00006d00')
+define(`MGSL_IOCSTXIDLE', `0x00006d02')
+define(`MGSL_IOCGTXIDLE', `0x00006d03')
+define(`MGSL_IOCTXENABLE', `0x00006d04')
+define(`MMTIMER_GETBITS', `0x00006d04')
+define(`MGSL_IOCRXENABLE', `0x00006d05')
+define(`MGSL_IOCTXABORT', `0x00006d06')
+define(`MMTIMER_MMAPAVAIL', `0x00006d06')
+define(`MGSL_IOCGSTATS', `0x00006d07')
+define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
+define(`MGSL_IOCSIF', `0x00006d0a')
+define(`MGSL_IOCGIF', `0x00006d0b')
+define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
+define(`MGSL_IOCSXSYNC', `0x00006d13')
+define(`MGSL_IOCGXSYNC', `0x00006d14')
+define(`MGSL_IOCSXCTRL', `0x00006d15')
+define(`MGSL_IOCGXCTRL', `0x00006d16')
+define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
+define(`AUDIO_STOP', `0x00006f01')
+define(`AUDIO_PLAY', `0x00006f02')
+define(`AUDIO_PAUSE', `0x00006f03')
+define(`AUDIO_CONTINUE', `0x00006f04')
+define(`AUDIO_SELECT_SOURCE', `0x00006f05')
+define(`AUDIO_SET_MUTE', `0x00006f06')
+define(`AUDIO_SET_AV_SYNC', `0x00006f07')
+define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
+define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
+define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
+define(`AUDIO_SET_ID', `0x00006f0d')
+define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
+define(`AUDIO_SET_EXT_ID', `0x00006f10')
+define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
+define(`VIDEO_STOP', `0x00006f15')
+define(`VIDEO_PLAY', `0x00006f16')
+define(`VIDEO_FREEZE', `0x00006f17')
+define(`VIDEO_CONTINUE', `0x00006f18')
+define(`VIDEO_SELECT_SOURCE', `0x00006f19')
+define(`VIDEO_SET_BLANK', `0x00006f1a')
+define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
+define(`VIDEO_FAST_FORWARD', `0x00006f1f')
+define(`VIDEO_SLOWMOTION', `0x00006f20')
+define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
+define(`VIDEO_SET_ID', `0x00006f23')
+define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
+define(`VIDEO_SET_FORMAT', `0x00006f25')
+define(`VIDEO_SET_SYSTEM', `0x00006f26')
+define(`DMX_START', `0x00006f29')
+define(`DMX_STOP', `0x00006f2a')
+define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
+define(`NET_REMOVE_IF', `0x00006f35')
+define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
+define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
+define(`FE_DISEQC_SEND_BURST', `0x00006f41')
+define(`FE_SET_TONE', `0x00006f42')
+define(`FE_SET_VOLTAGE', `0x00006f43')
+define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
+define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
+define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
+define(`CA_RESET', `0x00006f80')
+define(`RTC_AIE_ON', `0x00007001')
+define(`RTC_AIE_OFF', `0x00007002')
+define(`RTC_UIE_ON', `0x00007003')
+define(`PHN_NOT_OH', `0x00007004')
+define(`RTC_UIE_OFF', `0x00007004')
+define(`RTC_PIE_ON', `0x00007005')
+define(`RTC_PIE_OFF', `0x00007006')
+define(`RTC_WIE_ON', `0x0000700f')
+define(`RTC_WIE_OFF', `0x00007010')
+define(`RTC_VL_CLR', `0x00007014')
+define(`NVRAM_INIT', `0x00007040')
+define(`NVRAM_SETCKS', `0x00007041')
+define(`PPCLAIM', `0x0000708b')
+define(`PPRELEASE', `0x0000708c')
+define(`PPYIELD', `0x0000708d')
+define(`PPEXCL', `0x0000708f')
+define(`PHONE_CAPABILITIES', `0x00007180')
+define(`PHONE_RING', `0x00007183')
+define(`PHONE_HOOKSTATE', `0x00007184')
+define(`OLD_PHONE_RING_START', `0x00007187')
+define(`PHONE_RING_STOP', `0x00007188')
+define(`PHONE_REC_START', `0x0000718a')
+define(`PHONE_REC_STOP', `0x0000718b')
+define(`PHONE_REC_LEVEL', `0x0000718f')
+define(`PHONE_PLAY_START', `0x00007191')
+define(`PHONE_PLAY_STOP', `0x00007192')
+define(`PHONE_PLAY_LEVEL', `0x00007195')
+define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
+define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
+define(`PHONE_GET_TONE_STATE', `0x000071a0')
+define(`PHONE_BUSY', `0x000071a1')
+define(`PHONE_RINGBACK', `0x000071a2')
+define(`PHONE_DIALTONE', `0x000071a3')
+define(`PHONE_CPT_STOP', `0x000071a4')
+define(`PHONE_PSTN_GET_STATE', `0x000071a5')
+define(`PHONE_PSTN_LINETEST', `0x000071a8')
+define(`IXJCTL_DSP_RESET', `0x000071c0')
+define(`IXJCTL_DSP_IDLE', `0x000071c5')
+define(`IXJCTL_TESTRAM', `0x000071c6')
+define(`IXJCTL_AEC_STOP', `0x000071cc')
+define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
+define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
+define(`IXJCTL_PLAY_CID', `0x000071d7')
+define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
+define(`BR_OK', `0x00007201')
+define(`BR_DEAD_REPLY', `0x00007205')
+define(`BR_TRANSACTION_COMPLETE', `0x00007206')
+define(`BR_NOOP', `0x0000720c')
+define(`BR_SPAWN_LOOPER', `0x0000720d')
+define(`BR_FINISHED', `0x0000720e')
+define(`BR_FAILED_REPLY', `0x00007211')
+define(`PPPIOCDISCONN', `0x00007439')
+define(`PPPIOCXFERUNIT', `0x0000744e')
+define(`MEYEIOC_STILLCAPT', `0x000076c4')
+define(`ASHMEM_GET_SIZE', `0x00007704')
+define(`ASHMEM_GET_PROT_MASK', `0x00007706')
+define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
+define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
+define(`FIOSETOWN', `0x00008901')
+define(`SIOCSPGRP', `0x00008902')
+define(`FIOGETOWN', `0x00008903')
+define(`SIOCGPGRP', `0x00008904')
+define(`SIOCATMARK', `0x00008905')
+define(`SIOCGSTAMP', `0x00008906')
+define(`SIOCGSTAMPNS', `0x00008907')
+define(`SIOCADDRT', `0x0000890b')
+define(`SIOCDELRT', `0x0000890c')
+define(`SIOCRTMSG', `0x0000890d')
+define(`SIOCGIFNAME', `0x00008910')
+define(`SIOCSIFLINK', `0x00008911')
+define(`SIOCGIFCONF', `0x00008912')
+define(`SIOCGIFFLAGS', `0x00008913')
+define(`SIOCSIFFLAGS', `0x00008914')
+define(`SIOCGIFADDR', `0x00008915')
+define(`SIOCSIFADDR', `0x00008916')
+define(`SIOCGIFDSTADDR', `0x00008917')
+define(`SIOCSIFDSTADDR', `0x00008918')
+define(`SIOCGIFBRDADDR', `0x00008919')
+define(`SIOCSIFBRDADDR', `0x0000891a')
+define(`SIOCGIFNETMASK', `0x0000891b')
+define(`SIOCSIFNETMASK', `0x0000891c')
+define(`SIOCGIFMETRIC', `0x0000891d')
+define(`SIOCSIFMETRIC', `0x0000891e')
+define(`SIOCGIFMEM', `0x0000891f')
+define(`SIOCSIFMEM', `0x00008920')
+define(`SIOCGIFMTU', `0x00008921')
+define(`SIOCSIFMTU', `0x00008922')
+define(`SIOCSIFNAME', `0x00008923')
+define(`SIOCSIFHWADDR', `0x00008924')
+define(`SIOCGIFENCAP', `0x00008925')
+define(`SIOCSIFENCAP', `0x00008926')
+define(`SIOCGIFHWADDR', `0x00008927')
+define(`SIOCGIFSLAVE', `0x00008929')
+define(`SIOCSIFSLAVE', `0x00008930')
+define(`SIOCADDMULTI', `0x00008931')
+define(`SIOCDELMULTI', `0x00008932')
+define(`SIOCGIFINDEX', `0x00008933')
+define(`SIOCSIFPFLAGS', `0x00008934')
+define(`SIOCGIFPFLAGS', `0x00008935')
+define(`SIOCDIFADDR', `0x00008936')
+define(`SIOCSIFHWBROADCAST', `0x00008937')
+define(`SIOCGIFCOUNT', `0x00008938')
+define(`SIOCKILLADDR', `0x00008939')
+define(`SIOCGIFBR', `0x00008940')
+define(`SIOCSIFBR', `0x00008941')
+define(`SIOCGIFTXQLEN', `0x00008942')
+define(`SIOCSIFTXQLEN', `0x00008943')
+define(`SIOCETHTOOL', `0x00008946')
+define(`SIOCGMIIPHY', `0x00008947')
+define(`SIOCGMIIREG', `0x00008948')
+define(`SIOCSMIIREG', `0x00008949')
+define(`SIOCWANDEV', `0x0000894a')
+define(`SIOCOUTQNSD', `0x0000894b')
+define(`SIOCDARP', `0x00008953')
+define(`SIOCGARP', `0x00008954')
+define(`SIOCSARP', `0x00008955')
+define(`SIOCDRARP', `0x00008960')
+define(`SIOCGRARP', `0x00008961')
+define(`SIOCSRARP', `0x00008962')
+define(`SIOCGIFMAP', `0x00008970')
+define(`SIOCSIFMAP', `0x00008971')
+define(`SIOCADDDLCI', `0x00008980')
+define(`SIOCDELDLCI', `0x00008981')
+define(`SIOCGIFVLAN', `0x00008982')
+define(`SIOCSIFVLAN', `0x00008983')
+define(`SIOCBONDENSLAVE', `0x00008990')
+define(`SIOCBONDRELEASE', `0x00008991')
+define(`SIOCBONDSETHWADDR', `0x00008992')
+define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
+define(`SIOCBONDINFOQUERY', `0x00008994')
+define(`SIOCBONDCHANGEACTIVE', `0x00008995')
+define(`SIOCBRADDBR', `0x000089a0')
+define(`SIOCBRDELBR', `0x000089a1')
+define(`SIOCBRADDIF', `0x000089a2')
+define(`SIOCBRDELIF', `0x000089a3')
+define(`SIOCSHWTSTAMP', `0x000089b0')
+define(`SIOCGHWTSTAMP', `0x000089b1')
+define(`SIOCPROTOPRIVATE', `0x000089e0')
+define(`SIOCPROTOPRIVATE_1', `0x000089e1')
+define(`SIOCPROTOPRIVATE_2', `0x000089e2')
+define(`SIOCPROTOPRIVATE_3', `0x000089e3')
+define(`SIOCPROTOPRIVATE_4', `0x000089e4')
+define(`SIOCPROTOPRIVATE_5', `0x000089e5')
+define(`SIOCPROTOPRIVATE_6', `0x000089e6')
+define(`SIOCPROTOPRIVATE_7', `0x000089e7')
+define(`SIOCPROTOPRIVATE_8', `0x000089e8')
+define(`SIOCPROTOPRIVATE_9', `0x000089e9')
+define(`SIOCPROTOPRIVATE_A', `0x000089ea')
+define(`SIOCPROTOPRIVATE_B', `0x000089eb')
+define(`SIOCPROTOPRIVATE_C', `0x000089ec')
+define(`SIOCPROTOPRIVATE_D', `0x000089ed')
+define(`SIOCPROTOPRIVATE_E', `0x000089ee')
+define(`SIOCPROTOPRIVLAST', `0x000089ef')
+define(`SIOCDEVPRIVATE', `0x000089f0')
+define(`SIOCDEVPRIVATE_1', `0x000089f1')
+define(`SIOCDEVPRIVATE_2', `0x000089f2')
+define(`SIOCDEVPRIVATE_3', `0x000089f3')
+define(`SIOCDEVPRIVATE_4', `0x000089f4')
+define(`SIOCDEVPRIVATE_5', `0x000089f5')
+define(`SIOCDEVPRIVATE_6', `0x000089f6')
+define(`SIOCDEVPRIVATE_7', `0x000089f7')
+define(`SIOCDEVPRIVATE_8', `0x000089f8')
+define(`SIOCDEVPRIVATE_9', `0x000089f9')
+define(`SIOCDEVPRIVATE_A', `0x000089fa')
+define(`SIOCDEVPRIVATE_B', `0x000089fb')
+define(`SIOCDEVPRIVATE_C', `0x000089fc')
+define(`SIOCDEVPRIVATE_D', `0x000089fd')
+define(`SIOCDEVPRIVATE_E', `0x000089fe')
+define(`SIOCDEVPRIVLAST', `0x000089ff')
+define(`SIOCIWFIRST', `0x00008b00')
+define(`SIOCSIWCOMMIT', `0x00008b00')
+define(`SIOCGIWNAME', `0x00008b01')
+define(`SIOCSIWNWID', `0x00008b02')
+define(`SIOCGIWNWID', `0x00008b03')
+define(`SIOCSIWFREQ', `0x00008b04')
+define(`SIOCGIWFREQ', `0x00008b05')
+define(`SIOCSIWMODE', `0x00008b06')
+define(`SIOCGIWMODE', `0x00008b07')
+define(`SIOCSIWSENS', `0x00008b08')
+define(`SIOCGIWSENS', `0x00008b09')
+define(`SIOCSIWRANGE', `0x00008b0a')
+define(`SIOCGIWRANGE', `0x00008b0b')
+define(`SIOCSIWPRIV', `0x00008b0c')
+define(`SIOCGIWPRIV', `0x00008b0d')
+define(`SIOCSIWSTATS', `0x00008b0e')
+define(`SIOCGIWSTATS', `0x00008b0f')
+define(`SIOCSIWSPY', `0x00008b10')
+define(`SIOCGIWSPY', `0x00008b11')
+define(`SIOCSIWTHRSPY', `0x00008b12')
+define(`SIOCGIWTHRSPY', `0x00008b13')
+define(`SIOCSIWAP', `0x00008b14')
+define(`SIOCGIWAP', `0x00008b15')
+define(`SIOCSIWMLME', `0x00008b16')
+define(`SIOCGIWAPLIST', `0x00008b17')
+define(`SIOCSIWSCAN', `0x00008b18')
+define(`SIOCGIWSCAN', `0x00008b19')
+define(`SIOCSIWESSID', `0x00008b1a')
+define(`SIOCGIWESSID', `0x00008b1b')
+define(`SIOCSIWNICKN', `0x00008b1c')
+define(`SIOCGIWNICKN', `0x00008b1d')
+define(`SIOCSIWRATE', `0x00008b20')
+define(`SIOCGIWRATE', `0x00008b21')
+define(`SIOCSIWRTS', `0x00008b22')
+define(`SIOCGIWRTS', `0x00008b23')
+define(`SIOCSIWFRAG', `0x00008b24')
+define(`SIOCGIWFRAG', `0x00008b25')
+define(`SIOCSIWTXPOW', `0x00008b26')
+define(`SIOCGIWTXPOW', `0x00008b27')
+define(`SIOCSIWRETRY', `0x00008b28')
+define(`SIOCGIWRETRY', `0x00008b29')
+define(`SIOCSIWENCODE', `0x00008b2a')
+define(`SIOCGIWENCODE', `0x00008b2b')
+define(`SIOCSIWPOWER', `0x00008b2c')
+define(`SIOCGIWPOWER', `0x00008b2d')
+define(`SIOCSIWGENIE', `0x00008b30')
+define(`SIOCGIWGENIE', `0x00008b31')
+define(`SIOCSIWAUTH', `0x00008b32')
+define(`SIOCGIWAUTH', `0x00008b33')
+define(`SIOCSIWENCODEEXT', `0x00008b34')
+define(`SIOCGIWENCODEEXT', `0x00008b35')
+define(`SIOCSIWPMKSA', `0x00008b36')
+define(`SIOCIWFIRSTPRIV', `0x00008be0')
+define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
+define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
+define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
+define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
+define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
+define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
+define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
+define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
+define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
+define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
+define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
+define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
+define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
+define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
+define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
+define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
+define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
+define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
+define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
+define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
+define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
+define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
+define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
+define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
+define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
+define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
+define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
+define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
+define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
+define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
+define(`SIOCIWLASTPRIV', `0x00008bff')
+define(`AUTOFS_IOC_READY', `0x00009360')
+define(`AUTOFS_IOC_FAIL', `0x00009361')
+define(`AUTOFS_IOC_CATATONIC', `0x00009362')
+define(`BTRFS_IOC_TRANS_START', `0x00009406')
+define(`BTRFS_IOC_TRANS_END', `0x00009407')
+define(`BTRFS_IOC_SYNC', `0x00009408')
+define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
+define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
+define(`NBD_SET_SOCK', `0x0000ab00')
+define(`NBD_SET_BLKSIZE', `0x0000ab01')
+define(`NBD_SET_SIZE', `0x0000ab02')
+define(`NBD_DO_IT', `0x0000ab03')
+define(`NBD_CLEAR_SOCK', `0x0000ab04')
+define(`NBD_CLEAR_QUE', `0x0000ab05')
+define(`NBD_PRINT_DEBUG', `0x0000ab06')
+define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
+define(`NBD_DISCONNECT', `0x0000ab08')
+define(`NBD_SET_TIMEOUT', `0x0000ab09')
+define(`NBD_SET_FLAGS', `0x0000ab0a')
+define(`RAW_SETBIND', `0x0000ac00')
+define(`RAW_GETBIND', `0x0000ac01')
+define(`KVM_GET_API_VERSION', `0x0000ae00')
+define(`KVM_CREATE_VM', `0x0000ae01')
+define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
+define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
+define(`KVM_CHECK_EXTENSION', `0x0000ae03')
+define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
+define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
+define(`LOGGER_FLUSH_LOG', `0x0000ae04')
+define(`LOGGER_GET_VERSION', `0x0000ae05')
+define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
+define(`LOGGER_SET_VERSION', `0x0000ae06')
+define(`KVM_CREATE_VCPU', `0x0000ae41')
+define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
+define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
+define(`KVM_SET_TSS_ADDR', `0x0000ae47')
+define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
+define(`KVM_CREATE_PIT', `0x0000ae64')
+define(`KVM_REINJECT_CONTROL', `0x0000ae71')
+define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
+define(`KVM_RUN', `0x0000ae80')
+define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
+define(`KVM_NMI', `0x0000ae9a')
+define(`KVM_SET_TSC_KHZ', `0x0000aea2')
+define(`KVM_GET_TSC_KHZ', `0x0000aea3')
+define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
+define(`VHOST_SET_OWNER', `0x0000af01')
+define(`VHOST_RESET_OWNER', `0x0000af02')
+define(`PPPOEIOCDFWD', `0x0000b101')
+define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
+define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
+define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
+define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
+define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
+define(`MFB_SET_ALPHA', `0x40014d00')
+define(`MFB_SET_GAMMA', `0x40014d01')
+define(`MFB_SET_BRIGHTNESS', `0x40014d03')
+define(`SPI_IOC_WR_MODE', `0x40016b01')
+define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
+define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
+define(`PPWCONTROL', `0x40017084')
+define(`PPWDATA', `0x40017086')
+define(`PPWCTLONIRQ', `0x40017092')
+define(`PHONE_MAXRINGS', `0x40017185')
+define(`PHONE_PLAY_TONE', `0x4001719b')
+define(`SONYPI_IOCSBRT', `0x40017600')
+define(`SONYPI_IOCSBLUE', `0x40017609')
+define(`SONYPI_IOCSFAN', `0x4001760b')
+define(`ATM_SETBACKEND', `0x400261f2')
+define(`ATM_NEWBACKENDIF', `0x400261f3')
+define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
+define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
+define(`DMX_ADD_PID', `0x40026f33')
+define(`DMX_REMOVE_PID', `0x40026f34')
+define(`PPFCONTROL', `0x4002708e')
+define(`PHONE_RING_CADENCE', `0x40027186')
+define(`SET_BITMAP_FILE', `0x4004092b')
+define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
+define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
+define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
+define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
+define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
+define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
+define(`BLKI2OSRSTRAT', `0x40043203')
+define(`BLKI2OSWSTRAT', `0x40043204')
+define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
+define(`PTP_ENABLE_PPS', `0x40043d04')
+define(`SYNC_IOC_WAIT', `0x40043e00')
+define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
+define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
+define(`AGPIOC_DEALLOCATE', `0x40044107')
+define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
+define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
+define(`CCISS_REGNEWDISK', `0x4004420d')
+define(`EVIOCRMFF', `0x40044581')
+define(`EVIOCGRAB', `0x40044590')
+define(`EVIOCREVOKE', `0x40044591')
+define(`EVIOCSCLOCKID', `0x400445a0')
+define(`FBIOPUT_CONTRAST', `0x40044602')
+define(`FBIPUT_BRIGHTNESS', `0x40044603')
+define(`FBIPUT_COLOR', `0x40044606')
+define(`FBIPUT_HSYNC', `0x40044609')
+define(`FBIPUT_VSYNC', `0x4004460a')
+define(`FBIO_WAITFORVSYNC', `0x40044620')
+define(`SSTFB_SET_VGAPASS', `0x400446dd')
+define(`HIDIOCSFLAG', `0x4004480f')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
+define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
+define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
