Merge "Policy for virtual_camera native service" into main
diff --git a/Android.bp b/Android.bp
index 1d06d7d..6c8fa2a 100644
--- a/Android.bp
+++ b/Android.bp
@@ -556,8 +556,8 @@
properties: ["vendor", "device_specific"],
}
-precompiled_se_policy_binary {
- name: "precompiled_sepolicy",
+filegroup {
+ name: "precompiled_sepolicy_srcs",
srcs: [
":plat_sepolicy.cil",
":plat_pub_versioned.cil",
@@ -569,6 +569,16 @@
":system_ext_mapping_file",
":product_mapping_file",
],
+ // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
+ // Useful when some partitions need to be bind mounted across VM boundaries.
+ visibility: ["//visibility:public"],
+}
+
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy",
+ srcs: [
+ ":precompiled_sepolicy_srcs",
+ ],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
device_specific: true,
diff --git a/apex/Android.bp b/apex/Android.bp
index 45a397a..21054fc 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -281,3 +281,10 @@
"com.android.devicelock-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.telephonymodules-file_contexts",
+ srcs: [
+ "com.android.telephonymodules-file_contexts"
+ ],
+}
diff --git a/apex/com.android.nfcservices-file_contexts b/apex/com.android.nfcservices-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.nfcservices-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.telephonymodules-file_contexts b/apex/com.android.telephonymodules-file_contexts
new file mode 100644
index 0000000..4cee48b
--- /dev/null
+++ b/apex/com.android.telephonymodules-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 53843ea..473b0f2 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,4 +1,5 @@
(/.*)? u:object_r:system_file:s0
/bin/for-system/clatd u:object_r:clatd_exec:s0
+/bin/netbpfload u:object_r:bpfloader_exec:s0
/bin/ot-daemon u:object_r:ot_daemon_exec:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9a3396e..44c3243 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -459,6 +459,7 @@
"vibrator": EXCEPTION_NO_FUZZER,
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
+ "virtualdevice_native": EXCEPTION_NO_FUZZER,
"virtual_camera_service": EXCEPTION_NO_FUZZER,
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
@@ -467,6 +468,7 @@
"vrmanager": EXCEPTION_NO_FUZZER,
"wallpaper": EXCEPTION_NO_FUZZER,
"wallpaper_effects_generation": EXCEPTION_NO_FUZZER,
+ "wearable_sensing": EXCEPTION_NO_FUZZER,
"webviewupdate": EXCEPTION_NO_FUZZER,
"wifip2p": EXCEPTION_NO_FUZZER,
"wifiscanner": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 3498680..e483237 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -59,6 +59,7 @@
/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/property_service_for_system u:object_r:property_socket:s0
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/authfs_service u:object_r:authfs_service_socket:s0
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index d38dd4c..2c7557f 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -1326,6 +1326,7 @@
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.clear_slots_with_set_layer_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/app.te b/private/app.te
index 59d9a5f..19cb2e0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -176,11 +176,9 @@
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
@@ -429,8 +427,8 @@
allow appdomain shared_relro_file:file r_file_perms;
# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
+allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
+allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
@@ -532,3 +530,23 @@
appdomain
-device_as_webcam
} video_device:chr_file { read write };
+
+# Prevent calling inotify on APKs. This can be used as a side channel
+# to observer app launches, so it must be disallowed. b/231587164
+# Gate by targetSdkVersion to avoid breaking existing apps.
+neverallow {
+ appdomain
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} apk_data_file:dir { watch watch_reads };
+neverallow {
+ appdomain
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} apk_data_file:file { watch watch_reads };
diff --git a/private/artd.te b/private/artd.te
index 3b234bf..acab397 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -137,3 +137,8 @@
# This is needed for getting CPU time and wall time spent on subprocesses.
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);
+
+# Allow artd to reopen its own memfd.
+# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
+# that don't have write permissions on memfds.
+allow artd artd_tmpfs:file open;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 21349df..b8ae9f4 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,8 +18,6 @@
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
diff --git a/private/bug_map b/private/bug_map
index 0a1d741..f35fbca 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,6 +1,7 @@
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app system_data_file dir b/146166941
+gmscore_app kernel security b/303319090
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
@@ -20,6 +21,7 @@
mediaprovider shell_data_file dir b/77925342
mediaswcodec ashmem_device chr_file b/142679232
platform_app nfc_data_file dir b/74331887
+platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server system_server capability b/228030183
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index cc240fe..2d1aea0 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -14,7 +14,10 @@
virtual_camera_service
ot_daemon_service
remote_auth_service
+ sysfs_sync_on_suspend
threadnetwork_service
device_config_aconfig_flags_prop
proc_memhealth
+ virtual_device_native_service
+ next_boot_prop
))
diff --git a/private/domain.te b/private/domain.te
index 1ecb7b6..0861fa5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -214,7 +214,6 @@
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
diff --git a/private/file_contexts b/private/file_contexts
index 259526d..3a9c04d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/property_service_for_system u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
@@ -344,7 +345,7 @@
/system/etc/passwd u:object_r:system_passwd_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
@@ -362,7 +363,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
-/system/bin/btfloader u:object_r:bpfloader_exec:s0
+/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 64da97b..b7f5808 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -33,6 +33,8 @@
set_prop(flags_health_check, device_config_memory_safety_native_prop)
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
set_prop(flags_health_check, device_config_camera_native_prop)
+set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
+set_prop(flags_health_check, next_boot_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f35f268..3ec6ab1 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -157,6 +157,7 @@
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
+genfscon sysfs /power/sync_on_suspend u:object_r:sysfs_sync_on_suspend:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
@@ -286,6 +287,8 @@
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_command/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
@@ -351,6 +354,8 @@
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_command/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 46b90c6..859c2ec 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -36,7 +36,6 @@
allow gmscore_app perfetto_traces_data_file:file { read getattr };
# Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
@@ -46,6 +45,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
diff --git a/private/keystore.te b/private/keystore.te
index cd2ef76..73961ac 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -26,7 +26,7 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
-# Keystore need access to the keystore_key context files to load the keystore key backend.
+# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
# Allow keystore to listen to changing boot levels
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 3833971..868bf15 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -4,10 +4,10 @@
# <namespace> <label>
#
# <namespace> must be an integer in the interval [0 ... 2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
+# su_key is a keystore2_key namespace for the su domain intended for native tests.
0 u:object_r:su_key:s0
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+# shell_key is a keystore2_key namespace for the shell domain intended for native tests.
1 u:object_r:shell_key:s0
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
diff --git a/private/network_stack.te b/private/network_stack.te
index d9135a1..84c8d4d 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -63,6 +63,8 @@
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
+# allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
+get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
# Use XFRM (IPsec) netlink sockets
allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
diff --git a/private/priv_app.te b/private/priv_app.te
index b911bc0..cadefe1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -150,7 +150,7 @@
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
+dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/profman.te b/private/profman.te
index 390f83e..7ad49b2 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -10,3 +10,8 @@
# Allow profman to use file descriptors passed from privileged programs.
allow profman { artd installd }:fd use;
+
+# Allow profman to read from memfd created by artd.
+# profman needs to read the embedded profile that artd extracts from an APK,
+# which is passed by a memfd.
+allow profman artd_tmpfs:file { getattr read map lock };
diff --git a/private/property.te b/private/property.te
index 5f8f044..8be4d01 100644
--- a/private/property.te
+++ b/private/property.te
@@ -15,6 +15,7 @@
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
@@ -30,6 +31,7 @@
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(next_boot_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
diff --git a/private/property_contexts b/private/property_contexts
index b009c60..9d1439d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -277,6 +277,10 @@
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
persist.device_config.memory_safety_native_boot. u:object_r:device_config_memory_safety_native_boot_prop:s0
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
+persist.device_config.tethering_u_or_later_native. u:object_r:device_config_tethering_u_or_later_native_prop:s0
+
+# Properties that is for staging
+next_boot. u:object_r:next_boot_prop:s0
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -579,6 +583,7 @@
bluetooth.profile.pan.panu.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.pbap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.pbap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.sim.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.vcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
@@ -670,6 +675,7 @@
ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string
ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.assistant_vol_min u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int
ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
@@ -1338,6 +1344,7 @@
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.clear_slots_with_set_layer_buffer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.prime_shader_cache.ultrahdr u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/service.te b/private/service.te
index ccb9e17..861afb3 100644
--- a/private/service.te
+++ b/private/service.te
@@ -23,3 +23,4 @@
type transparency_service, system_server_service, service_manager_type;
type vfio_handler_service, service_manager_type;
type uce_service, service_manager_type;
+type wearable_sensing_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 746cde1..a1fb06b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -435,6 +435,7 @@
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
virtualdevice u:object_r:virtual_device_service:s0
+virtualdevice_native u:object_r:virtual_device_native_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
@@ -442,6 +443,7 @@
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
wallpaper_effects_generation u:object_r:wallpaper_effects_generation_service:s0
+wearable_sensing u:object_r:wearable_sensing_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index d0d88e9..4f344cc 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -120,26 +120,6 @@
# Ignore access to zram when Debug.getMemInfo is called.
dontaudit system_app sysfs_zram:dir search;
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
allow system_app keystore:keystore2_key {
delete
get_info
diff --git a/private/system_server.te b/private/system_server.te
index 5594874..f9627e3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -770,9 +770,13 @@
set_prop(system_server, device_config_memory_safety_native_boot_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
+set_prop(system_server, device_config_tethering_u_or_later_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)
+# staged flag properties
+set_prop(system_server, next_boot_prop)
+
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)
@@ -969,34 +973,12 @@
add_service(system_server, batteryproperties_service)
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
allow system_server keystore:keystore2 {
add_auth
change_password
change_user
clear_ns
clear_uid
- get_state
lock
pull_metrics
reset
@@ -1335,6 +1317,8 @@
device_config_swcodec_native_prop
device_config_aconfig_flags_prop
device_config_window_manager_native_boot_prop
+ device_config_tethering_u_or_later_native_prop
+ next_boot_prop
}:property_service set;
# Only allow system_server and init to set tuner_server_ctl_prop
diff --git a/private/system_suspend.te b/private/system_suspend.te
index bef7c6d..683d913 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -37,6 +37,9 @@
allow system_suspend sysfs_wake_lock:file rw_file_perms;
allow system_suspend self:global_capability2_class_set block_suspend;
+# Allow init to set /sys/power/sync_on_suspend.
