Merge "Allow bootanimation to talk to hwservicemanager."
diff --git a/private/audioserver.te b/private/audioserver.te
index 88007aa..95a7521 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -10,12 +10,8 @@
binder_call(audioserver, appdomain)
binder_service(audioserver)
-hwbinder_use(audioserver)
-binder_call(audioserver, hal_audio)
-hwallocator_use(audioserver)
+hal_client_domain(audioserver, hal_audio)
-r_dir_file(audioserver, proc)
-allow audioserver ion_device:chr_file r_file_perms;
allow audioserver system_file:dir r_dir_perms;
userdebug_or_eng(`
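Review bot: `hal_client_domain(audioserver, hal_audio)` is not a straight replacement for the three removed rules: per the macro in public/te_macros it also does `typeattribute audioserver hal_audio`, so every rule written against `hal_audio` in public/hal_audio.te (audio_device rw, ion_device read, the unix socket connect to bluetooth) now applies to audioserver too, which is presumably why the audio_device and bluetooth lines further down this file could be dropped. On a binderized device that is a broader grant than the removed explicit rules, and any future vendor rule added to `hal_audio` silently extends to audioserver as well. A comment beside the macro call would stop later readers from reading the deletions as a tightening: `# NOTE: also makes audioserver a member of hal_audio (passthrough support, b/34170079), so hal_audio's device/socket rules apply here too.`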
@@ -28,9 +24,6 @@
allow audioserver self:process ptrace;
')
-allow audioserver audio_device:dir r_dir_perms;
-allow audioserver audio_device:chr_file rw_file_perms;
-
add_service(audioserver, audioserver_service)
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
@@ -42,10 +35,6 @@
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
###
### neverallow rules
###
@@ -54,5 +43,14 @@
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
-# audioserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 5ea6027..b2369c1 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -22,14 +22,6 @@
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file create_file_perms;
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(bluetooth, sysfs_type)
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow bluetooth self:capability net_admin;
allow bluetooth self:capability2 wake_alarm;
@@ -64,9 +56,7 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
-# Perform HwBinder IPC.
-hwbinder_use(bluetooth)
-binder_call(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_bluetooth)
binder_call(bluetooth, hal_telephony)
read_runtime_log_tags(bluetooth)
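Review bot: `binder_call(bluetooth, hal_telephony)` is left as a hand-written rule directly under the new `hal_client_domain(bluetooth, hal_bluetooth)`, so this file now mixes the old and new HAL-client conventions. It cannot simply become `hal_client_domain(bluetooth, hal_telephony)` in this change, because public/attributes only declares `_client`/`_server` attributes for audio, bluetooth and camera, but a pointer would keep the next cleanup from missing it: `# TODO: switch to hal_client_domain once hal_telephony has client/server attributes.` Note also that the removed `binder_call(bluetooth, hal_bluetooth)` only covered the client-to-server direction; the callback direction now comes from the attribute rules in public/hal_bluetooth.te.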
diff --git a/private/crash_dump.te b/private/crash_dump.te
deleted file mode 100644
index b3e4d9a..0000000
--- a/private/crash_dump.te
+++ /dev/null
@@ -1,4 +0,0 @@
-### HACK: Make crash_dump permissive temporarily to catch denials without breaking backtraces.
-userdebug_or_eng(`
- permissive crash_dump;
-')
diff --git a/private/domain.te b/private/domain.te
index b1171f4..6f8814e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -8,7 +8,6 @@
neverallow {
domain
-vold
- -crash_dump
-dumpstate
-storaged
-system_server
diff --git a/private/file.te b/private/file.te
index 818a53d..da5f9ad 100644
--- a/private/file.te
+++ b/private/file.te
@@ -2,3 +2,6 @@
typealias audio_data_file alias audio_firmware_file;
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
+
+# /proc/config.gz
+type config_gz, fs_type;
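Review bot: `config_gz` is declared here and labeled onto /proc/config.gz in genfs_contexts, but no hunk in this change grants any domain access to it, so anything that read the kernel config through the generic `proc` label will now be denied — presumably intended, but the readers should land together with the type rather than be discovered from denials. Since the kernel config is useful reconnaissance (which mitigations and debug options are compiled in), it is also worth pinning the intent with a neverallow for untrusted code next to whatever grant follows, e.g. `neverallow untrusted_app config_gz:file { open read };`, subject to confirming no app-facing path relies on it. The `# /proc/config.gz` comment could say why the file gets its own label, e.g. `# /proc/config.gz: kernel build config; separated from proc so access can be restricted.`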
diff --git a/private/file_contexts b/private/file_contexts
index 31e813e..1754ffe 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -247,7 +247,7 @@
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
-/system/bin/hw/android\.hidl\.memory@1\.0-service u:object_r:hal_allocator_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_exec:s0
#############################
# Vendor files
diff --git a/private/genfs_contexts b/private/genfs_contexts
index efdfb42..0c50675 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,6 +2,7 @@
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
index 88fd42b..4fcb322 100644
--- a/private/hal_bluetooth_default.te
+++ b/private/hal_bluetooth_default.te
@@ -1,5 +1,5 @@
type hal_bluetooth_default, domain;
-hal_impl_domain(hal_bluetooth_default, hal_bluetooth)
+hal_server_domain(hal_bluetooth_default, hal_bluetooth)
type hal_bluetooth_default_exec, exec_type, file_type;
init_daemon_domain(hal_bluetooth_default)
diff --git a/private/hal_boot.te b/private/hal_boot.te
deleted file mode 100644
index 1307afd..0000000
--- a/private/hal_boot.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# may be started by init
-init_daemon_domain(hal_boot)
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
new file mode 100644
index 0000000..aa224ec
--- /dev/null
+++ b/private/halclientdomain.te
@@ -0,0 +1,7 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
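Review bot: The comment above `hwbinder_use(halclientdomain)` is missing its verb and does not say what the HwBinder access is actually for, which presumably is asking hwservicemanager whether a binderized server is registered before falling back to the in-process implementation. Suggest `# Talk to hwservicemanager to find out whether a HAL is running in` / `# passthrough/in-process mode or binderized/out-of-process mode.` — and confirm the wording against what hwbinder_use grants, since the macro body is not in this change.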
diff --git a/private/haldomain.te b/private/haldomain.te
deleted file mode 100644
index 2700940..0000000
--- a/private/haldomain.te
+++ /dev/null
@@ -1,8 +0,0 @@
-###
-### Rules for all HAL implementations
-###
-
-hwbinder_use(haldomain)
-
-# find passthrough hals
-allow haldomain system_file:dir r_dir_perms;
diff --git a/private/halserverdomain.te b/private/halserverdomain.te
new file mode 100644
index 0000000..7be8360
--- /dev/null
+++ b/private/halserverdomain.te
@@ -0,0 +1,9 @@
+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;
diff --git a/private/system_server.te b/private/system_server.te
index cba1ab3..e23a33c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -108,6 +108,7 @@
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
+allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
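Review bot: The new `allow system_server hal_camera:process { getsched setsched };` is wider than the neighbouring cameraserver line suggests, because after this change `hal_camera` is attached by hal_client_domain to cameraserver (and to any future camera client) as well as by hal_server_domain to the HAL server. That makes the explicit `cameraserver:process` line directly above redundant, and the same now holds for the hal_audio/audioserver pair. If the intent is only to let system_server adjust the HAL server's scheduling, `hal_camera_server` is the narrower target: `allow system_server hal_camera_server:process { getsched setsched };`, keeping the cameraserver line for the passthrough case.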
@@ -180,7 +181,6 @@
# Perform HwBinder IPC.
hwbinder_use(system_server)
hwallocator_use(system_server)
-binder_call(system_server, hal_bluetooth)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_contexthub)
binder_call(system_server, hal_fingerprint)
diff --git a/public/attributes b/public/attributes
index d9212fc..5c43d5e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -117,13 +117,21 @@
# recovery for A/B devices.
attribute update_engine_common;
-# All domains used for HAL implementations
-attribute haldomain;
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
# HALs
attribute hal_audio;
+attribute hal_audio_client;
+attribute hal_audio_server;
attribute hal_bluetooth;
+attribute hal_bluetooth_client;
+attribute hal_bluetooth_server;
attribute hal_camera;
+attribute hal_camera_client;
+attribute hal_camera_server;
attribute hal_configstore;
attribute hal_contexthub;
attribute hal_drm;
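Review bot: Only hal_audio, hal_bluetooth and hal_camera get `_client`/`_server` attributes here, yet the new `hal_server_domain`/`hal_client_domain` macros in te_macros unconditionally emit `typeattribute $1 $2_server` / `$2_client`, so calling either for any other HAL in this list (hal_configstore, hal_contexthub, hal_drm, ...) should fail policy compilation on an undeclared attribute — and the deprecation message in hal_impl_domain steers every vendor toward exactly that call. Either declare the pair for every HAL attribute now, or document the precondition where the attributes live: `# Each hal_foo used with hal_server_domain/hal_client_domain needs` / `# matching hal_foo_client and hal_foo_server attributes declared here.`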
diff --git a/public/cameraserver.te b/public/cameraserver.te
index a262940..f2364a7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -7,19 +7,9 @@
binder_call(cameraserver, appdomain)
binder_service(cameraserver)
-hwbinder_use(cameraserver)
-binder_call(cameraserver, hal_camera)
-binder_call(cameraserver, hwservicemanager)
+hal_client_domain(cameraserver, hal_camera)
-# access /data/misc/camera
-allow cameraserver camera_data_file:dir create_dir_perms;
-allow cameraserver camera_data_file:file create_file_perms;
-
-allow cameraserver video_device:dir r_dir_perms;
-allow cameraserver video_device:chr_file rw_file_perms;
-allow cameraserver camera_device:chr_file rw_file_perms;
allow cameraserver ion_device:chr_file rw_file_perms;
-allow cameraserver hal_graphics_allocator:fd use;
add_service(cameraserver, cameraserver_service)
allow cameraserver appops_service:service_manager find;
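Review bot: The surviving `allow cameraserver ion_device:chr_file rw_file_perms;` is now redundant with `allow hal_camera ion_device:chr_file rw_file_perms` in public/hal_camera.te, because hal_client_domain makes cameraserver a member of `hal_camera`; for the same reason the deleted camera_device, video_device, camera_data_file and hal_graphics_allocator lines are not a reduction of cameraserver's access, they are simply inherited now. Either drop the ion line too or leave a comment explaining why it stays explicit, e.g. `# Kept explicit: also granted via hal_camera membership (hal_client_domain).` The dropped `binder_call(cameraserver, hwservicemanager)` presumably relies on hwbinder_use covering hwservicemanager; confirm, since that macro is not part of this change.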
@@ -31,9 +21,6 @@
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
-# For HIDL hwservicemanager
-allow cameraserver system_file:dir r_dir_perms;
-
###
### neverallow rules
###
@@ -42,5 +29,14 @@
# domain transition
neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-# cameraserver should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index e1327e4..a0e278a 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -19,7 +19,10 @@
# Use inherited file descriptors
allow crash_dump domain:fd use;
-allow crash_dump domain:fifo_file write;
+
+# Write to the IPC pipe inherited from crashing processes.
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { write append };
r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;
@@ -28,6 +31,9 @@
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
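Review bot: `r_dir_file(crash_dump, apk_data_file);` carries a trailing semicolon while the neighbouring `r_dir_file(crash_dump, domain)` does not; the macro already expands to terminated statements, so drop it for consistency: `r_dir_file(crash_dump, apk_data_file)`. The `# Read APK files.` comment gives the what but not the why — presumably unwinding/symbolizing code mapped directly from APKs — so say that and confirm with the debuggerd owners. The new `domain:fifo_file { write append }` rule also reads broader than it is: pipes labeled with a domain type are the unnamed pipes created by that process, while named FIFOs on disk carry file types, and the comment could make that distinction explicit.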
diff --git a/public/domain.te b/public/domain.te
index 9993f2f..e2c71da 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -378,7 +378,7 @@
-system_server
-shell # Shell is further restricted in shell.te
-ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file rw_file_perms;
+} frp_block_device:blk_file no_rw_file_perms;
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
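Review bot: Changing this neverallow's permission set from `rw_file_perms` to `no_rw_file_perms` is a relaxation, not a tweak: per its definition in global_macros (not in this diff) `no_rw_file_perms` lists the mutating permissions (create/write/append/setattr/relabel/unlink/link/rename) and no longer includes `read`, `open`, `ioctl`, `lock` or `getattr`, so a domain outside the exclusion list can now be granted read access to the FRP partition without tripping the build-time check. If the motivation is the new `allow fsck dev_type:blk_file getattr;` in fsck.te, the narrower fix is to exempt only getattr, e.g. `} frp_block_device:blk_file { no_rw_file_perms open read ioctl lock };`, with a comment saying that is why getattr is absent. The neverallow statement starts above this hunk, so the full exclusion list is not visible here.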
diff --git a/public/fsck.te b/public/fsck.te
index 2f0a838..8f3b17a 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,9 +19,16 @@
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
-# fsck performs a stat() on swap to verify that it is a valid
-# swap device before setting the EXT2_MF_SWAP mount flag.
-allow fsck swap_block_device:blk_file getattr;
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
r_dir_file(fsck, proc)
allow fsck rootfs:dir r_dir_perms;
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index 98806dd..a9dd805 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -14,6 +14,17 @@
r_dir_file(fsck_untrusted, proc)
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
###
### neverallow rules
###
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 15d0e41..1d27c81 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -1,7 +1,10 @@
-binder_use(hal_audio)
-binder_call(hal_audio, audioserver)
-binder_call(hal_audio, system_server)
-hwallocator_use(hal_audio)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+# Both client and the server need to use hwallocator
+hwallocator_use(hal_audio_client)
+hwallocator_use(hal_audio_server)
allow hal_audio ion_device:chr_file r_file_perms;
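Review bot: `allow hal_audio ion_device:chr_file r_file_perms;` is left on the umbrella attribute right under the new client/server split, and with this change `hal_audio` includes the clients (hal_client_domain does `typeattribute $1 hal_audio`), so audioserver receives it too — consistent with the explicit audioserver ion line being removed in private/audioserver.te, but worth stating so nobody later "tightens" it to `hal_audio_server` by accident. Dropping `binder_use(hal_audio)` and the direct calls to system_server is a genuine tightening (the default HAL presumably now reaches only /dev/hwbinder via halserverdomain), and the header comment could say so rather than only describing the callbacks: `# hal_audio no longer uses /dev/binder; it is reached only over HwBinder.` Confirm no vendor audio HAL still registers a regular binder service.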
@@ -17,8 +20,6 @@
allow hal_audio audio_device:dir r_dir_perms;
allow hal_audio audio_device:chr_file rw_file_perms;
-allow hal_audio scheduling_policy_service:service_manager find;
-
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(hal_audio, bluetooth, bluetooth)
@@ -27,10 +28,9 @@
### neverallow rules
###
-# hal_audio should never execute any executable without
-# a domain transition
+# Should never execute any executable without a domain transition
neverallow hal_audio { file_type fs_type }:file execute_no_trans;
-# hal_audio should never need network access.
+# Should never need network access.
# Disallow network sockets.
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 3e132b9..207f718 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,7 +1,6 @@
-r_dir_file(hal_bluetooth, system_file)
-
-# call into the Bluetooth process (callbacks)
-binder_call(hal_bluetooth, bluetooth)
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_bluetooth_client, hal_bluetooth_server)
+binder_call(hal_bluetooth_server, hal_bluetooth_client)
wakelock_use(hal_bluetooth);
diff --git a/public/hal_boot.te b/public/hal_boot.te
index 4e7ba9e..870f1e4 100644
--- a/public/hal_boot.te
+++ b/public/hal_boot.te
@@ -1,8 +1,5 @@
# boot_control subsystem
type hal_boot, domain, boot_control_hal;
-hal_impl_domain(hal_boot)
-
-type hal_boot_exec, exec_type, file_type;
# call into system_server process (callbacks)
binder_call(hal_boot, system_server)
diff --git a/public/hal_camera.te b/public/hal_camera.te
index b879c98..02b8e77 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -1,5 +1,6 @@
-hwbinder_use(hal_camera)
-binder_call(hal_camera, cameraserver)
+# HwBinder IPC from clients to server and callbacks
+binder_call(hal_camera_client, hal_camera_server)
+binder_call(hal_camera_server, hal_camera_client)
# access /data/misc/camera
allow hal_camera camera_data_file:dir create_dir_perms;
@@ -9,7 +10,8 @@
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
-allow hal_camera hal_graphics_allocator:fd use;
+# Both the client and the server need to use the graphics allocator
+allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
###
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 6b4d677..f8986de 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -31,5 +31,14 @@
# domain transition
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
-# mediacodec should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index deecc00..dc7c90e 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -25,5 +25,14 @@
# domain transition
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-# mediaextractor should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 84d184b..ce2dab7 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -22,5 +22,14 @@
# domain transition
neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-# mediametrics should never need network access. Disallow network sockets.
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/te_macros b/public/te_macros
index 4e33427..a98ba7e 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -148,6 +148,7 @@
typeattribute $1 bluetoothdomain;
')
+# TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
#####################################
# hal_impl_domain(domain[, hal_type_attr])
# Allow a base set of permissions required for a domain to host a
@@ -163,11 +164,47 @@
# hal_impl_domain(hal_foo_default, hal_foo)
#
define(`hal_impl_domain', `
-typeattribute $1 haldomain;
+print(`deprecated: hal_impl_domain($1, $2) Please use hal_server_domain($1, $2) instead.');
+typeattribute $1 halserverdomain;
ifelse($2, `', `', `typeattribute $1 $2;')
')
#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+# type hal_foo_default, domain;
+# hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+# hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional,
+# once we know at build time whether a HAL is going to run in
+# passthrough or binderized mode.
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+')
+
+#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
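Review bot: `hal_client_domain` makes the client a full member of the HAL attribute (`typeattribute $1 $2;`), so every allow written against `hal_foo` — device nodes, sockets, vendor additions — is silently granted to every client, and every neverallow on `hal_foo` now constrains the client too; the TODO explains the passthrough motivation but not this consequence, which is the thing a policy author adding rules to `hal_foo` most needs to know. Suggest adding to the macro header: `# NOTE: until b/34170079 the client also becomes a member of hal_type, so` / `# every rule (allow or neverallow) on hal_type applies to clients as well.` Separately, `print(...)` in hal_impl_domain is not an m4 builtin (`errprint` is); unless `print` is defined elsewhere in the policy sources, it is emitted literally into the policy text, so confirm that a build with a remaining hal_impl_domain caller (vendor/hal_boot.te in this same change) still compiles and actually prints the deprecation.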
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7fc467e..7fda294 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,28 +1,28 @@
#############################
# Default HALs
#
-/vendor/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
-/vendor/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
-/vendor/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
-/vendor/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
-/vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
-/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
-/vendor/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
-/vendor/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
-/vendor/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
-/vendor/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
-/vendor/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
-/vendor/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
-/vendor/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
-/vendor/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
-/vendor/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
-/vendor/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
-/vendor/bin/hw/android\.hardware\.thermal@1\.0-service u:object_r:hal_thermal_default_exec:s0
-/vendor/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
-/vendor/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
-/vendor/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
-/vendor/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.0-service u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
diff --git a/private/hal_audio_default.te b/vendor/hal_audio_default.te
similarity index 71%
rename from private/hal_audio_default.te
rename to vendor/hal_audio_default.te
index 93ffd8e..4811f4d 100644
--- a/private/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -1,5 +1,5 @@
type hal_audio_default, domain;
-hal_impl_domain(hal_audio_default, hal_audio)
+hal_server_domain(hal_audio_default, hal_audio)
type hal_audio_default_exec, exec_type, file_type;
init_daemon_domain(hal_audio_default)
diff --git a/vendor/hal_boot.te b/vendor/hal_boot.te
new file mode 100644
index 0000000..666eacd
--- /dev/null
+++ b/vendor/hal_boot.te
@@ -0,0 +1,6 @@
+# boot_control subsystem
+
+hal_impl_domain(hal_boot)
+
+type hal_boot_exec, exec_type, file_type;
+init_daemon_domain(hal_boot)
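Review bot: This new file calls `hal_impl_domain(hal_boot)`, the macro that this same change marks deprecated and makes emit a warning, so the policy ships with a deprecation it cannot itself satisfy. hal_boot is a concrete type (public/hal_boot.te) rather than a `hal_boot_default` domain paired with a `hal_boot` attribute plus `_client`/`_server` attributes, so it cannot simply switch to `hal_server_domain`; either do that split here or leave a pointer: `# TODO: convert to hal_server_domain once hal_boot is split into an attribute and a default implementation.` The `hal_boot_exec` type also moves from public to vendor policy here; confirm nothing in public policy still references it.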
diff --git a/private/hal_camera_default.te b/vendor/hal_camera_default.te
similarity index 71%
rename from private/hal_camera_default.te
rename to vendor/hal_camera_default.te
index a97989a..8fdb4f0 100644
--- a/private/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -1,5 +1,5 @@
type hal_camera_default, domain;
-hal_impl_domain(hal_camera_default, hal_camera)
+hal_server_domain(hal_camera_default, hal_camera)
type hal_camera_default_exec, exec_type, file_type;
init_daemon_domain(hal_camera_default)
diff --git a/private/hal_configstore_default.te b/vendor/hal_configstore_default.te
similarity index 100%
rename from private/hal_configstore_default.te
rename to vendor/hal_configstore_default.te
diff --git a/private/hal_contexthub_default.te b/vendor/hal_contexthub_default.te
similarity index 100%
rename from private/hal_contexthub_default.te
rename to vendor/hal_contexthub_default.te
diff --git a/private/hal_drm_default.te b/vendor/hal_drm_default.te
similarity index 100%
rename from private/hal_drm_default.te
rename to vendor/hal_drm_default.te
diff --git a/private/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
similarity index 100%
rename from private/hal_dumpstate_default.te
rename to vendor/hal_dumpstate_default.te
diff --git a/private/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
similarity index 100%
rename from private/hal_fingerprint_default.te
rename to vendor/hal_fingerprint_default.te
diff --git a/private/hal_gatekeeper_default.te b/vendor/hal_gatekeeper_default.te
similarity index 100%
rename from private/hal_gatekeeper_default.te
rename to vendor/hal_gatekeeper_default.te
diff --git a/private/hal_gnss_default.te b/vendor/hal_gnss_default.te
similarity index 100%
rename from private/hal_gnss_default.te
rename to vendor/hal_gnss_default.te
diff --git a/private/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
similarity index 100%
rename from private/hal_graphics_allocator_default.te
rename to vendor/hal_graphics_allocator_default.te
diff --git a/private/hal_health_default.te b/vendor/hal_health_default.te
similarity index 100%
rename from private/hal_health_default.te
rename to vendor/hal_health_default.te
diff --git a/private/hal_ir_default.te b/vendor/hal_ir_default.te
similarity index 100%
rename from private/hal_ir_default.te
rename to vendor/hal_ir_default.te
diff --git a/private/hal_keymaster.te b/vendor/hal_keymaster_default.te
similarity index 100%
rename from private/hal_keymaster.te
rename to vendor/hal_keymaster_default.te
diff --git a/private/hal_light_default.te b/vendor/hal_light_default.te
similarity index 100%
rename from private/hal_light_default.te
rename to vendor/hal_light_default.te
diff --git a/private/hal_memtrack_default.te b/vendor/hal_memtrack_default.te
similarity index 100%
rename from private/hal_memtrack_default.te
rename to vendor/hal_memtrack_default.te
diff --git a/private/hal_nfc_default.te b/vendor/hal_nfc_default.te
similarity index 100%
rename from private/hal_nfc_default.te
rename to vendor/hal_nfc_default.te
diff --git a/private/hal_power_default.te b/vendor/hal_power_default.te
similarity index 100%
rename from private/hal_power_default.te
rename to vendor/hal_power_default.te
diff --git a/private/hal_sensors_default.te b/vendor/hal_sensors_default.te
similarity index 100%
rename from private/hal_sensors_default.te
rename to vendor/hal_sensors_default.te
diff --git a/private/hal_thermal_default.te b/vendor/hal_thermal_default.te
similarity index 100%
rename from private/hal_thermal_default.te
rename to vendor/hal_thermal_default.te
diff --git a/private/hal_usb_default.te b/vendor/hal_usb_default.te
similarity index 100%
rename from private/hal_usb_default.te
rename to vendor/hal_usb_default.te
diff --git a/private/hal_vibrator_default.te b/vendor/hal_vibrator_default.te
similarity index 100%
rename from private/hal_vibrator_default.te
rename to vendor/hal_vibrator_default.te
diff --git a/private/hal_vr_default.te b/vendor/hal_vr_default.te
similarity index 100%
rename from private/hal_vr_default.te
rename to vendor/hal_vr_default.te
diff --git a/private/hal_wifi_default.te b/vendor/hal_wifi_default.te
similarity index 100%
rename from private/hal_wifi_default.te
rename to vendor/hal_wifi_default.te