+define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
+define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
+define(`HCIDEVUP', `0x400448c9')
+define(`HCIDEVDOWN', `0x400448ca')
+define(`HCIDEVRESET', `0x400448cb')
+define(`HCIDEVRESTAT', `0x400448cc')
+define(`HCISETRAW', `0x400448dc')
+define(`HCISETSCAN', `0x400448dd')
+define(`HCISETAUTH', `0x400448de')
+define(`HCISETENCRYPT', `0x400448df')
+define(`HCISETPTYPE', `0x400448e0')
+define(`HCISETLINKPOL', `0x400448e1')
+define(`HCISETLINKMODE', `0x400448e2')
+define(`HCISETACLMTU', `0x400448e3')
+define(`HCISETSCOMTU', `0x400448e4')
+define(`HCIBLOCKADDR', `0x400448e6')
+define(`HCIUNBLOCKADDR', `0x400448e7')
+define(`MFB_SET_PIXFMT', `0x40044d08')
+define(`OTPGETREGIONCOUNT', `0x40044d0e')
+define(`UBI_IOCEBER', `0x40044f01')
+define(`UBI_IOCEBCH', `0x40044f02')
+define(`UBI_IOCEBUNMAP', `0x40044f04')
+define(`OMAPFB_MIRROR', `0x40044f1f')
+define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
+define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
+define(`OMAPFB_LCD_TEST', `0x40044f2d')
+define(`OMAPFB_CTRL_TEST', `0x40044f2e')
+define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
+define(`SNDCTL_DSP_PROFILE', `0x40045017')
+define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
+define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
+define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
+define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
+define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
+define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
+define(`RNDADDTOENTCNT', `0x40045201')
+define(`SAA6588_CMD_CLOSE', `0x40045202')
+define(`RFCOMMCREATEDEV', `0x400452c8')
+define(`RFCOMMRELEASEDEV', `0x400452c9')
+define(`RFCOMMSTEALDLC', `0x400452dc')
+define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
+define(`SNDCTL_TMR_METRONOME', `0x40045407')
+define(`SNDCTL_TMR_SELECT', `0x40045408')
+define(`TIOCSPTLCK', `0x40045431')
+define(`TIOCSIG', `0x40045436')
+define(`TUNSETNOCSUM', `0x400454c8')
+define(`TUNSETDEBUG', `0x400454c9')
+define(`TUNSETIFF', `0x400454ca')
+define(`TUNSETPERSIST', `0x400454cb')
+define(`TUNSETOWNER', `0x400454cc')
+define(`TUNSETLINK', `0x400454cd')
+define(`TUNSETGROUP', `0x400454ce')
+define(`TUNSETOFFLOAD', `0x400454d0')
+define(`TUNSETTXFILTER', `0x400454d1')
+define(`TUNSETSNDBUF', `0x400454d4')
+define(`TUNSETVNETHDRSZ', `0x400454d8')
+define(`TUNSETQUEUE', `0x400454d9')
+define(`TUNSETIFINDEX', `0x400454da')
+define(`TUNSETVNETLE', `0x400454dc')
+define(`USBDEVFS_REAPURB32', `0x4004550c')
+define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
+define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
+define(`UI_SET_EVBIT', `0x40045564')
+define(`UI_SET_KEYBIT', `0x40045565')
+define(`UI_SET_RELBIT', `0x40045566')
+define(`UI_SET_ABSBIT', `0x40045567')
+define(`UI_SET_MSCBIT', `0x40045568')
+define(`UI_SET_LEDBIT', `0x40045569')
+define(`UI_SET_SNDBIT', `0x4004556a')
+define(`UI_SET_FFBIT', `0x4004556b')
+define(`UI_SET_SWBIT', `0x4004556d')
+define(`UI_SET_PROPBIT', `0x4004556e')
+define(`VIDIOC_OVERLAY', `0x4004560e')
+define(`VIDIOC_STREAMON', `0x40045612')
+define(`VIDIOC_STREAMOFF', `0x40045613')
+define(`VIDIOC_S_PRIORITY', `0x40045644')
+define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
+define(`SW_SYNC_IOC_INC', `0x40045701')
+define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
+define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
+define(`SONET_SETFRAMING', `0x40046115')
+define(`ATM_SETSC', `0x400461f1')
+define(`ATM_DROPPARTY', `0x400461f5')
+define(`BINDER_SET_MAX_THREADS', `0x40046205')
+define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
+define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_THREAD_EXIT', `0x40046208')
+define(`BC_ACQUIRE_RESULT', `0x40046302')
+define(`BC_INCREFS', `0x40046304')
+define(`BC_ACQUIRE', `0x40046305')
+define(`CHIOSPICKER', `0x40046305')
+define(`BC_RELEASE', `0x40046306')
+define(`BC_DECREFS', `0x40046307')
+define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
+define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
+define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
+define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
+define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
+define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
+define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
+define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
+define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
+define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
+define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
+define(`VIDIOC_INT_RESET', `0x40046466')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
+define(`FS_IOC32_SETFLAGS', `0x40046602')
+define(`LIRC_SET_SEND_MODE', `0x40046911')
+define(`LIRC_SET_REC_MODE', `0x40046912')
+define(`LIRC_SET_SEND_CARRIER', `0x40046913')
+define(`LIRC_SET_REC_CARRIER', `0x40046914')
+define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
+define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
+define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
+define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
+define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
+define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
+define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
+define(`LIRC_SET_REC_FILTER', `0x4004691c')
+define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
+define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
+define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
+define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
+define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
+define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
+define(`SPI_IOC_WR_MODE32', `0x40046b05')
+define(`MSMFB_GRP_DISP', `0x40046d01')
+define(`MSMFB_BLIT', `0x40046d02')
+define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
+define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
+define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
+define(`UBI_IOCRMVOL', `0x40046f01')
+define(`DMX_SET_SOURCE', `0x40046f31')
+define(`UBI_IOCDET', `0x40046f41')
+define(`PPSETMODE', `0x40047080')
+define(`PPDATADIR', `0x40047090')
+define(`PPNEGOT', `0x40047091')
+define(`PPSETPHASE', `0x40047094')
+define(`PPSETFLAGS', `0x4004709b')
+define(`PHONE_REC_CODEC', `0x40047189')
+define(`PHONE_REC_DEPTH', `0x4004718c')
+define(`PHONE_FRAME', `0x4004718d')
+define(`PHONE_REC_VOLUME', `0x4004718e')
+define(`PHONE_PLAY_CODEC', `0x40047190')
+define(`PHONE_PLAY_DEPTH', `0x40047193')
+define(`PHONE_PLAY_VOLUME', `0x40047194')
+define(`PHONE_DTMF_OOB', `0x40047199')
+define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
+define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
+define(`PHONE_PSTN_SET_STATE', `0x400471a4')
+define(`PHONE_WINK_DURATION', `0x400471a6')
+define(`PHONE_VAD', `0x400471a9')
+define(`PHONE_WINK', `0x400471aa')
+define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
+define(`IXJCTL_AEC_START', `0x400471cb')
+define(`IXJCTL_SET_LED', `0x400471ce')
+define(`IXJCTL_MIXER', `0x400471cf')
+define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
+define(`IXJCTL_PORT', `0x400471d1')
+define(`IXJCTL_DAA_AGAIN', `0x400471d2')
+define(`IXJCTL_POTS_PSTN', `0x400471d5')
+define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
+define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
+define(`IXJCTL_HZ', `0x400471e0')
+define(`IXJCTL_RATE', `0x400471e1')
+define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
+define(`IXJCTL_SC_RXG', `0x400471ea')
+define(`IXJCTL_SC_TXG', `0x400471eb')
+define(`IXJCTL_INTERCOM_START', `0x400471fd')
+define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
+define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
+define(`PPPIOCATTCHAN', `0x40047438')
+define(`PPPIOCCONNECT', `0x4004743a')
+define(`PPPIOCSMRRU', `0x4004743b')
+define(`PPPIOCDETACH', `0x4004743c')
+define(`PPPIOCATTACH', `0x4004743d')
+define(`PPPIOCSDEBUG', `0x40047440')
+define(`PPPIOCSMAXCID', `0x40047451')
+define(`PPPIOCSMRU', `0x40047452')
+define(`PPPIOCSRASYNCMAP', `0x40047454')
+define(`PPPIOCSASYNCMAP', `0x40047457')
+define(`PPPIOCSFLAGS', `0x40047459')
+define(`PPPIOCBUNDLE', `0x40047481')
+define(`PPPIOCSMPFLAGS', `0x40047483')
+define(`PPPIOCSMPMTU', `0x40047484')
+define(`PPPIOCSMPMRU', `0x40047485')
+define(`PPPIOCSCOMPRESSOR', `0x40047487')
+define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
+define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
+define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
+define(`OSIOCSNETADDR', `0x400489e0')
+define(`SIOCSNETADDR', `0x400489e0')
+define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
+define(`BTRFS_IOC_CLONE', `0x40049409')
+define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
+define(`KVM_INTERRUPT', `0x4004ae86')
+define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
+define(`KVM_SET_MP_STATE', `0x4004ae99')
+define(`VHOST_SET_LOG_FD', `0x4004af07')
+define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
+define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
+define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
+define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
+define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
+define(`SISFB_SET_LOCK', `0x4004f306')
+define(`GIGASET_BRKCHARS', `0x40064702')
+define(`MEYEIOC_S_PARAMS', `0x400676c1')
+define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
+define(`BLKBSZSET', `0x40081271')
+define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
+define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
+define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
+define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
+define(`AGPIOC_SETUP', `0x40084103')
+define(`AGPIOC_RESERVE', `0x40084104')
+define(`AGPIOC_PROTECT', `0x40084105')
+define(`AGPIOC_BIND', `0x40084108')
+define(`AGPIOC_UNBIND', `0x40084109')
+define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
+define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
+define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
+define(`CCISS_SETINTINFO', `0x40084203')
+define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
+define(`EVIOCSREP', `0x40084503')
+define(`EVIOCSKEYCODE', `0x40084504')
+define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
+define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
+define(`MEMERASE', `0x40084d02')
+define(`MFB_SET_AOID', `0x40084d04')
+define(`MEMLOCK', `0x40084d05')
+define(`MEMUNLOCK', `0x40084d06')
+define(`MEMGETBADBLOCK', `0x40084d0b')
+define(`MEMSETBADBLOCK', `0x40084d0c')
+define(`UBI_IOCVOLUP', `0x40084f00')
+define(`UBI_IOCEBMAP', `0x40084f03')
+define(`OMAPFB_SETUP_MEM', `0x40084f37')
+define(`OMAPFB_QUERY_MEM', `0x40084f38')
+define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
+define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
+define(`RNDADDENTROPY', `0x40085203')
+define(`TFD_IOC_SET_TICKS', `0x40085400')
+define(`USBDEVFS_REAPURB', `0x4008550c')
+define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
+define(`USBDEVFS_CONNECTINFO', `0x40085511')
+define(`UI_SET_PHYS', `0x4008556c')
+define(`VIDIOC_S_STD', `0x40085618')
+define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
+define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
+define(`CM_IOCSPTS', `0x40086302')
+define(`BC_FREE_BUFFER', `0x40086303')
+define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
+define(`BC_DEAD_BINDER_DONE', `0x40086310')
+define(`CM_IOSDBGLVL', `0x400863fa')
+define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
+define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
+define(`DRM_IOCTL_CONTROL', `0x40086414')
+define(`DRM_IOCTL_MOD_CTX', `0x40086422')
+define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
+define(`DRM_IOCTL_NEW_CTX', `0x40086425')
+define(`DRM_IOCTL_LOCK', `0x4008642a')
+define(`DRM_IOCTL_UNLOCK', `0x4008642b')
+define(`DRM_IOCTL_FINISH', `0x4008642c')
+define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
+define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
+define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
+define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
+define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
+define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
+define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
+define(`DRM_IOCTL_I915_FREE', `0x40086449')
+define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
+define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
+define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
+define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
+define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
+define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
+define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
+define(`FS_IOC_SETFLAGS', `0x40086602')
+define(`HPET_IRQFREQ', `0x40086806')
+define(`MTIOCTOP', `0x40086d01')
+define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
+define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
+define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
+define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
+define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
+define(`AUDIO_SET_MIXER', `0x40086f0e')
+define(`VIDEO_SET_SPU', `0x40086f32')
+define(`CA_SET_PID', `0x40086f87')
+define(`PHN_SET_REG', `0x40087001')
+define(`PHN_SET_REGS', `0x40087003')
+define(`PHN_SETREG', `0x40087006')
+define(`RTC_IRQP_SET', `0x4008700c')
+define(`RTC_EPOCH_SET', `0x4008700e')
+define(`PPS_SETPARAMS', `0x400870a2')
+define(`PPS_KC_BIND', `0x400870a5')
+define(`SPIOCSTYPE', `0x40087101')
+define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
+define(`PHONE_RING_START', `0x40087187')
+define(`IXJCTL_SET_FILTER', `0x400871c7')
+define(`IXJCTL_INIT_TONE', `0x400871c9')
+define(`IXJCTL_TONE_CADENCE', `0x400871ca')
+define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
+define(`IXJCTL_CIDCW', `0x400871d9')
+define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
+define(`IXJCTL_SIGCTL', `0x400871e9')
+define(`PPPIOCSNPMODE', `0x4008744b')
+define(`FS_IOC_SETVERSION', `0x40087602')
+define(`ASHMEM_SET_SIZE', `0x40087703')
+define(`ASHMEM_SET_PROT_MASK', `0x40087705')
+define(`ASHMEM_PIN', `0x40087707')
+define(`ASHMEM_UNPIN', `0x40087708')
+define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
+define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
+define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
+define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
+define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
+define(`KVM_IRQ_LINE', `0x4008ae61')
+define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
+define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
+define(`KVM_SET_MSRS', `0x4008ae89')
+define(`KVM_SET_CPUID', `0x4008ae8a')
+define(`KVM_SET_CPUID2', `0x4008ae90')
+define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
+define(`KVM_S390_STORE_STATUS', `0x4008ae95')
+define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
+define(`VHOST_SET_FEATURES', `0x4008af00')
+define(`VHOST_SET_MEM_TABLE', `0x4008af03')
+define(`VHOST_SET_LOG_BASE', `0x4008af04')
+define(`VHOST_SET_VRING_NUM', `0x4008af10')
+define(`VHOST_SET_VRING_BASE', `0x4008af12')
+define(`VHOST_SET_VRING_KICK', `0x4008af20')
+define(`VHOST_SET_VRING_CALL', `0x4008af21')
+define(`VHOST_SET_VRING_ERR', `0x4008af22')
+define(`VHOST_NET_SET_BACKEND', `0x4008af30')
+define(`PPPOEIOCSFWD', `0x4008b100')
+define(`IOW_WRITE', `0x4008c001')
+define(`IOW_READ', `0x4008c002')
+define(`REISERFS_IOC_UNPACK', `0x4008cd01')
+define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
+define(`FDFMTTRK', `0x400c0248')
+define(`RUN_ARRAY', `0x400c0930')
+define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
+define(`CAPI_REGISTER', `0x400c4301')
+define(`HIDIOCGREPORT', `0x400c4807')
+define(`HIDIOCSREPORT', `0x400c4808')
+define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
+define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
+define(`OTPGETREGIONINFO', `0x400c4d0f')
+define(`UI_END_FF_ERASE', `0x400c55cb')
+define(`CHIOPOSITION', `0x400c6303')
+define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
+define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
+define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
+define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
+define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
+define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
+define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
+define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
+define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
+define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
+define(`I2OEVTREG', `0x400c690a')
+define(`HSC_SET_RX', `0x400c6b13')
+define(`HSC_GET_RX', `0x400c6b14')
+define(`NCP_IOC_GETROOT', `0x400c6e08')
+define(`UBI_IOCRSVOL', `0x400c6f02')
+define(`AUDIO_SET_KARAOKE', `0x400c6f12')
+define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
+define(`MBXFB_IOCS_REG', `0x400cf404')
+define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
+define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
+define(`PTP_EXTTS_REQUEST', `0x40103d02')
+define(`CCISS_SETNODENAME', `0x40104205')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
+define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
+define(`MTRRIOC_SET_ENTRY', `0x40104d01')
+define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
+define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
+define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
+define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
+define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
+define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
+define(`MEMERASE64', `0x40104d14')
+define(`UBI_IOCSETVOLPROP', `0x40104f06')
+define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
+define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
+define(`TUNATTACHFILTER', `0x401054d5')
+define(`TUNDETACHFILTER', `0x401054d6')