+allow init sysfs_sync_on_suspend:file w_file_perms;
+
neverallow {
domain
-atrace # tracing
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2c0391f..d59245c 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -59,3 +59,12 @@
auditallow untrusted_app_25 mdnsd_socket:sock_file write;
auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_25 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 163803a..8c970d8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -47,3 +47,12 @@
auditallow untrusted_app_27 mdnsd_socket:sock_file write;
auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_27 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_27 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 758ed23..ed0bbfc 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -25,3 +25,12 @@
auditallow untrusted_app_29 mdnsd_socket:sock_file write;
auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_29 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_29 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 830106d..c87548e 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -27,3 +27,12 @@
auditallow untrusted_app_30 mdnsd_socket:sock_file write;
auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_30 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_30 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
index 643c122..6e95fd1 100644
--- a/private/untrusted_app_32.te
+++ b/private/untrusted_app_32.te
@@ -28,3 +28,12 @@
auditallow untrusted_app_32 mdnsd_socket:sock_file write;
auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_32 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
+')
diff --git a/public/file.te b/public/file.te
index 74aca61..72f511b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -116,6 +116,7 @@
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
+type sysfs_sync_on_suspend, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 8cf2411..eab38dd 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -17,7 +17,6 @@
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index d48c5f8..0035bc6 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -22,7 +22,6 @@
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
allow gatekeeperd authorization_service:service_manager find;
diff --git a/public/racoon.te b/public/racoon.te
index 00d10a4..b0383f0 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -25,10 +25,3 @@
allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/public/service.te b/public/service.te
index 8cc5acc..e018e40 100644
--- a/public/service.te
+++ b/public/service.te
@@ -83,7 +83,7 @@
type binder_calls_stats_service, system_server_service, service_manager_type;
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
+type broadcastradio_service, app_api_service, system_server_service, service_manager_type;
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -256,6 +256,7 @@
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type virtual_device_service, app_api_service, system_server_service, service_manager_type;
+type virtual_device_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 6c67cea..d4d13e3 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -63,8 +63,6 @@
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
-r_dir_file(shell, apk_data_file)
-
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
diff --git a/public/su.te b/public/su.te
index bcdc322..2887740 100644
--- a/public/su.te
+++ b/public/su.te
@@ -48,7 +48,6 @@
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
diff --git a/public/wificond.te b/public/wificond.te
index 98db0d7..1bd89f5 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -33,11 +33,8 @@
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)
-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
allow wificond wifi_key:keystore2_key {
get_info
use
diff --git a/tests/plat_file_contexts_test b/tests/plat_file_contexts_test
new file mode 100644
index 0000000..9d8d906
--- /dev/null
+++ b/tests/plat_file_contexts_test
@@ -0,0 +1,1261 @@
+# Test data for private/file_contexts.
+#
+# It can be passed to checkfc to confirm that the regular expressions in
+# file_contexts are matching the intended paths.
+/ rootfs
+/adb_keys adb_keys_file
+/build.prop rootfs
+/default.prop rootfs
+/fstab.persist rootfs
+/fstab.postinstall rootfs
+/init.rc rootfs
+/init.environ.rc rootfs
+/res rootfs
+/res/test rootfs
+/selinux_version rootfs
+/ueventd.rc rootfs
+/ueventd.common.rc rootfs
+/verity_key rootfs
+
+/init init_exec
+/sbin rootfs
+/sbin/su rootfs
+
+/lib rootfs
+/lib/lib.so rootfs
+/system_dlkm system_dlkm_file
+/system_dlkm/lib/modules/modules.load system_dlkm_file
+
+/lost+found rootfs
+/acct cgroup
+/config rootfs
+/data_mirror mirror_data_file
+/debug_ramdisk tmpfs
+/mnt tmpfs
+/proc rootfs
+/second_stage_resources tmpfs
+/sys sysfs
+/apex apex_mnt_dir
+/bootstrap-apex apex_mnt_dir
+
+/postinstall postinstall_mnt_dir
+/postinstall/apex postinstall_apex_mnt_dir
+
+/apex/.bootstrap-apex-info-list.xml apex_info_file
+/apex/.default-apex-info-list.xml apex_info_file
+/apex/apex-info-list.xml apex_info_file
+
+/bin rootfs
+/bugreports rootfs
+/charger rootfs
+/d rootfs
+/etc rootfs
+/sdcard rootfs
+
+/vendor_file_contexts file_contexts_file
+/plat_file_contexts file_contexts_file
+/product_file_contexts file_contexts_file
+/mapping_sepolicy.cil sepolicy_file
+/plat_sepolicy.cil sepolicy_file
+/plat_property_contexts property_contexts_file
+/product_property_contexts property_contexts_file
+/vendor_property_contexts property_contexts_file
+/seapp_contexts seapp_contexts_file
+/vendor_seapp_contexts seapp_contexts_file
+/plat_seapp_contexts seapp_contexts_file
+/sepolicy sepolicy_file
+/plat_service_contexts service_contexts_file
+/plat_hwservice_contexts hwservice_contexts_file
+/plat_keystore2_key_contexts keystore2_key_contexts_file
+/vendor_service_contexts vendor_service_contexts_file
+/vendor_hwservice_contexts hwservice_contexts_file
+/vndservice_contexts vndservice_contexts_file
+
+/dev device
+/dev/does_not_exist device
+/dev/adf graphics_device
+/dev/adf0 graphics_device
+/dev/adf123 graphics_device
+/dev/adf-interface. graphics_device
+/dev/adf-interface0. graphics_device
+/dev/adf-interface.1 graphics_device
+/dev/adf-interface2.3 graphics_device
+/dev/adf-overlay-engine. graphics_device
+/dev/adf-overlay-engine0. graphics_device
+/dev/adf-overlay-engine.1 graphics_device
+/dev/adf-overlay-engine2.3 graphics_device
+/dev/ashmem ashmem_device
+/dev/ashmemtest ashmem_libcutils_device
+/dev/ashmem-test ashmem_libcutils_device
+/dev/ashmem/test ashmem_libcutils_device
+/dev/audio audio_device
+/dev/audiotest audio_device
+/dev/audio-test audio_device
+/dev/audio/test audio_device
+/dev/binder binder_device
+/dev/block block_device
+/dev/block/does_not_exist block_device
+/dev/block123 device
+/dev/block/by-name/zoned_device zoned_block_device
+/dev/block/dm-0 dm_device
+/dev/block/dm-123 dm_device
+/dev/block/dm block_device
+/dev/block/dm- block_device
+/dev/block/ublkb0 ublk_block_device
+/dev/block/ublkb123 ublk_block_device
+/dev/block/ublkb block_device
+/dev/block/loop0 loop_device
+/dev/block/loop10 loop_device
+/dev/block/loop loop_device
+/dev/block/vda vd_device
+/dev/block/vdb vd_device
+/dev/block/vda0 vd_device
+/dev/block/vda10 vd_device
+/dev/block/vd block_device
+/dev/block/vd1a block_device
+/dev/block/vold block_device
+/dev/block/vold/disk:253,32 vold_device
+/dev/block/ram ram_device
+/dev/block/ram0 ram_device
+/dev/block/ram10 ram_device
+/dev/block/zram ram_device
+/dev/block/zram0 ram_device
+/dev/block/zram10 ram_device
+/dev/boringssl/selftest boringssl_self_test_marker
+/dev/boringssl/selftest/test boringssl_self_test_marker
+/dev/bus/usb usb_device
+/dev/bus/usb/001 usb_device
+/dev/console console_device
+/dev/cpu_variant: dev_cpu_variant
+/dev/cpu_variant:test dev_cpu_variant
+/dev/dma_heap dmabuf_heap_device
+/dev/dma_heap/test dmabuf_heap_device
+/dev/dma_heap/system dmabuf_system_heap_device
+/dev/dma_heap/system-uncached dmabuf_system_heap_device
+/dev/dma_heap/system-secure dmabuf_system_secure_heap_device
+/dev/dma_heap/system-secure-test dmabuf_system_secure_heap_device
+/dev/dma_heap/system-secure/test dmabuf_system_secure_heap_device
+/dev/dm-user dm_user_device
+/dev/dm-user/test dm_user_device
+/dev/ublk-control ublk_control_device
+/dev/device-mapper dm_device
+/dev/eac audio_device
+/dev/event-log-tags runtime_event_log_tags_file
+/dev/cgroup_info cgroup_rc_file
+/dev/cgroup_info/cgroup.rc cgroup_rc_file
+/dev/fscklogs fscklogs
+/dev/fscklogs/fsck fscklogs
+/dev/fuse fuse_device
+/dev/gnss0 gnss_device
+/dev/gnss10 gnss_device
+/dev/graphics graphics_device
+/dev/graphics/test graphics_device
+/dev/hw_random hw_random_device
+/dev/hwbinder hwbinder_device
+/dev/input input_device
+/dev/input/event0 input_device
+/dev/iio:device0 iio_device
+/dev/iio:device1 iio_device
+/dev/ion ion_device
+/dev/keychord keychord_device
+/dev/loop-control loop_control_device
+/dev/modem radio_device
+/dev/modem0 radio_device
+/dev/modem-test radio_device
+/dev/modem/test radio_device
+/dev/mtp_usb mtp_device
+/dev/pmsg0 pmsg_device
+/dev/pn544 nfc_device
+/dev/port port_device
+/dev/ppp ppp_device
+/dev/ptmx ptmx_device
+/dev/pvrsrvkm gpu_device
+/dev/kmsg kmsg_device
+/dev/kmsg_debug kmsg_debug_device
+/dev/kvm kvm_device
+/dev/null null_device
+/dev/nvhdcp1 video_device
+/dev/random random_device
+/dev/rpmsg-omx0 rpmsg_device
+/dev/rpmsg-omx1 rpmsg_device
+/dev/rproc_user rpmsg_device
+/dev/rtc0 rtc_device
+/dev/rtc9 rtc_device
+/dev/snd audio_device
+/dev/snd/controlC0 audio_device
+/dev/snd/timer audio_device
+/dev/socket socket_device
+/dev/socket/does_not_exist socket_device
+/dev/socket/adbd adbd_socket
+/dev/socket/dnsproxyd dnsproxyd_socket
+/dev/socket/dumpstate dumpstate_socket
+/dev/socket/fwmarkd fwmarkd_socket
+/dev/socket/lmkd lmkd_socket
+/dev/socket/logd logd_socket
+/dev/socket/logdr logdr_socket
+/dev/socket/logdw logdw_socket
+/dev/socket/statsdw statsdw_socket
+/dev/socket/mdns mdns_socket
+/dev/socket/mdnsd mdnsd_socket
+/dev/socket/mtpd mtpd_socket
+/dev/socket/pdx/system/buffer_hub pdx_bufferhub_dir
+/dev/socket/pdx/system/buffer_hub/client pdx_bufferhub_client_endpoint_socket
+/dev/socket/pdx/system/performance pdx_performance_dir
+/dev/socket/pdx/system/performance/client pdx_performance_client_endpoint_socket
+/dev/socket/pdx/system/vr/display pdx_display_dir
+/dev/socket/pdx/system/vr/display/client pdx_display_client_endpoint_socket
+/dev/socket/pdx/system/vr/display/manager pdx_display_manager_endpoint_socket
+/dev/socket/pdx/system/vr/display/screenshot pdx_display_screenshot_endpoint_socket
+/dev/socket/pdx/system/vr/display/vsync pdx_display_vsync_endpoint_socket
+/dev/socket/prng_seeder prng_seeder_socket
+/dev/socket/property_service property_socket
+/dev/socket/racoon racoon_socket
+/dev/socket/recovery recovery_socket
+/dev/socket/rild rild_socket
+/dev/socket/rild-debug rild_debug_socket
+/dev/socket/snapuserd snapuserd_socket
+/dev/socket/snapuserd_proxy snapuserd_proxy_socket
+/dev/socket/tombstoned_crash tombstoned_crash_socket
+/dev/socket/tombstoned_java_trace tombstoned_java_trace_socket
+/dev/socket/tombstoned_intercept tombstoned_intercept_socket
+/dev/socket/traced_consumer traced_consumer_socket
+/dev/socket/traced_perf traced_perf_socket
+/dev/socket/traced_producer traced_producer_socket
+/dev/socket/heapprofd heapprofd_socket
+/dev/socket/uncrypt uncrypt_socket
+/dev/socket/wpa_eth0 wpa_socket
+/dev/socket/wpa_eth9 wpa_socket
+/dev/socket/wpa_wlan0 wpa_socket
+/dev/socket/wpa_wlan9 wpa_socket
+/dev/socket/zygote zygote_socket
+/dev/socket/zygote_secondary zygote_socket
+/dev/socket/usap_pool_primary zygote_socket
+/dev/socket/usap_pool_secondary zygote_socket
+/dev/spdif_out audio_device
+/dev/spdif_out-test audio_device
+/dev/spdif_out/test audio_device
+/dev/sys/block/by-name/rootdisk rootdisk_sysdev
+/dev/sys/block/by-name/rootdisk/test rootdisk_sysdev
+/dev/sys/block/by-name/rootdisk-test device
+/dev/sys/block/by-name/userdata userdata_sysdev
+/dev/sys/block/by-name/userdata/test userdata_sysdev
+/dev/sys/block/by-name/userdata-test device
+/dev/sys/fs/by-name/userdata userdata_sysdev
+/dev/sys/fs/by-name/userdata/test userdata_sysdev
+/dev/sys/fs/by-name/userdata-test device
+/dev/tty owntty_device
+/dev/tty0 tty_device
+/dev/tty1 tty_device
+/dev/ttyS serial_device
+/dev/ttyS0 serial_device
+/dev/ttyS99 serial_device
+/dev/ttyUSB usb_serial_device
+/dev/ttyUSB0 usb_serial_device
+/dev/ttyUSB99 usb_serial_device
+/dev/ttyACM usb_serial_device
+/dev/ttyACM0 usb_serial_device
+/dev/ttyACM99 usb_serial_device
+/dev/tun tun_device
+/dev/uhid uhid_device
+/dev/uinput uhid_device
+/dev/uio uio_device
+/dev/uio0 uio_device
+/dev/uio9 uio_device
+/dev/urandom random_device
+/dev/usb_accessory usbaccessory_device
+/dev/v4l-touch input_device
+/dev/v4l-touch0 input_device
+/dev/v4l-touch10 input_device
+/dev/vfio vfio_device
+/dev/vfio/test vfio_device
+/dev/vfio-test device
+/dev/vhost-vsock kvm_device
+/dev/video video_device
+/dev/video0 video_device
+/dev/video99 video_device
+/dev/vndbinder vndbinder_device
+/dev/watchdog watchdog_device
+/dev/xt_qtaguid qtaguid_device
+/dev/zero zero_device
+/dev/__properties__ properties_device
+/dev/__properties__/property_info property_info
+
+/linkerconfig linkerconfig_file
+/linkerconfig/test linkerconfig_file
+
+/system system_file
+/system/does_not_exist system_file
+/system/apex/com.android.art art_apex_dir
+/system/lib system_lib_file
+/system/lib64 system_lib_file
+/system/lib/does_not_exist system_lib_file
+/system/lib64/does_not_exist system_lib_file
+/system/lib/bootstrap system_bootstrap_lib_file
+/system/lib64/bootstrap system_bootstrap_lib_file
+/system/lib/bootstrap/test system_bootstrap_lib_file
+/system/lib64/bootstrap/test system_bootstrap_lib_file
+/system/bin/mm_events mm_events_exec
+/system/bin/atrace atrace_exec
+/system/bin/auditctl auditctl_exec
+/system/bin/bcc rs_exec
+/system/bin/blank_screen blank_screen_exec
+/system/bin/boringssl_self_test32 boringssl_self_test_exec
+/system/bin/boringssl_self_test64 boringssl_self_test_exec
+/system/bin/boringssl_self_test31 system_file
+/system/bin/prng_seeder prng_seeder_exec
+/system/bin/charger charger_exec
+/system/bin/e2fsdroid e2fs_exec
+/system/bin/mke2fs e2fs_exec
+/system/bin/e2fsck fsck_exec
+/system/bin/extra_free_kbytes.sh extra_free_kbytes_exec
+/system/bin/fsck.exfat fsck_exec
+/system/bin/fsck.f2fs fsck_exec
+/system/bin/init init_exec
+/system/bin/mini-keyctl toolbox_exec
+/system/bin/fsverity_init fsverity_init_exec
+/system/bin/sload_f2fs e2fs_exec
+/system/bin/make_f2fs e2fs_exec
+/system/bin/fsck_msdos fsck_exec
+/system/bin/tcpdump tcpdump_exec
+/system/bin/tune2fs fsck_exec
+/system/bin/resize2fs fsck_exec
+/system/bin/toolbox toolbox_exec
+/system/bin/toybox toolbox_exec
+/system/bin/ld.mc rs_exec
+/system/bin/logcat logcat_exec
+/system/bin/logcatd logcat_exec
+/system/bin/sh shell_exec
+/system/bin/run-as runas_exec
+/system/bin/bootanimation bootanim_exec
+/system/bin/bootstat bootstat_exec
+/system/bin/app_process32 zygote_exec
+/system/bin/app_process64 zygote_exec
+/system/bin/servicemanager servicemanager_exec
+/system/bin/surfaceflinger surfaceflinger_exec
+/system/bin/gpuservice gpuservice_exec
+/system/bin/bufferhubd bufferhubd_exec
+/system/bin/performanced performanced_exec
+/system/bin/drmserver drmserver_exec
+/system/bin/drmserver32 drmserver_exec
+/system/bin/drmserver64 drmserver_exec
+/system/bin/dumpstate dumpstate_exec
+/system/bin/incident incident_exec
+/system/bin/incidentd incidentd_exec
+/system/bin/incident_helper incident_helper_exec
+/system/bin/iw iw_exec
+/system/bin/netutils-wrapper-1.0 netutils_wrapper_exec
+/system/bin/vold vold_exec
+/system/bin/netd netd_exec
+/system/bin/wificond wificond_exec
+/system/bin/audioserver audioserver_exec
+/system/bin/mediadrmserver mediadrmserver_exec
+/system/bin/mediaserver mediaserver_exec
+/system/bin/mediaserver32 mediaserver_exec
+/system/bin/mediaserver64 mediaserver_exec
+/system/bin/mediametrics mediametrics_exec
+/system/bin/cameraserver cameraserver_exec
+/system/bin/mediaextractor mediaextractor_exec
+/system/bin/mediaswcodec mediaswcodec_exec
+/system/bin/mediatranscoding mediatranscoding_exec
+/system/bin/mediatuner mediatuner_exec
+/system/bin/mdnsd mdnsd_exec
+/system/bin/installd installd_exec
+/system/bin/otapreopt_chroot otapreopt_chroot_exec
+/system/bin/otapreopt_slot otapreopt_slot_exec
+/system/bin/credstore credstore_exec
+/system/bin/keystore keystore_exec
+/system/bin/keystore2 keystore_exec
+/system/bin/fingerprintd fingerprintd_exec
+/system/bin/gatekeeperd gatekeeperd_exec
+/system/bin/tombstoned tombstoned_exec
+/system/bin/recovery-persist recovery_persist_exec
+/system/bin/recovery-refresh recovery_refresh_exec
+/system/bin/sdcard sdcardd_exec
+/system/bin/snapshotctl snapshotctl_exec
+/system/bin/remount remount_exec
+/system/bin/dhcpcd dhcp_exec
+/system/bin/dhcpcd-6.8.2 dhcp_exec
+/system/bin/dmesgd dmesgd_exec
+/system/bin/mtpd mtp_exec
+/system/bin/pppd ppp_exec
+/system/bin/racoon racoon_exec
+/system/xbin/su su_exec
+/system/bin/dnsmasq dnsmasq_exec
+/system/bin/linker system_linker_exec
+/system/bin/linker64 system_linker_exec
+/system/bin/linker63 system_file
+/system/bin/linkerconfig linkerconfig_exec
+/system/bin/bootstrap/linker system_linker_exec
+/system/bin/bootstrap/linker64 system_linker_exec
+/system/bin/bootstrap/linker63 system_file
+/system/bin/bootstrap/linkerconfig linkerconfig_exec
+/system/bin/llkd llkd_exec
+/system/bin/lmkd lmkd_exec
+/system/bin/usbd usbd_exec
+/system/bin/inputflinger inputflinger_exec
+/system/bin/logd logd_exec
+/system/bin/lpdumpd lpdumpd_exec
+/system/bin/rss_hwm_reset rss_hwm_reset_exec
+/system/bin/perfetto perfetto_exec
+/system/bin/mtectrl mtectrl_exec
+/system/bin/traced traced_exec
+/system/bin/traced_perf traced_perf_exec