+define(`ANDROID_ALARM_SET_RTC', `0x40106105')
+define(`IDT77105_GETSTAT', `0x40106132')
+define(`IDT77105_GETSTATZ', `0x40106133')
+define(`ATM_GETSTAT', `0x40106150')
+define(`ATM_GETSTATZ', `0x40106151')
+define(`ATM_GETLOOP', `0x40106152')
+define(`ATM_SETLOOP', `0x40106153')
+define(`ATM_QUERYLOOP', `0x40106154')
+define(`ENI_MEMDUMP', `0x40106160')
+define(`HE_GET_REG', `0x40106160')
+define(`ZATM_GETPOOL', `0x40106161')
+define(`NS_SETBUFLEV', `0x40106162')
+define(`ZATM_GETPOOLZ', `0x40106162')
+define(`ZATM_SETPOOL', `0x40106163')
+define(`ENI_SETMULT', `0x40106167')
+define(`ATM_GETLINKRATE', `0x40106181')
+define(`ATM_GETNAMES', `0x40106183')
+define(`ATM_GETTYPE', `0x40106184')
+define(`ATM_GETESI', `0x40106185')
+define(`ATM_GETADDR', `0x40106186')
+define(`ATM_RSTADDR', `0x40106187')
+define(`ATM_ADDADDR', `0x40106188')
+define(`ATM_DELADDR', `0x40106189')
+define(`ATM_GETCIRANGE', `0x4010618a')
+define(`ATM_SETCIRANGE', `0x4010618b')
+define(`ATM_SETESI', `0x4010618c')
+define(`ATM_SETESIF', `0x4010618d')
+define(`ATM_ADDLECSADDR', `0x4010618e')
+define(`ATM_DELLECSADDR', `0x4010618f')
+define(`ATM_GETLECSADDR', `0x40106190')
+define(`ATM_ADDPARTY', `0x401061f4')
+define(`BC_INCREFS_DONE', `0x40106308')
+define(`CHIOGSTATUS', `0x40106308')
+define(`BC_ACQUIRE_DONE', `0x40106309')
+define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
+define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
+define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
+define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
+define(`DRM_IOCTL_AGP_BIND', `0x40106436')
+define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
+define(`DRM_IOCTL_SG_FREE', `0x40106439')
+define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
+define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
+define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
+define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
+define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
+define(`DRM_IOCTL_I810_COPY', `0x40106447')
+define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
+define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
+define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
+define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
+define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
+define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
+define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
+define(`TUNER_SET_CONFIG', `0x4010645c')
+define(`HSC_SET_TX', `0x40106b15')
+define(`HSC_GET_TX', `0x40106b16')
+define(`MGSL_IOCSGPIO', `0x40106d10')
+define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
+define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
+define(`VIDEO_STILLPICTURE', `0x40106f1e')
+define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
+define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
+define(`FE_SET_PROPERTY', `0x40106f52')
+define(`CA_SET_DESCR', `0x40106f86')
+define(`PPSETTIME', `0x40107096')
+define(`PPPIOCSACTIVE', `0x40107446')
+define(`PPPIOCSPASS', `0x40107447')
+define(`PPPIOCSCOMPRESS', `0x4010744d')
+define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
+define(`GENWQE_WRITE_REG64', `0x4010a51f')
+define(`GENWQE_WRITE_REG32', `0x4010a521')
+define(`GENWQE_WRITE_REG16', `0x4010a523')
+define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
+define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
+define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
+define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
+define(`KVM_S390_INTERRUPT', `0x4010ae94')
+define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
+define(`KVM_DIRTY_TLB', `0x4010aeaa')
+define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
+define(`KVM_GET_ONE_REG', `0x4010aeab')
+define(`KVM_SET_ONE_REG', `0x4010aeac')
+define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
+define(`FDSETMAXERRS', `0x4014024c')
+define(`ADD_NEW_DISK', `0x40140921')
+define(`SNDCTL_COPR_WDATA', `0x40144304')
+define(`SNDCTL_COPR_WCODE', `0x40144305')
+define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
+define(`VIDIOC_S_CROP', `0x4014563c')
+define(`CHIOMOVE', `0x40146301')
+define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
+define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
+define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
+define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
+define(`DMX_SET_PES_FILTER', `0x40146f2c')
+define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
+define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
+define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
+define(`HIDIOCSUSAGE', `0x4018480c')
+define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
+define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
+define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
+define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
+define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
+define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
+define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
+define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
+define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
+define(`UBI_IOCATT', `0x40186f40')
+define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
+define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
+define(`KVM_S390_UCAS_MAP', `0x4018ae50')
+define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
+define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
+define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
+define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
+define(`MBXFB_IOCS_ALPHA', `0x4018f402')
+define(`BR2684_SETFILT', `0x401c6190')
+define(`CHIOEXCHANGE', `0x401c6302')
+define(`FDSETPRM', `0x40200242')
+define(`FDDEFPRM', `0x40200243')
+define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
+define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
+define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
+define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
+define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
+define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
+define(`DRM_IOCTL_AGP_FREE', `0x40206435')
+define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
+define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
+define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
+define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
+define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
+define(`DRM_IOCTL_I810_MC', `0x4020644c')
+define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
+define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
+define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
+define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
+define(`OSD_SEND_CMD', `0x40206fa0')
+define(`RTC_PLL_SET', `0x40207012')
+define(`PPPIOCSXASYNCMAP', `0x4020744f')
+define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
+define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
+define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
+define(`KVM_IRQFD', `0x4020ae76')
+define(`KVM_SIGNAL_MSI', `0x4020aea5')
+define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
+define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
+define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
+define(`JSIOCSCORR', `0x40246a21')
+define(`FE_SET_FRONTEND', `0x40246f4c')
+define(`RTC_ALM_SET', `0x40247007')
+define(`RTC_SET_TIME', `0x4024700a')
+define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
+define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
+define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
+define(`EVIOCSKEYCODE_V2', `0x40284504')
+define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
+define(`DRM_IOCTL_RM_MAP', `0x4028641b')
+define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
+define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
+define(`PHN_SETREGS', `0x40287008')
+define(`RTC_WKALM_SET', `0x4028700f')
+define(`VHOST_SET_VRING_ADDR', `0x4028af11')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
+define(`TCSETS2', `0x402c542b')
+define(`TCSETSW2', `0x402c542c')
+define(`TCSETSF2', `0x402c542d')
+define(`VIDIOC_S_FREQUENCY', `0x402c5639')
+define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
+define(`EVIOCSFF', `0x40304580')
+define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
+define(`VIDIOC_S_FBUF', `0x4030560b')
+define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
+define(`CHIOSVOLTAG', `0x40306312')
+define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
+define(`MGSL_IOCSPARAMS', `0x40306d00')
+define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
+define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
+define(`KVM_SET_CLOCK', `0x4030ae7b')
+define(`GSMIOC_ENABLE_NET', `0x40344702')
+define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
+define(`VIDIOC_S_AUDIO', `0x40345622')
+define(`VIDIOC_S_AUDOUT', `0x40345632')
+define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
+define(`PTP_PEROUT_REQUEST', `0x40383d03')
+define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
+define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
+define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
+define(`DMX_SET_FILTER', `0x403c6f2b')
+define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
+define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
+define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
+define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
+define(`BC_TRANSACTION', `0x40406300')
+define(`BC_REPLY', `0x40406301')
+define(`DRM_IOCTL_I810_INIT', `0x40406440')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
+define(`JSIOCSAXMAP', `0x40406a31')
+define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
+define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
+define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
+define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
+define(`KVM_CREATE_PIT2', `0x4040ae77')
+define(`KVM_IOEVENTFD', `0x4040ae79')
+define(`KVM_X86_SET_MCE', `0x4040ae9e')
+define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
+define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
+define(`CXL_IOCTL_START_WORK', `0x4040ca00')
+define(`OMAPFB_SETUP_PLANE', `0x40444f34')
+define(`OMAPFB_QUERY_PLANE', `0x40444f35')
+define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
+define(`VIDIOC_S_MODULATOR', `0x40445637')
+define(`DRM_IOCTL_I915_INIT', `0x40446440')
+define(`SET_ARRAY_INFO', `0x40480923')
+define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
+define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
+define(`BTRFS_IOC_SEND', `0x40489426')
+define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
+define(`GSMIOC_SETCONF', `0x404c4701')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
+define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
+define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
+define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
+define(`VIDIOC_S_TUNER', `0x4054561e')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
+define(`PTP_PIN_SETFUNC', `0x40603d07')
+define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
+define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
+define(`UI_END_FF_UPLOAD', `0x406855c9')
+define(`KVM_ENABLE_CAP', `0x4068aea3')
+define(`CHIOGELEM', `0x406c6310')
+define(`KVM_SET_PIT2', `0x4070aea0')
+define(`DRM_IOCTL_R128_INIT', `0x40786440')
+define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
+define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
+define(`FDSETDRVPRM', `0x40800290')
+define(`UBI_IOCVOLCRBLK', `0x40804f07')
+define(`DRM_IOCTL_MGA_INIT', `0x40806440')
+define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
+define(`KVM_SET_DEBUGREGS', `0x4080aea2')
+define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
+define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
+define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
+define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
+define(`KVM_SET_REGS', `0x4090ae82')
+define(`UBI_IOCMKVOL', `0x40986f00')
+define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
+define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
+define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
+define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
+define(`ASHMEM_SET_NAME', `0x41007701')
+define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
+define(`USBDEVFS_GETDRIVER', `0x41045508')
+define(`CA_SEND_MSG', `0x410c6f85')
+define(`KVM_SET_SREGS', `0x4138ae84')
+define(`KVM_SET_XCRS', `0x4188aea7')
+define(`KVM_SET_FPU', `0x41a0ae8d')
+define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
+define(`PTP_SYS_OFFSET', `0x43403d05')
+define(`JSIOCSBTNMAP', `0x44006a33')
+define(`KVM_SET_LAPIC', `0x4400ae8f')
+define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
+define(`BTRFS_IOC_DEFRAG', `0x50009402')
+define(`BTRFS_IOC_RESIZE', `0x50009403')
+define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
+define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
+define(`BTRFS_IOC_RM_DEV', `0x5000940b')
+define(`BTRFS_IOC_BALANCE', `0x5000940c')
+define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
+define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
+define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
+define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
+define(`KVM_SET_XSAVE', `0x5000aea5')
+define(`HIDIOCSUSAGES', `0x501c4814')
+define(`UBI_IOCRNVOL', `0x51106f03')
+define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
+define(`MFB_GET_ALPHA', `0x80014d00')
+define(`MFB_GET_GAMMA', `0x80014d01')
+define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
+define(`JSIOCGAXES', `0x80016a11')
+define(`JSIOCGBUTTONS', `0x80016a12')
+define(`SPI_IOC_RD_MODE', `0x80016b01')
+define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
+define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
+define(`PPRSTATUS', `0x80017081')
+define(`PPRCONTROL', `0x80017083')
+define(`PPRDATA', `0x80017085')
+define(`SONYPI_IOCGBRT', `0x80017600')
+define(`SONYPI_IOCGBATFLAGS', `0x80017607')
+define(`SONYPI_IOCGBLUE', `0x80017608')
+define(`SONYPI_IOCGFAN', `0x8001760a')
+define(`SONYPI_IOCGTEMP', `0x8001760c')
+define(`CAPI_GET_ERRCODE', `0x80024321')
+define(`CAPI_INSTALLED', `0x80024322')
+define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
+define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
+define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
+define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
+define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
+define(`FE_READ_SNR', `0x80026f48')
+define(`SONYPI_IOCGBAT1CAP', `0x80027602')
+define(`SONYPI_IOCGBAT1REM', `0x80027603')
+define(`SONYPI_IOCGBAT2CAP', `0x80027604')
+define(`SONYPI_IOCGBAT2REM', `0x80027605')
+define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
+define(`BLKI2OGRSTRAT', `0x80043201')
+define(`BLKI2OGWSTRAT', `0x80043202')
+define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
+define(`CCISS_GETHEARTBEAT', `0x80044206')
+define(`CCISS_GETBUSTYPES', `0x80044207')
+define(`CCISS_GETFIRMVER', `0x80044208')
+define(`CCISS_GETDRIVVER', `0x80044209')
+define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
+define(`CAPI_GET_FLAGS', `0x80044323')
+define(`CAPI_SET_FLAGS', `0x80044324')
+define(`CAPI_CLR_FLAGS', `0x80044325')
+define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
+define(`CAPI_NCCI_GETUNIT', `0x80044327')
+define(`EVIOCGVERSION', `0x80044501')
+define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
+define(`EVIOCGEFFECTS', `0x80044584')
+define(`FBIOGET_CONTRAST', `0x80044601')
+define(`FBIGET_BRIGHTNESS', `0x80044603')
+define(`FBIGET_COLOR', `0x80044605')
+define(`SSTFB_GET_VGAPASS', `0x800446dd')
+define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
+define(`HIDIOCGRDESCSIZE', `0x80044801')
+define(`HIDIOCGVERSION', `0x80044801')
+define(`HIDIOCGFLAG', `0x8004480e')
+define(`HDA_IOCTL_PVERSION', `0x80044810')
+define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
+define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
+define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
+define(`HCIGETDEVLIST', `0x800448d2')
+define(`HCIGETDEVINFO', `0x800448d3')
+define(`HCIGETCONNLIST', `0x800448d4')
+define(`HCIGETCONNINFO', `0x800448d5')
+define(`HCIGETAUTHINFO', `0x800448d7')
+define(`HCIINQUIRY', `0x800448f0')
+define(`ROCCATIOCGREPSIZE', `0x800448f1')
+define(`IMADDTIMER', `0x80044940')
+define(`IMDELTIMER', `0x80044941')
+define(`IMGETVERSION', `0x80044942')
+define(`IMGETCOUNT', `0x80044943')
+define(`IMGETDEVINFO', `0x80044944')
+define(`IMCTRLREQ', `0x80044945')
+define(`IMCLEAR_L2', `0x80044946')
+define(`IMHOLD_L1', `0x80044948')
+define(`MCE_GET_RECORD_LEN', `0x80044d01')
+define(`MCE_GET_LOG_LEN', `0x80044d02')
+define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
+define(`MEMGETREGIONCOUNT', `0x80044d07')
+define(`MFB_GET_PIXFMT', `0x80044d08')
+define(`OTPSELECT', `0x80044d0d')
+define(`OSS_GETVERSION', `0x80044d76')
+define(`UBI_IOCEBISMAP', `0x80044f05')
+define(`SOUND_PCM_READ_RATE', `0x80045002')
+define(`SOUND_PCM_READ_BITS', `0x80045005')
+define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
+define(`SOUND_PCM_READ_FILTER', `0x80045007')
+define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
+define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
+define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
+define(`SNDCTL_DSP_GETODELAY', `0x80045017')
+define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
+define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
+define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
+define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
+define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
+define(`SNDCTL_SEQ_GETTIME', `0x80045113')
+define(`RNDGETENTCNT', `0x80045200')
+define(`SAA6588_CMD_READ', `0x80045203')
+define(`SAA6588_CMD_POLL', `0x80045204')
+define(`RFCOMMGETDEVLIST', `0x800452d2')
+define(`RFCOMMGETDEVINFO', `0x800452d3')
+define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
+define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
+define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
+define(`TIOCGPTN', `0x80045430')
+define(`TIOCGDEV', `0x80045432')
+define(`TIOCGPKT', `0x80045438')
+define(`TIOCGPTLCK', `0x80045439')
+define(`TIOCGEXCL', `0x80045440')
+define(`TUNGETFEATURES', `0x800454cf')
+define(`TUNGETIFF', `0x800454d2')
+define(`TUNGETSNDBUF', `0x800454d3')
+define(`TUNGETVNETHDRSZ', `0x800454d7')
+define(`TUNGETVNETLE', `0x800454dd')
+define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
+define(`USBDEVFS_RESETEP', `0x80045503')
+define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
+define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
+define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
+define(`USBDEVFS_CLEAR_HALT', `0x80045515')
+define(`USBDEVFS_CLAIM_PORT', `0x80045518')
+define(`USBDEVFS_RELEASE_PORT', `0x80045519')
+define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
+define(`UI_GET_VERSION', `0x8004552d')
+define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
+define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
+define(`VIDIOC_G_INPUT', `0x80045626')
+define(`VIDIOC_G_OUTPUT', `0x8004562e')
+define(`VIDIOC_G_PRIORITY', `0x80045643')
+define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
+define(`WDIOC_GETSTATUS', `0x80045701')
+define(`WDIOC_GETBOOTSTATUS', `0x80045702')
+define(`WDIOC_GETTEMP', `0x80045703')
+define(`WDIOC_SETOPTIONS', `0x80045704')
+define(`WDIOC_KEEPALIVE', `0x80045705')
+define(`WDIOC_GETTIMEOUT', `0x80045707')
+define(`WDIOC_GETPRETIMEOUT', `0x80045709')
+define(`WDIOC_GETTIMELEFT', `0x8004570a')
+define(`SONET_GETDIAG', `0x80046114')
+define(`SONET_GETFRAMING', `0x80046116')
+define(`CHIOGPICKER', `0x80046304')
+define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
+define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
+define(`FS_IOC32_GETFLAGS', `0x80046601')
+define(`LIRC_GET_FEATURES', `0x80046900')
+define(`LIRC_GET_SEND_MODE', `0x80046901')
+define(`LIRC_GET_REC_MODE', `0x80046902')
+define(`LIRC_GET_SEND_CARRIER', `0x80046903')
+define(`LIRC_GET_REC_CARRIER', `0x80046904')
+define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
+define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
+define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
+define(`I2OVALIDATE', `0x80046908')
+define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
+define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
+define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
+define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
+define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
+define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
+define(`LIRC_GET_LENGTH', `0x8004690f')
+define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
+define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
+define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
+define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
+define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
+define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
+define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
+define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
+define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
+define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
+define(`I8K_BIOS_VERSION', `0x80046980')
+define(`I8K_MACHINE_ID', `0x80046981')
+define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
+define(`JSIOCGVERSION', `0x80046a01')
+define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
+define(`SPI_IOC_RD_MODE32', `0x80046b05')
+define(`UDF_GETEASIZE', `0x80046c40')
+define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
+define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
+define(`SISFB_GET_INFO_OLD', `0x80046ef8')
+define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
+define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
+define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
+define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
+define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
+define(`FE_READ_STATUS', `0x80046f45')
+define(`FE_READ_BER', `0x80046f46')
+define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
+define(`RTC_VL_READ', `0x80047013')
+define(`PPCLRIRQ', `0x80047093')
+define(`PPGETMODES', `0x80047097')
+define(`PPGETMODE', `0x80047098')
+define(`PPGETPHASE', `0x80047099')
+define(`PPGETFLAGS', `0x8004709a')
+define(`PHONE_DTMF_READY', `0x80047196')
+define(`PHONE_GET_DTMF', `0x80047197')
+define(`PHONE_GET_DTMF_ASCII', `0x80047198')
+define(`PHONE_EXCEPTION', `0x8004719a')
+define(`IXJCTL_CARDTYPE', `0x800471c1')
+define(`IXJCTL_SERIAL', `0x800471c2')
+define(`IXJCTL_DSP_TYPE', `0x800471c3')
+define(`IXJCTL_DSP_VERSION', `0x800471c4')
+define(`IXJCTL_VMWI', `0x800471d8')
+define(`BR_ERROR', `0x80047200')
+define(`BR_ACQUIRE_RESULT', `0x80047204')
+define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
+define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
+define(`PPPIOCGCHAN', `0x80047437')
+define(`PPPIOCGDEBUG', `0x80047441')
+define(`PPPIOCGMRU', `0x80047453')
+define(`PPPIOCGRASYNCMAP', `0x80047455')
+define(`PPPIOCGUNIT', `0x80047456')
+define(`PPPIOCGASYNCMAP', `0x80047458')
+define(`PPPIOCGFLAGS', `0x8004745a')
+define(`PPPIOCGMPFLAGS', `0x80047482')
+define(`FS_IOC32_GETVERSION', `0x80047601')
+define(`MEYEIOC_STILLJCAPT', `0x800476c5')
+define(`OSIOCGNETADDR', `0x800489e1')
+define(`SIOCGNETADDR', `0x800489e1')
+define(`AUTOFS_IOC_PROTOVER', `0x80049363')
+define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
+define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
+define(`GENWQE_GET_CARD_STATE', `0x8004a524')
+define(`KVM_GET_MP_STATE', `0x8004ae98')
+define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
+define(`SISFB_GET_INFO_SIZE', `0x8004f300')
+define(`SISFB_GET_VBRSTATUS', `0x8004f302')
+define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
+define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
+define(`SONET_GETFRSENSE', `0x80066117')
+define(`MEYEIOC_G_PARAMS', `0x800676c0')
+define(`BLKBSZGET', `0x80081270')
+define(`BLKGETSIZE64', `0x80081272')
+define(`PERF_EVENT_IOC_ID', `0x80082407')
+define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
+define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
+define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
+define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
+define(`AGPIOC_INFO', `0x80084100')
+define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
+define(`CCISS_GETPCIINFO', `0x80084201')
+define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
+define(`CCISS_GETINTINFO', `0x80084202')
+define(`PMU_IOC_GET_MODEL', `0x80084203')
+define(`PMU_IOC_HAS_ADB', `0x80084204')
+define(`PMU_IOC_CAN_SLEEP', `0x80084205')
+define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
+define(`EVIOCGID', `0x80084502')
+define(`EVIOCGREP', `0x80084503')
+define(`EVIOCGKEYCODE', `0x80084504')
+define(`FBIO_GETCONTROL2', `0x80084689')
+define(`HIDIOCGRAWINFO', `0x80084803')
+define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
+define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
+define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
+define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
+define(`MFB_GET_AOID', `0x80084d04')
+define(`MEMISLOCKED', `0x80084d17')
+define(`RNDGETPOOL', `0x80085202')
+define(`USBDEVFS_SETINTERFACE', `0x80085504')
+define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
+define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
+define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
+define(`VIDIOC_G_STD', `0x80085617')
+define(`VIDIOC_QUERYSTD', `0x8008563f')
+define(`CM_IOCGSTATUS', `0x80086300')
+define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
+define(`FS_IOC_GETFLAGS', `0x80086601')
+define(`I2OPASSTHRU32', `0x8008690c')
+define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
+define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
+define(`I8K_POWER_STATUS', `0x80086982')
+define(`I8K_FN_STATUS', `0x80086983')
+define(`I8K_GET_TEMP', `0x80086984')
+define(`UDF_GETEABLOCK', `0x80086c41')
+define(`UDF_GETVOLIDENT', `0x80086c42')
+define(`MMTIMER_GETRES', `0x80086d01')
+define(`MMTIMER_GETFREQ', `0x80086d02')
+define(`MTIOCPOS', `0x80086d03')
+define(`MMTIMER_GETCOUNTER', `0x80086d09')
+define(`NILFS_IOCTL_SYNC', `0x80086e8a')
+define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
+define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
+define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
+define(`AUDIO_GET_PTS', `0x80086f13')
+define(`DMX_GET_CAPS', `0x80086f30')
+define(`VIDEO_GET_PTS', `0x80086f39')
+define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
+define(`CA_GET_DESCR_INFO', `0x80086f83')
+define(`RTC_IRQP_READ', `0x8008700b')
+define(`RTC_EPOCH_READ', `0x8008700d')
+define(`PPS_GETPARAMS', `0x800870a1')
+define(`PPS_GETCAP', `0x800870a3')
+define(`PHONE_CAPABILITIES_LIST', `0x80087181')
+define(`IXJCTL_CID', `0x800871d4')
+define(`IXJCTL_VERSION', `0x800871da')
+define(`IXJCTL_FRAMES_READ', `0x800871e2')
+define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
+define(`IXJCTL_READ_WAIT', `0x800871e4')
+define(`IXJCTL_WRITE_WAIT', `0x800871e5')
+define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
+define(`BR_DEAD_BINDER', `0x8008720f')
+define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
+define(`FS_IOC_GETVERSION', `0x80087601')
+define(`BTRFS_IOC_START_SYNC', `0x80089418')
+define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
+define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
+define(`KVM_ALLOCATE_RMA', `0x8008aea9')
+define(`VHOST_GET_FEATURES', `0x8008af00')
+define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
+define(`DMX_GET_PES_PIDS', `0x800a6f2f')
+define(`RAID_VERSION', `0x800c0910')
+define(`CCISS_GETLUNINFO', `0x800c4211')
+define(`OTPLOCK', `0x800c4d10')
+define(`OMAPFB_GET_CAPS', `0x800c4f2a')
+define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
+define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
+define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
+define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
+define(`NCP_IOC_SETROOT', `0x800c6e08')
+define(`VIDEO_GET_SIZE', `0x800c6f37')
+define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
+define(`CA_GET_SLOT_INFO', `0x800c6f82')
+define(`FDGETDRVTYP', `0x8010020f')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
+define(`CCISS_GETNODENAME', `0x80104204')
+define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
+define(`ECCGETSTATS', `0x80104d12')
+define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
+define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
+define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
+define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
+define(`TUNGETFILTER', `0x801054db')
+define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
+define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
+define(`I2OPASSTHRU', `0x8010690c')
+define(`MGSL_IOCGGPIO', `0x80106d11')
+define(`NCP_IOC_NCPREQUEST', `0x80106e01')
+define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
+define(`FE_GET_PROPERTY', `0x80106f53')
+define(`CA_GET_CAP', `0x80106f81')
+define(`OSD_GET_CAPABILITY', `0x80106fa1')
+define(`PPGETTIME', `0x80107095')
+define(`BR_INCREFS', `0x80107207')
+define(`BR_ACQUIRE', `0x80107208')
+define(`BR_RELEASE', `0x80107209')
+define(`BR_DECREFS', `0x8010720a')
+define(`PPPIOCGIDLE', `0x8010743f')
+define(`PPPIOCGIFNAME', `0x80107488')
+define(`GENWQE_READ_REG64', `0x8010a51e')
+define(`GENWQE_READ_REG32', `0x8010a520')
+define(`GENWQE_READ_REG16', `0x8010a522')
+define(`FDGETMAXERRS', `0x8014020e')
+define(`GET_DISK_INFO', `0x80140912')
+define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
+define(`CHIOGPARAMS', `0x80146306')
+define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
+define(`VIDEO_GET_STATUS', `0x80146f1b')
+define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
+define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
+define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
+define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
+define(`IMSETDEVNAME', `0x80184947')
+define(`OMAPFB_MEMORY_READ', `0x80184f3a')
+define(`HPET_INFO', `0x80186803')
+define(`NCP_IOC_SIGN_INIT', `0x80186e05')
+define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
+define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
+define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
+define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
+define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
+define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
+define(`MBXFB_IOCG_ALPHA', `0x8018f401')
+define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
+define(`HIDIOCGDEVINFO', `0x801c4803')
+define(`FDGETPRM', `0x80200204')
+define(`FBIOGET_VBLANK', `0x80204612')
+define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
+define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
+define(`MEMGETINFO', `0x80204d01')
+define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
+define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
+define(`I2OGETIOPS', `0x80206900')
+define(`AUDIO_GET_STATUS', `0x80206f0a')
+define(`VIDEO_GET_EVENT', `0x80206f1c')
+define(`RTC_PLL_GET', `0x80207011')
+define(`PPPIOCGXASYNCMAP', `0x80207450')
+define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
+define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
+define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
+define(`SONET_GETSTAT', `0x80246110')
+define(`SONET_GETSTATZ', `0x80246111')
+define(`JSIOCGCORR', `0x80246a22')
+define(`FE_GET_FRONTEND', `0x80246f4d')
+define(`RTC_ALM_READ', `0x80247008')
+define(`RTC_RD_TIME', `0x80247009')
+define(`FDGETFDCSTAT', `0x80280215')
+define(`FDWERRORGET', `0x80280217')
+define(`EVIOCGKEYCODE_V2', `0x80284504')
+define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
+define(`WDIOC_GETSUPPORT', `0x80285700')
+define(`IPMICTL_SEND_COMMAND', `0x8028690d')
+define(`FE_GET_EVENT', `0x80286f4e')
+define(`RTC_WKALM_RD', `0x80287010')
+define(`IOW_GETINFO', `0x8028c003')
+define(`USBDEVFS_SUBMITURB32', `0x802a550a')
+define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
+define(`TCGETS2', `0x802c542a')
+define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
+define(`VIDIOC_G_FBUF', `0x8030560a')
+define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
+define(`MGSL_IOCGPARAMS', `0x80306d01')
+define(`MTIOCGET', `0x80306d02')
+define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
+define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
+define(`KVM_GET_CLOCK', `0x8030ae7c')
+define(`VIDIOC_G_AUDIO', `0x80345621')
+define(`VIDIOC_G_AUDOUT', `0x80345631')
+define(`USBDEVFS_SUBMITURB', `0x8038550a')
+define(`DRM_IOCTL_AGP_INFO', `0x80386433')
+define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
+define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
+define(`JSIOCGAXMAP', `0x80406a32')
+define(`BR_TRANSACTION', `0x80407202')
+define(`BR_REPLY', `0x80407203')
+define(`PPPIOCGCOMPRESSORS', `0x80407486')
+define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
+define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
+define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
+define(`GET_ARRAY_INFO', `0x80480911')
+define(`PPPIOCGL2TPSTATS', `0x80487436')
+define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
+define(`KVM_SET_PIT', `0x8048ae66')
+define(`GSMIOC_GETCONF', `0x804c4700')
+define(`FDGETDRVSTAT', `0x80500212')
+define(`FDPOLLDRVSTAT', `0x80500213')
+define(`PTP_CLOCK_GETCAPS', `0x80503d01')
+define(`SOUND_MIXER_INFO', `0x805c4d65')
+define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
+define(`VIDIOC_QUERYCAP', `0x80685600')
+define(`I2OEVTGET', `0x8068690b')
+define(`CHIOGVPARAMS', `0x80706313')
+define(`KVM_GET_PIT2', `0x8070ae9f')
+define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
+define(`FDGETDRVPRM', `0x80800211')
+define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
+define(`KVM_GET_DEBUGREGS', `0x8080aea1')
+define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_DQEVENT', `0x80885659')
+define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
+define(`KVM_GET_REGS', `0x8090ae81')
+define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
+define(`FE_GET_INFO', `0x80a86f3d')
+define(`MEMGETOOBSEL', `0x80c84d0a')
+define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
+define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
+define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
+define(`DRM_IOCTL_GET_STATS', `0x80f86406')
+define(`ASHMEM_GET_NAME', `0x81007702')
+define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
+define(`HIDIOCGSTRING', `0x81044804')
+define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
+define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
+define(`CA_GET_MSG', `0x810c6f84')
+define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
+define(`SISFB_GET_INFO', `0x811cf301')
+define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
+define(`KVM_GET_SREGS', `0x8138ae83')
+define(`ECCGETLAYOUT', `0x81484d11')
+define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
+define(`KVM_GET_XCRS', `0x8188aea6')
+define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
+define(`KVM_GET_FPU', `0x81a0ae8c')
+define(`KVM_SET_IRQCHIP', `0x8208ae63')
+define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
+define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
+define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
+define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
+define(`JSIOCGBTNMAP', `0x84006a34')
+define(`BTRFS_IOC_FS_INFO', `0x8400941f')
+define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
+define(`KVM_GET_LAPIC', `0x8400ae8e')
+define(`VIDEO_GET_NAVI', `0x84046f34')
+define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
+define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
+define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
+define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
+define(`GET_BITMAP_FILE', `0x90000915')