+/system/bin/traced_probes traced_probes_exec
+/system/bin/heapprofd heapprofd_exec
+/system/bin/uncrypt uncrypt_exec
+/system/bin/update_verifier update_verifier_exec
+/system/bin/logwrapper system_file
+/system/bin/vdc vdc_exec
+/system/bin/cppreopts.sh cppreopts_exec
+/system/bin/preloads_copy.sh preloads_copy_exec
+/system/bin/preopt2cachename preopt2cachename_exec
+/system/bin/viewcompiler viewcompiler_exec
+/system/bin/sgdisk sgdisk_exec
+/system/bin/blkid blkid_exec
+/system/bin/flags_health_check flags_health_check_exec
+/system/bin/idmap2 idmap_exec
+/system/bin/idmap2d idmap_exec
+/system/bin/update_engine update_engine_exec
+/system/bin/profcollectd profcollectd_exec
+/system/bin/profcollectctl profcollectd_exec
+/system/bin/storaged storaged_exec
+/system/bin/virtual_touchpad virtual_touchpad_exec
+/system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec
+/system/bin/hw/android.system.suspend-service system_suspend_exec
+/system/etc/cgroups.json cgroup_desc_file
+/system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file
+/system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file
+/system/etc/event-log-tags system_event_log_tags_file
+/system/etc/font_fallback.xml system_font_fallback_file
+/system/etc/group system_group_file
+/system/etc/ld.config. system_linker_config_file
+/system/etc/ld.config.test system_linker_config_file
+/system/etc/passwd system_passwd_file
+/system/etc/seccomp_policy system_seccomp_policy_file
+/system/etc/seccomp_policy/crash_dump.x86.policy system_seccomp_policy_file
+/system/etc/security/cacerts system_security_cacerts_file
+/system/etc/security/cacerts/123 system_security_cacerts_file
+/system/etc/selinux/mapping/30.0.cil sepolicy_file
+#/system/etc/selinux/mapping/30.compat.0.cil sepolicy_file
+/system/etc/selinux/plat_mac_permissions.xml mac_perms_file
+/system/etc/selinux/plat_property_contexts property_contexts_file
+/system/etc/selinux/plat_service_contexts service_contexts_file
+/system/etc/selinux/plat_hwservice_contexts hwservice_contexts_file
+/system/etc/selinux/plat_keystore2_key_contexts keystore2_key_contexts_file
+/system/etc/selinux/plat_file_contexts file_contexts_file
+/system/etc/selinux/plat_seapp_contexts seapp_contexts_file
+/system/etc/selinux/plat_sepolicy.cil sepolicy_file
+/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 sepolicy_file
+/system/etc/task_profiles.json task_profiles_file
+/system/etc/task_profiles/task_profiles_0.json task_profiles_api_file
+/system/etc/task_profiles/task_profiles_99.json task_profiles_api_file
+/system/usr/share/zoneinfo system_zoneinfo_file
+/system/usr/share/zoneinfo/0 system_zoneinfo_file
+/system/bin/adbd adbd_exec
+/system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
+/system/bin/stats stats_exec
+/system/bin/statsd statsd_exec
+/system/bin/bpfloader bpfloader_exec
+/system/bin/netbpfload bpfloader_exec
+/system/bin/watchdogd watchdogd_exec
+/system/bin/apexd apexd_exec
+/system/bin/gsid gsid_exec
+/system/bin/simpleperf simpleperf_exec
+/system/bin/simpleperf_app_runner simpleperf_app_runner_exec
+/system/bin/migrate_legacy_obb_data migrate_legacy_obb_data_exec
+/system/bin/android.frameworks.automotive.display@1.0-service automotive_display_service_exec
+/system/bin/snapuserd snapuserd_exec
+/system/bin/odsign odsign_exec
+/system/bin/vehicle_binding_util vehicle_binding_util_exec
+/system/bin/cardisplayproxyd automotive_display_service_exec
+/system/bin/evsmanagerd evsmanagerd_exec
+/system/bin/android.automotive.evs.manager@1.0 evsmanagerd_exec
+/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
+/system/bin/uprobestats uprobestats_exec
+
+/vendor vendor_file
+/vendor/does_not_exist vendor_file
+/system/vendor vendor_file
+/system/vendor/does_not_exist vendor_file
+/vendor/bin/sh vendor_shell_exec
+/system/vendor/bin/sh vendor_shell_exec
+/vendor/bin/toybox_vendor vendor_toolbox_exec
+/system/vendor/bin/toybox_vendor vendor_toolbox_exec
+/vendor/bin/toolbox vendor_toolbox_exec
+/system/vendor/bin/toolbox vendor_toolbox_exec
+/vendor/etc vendor_configs_file
+/vendor/etc/does_not_exist vendor_configs_file
+/system/vendor/etc vendor_configs_file
+/system/vendor/etc/does_not_exist vendor_configs_file
+/vendor/etc/cgroups.json vendor_cgroup_desc_file
+/system/vendor/etc/cgroups.json vendor_cgroup_desc_file
+/vendor/etc/task_profiles.json vendor_task_profiles_file
+/system/vendor/etc/task_profiles.json vendor_task_profiles_file
+
+/vendor/lib/egl same_process_hal_file
+/vendor/lib64/egl same_process_hal_file
+/vendor/lib/egl/test same_process_hal_file
+/vendor/lib64/egl/test same_process_hal_file
+/system/vendor/lib/egl same_process_hal_file
+/system/vendor/lib64/egl same_process_hal_file
+/system/vendor/lib/egl/test same_process_hal_file
+/system/vendor/lib64/egl/test same_process_hal_file
+
+/vendor/lib/vndk-sp vndk_sp_file
+/vendor/lib64/vndk-sp vndk_sp_file
+/vendor/lib/vndk-sp/test vndk_sp_file
+/vendor/lib64/vndk-sp/test vndk_sp_file
+/system/vendor/lib/vndk-sp vndk_sp_file
+/system/vendor/lib64/vndk-sp vndk_sp_file
+/system/vendor/lib/vndk-sp/test vndk_sp_file
+/system/vendor/lib64/vndk-sp/test vndk_sp_file
+
+/vendor/manifest.xml vendor_configs_file
+/system/vendor/manifest.xml vendor_configs_file
+/vendor/compatibility_matrix.xml vendor_configs_file
+/system/vendor/compatibility_matrix.xml vendor_configs_file
+/vendor/etc/vintf vendor_configs_file
+/vendor/etc/vintf/test vendor_configs_file
+/system/vendor/etc/vintf vendor_configs_file
+/system/vendor/etc/vintf/test vendor_configs_file
+/vendor/app vendor_app_file
+/vendor/app/test vendor_app_file
+/system/vendor/app vendor_app_file
+/system/vendor/app/test vendor_app_file
+/vendor/priv-app vendor_app_file
+/vendor/priv-app/test vendor_app_file
+/system/vendor/priv-app vendor_app_file
+/system/vendor/priv-app/test vendor_app_file
+/vendor/overlay vendor_overlay_file
+/vendor/overlay/test vendor_overlay_file
+/system/vendor/overlay vendor_overlay_file
+/system/vendor/overlay/test vendor_overlay_file
+/vendor/framework vendor_framework_file
+/vendor/framework/test vendor_framework_file
+/system/vendor/framework vendor_framework_file
+/system/vendor/framework/test vendor_framework_file
+
+/vendor/apex vendor_apex_file
+/vendor/apex/test vendor_apex_file
+/vendor/apex/test/test vendor_apex_file
+/vendor/apex/test/test/test vendor_file
+/system/vendor/apex vendor_apex_file
+/system/vendor/apex/test vendor_apex_file
+/system/vendor/apex/test/test vendor_apex_file
+/system/vendor/apex/test/test/test vendor_file
+/vendor/bin/misc_writer vendor_misc_writer_exec
+/system/vendor/bin/misc_writer vendor_misc_writer_exec
+/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
+/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
+/system/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
+/system/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
+
+/vendor/lib/hw vendor_hal_file
+/vendor/lib64/hw vendor_hal_file
+/system/vendor/lib/hw vendor_hal_file
+/system/vendor/lib64/hw vendor_hal_file
+
+/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
+/system/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
+
+/odm vendor_file
+/odm/does_not_exist vendor_file
+/vendor/odm vendor_file
+/vendor/does_not_exist vendor_file
+/odm/lib/egl same_process_hal_file
+/odm/lib64/egl same_process_hal_file
+/odm/lib/egl/test same_process_hal_file
+/odm/lib64/egl/test same_process_hal_file
+/vendor/odm/lib/egl same_process_hal_file
+/vendor/odm/lib64/egl same_process_hal_file
+/vendor/odm/lib/egl/test same_process_hal_file
+/vendor/odm/lib64/egl/test same_process_hal_file
+/odm/lib/hw vendor_hal_file
+/odm/lib64/hw vendor_hal_file
+/vendor/odm/lib/hw vendor_hal_file
+/vendor/odm/lib64/hw vendor_hal_file
+/odm/lib/vndk-sp vndk_sp_file
+/odm/lib64/vndk-sp vndk_sp_file
+/odm/lib/vndk-sp/test vndk_sp_file
+/odm/lib64/vndk-sp/test vndk_sp_file
+/vendor/odm/lib/vndk-sp vndk_sp_file
+/vendor/odm/lib64/vndk-sp vndk_sp_file
+/vendor/odm/lib/vndk-sp/test vndk_sp_file
+/vendor/odm/lib64/vndk-sp/test vndk_sp_file
+
+/odm/bin/sh vendor_shell_exec
+/vendor/odm/bin/sh vendor_shell_exec
+/odm/etc vendor_configs_file
+/odm/etc/test vendor_configs_file
+/vendor/odm/etc vendor_configs_file
+/vendor/odm/etc/test vendor_configs_file
+/odm/app vendor_app_file
+/odm/app/test vendor_app_file
+/vendor/odm/app vendor_app_file
+/vendor/odm/app/test vendor_app_file
+/odm/priv-app vendor_app_file
+/odm/priv-app/test vendor_app_file
+/vendor/odm/priv-app vendor_app_file
+/vendor/odm/priv-app/test vendor_app_file
+/odm/overlay vendor_overlay_file
+/odm/overlay/test vendor_overlay_file
+/vendor/odm/overlay vendor_overlay_file
+/vendor/odm/overlay/test vendor_overlay_file
+/odm/framework vendor_framework_file
+/odm/framework/test vendor_framework_file
+/vendor/odm/framework vendor_framework_file
+/vendor/odm/framework/test vendor_framework_file
+