+define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
+define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
+define(`KVM_GET_XSAVE', `0x9000aea4')
+define(`HIDIOCGRDESC', `0x90044802')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
+define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
+define(`CAPI_GET_MANUFACTURER', `0xc0044306')
+define(`CAPI_GET_SERIAL', `0xc0044308')
+define(`GIGASET_REDIR', `0xc0044700')
+define(`GIGASET_CONFIG', `0xc0044701')
+define(`ION_IOC_FREE', `0xc0044901')
+define(`SOUND_MIXER_AGC', `0xc0044d67')
+define(`SOUND_MIXER_3DSE', `0xc0044d68')
+define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
+define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
+define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
+define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
+define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
+define(`SNDCTL_DSP_SPEED', `0xc0045002')
+define(`SNDCTL_DSP_STEREO', `0xc0045003')
+define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
+define(`SNDCTL_DSP_SETFMT', `0xc0045005')
+define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
+define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
+define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
+define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
+define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
+define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
+define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
+define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
+define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
+define(`SNDCTL_TMR_TEMPO', `0xc0045405')
+define(`SNDCTL_TMR_SOURCE', `0xc0045406')
+define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
+define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
+define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
+define(`VIDIOC_S_INPUT', `0xc0045627')
+define(`VIDIOC_S_OUTPUT', `0xc004562f')
+define(`WDIOC_SETTIMEOUT', `0xc0045706')
+define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
+define(`FIFREEZE', `0xc0045877')
+define(`FITHAW', `0xc0045878')
+define(`SONET_SETDIAG', `0xc0046112')
+define(`SONET_CLRDIAG', `0xc0046113')
+define(`BINDER_VERSION', `0xc0046209')
+define(`DRM_IOCTL_BLOCK', `0xc0046412')
+define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
+define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
+define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
+define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
+define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
+define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
+define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
+define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
+define(`MGSL_IOCWAITEVENT', `0xc0046d08')
+define(`PPPIOCNEWUNIT', `0xc004743e')
+define(`TOSH_SMM', `0xc0047490')
+define(`MEYEIOC_SYNC', `0xc00476c3')
+define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
+define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
+define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
+define(`NET_ADD_IF', `0xc0066f34')
+define(`NET_GET_IF', `0xc0066f36')
+define(`AGPIOC_ALLOCATE', `0xc0084106')
+define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
+define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
+define(`ION_IOC_MAP', `0xc0084902')
+define(`ION_IOC_SHARE', `0xc0084904')
+define(`ION_IOC_IMPORT', `0xc0084905')
+define(`ION_IOC_SYNC', `0xc0084907')
+define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
+define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
+define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
+define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
+define(`VIDIOC_G_CTRL', `0xc008561b')
+define(`VIDIOC_S_CTRL', `0xc008561c')
+define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
+define(`CM_IOCGATR', `0xc0086301')
+define(`CIOC_KERNEL_VERSION', `0xc008630a')
+define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
+define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
+define(`DRM_IOCTL_RM_CTX', `0xc0086421')
+define(`DRM_IOCTL_GET_CTX', `0xc0086423')
+define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
+define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
+define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
+define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
+define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
+define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
+define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
+define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
+define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
+define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
+define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
+define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
+define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
+define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
+define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
+define(`I8K_GET_SPEED', `0xc0086985')
+define(`I8K_GET_FAN', `0xc0086986')
+define(`I8K_SET_FAN', `0xc0086987')
+define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
+define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
+define(`PHN_GET_REG', `0xc0087000')
+define(`PHN_GET_REGS', `0xc0087002')
+define(`PHN_GETREG', `0xc0087005')
+define(`PPS_FETCH', `0xc00870a4')
+define(`PHONE_QUERY_CODEC', `0xc00871a7')
+define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
+define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
+define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
+define(`PPPIOCGNPMODE', `0xc008744c')
+define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
+define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
+define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
+define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
+define(`KVM_GET_MSRS', `0xc008ae88')
+define(`KVM_GET_CPUID2', `0xc008ae91')
+define(`KVM_GET_REG_LIST', `0xc008aeb0')
+define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
+define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
+define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
+define(`VHOST_GET_VRING_BASE', `0xc008af12')
+define(`HIDIOCGREPORTINFO', `0xc00c4809')
+define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
+define(`USBDEVFS_IOCTL32', `0xc00c5512')
+define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
+define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
+define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
+define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
+define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
+define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
+define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
+define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
+define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
+define(`KVM_CREATE_DEVICE', `0xc00caee0')
+define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
+define(`MBXFB_IOCX_REG', `0xc00cf405')
+define(`CAPI_GET_VERSION', `0xc0104307')
+define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
+define(`GIGASET_VERSION', `0xc0104703')
+define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
+define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
+define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
+define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
+define(`ION_IOC_CUSTOM', `0xc0104906')
+define(`MEMWRITEOOB', `0xc0104d03')
+define(`MEMREADOOB', `0xc0104d04')
+define(`MEMGETREGIONINFO', `0xc0104d08')
+define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
+define(`USBDEVFS_CONTROL32', `0xc0105500')
+define(`USBDEVFS_BULK32', `0xc0105502')
+define(`USBDEVFS_IOCTL', `0xc0105512')
+define(`NS_GETPSTAT', `0xc0106161')
+define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
+define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
+define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
+define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
+define(`DRM_IOCTL_GET_CAP', `0xc010640c')
+define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
+define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
+define(`DRM_IOCTL_RES_CTX', `0xc0106426')
+define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
+define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
+define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
+define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
+define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
+define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
+define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
+define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
+define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
+define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
+define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
+define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
+define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
+define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
+define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
+define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
+define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
+define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
+define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
+define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
+define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
+define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
+define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
+define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
+define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
+define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
+define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
+define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
+define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
+define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
+define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
+define(`MGSL_IOCWAITGPIO', `0xc0106d12')
+define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
+define(`DMX_GET_STC', `0xc0106f32')
+define(`UVCIOC_CTRL_QUERY', `0xc0107521')
+define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
+define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
+define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
+define(`SNDCTL_COPR_RDATA', `0xc0144302')
+define(`SNDCTL_COPR_RCODE', `0xc0144303')
+define(`SNDCTL_COPR_RUN', `0xc0144306')
+define(`SNDCTL_COPR_HALT', `0xc0144307')
+define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
+define(`VIDIOC_REQBUFS', `0xc0145608')
+define(`VIDIOC_G_CROP', `0xc014563b')
+define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
+define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
+define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
+define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
+define(`HIDIOCGUSAGE', `0xc018480b')
+define(`HIDIOCGUCODE', `0xc018480d')
+define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
+define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
+define(`MEMWRITEOOB64', `0xc0184d15')
+define(`MEMREADOOB64', `0xc0184d16')
+define(`USBDEVFS_CONTROL', `0xc0185500')
+define(`USBDEVFS_BULK', `0xc0185502')
+define(`PACKET_CTRL_CMD', `0xc0185801')
+define(`FITRIM', `0xc0185879')
+define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
+define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
+define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
+define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
+define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
+define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
+define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
+define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
+define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
+define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
+define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
+define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
+define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
+define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
+define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
+define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
+define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
+define(`I2OHRTGET', `0xc0186901')
+define(`I2OLCTGET', `0xc0186902')
+define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
+define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
+define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
+define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
+define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
+define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
+define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
+define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
+define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
+define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
+define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
+define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
+define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
+define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
+define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
+define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
+define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
+define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
+define(`KVM_TRANSLATE', `0xc018ae85')
+define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
+define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
+define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
+define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
+define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
+define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
+define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
+define(`ION_IOC_ALLOC', `0xc0204900')
+define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
+define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
+define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
+define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
+define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
+define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
+define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
+define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
+define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
+define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
+define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
+define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
+define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
+define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
+define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
+define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
+define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
+define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
+define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
+define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
+define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
+define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
+define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
+define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
+define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`GENWQE_PIN_MEM', `0xc020a528')
+define(`GENWQE_UNPIN_MEM', `0xc020a529')
+define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
+define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
+define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
+define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
+define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
+define(`SYNC_IOC_MERGE', `0xc0283e01')
+define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
+define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
+define(`VIDIOC_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
+define(`VIDIOC_S_EDID', `0xc0285629')
+define(`VIDIOC_ENCODER_CMD', `0xc028564d')
+define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
+define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
+define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
+define(`DRM_IOCTL_GET_MAP', `0xc0286404')
+define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
+define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
+define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
+define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
+define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
+define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
+define(`I2OPARMSET', `0xc0286903')
+define(`I2OPARMGET', `0xc0286904')
+define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
+define(`PHN_GETREGS', `0xc0287007')
+define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
+define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
+define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
+define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
+define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
+define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
+define(`VIDIOC_QUERYMENU', `0xc02c5625')
+define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
+define(`VIDIOC_CROPCAP', `0xc02c563a')
+define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
+define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
+define(`MEMWRITE', `0xc0304d18')
+define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
+define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
+define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
+define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
+define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
+define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
+define(`BINDER_WRITE_READ', `0xc0306201')