+/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/vendor/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/vendor/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/system/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/system/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+
+/odm/usr/keylayout.kl vendor_keylayout_file
+/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/odm/usr/keylayout.kl vendor_keylayout_file
+/vendor/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/usr/keylayout.kl vendor_keylayout_file
+/vendor/usr/keylayout/test.kl vendor_keylayout_file
+/system/vendor/usr/keylayout.kl vendor_keylayout_file
+/system/vendor/usr/keylayout/test.kl vendor_keylayout_file
+/odm/usr/keychars.kcm vendor_keychars_file
+/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/odm/usr/keychars.kcm vendor_keychars_file
+/vendor/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/usr/keychars.kcm vendor_keychars_file
+/vendor/usr/keychars/test.kcm vendor_keychars_file
+/system/vendor/usr/keychars.kcm vendor_keychars_file
+/system/vendor/usr/keychars/test.kcm vendor_keychars_file
+/odm/usr/idc.idc vendor_idc_file
+/odm/usr/idc/test.idc vendor_idc_file
+/vendor/odm/usr/idc.idc vendor_idc_file
+/vendor/odm/usr/idc/test.idc vendor_idc_file
+/vendor/usr/idc.idc vendor_idc_file
+/vendor/usr/idc/test.idc vendor_idc_file
+/system/vendor/usr/idc.idc vendor_idc_file
+/system/vendor/usr/idc/test.idc vendor_idc_file
+
+/oem oemfs
+/oem/does_not_exist oemfs
+/oem/overlay vendor_overlay_file
+/oem/overlay/does_not_exist vendor_overlay_file
+
+/odm/etc/selinux/precompiled_sepolicy sepolicy_file
+/odm/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 sepolicy_file
+
+/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
+/vendor/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
+/odm/etc/selinux/odm_file_contexts file_contexts_file
+/vendor/odm/etc/selinux/odm_file_contexts file_contexts_file
+/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
+/vendor/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
+/odm/etc/selinux/odm_property_contexts property_contexts_file
+/vendor/odm/etc/selinux/odm_property_contexts property_contexts_file
+/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
+/vendor/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
+/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
+/vendor/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
+/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
+/vendor/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
+/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+
+/product system_file
+/product/does_not_exist system_file
+/system/product system_file
+/system/product/does_not_exist system_file
+/product/etc/group system_group_file
+/system/product/etc/group system_group_file
+/product/etc/passwd system_passwd_file
+/system/product/etc/passwd system_passwd_file
+/product/overlay system_file
+/product/overlay/does_not_exist system_file
+/system/product/overlay system_file
+/system/product/overlay/does_not_exist system_file
+
+/product/etc/selinux/product_file_contexts file_contexts_file
+/system/product/etc/selinux/product_file_contexts file_contexts_file
+/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
+/system/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
+/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
+/system/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
+/product/etc/selinux/product_property_contexts property_contexts_file
+/system/product/etc/selinux/product_property_contexts property_contexts_file
+/product/etc/selinux/product_seapp_contexts seapp_contexts_file
+/system/product/etc/selinux/product_seapp_contexts seapp_contexts_file
+/product/etc/selinux/product_service_contexts service_contexts_file
+/system/product/etc/selinux/product_service_contexts service_contexts_file
+/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+/system/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+
+/product/lib system_lib_file
+/product/lib/does_not_exist system_lib_file
+/product/lib64 system_lib_file
+/product/lib64/does_not_exist system_lib_file
+/system/product/lib system_lib_file
+/system/product/lib/does_not_exist system_lib_file
+/system/product/lib64 system_lib_file
+/system/product/lib64/does_not_exist system_lib_file
+
+/system_ext system_file
+/system_ext/does_not_exist system_file
+/system/system_ext system_file
+/system/system_ext/does_not_exist system_file
+/system_ext/etc/group system_group_file
+/system/system_ext/etc/group system_group_file
+/system_ext/etc/passwd system_passwd_file
+/system/system_ext/etc/passwd system_passwd_file
+/system_ext/overlay vendor_overlay_file
+/system_ext/overlay/does_not_exist vendor_overlay_file
+/system/system_ext/overlay vendor_overlay_file
+/system/system_ext/overlay/does_not_exist vendor_overlay_file
+
+/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
+/system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
+/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
+/system/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
+/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
+/system/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
+/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
+/system/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
+/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
+/system/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
+/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
+/system/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
+/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
+/system/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
+/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+/system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+
+/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
+/system/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
+/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
+/system/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
+/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
+/system/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
+/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
+/system/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
+/system_ext/bin/hwservicemanager hwservicemanager_exec
+/system/system_ext/bin/hwservicemanager hwservicemanager_exec
+/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+/system/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+
+
+/system_ext/bin/canhalconfigurator canhalconfigurator_exec
+/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
+/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+
+/system_ext/lib system_lib_file
+/system_ext/lib/does_not_exist system_lib_file
+/system_ext/lib64 system_lib_file
+/system_ext/lib64/does_not_exist system_lib_file
+/system/system_ext/lib system_lib_file
+/system/system_ext/lib/does_not_exist system_lib_file
+/system/system_ext/lib64 system_lib_file
+/system/system_ext/lib64/does_not_exist system_lib_file
+
+/vendor_dlkm vendor_file
+/vendor_dlkm/does_not_exist vendor_file
+/vendor/vendor_dlkm vendor_file
+/vendor/vendor_dlkm/does_not_exist vendor_file
+/system/vendor/vendor_dlkm vendor_file
+/system/vendor/vendor_dlkm/does_not_exist vendor_file
+/vendor_dlkm/etc vendor_configs_file
+/vendor_dlkm/etc/does_not_exist vendor_configs_file
+/vendor/vendor_dlkm/etc vendor_configs_file
+/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
+/system/vendor/vendor_dlkm/etc vendor_configs_file
+/system/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
+
+/odm_dlkm vendor_file
+/odm_dlkm/does_not_exist vendor_file
+/vendor/odm_dlkm vendor_file
+/vendor/odm_dlkm/does_not_exist vendor_file
+/system/vendor/odm_dlkm vendor_file
+/system/vendor/odm_dlkm/does_not_exist vendor_file
+/odm_dlkm/etc vendor_configs_file
+/odm_dlkm/etc/does_not_exist vendor_configs_file
+/vendor/odm_dlkm/etc vendor_configs_file
+/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
+/system/vendor/odm_dlkm/etc vendor_configs_file
+/system/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
+
+/product/vendor_overlay/0/test vendor_file
+/product/vendor_overlay/1/test vendor_file
+/system/product/vendor_overlay/0/test vendor_file
+/system/product/vendor_overlay/1/test vendor_file
+
+/data system_data_root_file
+/data/does_not_exist system_data_file
+/data/system/environ environ_system_data_file
+/data/system/environ/test environ_system_data_file
+/data/system/packages.list packages_list_file
+/data/system/game_mode_intervention.list game_mode_intervention_list_file
+/data/unencrypted unencrypted_data_file
+/data/unencrypted/test unencrypted_data_file
+/data/backup backup_data_file
+/data/backup/test backup_data_file
+/data/secure/backup backup_data_file
+/data/secure/backup/test backup_data_file
+/data/system/ndebugsocket system_ndebug_socket
+/data/system/unsolzygotesocket system_unsolzygote_socket
+/data/drm drm_data_file
+/data/drm/test drm_data_file
+/data/resource-cache resourcecache_data_file
+/data/resource-cache/test resourcecache_data_file
+/data/dalvik-cache dalvikcache_data_file
+/data/dalvik-cache/test dalvikcache_data_file
+/data/ota ota_data_file
+/data/ota/test ota_data_file
+/data/ota_package ota_package_file
+/data/ota_package/test ota_package_file
+/data/adb adb_data_file
+/data/adb/test adb_data_file
+/data/anr anr_data_file
+/data/anr/test anr_data_file
+/data/apex apex_data_file
+/data/apex/test apex_data_file
+/data/apex/active/test staging_data_file
+/data/apex/backup/test staging_data_file
+/data/apex/decompressed/test staging_data_file
+/data/apex/ota_reserved apex_ota_reserved_file
+/data/apex/ota_reserved/test apex_ota_reserved_file
+/data/app apk_data_file
+/data/app/test apk_data_file
+/data/app/test01/oat dalvikcache_data_file
+/data/app/test01/oat/test dalvikcache_data_file
+/data/app/test01/test02/oat dalvikcache_data_file
+/data/app/test01/test02/oat/test dalvikcache_data_file
+/data/app/vmdltest01.tmp apk_tmp_file
+/data/app/vmdltest01.tmp/test apk_tmp_file
+/data/app/vmdltest02.tmp/oat dalvikcache_data_file
+/data/app/vmdltest02.tmp/oat/test dalvikcache_data_file
+/data/app-private apk_private_data_file
+/data/app-private/test apk_private_data_file
+/data/app-private/vmdltest.tmp apk_private_tmp_file
+/data/app-private/vmdltest/does_not_exist.tmp apk_private_tmp_file
+/data/app-private/vmdltest.tmp/test apk_private_tmp_file
+/data/gsi gsi_data_file
+/data/gsi/test gsi_data_file
+/data/gsi_persistent_data gsi_persistent_data_file
+/data/gsi/ota ota_image_data_file
+/data/gsi/ota/test ota_image_data_file
+/data/tombstones tombstone_data_file
+/data/tombstones/test tombstone_data_file
+/data/vendor/tombstones/wifi tombstone_wifi_data_file
+/data/vendor/tombstones/wifi/test tombstone_wifi_data_file
+/data/local/tests shell_test_data_file
+/data/local/tests/test shell_test_data_file
+/data/local/tmp shell_data_file
+/data/local/tmp/test shell_data_file
+/data/local/tmp/ltp nativetest_data_file
+/data/local/tmp/ltp/test nativetest_data_file
+/data/local/traces trace_data_file
+/data/local/traces/test trace_data_file
+/data/media media_userdir_file
+/data/media/test media_rw_data_file
+/data/mediadrm media_data_file
+/data/mediadrm/test media_data_file
+/data/nativetest nativetest_data_file
+/data/nativetest/test nativetest_data_file
+/data/nativetest64 nativetest_data_file
+/data/nativetest64/test nativetest_data_file
+/data/pkg_staging staging_data_file
+/data/pkg_staging/test staging_data_file
+/data/property property_data_file
+/data/property/test property_data_file
+/data/preloads preloads_data_file
+/data/preloads/test preloads_data_file
+/data/preloads/media preloads_media_file
+/data/preloads/media/test preloads_media_file
+/data/preloads/demo preloads_media_file
+/data/preloads/demo/test preloads_media_file
+/data/server_configurable_flags server_configurable_flags_data_file
+/data/server_configurable_flags/test server_configurable_flags_data_file
+/data/app-staging staging_data_file
+/data/app-staging/test staging_data_file
+/data/rollback/0/test/test.apk apk_data_file
+/data/rollback/999/test/test.apex staging_data_file
+/data/fonts/files font_data_file
+/data/fonts/files/test font_data_file
+/data/misc_ce system_userdir_file
+/data/misc_de system_userdir_file
+/data/system_ce system_userdir_file
+/data/system_de system_userdir_file
+/data/user system_userdir_file
+/data/user_de system_userdir_file
+
+/data/misc/adb adb_keys_file
+/data/misc/adb/test adb_keys_file
+/data/misc/a11ytrace accessibility_trace_data_file
+/data/misc/a11ytrace/test accessibility_trace_data_file
+/data/misc/apexdata apex_module_data_file
+/data/misc/apexdata/test apex_module_data_file
+/data/misc/apexdata/com.android.art apex_art_data_file
+/data/misc/apexdata/com.android.art/test apex_art_data_file
+/data/misc/apexdata/com.android.compos apex_compos_data_file
+/data/misc/apexdata/com.android.compos/test apex_compos_data_file
+/data/misc/apexdata/com.android.virt apex_virt_data_file
+/data/misc/apexdata/com.android.virt/test apex_virt_data_file
+/data/misc/apexdata/com.android.permission apex_system_server_data_file
+/data/misc/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc/apexdata/com.android.scheduling apex_system_server_data_file
+/data/misc/apexdata/com.android.scheduling/test apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering/test apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb/test apex_system_server_data_file
+/data/misc/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc/apexrollback apex_rollback_data_file
+/data/misc/apexrollback/test apex_rollback_data_file
+/data/misc/apns radio_data_file
+/data/misc/apns/test radio_data_file
+/data/misc/appcompat appcompat_data_file
+/data/misc/appcompat/test appcompat_data_file
+/data/misc/audio audio_data_file
+/data/misc/audio/test audio_data_file
+/data/misc/audioserver audioserver_data_file
+/data/misc/audioserver/test audioserver_data_file
+/data/misc/audiohal audiohal_data_file
+/data/misc/audiohal/test audiohal_data_file
+/data/misc/bootstat bootstat_data_file
+/data/misc/bootstat/test bootstat_data_file
+/data/misc/boottrace boottrace_data_file
+/data/misc/boottrace/test boottrace_data_file
+/data/misc/bluetooth bluetooth_data_file
+/data/misc/bluetooth/test bluetooth_data_file
+/data/misc/bluetooth/logs bluetooth_logs_data_file
+/data/misc/bluetooth/logs/test bluetooth_logs_data_file
+/data/misc/bluedroid bluetooth_data_file
+/data/misc/bluedroid/test bluetooth_data_file
+/data/misc/bluedroid/.a2dp_ctrl bluetooth_socket
+/data/misc/bluedroid/.a2dp_data bluetooth_socket
+/data/misc/camera camera_data_file
+/data/misc/camera/test camera_data_file
+/data/misc/carrierid radio_data_file
+/data/misc/carrierid/test radio_data_file
+/data/misc/dhcp dhcp_data_file
+/data/misc/dhcp/test dhcp_data_file
+/data/misc/dhcp-6.8.2 dhcp_data_file
+/data/misc/dhcp-6.8.2/test dhcp_data_file
+/data/misc/dmesgd dmesgd_data_file
+/data/misc/dmesgd/test dmesgd_data_file
+/data/misc/emergencynumberdb emergency_data_file
+/data/misc/emergencynumberdb/test emergency_data_file
+/data/misc/gatekeeper gatekeeper_data_file
+/data/misc/gatekeeper/test gatekeeper_data_file
+/data/misc/incidents incident_data_file
+/data/misc/incidents/test incident_data_file
+/data/misc/installd install_data_file
+/data/misc/installd/test install_data_file
+/data/misc/keychain keychain_data_file
+/data/misc/keychain/test keychain_data_file
+/data/misc/credstore credstore_data_file
+/data/misc/credstore/test credstore_data_file
+/data/misc/keystore keystore_data_file
+/data/misc/keystore/test keystore_data_file
+/data/misc/logd misc_logd_file
+/data/misc/logd/test misc_logd_file
+/data/misc/media media_data_file
+/data/misc/media/test media_data_file
+/data/misc/net net_data_file
+/data/misc/net/test net_data_file
+/data/misc/network_watchlist network_watchlist_data_file
+/data/misc/network_watchlist/test network_watchlist_data_file
+/data/misc/nfc/logs nfc_logs_data_file
+/data/misc/nfc/logs/test nfc_logs_data_file
+/data/misc/odrefresh odrefresh_data_file
+/data/misc/odrefresh/test odrefresh_data_file
+/data/misc/odsign odsign_data_file
+/data/misc/odsign/test odsign_data_file
+/data/misc/odsign/metrics odsign_metrics_file
+/data/misc/odsign/metrics/test odsign_metrics_file
+/data/misc/perfetto-traces/bugreport perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces/bugreport/test perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces perfetto_traces_data_file
+/data/misc/perfetto-traces/test perfetto_traces_data_file
+/data/misc/perfetto-configs perfetto_configs_data_file
+/data/misc/perfetto-configs/test perfetto_configs_data_file
+/data/misc/prereboot prereboot_data_file
+/data/misc/prereboot/test prereboot_data_file
+/data/misc/profcollectd profcollectd_data_file
+/data/misc/profcollectd/test profcollectd_data_file
+/data/misc/radio radio_core_data_file
+/data/misc/radio/test radio_core_data_file
+/data/misc/recovery recovery_data_file
+/data/misc/recovery/test recovery_data_file
+/data/misc/shared_relro shared_relro_file
+/data/misc/shared_relro/test shared_relro_file
+/data/misc/sms radio_data_file
+/data/misc/sms/test radio_data_file
+/data/misc/snapshotctl_log snapshotctl_log_data_file
+/data/misc/snapshotctl_log/test snapshotctl_log_data_file
+/data/misc/stats-active-metric stats_data_file
+/data/misc/stats-active-metric/test stats_data_file
+/data/misc/stats-data stats_data_file
+/data/misc/stats-data/test stats_data_file
+/data/misc/stats-service stats_config_data_file
+/data/misc/stats-service/test stats_config_data_file
+/data/misc/stats-metadata stats_data_file
+/data/misc/stats-metadata/test stats_data_file
+/data/misc/systemkeys systemkeys_data_file
+/data/misc/systemkeys/test systemkeys_data_file
+/data/misc/textclassifier textclassifier_data_file
+/data/misc/textclassifier/test textclassifier_data_file
+/data/misc/threadnetwork threadnetwork_data_file
+/data/misc/threadnetwork/test threadnetwork_data_file
+/data/misc/train-info stats_data_file
+/data/misc/train-info/test stats_data_file
+/data/misc/user misc_user_data_file
+/data/misc/user/test misc_user_data_file
+/data/misc/virtualizationservice virtualizationservice_data_file
+/data/misc/virtualizationservice/test virtualizationservice_data_file
+/data/misc/vpn vpn_data_file
+/data/misc/vpn/test vpn_data_file
+/data/misc/wifi wifi_data_file
+/data/misc/wifi/test wifi_data_file
+/data/misc_ce/0/wifi wifi_data_file
+/data/misc_ce/99/wifi/test wifi_data_file
+/data/misc/wifi/sockets wpa_socket
+/data/misc/wifi/sockets/test wpa_socket
+/data/misc/wifi/sockets/wpa_ctrl_test system_wpa_socket
+/data/misc/wifi/sockets/wpa_ctrl.rc system_wpa_socket
+/data/misc/vold vold_data_file
+/data/misc/vold/test vold_data_file
+/data/misc/update_engine update_engine_data_file
+/data/misc/update_engine/test update_engine_data_file
+/data/misc/update_engine_log update_engine_log_data_file
+/data/misc/update_engine_log/test update_engine_log_data_file
+/data/misc/snapuserd_log snapuserd_log_data_file
+/data/misc/snapuserd_log/test snapuserd_log_data_file
+/data/system/dropbox dropbox_data_file
+/data/system/dropbox/test dropbox_data_file
+/data/system/heapdump heapdump_data_file
+/data/system/heapdump/test heapdump_data_file
+/data/misc/trace method_trace_data_file
+/data/misc/trace/test method_trace_data_file
+/data/misc/wmtrace wm_trace_data_file
+/data/misc/wmtrace/test wm_trace_data_file
+/data/misc/profiles/cur/0 user_profile_root_file
+/data/misc/profiles/cur/9 user_profile_root_file
+/data/misc/profiles/cur/0/test user_profile_data_file
+/data/misc/profiles/ref user_profile_data_file
+/data/misc/profiles/ref/test user_profile_data_file
+/data/misc/profman profman_dump_data_file
+/data/misc/profman/test profman_dump_data_file
+/data/vendor vendor_data_file
+/data/vendor/test vendor_data_file
+/data/vendor_ce vendor_userdir_file
+/data/vendor_ce/test vendor_data_file
+/data/vendor_de vendor_userdir_file
+/data/vendor_de/test vendor_data_file
+
+/data/misc_de/0/storaged storaged_data_file
+/data/misc_de/99/storaged/test storaged_data_file
+/data/misc_ce/0/storaged storaged_data_file
+/data/misc_ce/99/storaged/test storaged_data_file
+
+/data/misc_ce/0/checkin checkin_data_file
+/data/misc_ce/99/checkin/test checkin_data_file
+
+/data/system/users/0/fpdata fingerprintd_data_file
+/data/system/users/99/fpdata/test fingerprintd_data_file
+/data/vendor_de/0/fpdata fingerprint_vendor_data_file
+/data/vendor_de/99/fpdata/test fingerprint_vendor_data_file
+/data/vendor_de/0/facedata face_vendor_data_file
+/data/vendor_de/99/facedata/test face_vendor_data_file
+/data/vendor_ce/0/facedata face_vendor_data_file
+/data/vendor_ce/99/facedata/test face_vendor_data_file
+/data/vendor_de/0/irisdata iris_vendor_data_file
+/data/vendor_de/99/irisdata/test iris_vendor_data_file
+
+/data/bootchart bootchart_data_file
+/data/bootchart/test bootchart_data_file
+
+/data/misc_de/0/sdksandbox sdk_sandbox_system_data_file
+/data/misc_de/99/sdksandbox sdk_sandbox_system_data_file
+/data/misc_ce/0/sdksandbox sdk_sandbox_system_data_file
+/data/misc_ce/99/sdksandbox sdk_sandbox_system_data_file
+
+/data/misc_de/0/rollback rollback_data_file
+/data/misc_de/99/rollback/test rollback_data_file
+/data/misc_ce/0/rollback rollback_data_file
+/data/misc_ce/99/rollback/test rollback_data_file
+
+/data/misc_de/0/apexdata apex_module_data_file
+/data/misc_de/99/apexdata/test apex_module_data_file
+/data/misc_ce/0/apexdata apex_module_data_file
+/data/misc_ce/99/apexdata/test apex_module_data_file
+/data/misc_ce/0/apexdata/com.android.appsearch apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.appsearch/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.permission apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.permission apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.uwb/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.uwb/test apex_system_server_data_file
+
+/data/misc_de/0/apexrollback apex_rollback_data_file
+/data/misc_de/99/apexrollback/test apex_rollback_data_file
+/data/misc_ce/0/apexrollback apex_rollback_data_file
+/data/misc_ce/99/apexrollback/test apex_rollback_data_file
+
+/data/incremental apk_data_file
+/data/incremental/test apk_data_file
+/data/incremental/MT_test/mount/.pending_reads incremental_control_file
+/data/incremental/MT_test/mount/.log incremental_control_file
+/data/incremental/MT_test/mount/.blocks_written incremental_control_file
+
+/data/misc/bootanim bootanim_data_file
+/data/misc/bootanim/test bootanim_data_file
+/mnt/expand mnt_expand_file
+/mnt/expand/does_not_exist system_data_file
+/mnt/expand/test/test system_data_file
+/mnt/expand/test/app apk_data_file
+/mnt/expand/test/app/test apk_data_file
+/mnt/expand/test/app/test/oat dalvikcache_data_file
+/mnt/expand/test/app/test/oat/test dalvikcache_data_file
+/mnt/expand/test/app/test/test/oat dalvikcache_data_file
+/mnt/expand/test/app/test/test/oat/test dalvikcache_data_file
+/mnt/expand/test/app/vmdltest.tmp apk_tmp_file
+/mnt/expand/test/app/vmdltest.tmp/test apk_tmp_file
+/mnt/expand/test/app/vmdltest.tmp/oat dalvikcache_data_file
+/mnt/expand/test/app/vmdltest.tmp/oat/test dalvikcache_data_file
+/mnt/expand/test/local/tmp shell_data_file
+/mnt/expand/test/local/tmp/test shell_data_file
+/mnt/expand/test/media media_userdir_file
+/mnt/expand/test/media/test media_rw_data_file
+/mnt/expand/test/misc/vold vold_data_file
+/mnt/expand/test/misc/vold/test vold_data_file
+/mnt/expand/test/misc_ce system_userdir_file
+/mnt/expand/test/misc_de system_userdir_file
+/mnt/expand/test/user system_userdir_file
+/mnt/expand/test/user_de system_userdir_file
+
+/cores coredump_file
+/cores/test coredump_file
+
+/data/system/users/0/wallpaper_lock_orig wallpaper_file
+/data/system/users/99/wallpaper_lock wallpaper_file
+/data/system/users/0/wallpaper_orig wallpaper_file
+/data/system/users/10/wallpaper wallpaper_file
+
+/data/system_de/0/ringtones ringtone_file
+/data/system_de/0/ringtones/test ringtone_file
+
+/data/system_ce/0/shortcut_service/bitmaps shortcut_manager_icons
+/data/system_ce/9/shortcut_service/bitmaps/test shortcut_manager_icons
+
+/data/system/users/10/photo.png icon_file
+
+/data/system/shutdown-checkpoints shutdown_checkpoints_system_data_file
+/data/system/shutdown-checkpoints/test shutdown_checkpoints_system_data_file
+
+/data/misc_de/0/vold vold_data_file
+/data/misc_de/99/vold/test vold_data_file
+/data/misc_ce/0/vold vold_data_file
+/data/misc_ce/99/vold/test vold_data_file
+
+/data/system_ce/0/backup backup_data_file
+/data/system_ce/99/backup/test backup_data_file
+/data/system_ce/0/backup_stage backup_data_file
+/data/system_ce/99/backup_stage/test backup_data_file
+
+/efs efs_file
+/efs/test efs_file
+
+/cache cache_file
+/cache/test cache_file
+/cache/recovery cache_recovery_file
+/cache/recovery/test cache_recovery_file
+/cache/backup_stage cache_backup_file
+/cache/backup_stage/test cache_backup_file
+/cache/backup cache_private_backup_file
+/cache/backup/test cache_private_backup_file
+
+/cache/overlay overlayfs_file
+/cache/overlay/test overlayfs_file
+/mnt/scratch overlayfs_file
+/mnt/scratch/test overlayfs_file
+
+/data/cache cache_file
+/data/cache/test cache_file
+/data/cache/recovery cache_recovery_file
+/data/cache/recovery/test cache_recovery_file
+/data/cache/backup_stage cache_backup_file
+/data/cache/backup_stage/test cache_backup_file
+/data/cache/backup cache_private_backup_file
+/data/cache/backup/test cache_private_backup_file
+
+/metadata metadata_file
+/metadata/test metadata_file
+/metadata/apex apex_metadata_file
+/metadata/apex/test apex_metadata_file
+/metadata/vold vold_metadata_file
+/metadata/vold/test vold_metadata_file
+/metadata/gsi gsi_metadata_file
+/metadata/gsi/test gsi_metadata_file
+/metadata/gsi/dsu/active gsi_public_metadata_file
+/metadata/gsi/dsu/booted gsi_public_metadata_file
+/metadata/gsi/dsu/lp_names gsi_public_metadata_file
+/metadata/gsi/dsu/test/metadata_encryption_dir gsi_public_metadata_file
+/metadata/gsi/ota ota_metadata_file
+/metadata/gsi/ota/test ota_metadata_file
+/metadata/password_slots password_slot_metadata_file
+/metadata/password_slots/test password_slot_metadata_file
+/metadata/ota ota_metadata_file
+/metadata/ota/test ota_metadata_file
+/metadata/bootstat metadata_bootstat_file
+/metadata/bootstat/test metadata_bootstat_file
+/metadata/staged-install staged_install_file
+/metadata/staged-install/test staged_install_file
+/metadata/userspacereboot userspace_reboot_metadata_file
+/metadata/userspacereboot/test userspace_reboot_metadata_file
+/metadata/watchdog watchdog_metadata_file
+/metadata/watchdog/test watchdog_metadata_file
+
+/mnt/asec asec_apk_file
+/mnt/asec/test asec_apk_file
+/mnt/asec/test/test.zip asec_public_file
+/mnt/asec/test/lib asec_public_file
+/mnt/asec/test/lib/test asec_public_file
+/data/app-asec asec_image_file
+/data/app-asec/test asec_image_file
+
+/mnt/media_rw mnt_media_rw_file
+/mnt/media_rw/test mnt_media_rw_file
+/mnt/user mnt_user_file
+/mnt/user/test mnt_user_file
+/mnt/pass_through mnt_pass_through_file
+/mnt/pass_through/test mnt_pass_through_file
+/mnt/sdcard mnt_sdcard_file
+/mnt/runtime storage_file
+/mnt/runtime/test storage_file
+/storage storage_file
+/storage/test storage_file
+
+/mnt/vendor mnt_vendor_file
+/mnt/vendor/test mnt_vendor_file
+
+/mnt/product mnt_product_file
+/mnt/product/test mnt_product_file
+
+/system/bin/check_dynamic_partitions postinstall_exec
+/product/bin/check_dynamic_partitions postinstall_exec
+/system/bin/otapreopt_script postinstall_exec
+/product/bin/otapreopt_script postinstall_exec
+/system/bin/otapreopt postinstall_dexopt_exec
+/product/bin/otapreopt postinstall_dexopt_exec
diff --git a/tests/policy.py b/tests/policy.py
index 9fdc43c..8fc2ef7 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -109,17 +109,22 @@
# Query policy for the types associated with Attr
TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes)
# Search file_contexts to find types associated with input paths.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
- violators = TypesFc.intersection(TypesPol)
+ PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ violators = set()
+ for PathType in PathTypes:
+ filepath, filetype = PathType
+ if filetype in TypesPol:
+ violators.add((str(filetype), str(filepath)))
+
ret = ""
if len(violators) > 0:
ret += "The following types on "
ret += " ".join(str(x) for x in sorted(MatchPrefix))
ret += " must not be associated with the "
- ret += "\"" + Attr + "\" attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
+ ret += "\"" + Attr + "\" attribute.\n"
+ ret += "Violator types and corresponding paths:\n"
+ ret += "\n".join(str(x) for x in sorted(violators))
+ ret += "\n"
return ret
# Check that all types for "filesystem" have "attribute" associated with them
@@ -146,18 +151,22 @@
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find paths/types that should be associated with
# Attr.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
- violators = TypesFc.difference(TypesPol)
+ PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ violators = set()
+ for PathType in PathTypes:
+ filepath, filetype = PathType
+ if filetype not in TypesPol:
+ violators.add((str(filetype), str(filepath)))
ret = ""
if len(violators) > 0:
ret += "The following types on "
ret += " ".join(str(x) for x in sorted(MatchPrefix))
ret += " must be associated with the "
- ret += "\"" + Attr + "\" attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
+ ret += "\"" + Attr + "\" attribute.\n"
+ ret += "Violator types and corresponding paths:\n"
+ ret += "\n".join(str(x) for x in sorted(violators))
+ ret += "\n"
return ret
def AssertPropertyOwnersAreExclusive(self):
@@ -334,8 +343,7 @@
# Return types that match MatchPrefixes but do not match
# DoNotMatchPrefixes
def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
- Types = set()
- Files = set()
+ ret = []
MatchPrefixesWithIndex = []
for MatchPrefix in MatchPrefixes:
@@ -346,9 +354,8 @@
for PathType in PathTypes:
if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
- Types.add(PathType[1])
- Files.add(PathType[0])
- return Types, Files
+ ret.append(PathType)
+ return ret
def __GetTERules(self, policydbP, avtabIterP, Rules):
if Rules is None:
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 83c631e..05826f9 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -7,6 +7,7 @@
#include <sepol/module.h>
#include <sepol/policydb/policydb.h>
#include <sepol/sepol.h>
+#include <selinux/context.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
#include <sys/stat.h>
@@ -209,8 +210,14 @@
"If -e is specified, then the context_file is allowed to be empty.\n\n"
"usage2: %s -c file_contexts1 file_contexts2\n\n"
- "Compares two file contexts files and reports one of subset, equal, superset, or incomparable.\n\n",
- name, name);
+ "Compares two file contexts files and reports one of \n"
+ "subset, equal, superset, or incomparable.\n\n"
+
+ "usage3: %s -t file_contexts test_data\n\n"
+ "Validates a file contexts file against test_data.\n"
+ "test_data is a text file where each line has the format:\n"
+ " path expected_type\n\n\n",
+ name, name, name);
exit(1);
}
@@ -264,6 +271,67 @@
printf("%s\n", result_str[result]);
}
+static void do_test_data_and_die_on_error(struct selinux_opt opts[], unsigned int backend,
+ char *paths[])
+{
+ opts[0].value = NULL; /* not validating against a policy */
+ opts[1].value = paths[0];
+ global_state.sepolicy.sehnd[0] = selabel_open(backend, opts, 2);
+ if (!global_state.sepolicy.sehnd[0]) {
+ fprintf(stderr, "Error: could not load context file from %s: %s\n",
+ paths[0], strerror(errno));
+ exit(1);
+ }
+
+ FILE* test_data = fopen(paths[1], "r");
+ if (test_data == NULL) {
+ fprintf(stderr, "Error: could not load test file from %s : %s\n",
+ paths[1], strerror(errno));
+ exit(1);
+ }
+
+ char line[1024];
+ while (fgets(line, sizeof(line), test_data)) {
+ char *path;
+ char *expected_type;
+
+ if (!strcmp(line, "\n") || line[0] == '#') {
+ continue;
+ }
+
+ int ret = sscanf(line, "%ms %ms", &path, &expected_type);
+ if (ret != 2) {
+ fprintf(stderr, "Error: unable to parse the line %s\n", line);
+ exit(1);
+ }
+
+ char *found_context;
+ ret = selabel_lookup(global_state.sepolicy.sehnd[0], &found_context, path, 0);
+ if (ret != 0) {
+ fprintf(stderr, "Error: unable to lookup the path for %s\n", line);
+ exit(1);
+ }
+
+ context_t found = context_new(found_context);
+ const char *found_type = context_type_get(found);
+
+ if (strcmp(found_type, expected_type)) {
+ fprintf(stderr, "Incorrect type for %s: resolved to %s, expected %s\n",
+ path, found_type, expected_type);
+ }
+
+ free(found_context);
+ context_free(found);
+ free(path);
+ free(expected_type);
+ }
+ fclose(test_data);
+
+ // Prints the coverage of file_contexts on the test data. It includes
+ // warnings for rules that have not been hit by any test example.
+ selabel_stats(global_state.sepolicy.sehnd[0]);
+}
+
static void do_fc_check_and_die_on_error(struct selinux_opt opts[], unsigned int backend, filemode mode,
const char *sepolicy_file, const char *context_file, bool allow_empty)
{
@@ -345,11 +413,12 @@
bool allow_empty = false;
bool compare = false;
+ bool test_data = false;
char c;
filemode mode = filemode_file_contexts;
- while ((c = getopt(argc, argv, "clpsve")) != -1) {
+ while ((c = getopt(argc, argv, "clpsvet")) != -1) {
switch (c) {
case 'c':
compare = true;
@@ -373,6 +442,9 @@
mode = filemode_vendor_service_contexts;
backend = SELABEL_CTX_ANDROID_SERVICE;
break;
+ case 't':
+ test_data = true;
+ break;
case 'h':
default:
usage(argv[0]);
@@ -385,7 +457,7 @@
usage(argv[0]);
}
- if (compare && backend != SELABEL_CTX_FILE) {
+ if ((compare || test_data) && backend != SELABEL_CTX_FILE) {
usage(argv[0]);
}
@@ -393,6 +465,8 @@
if (compare) {
do_compare_and_die_on_error(opts, backend, &(argv[index]));
+ } else if (test_data) {
+ do_test_data_and_die_on_error(opts, backend, &(argv[index]));
} else {
/* remaining args are sepolicy file and context file */
char *sepolicy_file = argv[index];
diff --git a/tools/finalize-sdk-rel.sh b/tools/finalize-sdk-rel.sh
new file mode 100755
index 0000000..80c6fa8
--- /dev/null
+++ b/tools/finalize-sdk-rel.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Copyright (C) 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ $# -ne 2 ]; then
+ echo "Usage: $0 <top> <ver>"
+ exit 1
+fi
+
+top=$1
+ver=$2
+
+mkdir -p "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/public/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/private/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+
+cat > "$top/system/sepolicy/prebuilts/api/${ver}.0/Android.bp" <<EOF
+// Automatically generated file, do not edit!
+se_policy_conf {
+ name: "${ver}.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_${ver}.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_pub_policy.cil",
+ src: ":${ver}.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_product_pub_policy.cil",
+ src: ":${ver}.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.plat_private_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.system_ext_private_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.product_private_${ver}.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_policy.cil",
+ src: ":${ver}.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_${ver}.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "${ver}.0_plat_policy",
+ srcs: [":${ver}.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+EOF
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 0bdb7fd..9ed7a8a 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -32,3 +32,7 @@
# allow to access graphics related properties
get_prop(hal_evs_default, graphics_config_prop);
+get_prop(hal_evs_default, graphics_config_writable_prop)
+
+# allow to use binder IPC.
+binder_use(hal_evs_default)