+define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
+define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
+define(`I2OSWDL', `0xc0306905')
+define(`I2OSWUL', `0xc0306906')
+define(`I2OSWDEL', `0xc0306907')
+define(`I2OHTML', `0xc0306909')
+define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
+define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
+define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
+define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
+define(`VIDIOC_ENUMAUDIO', `0xc0345641')
+define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
+define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
+define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
+define(`HIDIOCGFIELDINFO', `0xc038480a')
+define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
+define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
+define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
+define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
+define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
+define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
+define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
+define(`GENWQE_SLU_UPDATE', `0xc038a550')
+define(`GENWQE_SLU_READ', `0xc038a551')
+define(`CAPI_GET_PROFILE', `0xc0404309')
+define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
+define(`VIDIOC_ENUM_FMT', `0xc0405602')
+define(`VIDIOC_EXPBUF', `0xc0405610')
+define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
+define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
+define(`VIDIOC_G_SELECTION', `0xc040565e')
+define(`VIDIOC_S_SELECTION', `0xc040565f')
+define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
+define(`DRM_IOCTL_VERSION', `0xc0406400')
+define(`DRM_IOCTL_DMA', `0xc0406429')
+define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
+define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
+define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
+define(`VIDIOC_QUERYCTRL', `0xc0445624')
+define(`VIDIOC_G_MODULATOR', `0xc0445636')
+define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
+define(`BLKTRACESETUP', `0xc0481273')
+define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
+define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
+define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
+define(`VIDIOC_ENUMSTD', `0xc0485619')
+define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
+define(`VIDIOC_DECODER_CMD', `0xc0485660')
+define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
+define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
+define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
+define(`VIDEO_COMMAND', `0xc0486f3b')
+define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
+define(`KVM_GET_PIT', `0xc048ae65')
+define(`MMC_IOC_CMD', `0xc048b300')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
+define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
+define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
+define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
+define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
+define(`VIDIOC_ENUMINPUT', `0xc050561a')
+define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
+define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
+define(`VIDIOC_G_TUNER', `0xc054561d')
+define(`SISFB_COMMAND', `0xc054f305')
+define(`CCISS_PASSTHRU', `0xc058420b')
+define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
+define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
+define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
+define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
+define(`VIDIOC_QUERYBUF', `0xc0585609')
+define(`VIDIOC_QBUF', `0xc058560f')
+define(`VIDIOC_DQBUF', `0xc0585611')
+define(`VIDIOC_PREPARE_BUF', `0xc058565d')
+define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
+define(`PTP_PIN_GETFUNC', `0xc0603d06')
+define(`CCISS_BIG_PASSTHRU', `0xc0604212')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
+define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
+define(`UVCIOC_CTRL_MAP', `0xc0607520')
+define(`FBIO_CURSOR', `0xc0684608')
+define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
+define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
+define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
+define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
+define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
+define(`SNDCTL_MIDI_INFO', `0xc074510c')
+define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
+define(`SOUND_MIXER_ACCESS', `0xc0804d66')
+define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
+define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
+define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
+define(`PPPIOCGCALLINFO', `0xc0887480')
+define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
+define(`SNDCTL_SYNTH_ID', `0xc08c5114')
+define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
+define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
+define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
+define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
+define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
+define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
+define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
+define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
+define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
+define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
+define(`VIDIOC_G_PARM', `0xc0cc5615')
+define(`VIDIOC_S_PARM', `0xc0cc5616')
+define(`VIDIOC_G_FMT', `0xc0d05604')
+define(`VIDIOC_S_FMT', `0xc0d05605')
+define(`VIDIOC_TRY_FMT', `0xc0d05640')
+define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
+define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
+define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
+define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
+define(`VIDIOC_CREATE_BUFS', `0xc100565c')
+define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
+define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
+define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
+define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
+define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
+define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
+define(`DM_VERSION', `0xc138fd00')
+define(`DM_REMOVE_ALL', `0xc138fd01')
+define(`DM_LIST_DEVICES', `0xc138fd02')
+define(`DM_DEV_CREATE', `0xc138fd03')
+define(`DM_DEV_REMOVE', `0xc138fd04')
+define(`DM_DEV_RENAME', `0xc138fd05')
+define(`DM_DEV_SUSPEND', `0xc138fd06')
+define(`DM_DEV_STATUS', `0xc138fd07')
+define(`DM_DEV_WAIT', `0xc138fd08')
+define(`DM_TABLE_LOAD', `0xc138fd09')
+define(`DM_TABLE_CLEAR', `0xc138fd0a')
+define(`DM_TABLE_DEPS', `0xc138fd0b')
+define(`DM_TABLE_STATUS', `0xc138fd0c')
+define(`DM_LIST_VERSIONS', `0xc138fd0d')
+define(`DM_TARGET_MSG', `0xc138fd0e')
+define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
+define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
+define(`KVM_GET_IRQCHIP', `0xc208ae62')
+define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
+define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
+define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
+define(`BTRFS_IOC_SCRUB', `0xc400941b')
+define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
+define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
+define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
+define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
+define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
+define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
+define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
+define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
+define(`SNDCTL_COPR_LOAD', `0xcfb04301')
+define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
+define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
+define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
+define(`HIDIOCGUSAGES', `0xd01c4813')
+define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
+define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
+define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
diff --git a/ioctl_macros b/ioctl_macros
index e71e0ce..858bd78 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -1,11 +1,48 @@
# socket ioctls allowed to unprivileged apps
define(`unpriv_sock_ioctls', `
{
-# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
-0x8900-0x8926 0x8928-0x89ff
-# all wireless extensions ioctls except get/set essid
-# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
-0x8B00-0x8B09 0x8B1C-0x8BFF
-# commonly used TTY ioctls
-0x5411 0x5451
+# Socket ioctls for gathering information about the interface
+SIOCGSTAMP SIOCGSTAMPNS
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
+SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
+# Wireless extension ioctls. Primarily get functions.
+SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
+SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
+SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
}')
+
+# socket ioctls never allowed to unprivileged apps
+define(`priv_sock_ioctls', `
+{
+# qualcomm rmnet ioctls
+WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
+# socket ioctls
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
+SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
+SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
+SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCGIFBR SIOCSIFBR
+SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
+SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
+SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
+SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
+SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
+# device and protocol specific ioctls
+SIOCDEVPRIVATE-SIOCDEVPRIVLAST
+SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
+# Wireless extension ioctls
+SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
+SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
+SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
+SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
+SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
+# Dev private ioctl i.e. hardware specific ioctls
+SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
+}')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
+
+# commonly used TTY ioctls
+define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
diff --git a/isolated_app.te b/isolated_app.te
index 124fde9..53dfbc4 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -17,6 +17,7 @@
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
@@ -46,12 +47,13 @@
neverallow isolated_app anr_data_file:dir ~search;
# b/17487348
-# Isolated apps can only access two services,
-# activity_service and display_service
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
neverallow isolated_app {
service_manager_type
-activity_service
-display_service
+ -webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
@@ -60,3 +62,17 @@
# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow isolated_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
diff --git a/kernel.te b/kernel.te
index adab085..bcd0935 100644
--- a/kernel.te
+++ b/kernel.te
@@ -70,6 +70,12 @@
domain_auto_trans(kernel, init_exec, init)
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
###
### neverallow rules
###
diff --git a/lmkd.te b/lmkd.te
index ee731c5..5302bcd 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -16,6 +16,8 @@
## TODO: maybe scope this down?
r_dir_file(lmkd, appdomain)
allow lmkd appdomain:file write;
+r_dir_file(lmkd, autoplay_app)
+allow lmkd autoplay_app:file write;
r_dir_file(lmkd, system_server)
allow lmkd system_server:file write;
diff --git a/mediacodec.te b/mediacodec.te
new file mode 100644
index 0000000..3d3625a
--- /dev/null
+++ b/mediacodec.te
@@ -0,0 +1,30 @@
+# mediacodec - audio and video codecs live here
+type mediacodec, domain;
+type mediacodec_exec, exec_type, file_type;
+
+typeattribute mediacodec mlstrustedsubject;
+
+init_daemon_domain(mediacodec)
+
+binder_use(mediacodec)
+binder_call(mediacodec, binderservicedomain)
+binder_call(mediacodec, appdomain)
+binder_service(mediacodec)
+
+allow mediacodec mediacodec_service:service_manager add;
+allow mediacodec surfaceflinger_service:service_manager find;
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir search;
+allow mediacodec ion_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# mediacodec should never execute any executable without a
+# domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# mediacodec should never need network access. Disallow network sockets.
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/mediadrmserver.te b/mediadrmserver.te
new file mode 100644
index 0000000..cfa4b28
--- /dev/null
+++ b/mediadrmserver.te
@@ -0,0 +1,66 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+init_daemon_domain(mediadrmserver)
+
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+
+# Required by Widevine DRM (b/22990512)
+allow mediadrmserver self:process execmem;
+
+# System file accesses.
+allow mediadrmserver system_file:dir r_dir_perms;
+allow mediadrmserver system_file:file r_file_perms;
+allow mediadrmserver system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data.
+allow mediadrmserver system_data_file:dir { search getattr };
+allow mediadrmserver system_data_file:file { getattr read };
+allow mediadrmserver system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(mediadrmserver, cgroup)
+allow mediadrmserver cgroup:dir { search write };
+allow mediadrmserver cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow mediadrmserver ion_device:chr_file rw_file_perms;
+
+# Allow access to app_data and media_data_files
+allow mediadrmserver media_data_file:dir create_dir_perms;
+allow mediadrmserver media_data_file:file create_file_perms;
+allow mediadrmserver media_data_file:file { getattr read };
+
+allow mediadrmserver tee_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow mediadrmserver sysfs:file r_file_perms;
+
+# Connect to tee service.
+allow mediadrmserver tee:unix_stream_socket connectto;
+
+allow mediadrmserver mediadrmserver_service:service_manager { add find };
+allow mediadrmserver mediaserver_service:service_manager { add find };
+allow mediadrmserver processinfo_service:service_manager find;
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/mediaextractor.te b/mediaextractor.te
new file mode 100644
index 0000000..3ebb5b7
--- /dev/null
+++ b/mediaextractor.te
@@ -0,0 +1,25 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain, domain_deprecated;
+type mediaextractor_exec, exec_type, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+init_daemon_domain(mediaextractor)
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+allow mediaextractor mediaextractor_service:service_manager add;
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# mediaextractor should never need network access. Disallow network sockets.
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/mediaserver.te b/mediaserver.te
index 7e20002..5fbaa30 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -15,15 +15,16 @@
# open /vendor/lib/mediadrm
allow mediaserver system_file:dir r_dir_perms;
+userdebug_or_eng(`
+ # ptrace to processes in the same domain for memory leak detection
+ allow mediaserver self:process ptrace;
+')
+
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
+binder_call(mediaserver, { appdomain autoplay_app })
binder_service(mediaserver)
-# Required by Widevine DRM (b/22990512)
-allow mediaserver self:process execmem;
-
-allow mediaserver kernel:system module_request;
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver app_data_file:dir search;
@@ -32,40 +33,30 @@
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
-allow mediaserver audio_device:dir r_dir_perms;
-allow mediaserver tee_device:chr_file rw_file_perms;
set_prop(mediaserver, audio_prop)
-# Access audio devices at all.
-allow mediaserver audio_device:chr_file rw_file_perms;
-
# XXX Label with a specific type?
allow mediaserver sysfs:file r_file_perms;
# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };
# Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
+allow mediaserver { appdomain autoplay_app }:fifo_file { getattr read write };
allow mediaserver rpmsg_device:chr_file rw_file_perms;
# Inter System processes communicate over named pipe (FIFO)
allow mediaserver system_server:fifo_file r_file_perms;
-# Camera data
-r_dir_file(mediaserver, camera_data_file)
r_dir_file(mediaserver, media_rw_data_file)
-# Grant access to audio files to mediaserver
-allow mediaserver audio_data_file:dir ra_dir_perms;
-allow mediaserver audio_data_file:file create_file_perms;
-
# Grant access to read files on appfuse.
allow mediaserver app_fuse_file:file { read getattr };
@@ -89,10 +80,14 @@
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
-allow mediaserver cameraproxy_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediacodec_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
@@ -115,6 +110,19 @@
pread
};
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
+# Access to /data/preloads
+allow mediaserver preloads_data_file:file { getattr read ioctl };
+
###
### neverallow rules
###
@@ -122,3 +130,6 @@
# mediaserver should never execute any executable without a
# domain transition
neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/net.te b/net.te
index 6aa12f2..4616eb1 100644
--- a/net.te
+++ b/net.te
@@ -13,7 +13,7 @@
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/netd.te b/netd.te
index d6c715c..9b44e4b 100644
--- a/netd.te
+++ b/netd.te
@@ -32,14 +32,8 @@
# XXX Split into its own type.
allow netd sysfs:file write;
-# Set dhcp lease for PAN connection
-set_prop(netd, dhcp_prop)
-set_prop(netd, system_prop)
-auditallow netd system_prop:property_service set;
-
-# Connect to PAN
-domain_auto_trans(netd, dhcp_exec, dhcp)
-allow netd dhcp:process signal;
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
@@ -66,10 +60,23 @@
set_prop(netd, ctl_mdnsd_prop)
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+allow netd netd_service:service_manager add;
+allow netd dumpstate:fifo_file { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects DNS query metrics.
+allow netd dns_listener_service:service_manager find;
+
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;
+
###
### Neverallow rules
###
@@ -86,3 +93,8 @@
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server and dumpstate may interact with netd over binder
+neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } netd:binder call;
+neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/nfc.te b/nfc.te
index 85572e2..5b7f4b9 100644
--- a/nfc.te
+++ b/nfc.te
@@ -17,8 +17,15 @@
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write;
-allow nfc drmserver_service:service_manager find;
+# TODO: added to match above sysfs rule. Remove me?
+allow nfc sysfs_usb:file write;
+
+# SoundPool loading and playback
allow nfc mediaserver_service:service_manager find;
+allow nfc audioserver_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
+allow nfc mediacodec_service:service_manager find;
+
allow nfc nfc_service:service_manager { add find };
allow nfc radio_service:service_manager find;
allow nfc surfaceflinger_service:service_manager find;
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
new file mode 100644
index 0000000..b3f8807
--- /dev/null
+++ b/otapreopt_chroot.te
@@ -0,0 +1,14 @@
+# otapreopt_chroot executable
+type otapreopt_chroot, domain;
+type otapreopt_chroot_exec, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:capability { sys_admin sys_chroot };
+
+# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+
+# Allow otapreopt to use file descriptors from installd.
+allow otapreopt_chroot installd:fd use;
diff --git a/platform_app.te b/platform_app.te
index 0381288..0d3bdba 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -11,6 +11,7 @@
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
+allow platform_app icon_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
@@ -38,10 +39,19 @@
allow platform_app vfat:dir create_dir_perms;
allow platform_app vfat:file create_file_perms;
+allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
+allow platform_app mediacodec_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
+allow platform_app vr_manager_service:service_manager find;
+
+# Access to /data/preloads
+allow platform_app preloads_data_file:file r_file_perms;
+allow platform_app preloads_data_file:dir r_dir_perms;
diff --git a/postinstall.te b/postinstall.te
index dd89886..7fd4dc6 100644
--- a/postinstall.te
+++ b/postinstall.te
@@ -19,6 +19,17 @@
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
new file mode 100644
index 0000000..dbc76df
--- /dev/null
+++ b/postinstall_dexopt.te
@@ -0,0 +1,57 @@
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain;
+
+# init_daemon_domain(otapreopt)
+allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+
+allow postinstall_dexopt postinstall_file:dir getattr;
+allow postinstall_dexopt proc:file { getattr open read };
+allow postinstall_dexopt tmpfs:file read;
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+allow postinstall_dexopt selinuxfs:dir r_dir_perms;
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+
+# installd wants to know about our child.
+allow postinstall_dexopt installd:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
diff --git a/priv_app.te b/priv_app.te
index 9146263..d380a67 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -8,6 +8,9 @@
# Access bluetooth.
bluetooth_domain(priv_app)
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow priv_app self:process ptrace;
+
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow priv_app app_data_file:file rx_file_perms;
@@ -19,7 +22,12 @@
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)
+allow priv_app audioserver_service:service_manager find;
+allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
+allow priv_app mediacodec_service:service_manager find;
+allow priv_app mediadrmserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app radio_service:service_manager find;
@@ -61,9 +69,8 @@
allow priv_app perfprofd_data_file:dir r_dir_perms;
')
-# Allow GMS core to stat files and executables on
-# the system partition
-allow priv_app exec_type:file getattr;
+# Allow GMS core to scan executables on the system partition
+allow priv_app exec_type:file { getattr read open };
# For AppFuse.
allow priv_app vold:fd use;
@@ -75,10 +82,20 @@
allow priv_app sysfs_zram:dir search;
allow priv_app sysfs_zram:file r_file_perms;
+# access the mac address
+allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
+
# Allow GMS core to communicate with update_engine for A/B update.
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;
+# Allow Phone to read/write cached ringtones (opened by system).
+allow priv_app ringtone_file:file { getattr read write };
+
+# Access to /data/preloads
+allow priv_app preloads_data_file:file r_file_perms;
+allow priv_app preloads_data_file:dir r_dir_perms;
+
###
### neverallow rules
###
diff --git a/profman.te b/profman.te
new file mode 100644
index 0000000..fa3df94
--- /dev/null
+++ b/profman.te
@@ -0,0 +1,17 @@
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { getattr read write lock };
+
+# Dumping profile info opens the application APK file for pretty printing.
+allow profman asec_apk_file:file { read };
+allow profman apk_data_file:file { read };
+allow profman oemfs:file { read };
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+allow profman tmpfs:file { read };
+allow profman profman_dump_data_file:file { write };
+
+allow profman installd:fd use;
+
+neverallow profman app_data_file:notdevfile_class_set open;
diff --git a/property.te b/property.te
index 6d3ba4f..5075e29 100644
--- a/property.te
+++ b/property.te
@@ -12,9 +12,9 @@
type system_radio_prop, property_type, core_property_type;
type system_prop, property_type, core_property_type;
type vold_prop, property_type, core_property_type;
+type wifi_log_prop, property_type, log_property_type;
type ctl_bootanim_prop, property_type;
type ctl_default_prop, property_type;
-type ctl_dhcp_pan_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
type ctl_mdnsd_prop, property_type;
@@ -22,6 +22,8 @@
type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
type audio_prop, property_type, core_property_type;
+type log_prop, property_type, log_property_type;
+type log_tag_prop, property_type, log_property_type;
type logd_prop, property_type, core_property_type;
type logpersistd_logging_prop, property_type;
type mmc_prop, property_type;
diff --git a/property_contexts b/property_contexts
index bbfea8a..cd4068e 100644
--- a/property_contexts
+++ b/property_contexts
@@ -32,7 +32,9 @@
debug. u:object_r:debug_prop:s0
debug.db. u:object_r:debuggerd_prop:s0
dumpstate. u:object_r:dumpstate_prop:s0
-log. u:object_r:shell_prop:s0
+log. u:object_r:log_prop:s0
+log.tag u:object_r:log_tag_prop:s0
+log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
@@ -44,10 +46,11 @@
persist.logd.security u:object_r:device_logging_prop:s0
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
logd.logpersistd u:object_r:logpersistd_logging_prop:s0
-persist.log.tag u:object_r:logd_prop:s0
+persist.log.tag u:object_r:log_tag_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
+ro.sys.safemode u:object_r:safemode_prop:s0
persist.sys.audit_safemode u:object_r:safemode_prop:s0
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
@@ -79,7 +82,6 @@
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
ctl.bugreport u:object_r:ctl_bugreport_prop:s0
-ctl.dhcpcd_bt-pan u:object_r:ctl_dhcp_pan_prop:s0
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
diff --git a/radio.te b/radio.te
index 448fdb5..591c3bc 100644
--- a/radio.te
+++ b/radio.te
@@ -27,8 +27,11 @@
# ctl interface
set_prop(radio, ctl_rildaemon_prop)
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
allow radio radio_service:service_manager { add find };
allow radio surfaceflinger_service:service_manager find;
allow radio app_api_service:service_manager find;
diff --git a/seapp_contexts b/seapp_contexts
index d8d2240..5d5ad75 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -1,5 +1,6 @@
# Input selectors:
# isSystemServer (boolean)
+# isAutoPlayApp (boolean)
# isOwner (boolean)
# user (string)
# seinfo (string)
@@ -8,6 +9,7 @@
# isPrivApp (boolean)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
+# isAutoPlayApp=true will match apps marked by PackageManager as AutoPlay
# isOwner=true will only match for the owner/primary user.
# isOwner=false will only match for secondary users.
# If unspecified, the entry can match either case.
@@ -22,15 +24,16 @@
#
# Precedence rules:
# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified isOwner= before unspecified isOwner= boolean.
-# (3) Specified user= string before unspecified user= string.
-# (4) Fixed user= string before user= prefix (i.e. ending in *).
-# (5) Longer user= prefix before shorter user= prefix.
-# (6) Specified seinfo= string before unspecified seinfo= string.
+# (2) Specified isAutoPlayApp= before unspecified isAutoPlayApp= boolean.
+# (3) Specified isOwner= before unspecified isOwner= boolean.
+# (4) Specified user= string before unspecified user= string.
+# (5) Fixed user= string before user= prefix (i.e. ending in *).
+# (6) Longer user= prefix before shorter user= prefix.
+# (7) Specified seinfo= string before unspecified seinfo= string.
# ':' character is reserved and may not be used.
-# (7) Specified name= string before unspecified name= string.
-# (8) Specified path= string before unspecified path= string.
-# (9) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (8) Specified name= string before unspecified name= string.
+# (9) Specified path= string before unspecified path= string.
+# (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
#
# Outputs:
# domain (string)
@@ -79,6 +82,9 @@
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
+# AutoPlay Apps must run in the autoplay_app domain
+neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*
+
isSystemServer=true domain=system_server
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
@@ -88,5 +94,6 @@
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user
diff --git a/service.te b/service.te
index fb5b9f4..6b5838c 100644
--- a/service.te
+++ b/service.te
@@ -1,12 +1,19 @@
+type audioserver_service, service_manager_type;
type bluetooth_service, service_manager_type;
+type cameraserver_service, service_manager_type;
type default_android_service, service_manager_type;
type drmserver_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type fingerprintd_service, service_manager_type;
type batteryproperties_service, app_api_service, service_manager_type;
+type gpu_service, service_manager_type;
type inputflinger_service, service_manager_type;
type keystore_service, service_manager_type;
type mediaserver_service, service_manager_type;
+type mediaextractor_service, service_manager_type;
+type mediacodec_service, service_manager_type;
+type mediadrmserver_service, service_manager_type;
+type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
@@ -28,7 +35,8 @@
type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, system_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service, system_server_service, service_manager_type;
+type IProxyService_service, app_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
@@ -41,6 +49,7 @@
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, system_server_service, service_manager_type;
+type dns_listener_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, system_server_service, service_manager_type;
@@ -49,6 +58,7 @@
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
+type hardware_properties_service, app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, system_server_service, service_manager_type;
@@ -67,10 +77,13 @@
type netstats_service, app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, system_server_service, service_manager_type;
+type otadexopt_service, system_server_service, service_manager_type;
type package_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
type power_service, app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
@@ -85,6 +98,7 @@
type sensorservice_service, app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, system_server_service, service_manager_type;
@@ -98,6 +112,7 @@
type user_service, app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 0e77818..0ddbdc1 100644
--- a/service_contexts
+++ b/service_contexts
@@ -24,6 +24,7 @@
connectivity u:object_r:connectivity_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
+contexthub_service u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
cpuinfo u:object_r:cpuinfo_service:s0
dbinfo u:object_r:dbinfo_service:s0
@@ -33,6 +34,7 @@
diskstats u:object_r:diskstats_service:s0
display.qservice u:object_r:surfaceflinger_service:s0
display u:object_r:display_service:s0
+dns_listener u:object_r:dns_listener_service:s0
DockObserver u:object_r:DockObserver_service:s0
dreams u:object_r:dreams_service:s0
drm.drmManager u:object_r:drmserver_service:s0
@@ -42,7 +44,9 @@
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
+gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
+hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
@@ -60,27 +64,34 @@
launcherapps u:object_r:launcherapps_service:s0
location u:object_r:location_service:s0
lock_settings u:object_r:lock_settings_service:s0
-media.audio_flinger u:object_r:mediaserver_service:s0
-media.audio_policy u:object_r:mediaserver_service:s0
-media.camera u:object_r:mediaserver_service:s0
+media.audio_flinger u:object_r:audioserver_service:s0
+media.audio_policy u:object_r:audioserver_service:s0
+media.camera u:object_r:cameraserver_service:s0
media.camera.proxy u:object_r:cameraproxy_service:s0
-media.log u:object_r:mediaserver_service:s0
+media.log u:object_r:audioserver_service:s0
media.player u:object_r:mediaserver_service:s0
+media.extractor u:object_r:mediaextractor_service:s0
+media.codec u:object_r:mediacodec_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
-media.radio u:object_r:mediaserver_service:s0
-media.sound_trigger_hw u:object_r:mediaserver_service:s0
+media.radio u:object_r:audioserver_service:s0
+media.sound_trigger_hw u:object_r:audioserver_service:s0
+media.drm u:object_r:mediadrmserver_service:s0
media_projection u:object_r:media_projection_service:s0
+media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
media_session u:object_r:media_session_service:s0
meminfo u:object_r:meminfo_service:s0
midi u:object_r:midi_service:s0
mount u:object_r:mount_service:s0
+netd u:object_r:netd_service:s0
netpolicy u:object_r:netpolicy_service:s0
netstats u:object_r:netstats_service:s0
network_management u:object_r:network_management_service:s0
network_score u:object_r:network_score_service:s0
+network_time_update_service u:object_r:network_time_update_service:s0
nfc u:object_r:nfc_service:s0
notification u:object_r:notification_service:s0
+otadexopt u:object_r:otadexopt_service:s0
package u:object_r:package_service:s0
permission u:object_r:permission_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
@@ -88,6 +99,7 @@
phone1 u:object_r:radio_service:s0
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
+pinner u:object_r:pinner_service:s0
power u:object_r:power_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
@@ -104,10 +116,12 @@
sensorservice u:object_r:sensorservice_service:s0
serial u:object_r:serial_service:s0
servicediscovery u:object_r:servicediscovery_service:s0
+shortcut u:object_r:shortcut_service:s0
simphonebook_msim u:object_r:radio_service:s0
simphonebook2 u:object_r:radio_service:s0
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
+soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:task_service:s0
@@ -123,6 +137,7 @@
user u:object_r:user_service:s0
vibrator u:object_r:vibrator_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
+vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
diff --git a/shell.te b/shell.te
index b7b4e03..a31b153 100644
--- a/shell.te
+++ b/shell.te
@@ -34,6 +34,10 @@
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { search getattr write remove_name };
+allow shell profman_dump_data_file:file { getattr unlink };
+
# Read/execute files in /data/nativetest
userdebug_or_eng(`
allow shell nativetest_data_file:dir r_dir_perms;
@@ -63,6 +67,9 @@
set_prop(shell, dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+userdebug_or_eng(`set_prop(shell, log_prop)')
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
# systrace support - allow atrace to run
@@ -84,7 +91,7 @@
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
@@ -128,6 +135,12 @@
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow shell media_rw_data_file:dir create_dir_perms;
+allow shell media_rw_data_file:file create_file_perms;
+
#
# filesystem test for insecure chr_file's is done
# via a host side test
@@ -156,6 +169,9 @@
# capability.
neverallow shell file_type:file link;
+# Do not allow privileged socket ioctl commands
+neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
diff --git a/surfaceflinger.te b/surfaceflinger.te
index fbe1dd0..38f1dad 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -8,7 +8,7 @@
# Perform Binder IPC.
binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, { appdomain autoplay_app })
binder_call(surfaceflinger, bootanim)
binder_service(surfaceflinger)
@@ -17,7 +17,7 @@
# Read /proc/pid files for Binder clients.
r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
+r_dir_file(surfaceflinger, { appdomain autoplay_app })
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -38,6 +38,7 @@
set_prop(surfaceflinger, ctl_bootanim_prop)
# Use open files supplied by an app.
+allow surfaceflinger { appdomain autoplay_app }:fd use;
allow surfaceflinger app_data_file:file { read write };
# Allow a dumpstate triggered screenshot
@@ -55,6 +56,7 @@
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger gpu_service:service_manager { add find };
allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger window_service:service_manager find;
diff --git a/system_app.te b/system_app.te
index 4c9c136..3db5f21 100644
--- a/system_app.te
+++ b/system_app.te
@@ -22,6 +22,9 @@
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
# Write to properties
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
@@ -29,6 +32,7 @@
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
+set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
@@ -45,7 +49,7 @@
allow system_app asec_apk_file:file r_file_perms;
allow system_app servicemanager:service_manager list;
-allow system_app service_manager_type:service_manager find;
+allow system_app { service_manager_type -netd_service }:service_manager find;
allow system_app keystore:keystore_key {
get_state
diff --git a/system_server.te b/system_server.te
index cb06d6d..868a830 100644
--- a/system_server.te
+++ b/system_server.te
@@ -11,6 +11,13 @@
allow system_server dalvikcache_data_file:file execute;
allow system_server dalvikcache_data_file:dir r_dir_perms;
+# Enable system server to check the foreign dex usage markers.
+# We need search on top level directories so that we can get to the files
+allow system_server user_profile_data_file:dir search;
+allow system_server user_profile_data_file:file getattr;
+allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name };
+allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink };
+
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;
@@ -39,6 +46,7 @@
# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:capability {
+ ipc_lock
kill
net_admin
net_bind_service
@@ -77,15 +85,18 @@
allow system_server self:netlink_route_socket nlmsg_write;
# Kill apps.
-allow system_server appdomain:process { sigkill signal };
+allow system_server { appdomain autoplay_app }:process { sigkill signal };
# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
+allow system_server { appdomain autoplay_app }:process { getsched setsched };
+allow system_server audioserver:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
-# all processes on the device.
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
r_dir_file(system_server, domain)
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
@@ -126,6 +137,7 @@
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)
+unix_socket_connect(system_server, uncrypt, uncrypt)
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
@@ -135,23 +147,40 @@
binder_call(system_server, binderservicedomain)
binder_call(system_server, gatekeeperd)
binder_call(system_server, fingerprintd)
-binder_call(system_server, appdomain)
+binder_call(system_server, { appdomain autoplay_app })
binder_call(system_server, dumpstate)
+binder_call(system_server, netd)
binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
-
-# Read /proc/pid files for dumping stack traces of native processes.
-r_dir_file(system_server, mediaserver)
-r_dir_file(system_server, sdcardd)
-r_dir_file(system_server, surfaceflinger)
-r_dir_file(system_server, inputflinger)
+#
+# This is derived from the list that system server defines as interesting native processes
+# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+# frameworks/base/services/core/java/com/android/server/Watchdog.java.
+allow system_server {
+ audioserver
+ bluetooth
+ cameraserver
+ drmserver
+ inputflinger
+ mediacodec
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ sdcardd
+ surfaceflinger
+}:debuggerd dump_backtrace;
# Use sockets received over binder from various services.
+allow system_server audioserver:tcp_socket rw_socket_perms;
+allow system_server audioserver:udp_socket rw_socket_perms;
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
# Check SELinux permissions.
selinux_check_access(system_server)
@@ -163,6 +192,9 @@
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
@@ -252,7 +284,7 @@
# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file autoplay_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir r_dir_perms;
@@ -277,7 +309,23 @@
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms unlink };
+allow system_server wallpaper_file:file { rw_file_perms rename unlink };
+
+# Backup of wallpaper imagery uses temporary hard links to avoid data churn
+allow system_server { system_data_file wallpaper_file }:file link;
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
allow system_server system_data_file:dir relabelfrom;
@@ -292,10 +340,10 @@
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, device_logging_prop)
+userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
set_prop(system_server, ctl_default_prop)
-set_prop(system_server, ctl_dhcp_pan_prop)
set_prop(system_server, ctl_bugreport_prop)
# Create a socket for receiving info from wpa.
@@ -325,20 +373,18 @@
allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
+allow system_server { appdomain autoplay_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server { appdomain autoplay_app }:{ fifo_file unix_stream_socket } { getattr read write };
# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;
-# BackupManagerService lets PMS create a data backup file
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
-# Relabel /data/backup
-allow system_server backup_data_file:dir { relabelto relabelfrom };
-# Relabel /cache/.*\.{data|restore}
-allow system_server cache_backup_file:file { relabelto relabelfrom };
-# LocalTransport creates and relabels /cache/backup
-allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
@@ -377,12 +423,18 @@
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file r_file_perms;
+allow system_server audioserver_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
+allow system_server mediacodec_service:service_manager find;
+allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
@@ -436,10 +488,16 @@
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
userdebug_or_eng(`
# Allow system server to create and write method traces in /data/misc/trace.
allow system_server method_trace_data_file:dir w_dir_perms;
allow system_server method_trace_data_file:file { create w_file_perms };
+
+ # Allow system server to read dmesg
+ allow system_server kernel:system syslog_read;
')
# For AppFuse.
@@ -456,6 +514,27 @@
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow system_server media_rw_data_file:dir search;
+
+# Allow invoking tools like "timeout"
+allow system_server toolbox_exec:file rx_file_perms;
+
+# Postinstall
+#
+# For OTA dexopt, allow calls coming from postinstall.
+binder_call(system_server, postinstall)
+
+allow system_server postinstall:fifo_file write;
+allow system_server update_engine:fd use;
+allow system_server update_engine:fifo_file write;
+
+# Access to /data/preloads
+allow system_server preloads_data_file:file { r_file_perms unlink };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name };
+
###
### Neverallow rules
###
diff --git a/te_macros b/te_macros
index ec97b3f..eb1b921 100644
--- a/te_macros
+++ b/te_macros
@@ -221,7 +221,7 @@
define(`selinux_check_access', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket *;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
')
#####################################
diff --git a/tools/Android.mk b/tools/Android.mk
index 7ded3a3..98f562c 100644
--- a/tools/Android.mk
+++ b/tools/Android.mk
@@ -5,11 +5,12 @@
LOCAL_MODULE := checkseapp
LOCAL_MODULE_TAGS := optional
LOCAL_C_INCLUDES := \
+ external/pcre \
external/selinux/libsepol/include
LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
LOCAL_SRC_FILES := check_seapp.c
LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_WHOLE_STATIC_LIBRARIES := libpcre2
+LOCAL_WHOLE_STATIC_LIBRARIES := libpcre
LOCAL_CXX_STL := none
include $(BUILD_HOST_EXECUTABLE)
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 26a47b5..ecff183 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -11,7 +11,7 @@
#include <stdbool.h>
#include <sepol/sepol.h>
#include <sepol/policydb/policydb.h>
-#include <pcre2.h>
+#include <pcre.h>
#define TABLE_SIZE 1024
#define KVP_NUM_OF_RULES (sizeof(rules) / sizeof(key_map))
@@ -91,8 +91,8 @@
};
struct key_map_regex {
- pcre2_code *compiled;
- pcre2_match_data *match_data;
+ pcre *compiled;
+ pcre_extra *extra;
};
/**
@@ -202,6 +202,7 @@
key_map rules[] = {
/*Inputs*/
{ .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isAutoPlayApp", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isOwner", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "user", .dir = dir_in, },
{ .name = "seinfo", .dir = dir_in, },
@@ -319,15 +320,14 @@
char *tomatch = check->data;
- int ret = pcre2_match(assert->regex.compiled, (PCRE2_SPTR) tomatch,
- PCRE2_ZERO_TERMINATED, 0, 0,
- assert->regex.match_data, NULL);
+ int ret = pcre_exec(assert->regex.compiled, assert->regex.extra, tomatch,
+ strlen(tomatch), 0, 0, NULL, 0);
- /* ret > 0 from pcre2_match means matched */
- return ret > 0;
+ /* 0 from pcre_exec means matched */
+ return !ret;
}
-static bool compile_regex(key_map *km, int *errcode, PCRE2_SIZE *erroff) {
+static bool compile_regex(key_map *km, const char **errbuf, int *erroff) {
size_t size;
char *anchored;
@@ -341,21 +341,13 @@
anchored = alloca(size);
sprintf(anchored, "^%s$", km->data);
- km->regex.compiled = pcre2_compile((PCRE2_SPTR) anchored,
- PCRE2_ZERO_TERMINATED,
- PCRE2_DOTALL,
- errcode, erroff,
- NULL);
+ km->regex.compiled = pcre_compile(anchored, PCRE_DOTALL, errbuf, erroff,
+ NULL );
if (!km->regex.compiled) {
return false;
}
- km->regex.match_data = pcre2_match_data_create_from_pattern(
- km->regex.compiled, NULL);
- if (!km->regex.match_data) {
- pcre2_code_free(km->regex.compiled);
- return false;
- }
+ km->regex.extra = pcre_study(km->regex.compiled, 0, errbuf);
return true;
}
@@ -431,13 +423,12 @@
static bool key_map_validate(key_map *m, const char *filename, int lineno,
bool is_neverallow) {
- PCRE2_SIZE erroff;
- int errcode;
+ int erroff;
+ const char *errbuf;
bool rc = true;
char *key = m->name;
char *value = m->data;
char *errmsg = NULL;
- char errstr[256];
log_info("Validating %s=%s\n", key, value);
@@ -447,13 +438,10 @@
*/
if (is_neverallow) {
if (!m->regex.compiled) {
- rc = compile_regex(m, &errcode, &erroff);
+ rc = compile_regex(m, &errbuf, &erroff);
if (!rc) {
- pcre2_get_error_message(errcode,
- (PCRE2_UCHAR*) errstr,
- sizeof(errstr));
- log_error("Invalid regex on line %d : %s PCRE error: %s at offset %lu",
- lineno, value, errstr, erroff);
+ log_error("Invalid regex on line %d : %s PCRE error: %s at offset %d",
+ lineno, value, errbuf, erroff);
}
}
goto out;
@@ -584,11 +572,11 @@
free(m->data);
if (m->regex.compiled) {
- pcre2_code_free(m->regex.compiled);
+ pcre_free(m->regex.compiled);
}
- if (m->regex.match_data) {
- pcre2_match_data_free(m->regex.match_data);
+ if (m->regex.extra) {
+ pcre_free_study(m->regex.extra);
}
}
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index 7568351..61f1a26 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -11,4 +11,6 @@
LOCAL_STATIC_LIBRARIES := libsepol
LOCAL_CXX_STL := none
+LOCAL_COMPATIBILITY_SUITE := cts
+
include $(BUILD_HOST_EXECUTABLE)
diff --git a/ueventd.te b/ueventd.te
index f1576e7..d4c769f 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -10,6 +10,7 @@
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs_usb:file w_file_perms;
allow ueventd sysfs_hwrandom:file w_file_perms;
allow ueventd sysfs_zram_uevent:file w_file_perms;
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
diff --git a/uncrypt.te b/uncrypt.te
index 9231a4d..2ebde86 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -16,10 +16,11 @@
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
-# Write to pipe file /cache/recovery/uncrypt_status
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
-allow uncrypt cache_recovery_file:fifo_file w_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
# Set a property to reboot the device.
set_prop(uncrypt, powerctl_prop)
diff --git a/untrusted_app.te b/untrusted_app.te
index 23c933b..6b24a62 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -67,8 +67,13 @@
# allow cts to query all services
allow untrusted_app servicemanager:service_manager list;
+allow untrusted_app audioserver_service:service_manager find;
+allow untrusted_app cameraserver_service:service_manager find;
allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
+allow untrusted_app mediaextractor_service:service_manager find;
+allow untrusted_app mediacodec_service:service_manager find;
+allow untrusted_app mediadrmserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
@@ -138,6 +143,20 @@
# Do not allow untrusted_app to access network MAC address file
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow untrusted_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+
# Do not allow untrusted_app access to /cache
neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
@@ -156,6 +175,8 @@
-app_data_file # The apps sandbox itself
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files
+ -user_profile_foreign_dex_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
diff --git a/vdc.te b/vdc.te
index 5478965..d31be65 100644
--- a/vdc.te
+++ b/vdc.te
@@ -21,3 +21,6 @@
# Why?
allow vdc dumpstate:unix_dgram_socket { read write };
+
+# vdc can be invoked with logwrapper, so let it write to pty
+allow vdc devpts:chr_file rw_file_perms;
diff --git a/vold.te b/vold.te
index 737037d..81ed18b 100644
--- a/vold.te
+++ b/vold.te
@@ -90,6 +90,9 @@
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;
+# TODO: added to match above sysfs rule. Remove me?
+allow vold sysfs_usb:file w_file_perms;
+
allow vold kmsg_device:chr_file rw_file_perms;
# Run fsck in the fsck domain.
@@ -184,6 +187,13 @@
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+allow vold user_profile_foreign_dex_data_file:dir { getattr setattr };
+
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
diff --git a/zygote.te b/zygote.te
index 83f2c76..9e155ef 100644
--- a/zygote.te
+++ b/zygote.te
@@ -11,13 +11,13 @@
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
-allow zygote appdomain:process dyntransition;
+allow zygote { appdomain autoplay_app }:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872)
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { r_file_perms };
+allow zygote { appdomain autoplay_app }:dir { getattr search };
+allow zygote { appdomain autoplay_app }:file { r_file_perms };
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
+allow zygote { appdomain autoplay_app }:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
@@ -80,6 +80,31 @@
')
###
+### A/B OTA
+###
+
+# The zygote is responsible for detecting A/B OTA artifacts and moving them into
+# the actual dalvik-cache.
+
+# Allow zygote access to files in /data/ota.
+# This includes reading symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot
+# images, where the oat file is symlinked to the original file in /system.
+r_dir_file(zygote, ota_data_file)
+
+# The zygote renames the OTA dalvik-cache to the regular dalvik-cache.
+allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
+
+# And needs to relabel the entries, so as to have the dalvikcache_data_file label.
+allow zygote ota_data_file:{ dir file lnk_file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file lnk_file } relabelto;
+
+# The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+# In case something goes wrong in relabelling, we also need to be able to delete the files that
+# have already been moved.
+allow zygote ota_data_file:dir rmdir;
+allow zygote ota_data_file:{ file lnk_file } unlink;
+
+###
### neverallow rules
###
@@ -89,7 +114,7 @@
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
+neverallow zygote ~{ appdomain autoplay_app system_server }:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {