Move microdroid sepolicy to system/sepolicy
Bug: 190511750
Test: boot microdroid
Change-Id: I4aa4a56e9be5103d70469c3508110a973f3e4f12
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
new file mode 100644
index 0000000..42909d8
--- /dev/null
+++ b/microdroid/Android.bp
@@ -0,0 +1,307 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // the below license kinds from "system_sepolicy_license":
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+system_policy_files = [
+ "system/private/security_classes",
+ "system/private/initial_sids",
+ "system/private/access_vectors",
+ "system/public/global_macros",
+ "system/public/neverallow_macros",
+ "system/private/mls_macros",
+ "system/private/mls_decl",
+ "system/private/mls",
+ "system/private/policy_capabilities",
+ "system/public/te_macros",
+ "system/public/attributes",
+ "system/private/attributes",
+ "system/public/ioctl_defines",
+ "system/public/ioctl_macros",
+ "system/public/*.te",
+ "system/private/*.te",
+ "system/private/roles_decl",
+ "system/public/roles",
+ "system/private/users",
+ "system/private/initial_sid_contexts",
+ "system/private/fs_use",
+ "system/private/genfs_contexts",
+ "system/private/port_contexts",
+]
+
+reqd_mask_files = [
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "reqd_mask/reqd_mask.te",
+ "reqd_mask/roles_decl",
+ "reqd_mask/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+]
+
+system_public_policy_files = [
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "system/public/global_macros",
+ "system/public/neverallow_macros",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "system/public/te_macros",
+ "system/public/attributes",
+ "system/public/ioctl_defines",
+ "system/public/ioctl_macros",
+ "system/public/*.te",
+ "reqd_mask/reqd_mask.te",
+ "reqd_mask/roles_decl",
+ "reqd_mask/roles",
+ "system/public/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+]
+
+vendor_policy_files = [
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "system/public/global_macros",
+ "system/public/neverallow_macros",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "system/public/te_macros",
+ "system/public/attributes",
+ "system/public/ioctl_defines",
+ "system/public/ioctl_macros",
+ "system/public/*.te",
+ "reqd_mask/reqd_mask.te",
+ "vendor/*.te",
+ "reqd_mask/roles_decl",
+ "reqd_mask/roles",
+ "system/public/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+]
+
+se_policy_conf {
+ name: "microdroid_reqd_policy_mask.conf",
+ srcs: reqd_mask_files,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "microdroid_reqd_policy_mask.cil",
+ src: ":microdroid_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "microdroid_plat_sepolicy.conf",
+ srcs: system_policy_files,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "microdroid_plat_sepolicy.cil",
+ stem: "plat_sepolicy.cil",
+ src: ":microdroid_plat_sepolicy.conf",
+ installable: false,
+}
+
+se_policy_conf {
+ name: "microdroid_plat_pub_policy.conf",
+ srcs: system_public_policy_files,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "microdroid_plat_pub_policy.cil",
+ src: ":microdroid_plat_pub_policy.conf",
+ filter_out: [":microdroid_reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "microdroid_plat_mapping_file",
+ base: ":microdroid_plat_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "microdroid_plat_pub_versioned.cil",
+ stem: "plat_pub_versioned.cil",
+ base: ":microdroid_plat_pub_policy.cil",
+ target_policy: ":microdroid_plat_pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":microdroid_plat_sepolicy.cil",
+ ":microdroid_plat_mapping_file",
+ ],
+ installable: false,
+}
+
+se_policy_conf {
+ name: "microdroid_vendor_sepolicy.conf",
+ srcs: vendor_policy_files,
+ installable: false,
+}
+
+se_policy_cil {
+ name: "microdroid_vendor_sepolicy.cil.raw",
+ src: ":microdroid_vendor_sepolicy.conf",
+ filter_out: [":microdroid_reqd_policy_mask.cil"],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "microdroid_vendor_sepolicy.cil",
+ stem: "vendor_sepolicy.cil",
+ base: ":microdroid_plat_pub_policy.cil",
+ target_policy: ":microdroid_vendor_sepolicy.cil.raw",
+ version: "current", // microdroid is bundled to system
+ dependent_cils: [
+ ":microdroid_plat_sepolicy.cil",
+ ":microdroid_plat_pub_versioned.cil",
+ ":microdroid_plat_mapping_file",
+ ],
+ filter_out: [":microdroid_plat_pub_versioned.cil"],
+ installable: false,
+}
+
+sepolicy_vers {
+ name: "microdroid_plat_sepolicy_vers.txt",
+ version: "platform",
+ stem: "plat_sepolicy_vers.txt",
+ installable: false,
+}
+
+// sepolicy sha256 for vendor
+genrule {
+ name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
+ srcs: [":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file"],
+ out: ["microdroid_plat_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "microdroid_plat_sepolicy_and_mapping.sha256",
+ src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
+ filename: "plat_sepolicy_and_mapping.sha256",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
+ filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+genrule {
+ name: "microdroid_precompiled_sepolicy_gen",
+ tools: ["secilc"],
+ srcs: [
+ ":microdroid_plat_sepolicy.cil",
+ ":microdroid_plat_mapping_file",
+ ":microdroid_plat_pub_versioned.cil",
+ ":microdroid_vendor_sepolicy.cil",
+ ],
+ out: ["precompiled_sepolicy"],
+ cmd: "$(location secilc) -m -M true -G -c 30 $(in) -o $(out) -f /dev/null",
+}
+
+prebuilt_etc {
+ name: "microdroid_precompiled_sepolicy",
+ src: ":microdroid_precompiled_sepolicy_gen",
+ filename: "precompiled_sepolicy",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+genrule {
+ name: "microdroid_file_contexts.gen",
+ srcs: ["system/private/file_contexts"],
+ tools: ["fc_sort"],
+ out: ["file_contexts"],
+ cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+ "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
+
+prebuilt_etc {
+ name: "microdroid_file_contexts",
+ filename: "plat_file_contexts",
+ src: ":microdroid_file_contexts.gen",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+genrule {
+ name: "microdroid_vendor_file_contexts.gen",
+ srcs: ["vendor/file_contexts"],
+ tools: ["fc_sort"],
+ out: ["file_contexts"],
+ cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+ "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
+
+prebuilt_etc {
+ name: "microdroid_hwservice_contexts",
+ filename: "plat_hwservice_contexts",
+ src: "system/private/hwservice_contexts",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "microdroid_property_contexts",
+ filename: "plat_property_contexts",
+ src: "system/private/property_contexts",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "microdroid_service_contexts",
+ filename: "plat_service_contexts",
+ src: "system/private/service_contexts",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "microdroid_keystore2_key_contexts",
+ filename: "plat_keystore2_key_contexts",
+ src: "system/private/keystore2_key_contexts",
+ relative_install_path: "selinux",
+ installable: false,
+}
diff --git a/microdroid/reqd_mask/access_vectors b/microdroid/reqd_mask/access_vectors
new file mode 100644
index 0000000..22f2ffa
--- /dev/null
+++ b/microdroid/reqd_mask/access_vectors
@@ -0,0 +1,777 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+ unlink
+ link
+ rename
+ execute
+ quotaon
+ mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+ perfmon
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ associate
+ quotamod
+ quotaget
+ watch
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class anon_inode
+inherits file
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+ getrlimit
+}
+
+class process2
+{
+ nnp_transition
+ nosuid_transition
+}
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+ validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+ module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_readpriv
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+ attach_queue
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_endport
+{
+ manage_subnet
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+ association
+}
+
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
+class property_service
+{
+ set
+}
+
+class service_manager
+{
+ add
+ find
+ list
+}
+
+class hwservice_manager
+{
+ add
+ find
+ list
+}
+
+class keystore_key
+{
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+ gen_unique_id
+}
+
+class keystore2
+{
+ add_auth
+ change_password
+ change_user
+ clear_ns
+ clear_uid
+ early_boot_ended
+ get_auth_token
+ get_state
+ list
+ lock
+ report_off_body
+ reset
+ unlock
+}
+
+class keystore2_key
+{
+ convert_storage_key_to_ephemeral
+ delete
+ gen_unique_id
+ get_info
+ grant
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+ use_dev_id
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
+
+class xdp_socket
+inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
+
+class lockdown
+{
+ integrity
+ confidentiality
+}
diff --git a/microdroid/reqd_mask/initial_sid_contexts b/microdroid/reqd_mask/initial_sid_contexts
new file mode 100644
index 0000000..aa465cd
--- /dev/null
+++ b/microdroid/reqd_mask/initial_sid_contexts
@@ -0,0 +1 @@
+sid reqd_mask u:r:reqd_mask_type:s0
diff --git a/microdroid/reqd_mask/initial_sids b/microdroid/reqd_mask/initial_sids
new file mode 100644
index 0000000..366cfb1
--- /dev/null
+++ b/microdroid/reqd_mask/initial_sids
@@ -0,0 +1,3 @@
+sid reqd_mask
+
+# FLASK
diff --git a/microdroid/reqd_mask/keys.conf b/microdroid/reqd_mask/keys.conf
new file mode 100644
index 0000000..ce7166b
--- /dev/null
+++ b/microdroid/reqd_mask/keys.conf
@@ -0,0 +1,2 @@
+# empty keys.conf file - used to generate an empty nonplat_mac_permissions.xml
+# on devices without any keys.conf or mac_permissions additions.
diff --git a/microdroid/reqd_mask/mac_permissions.xml b/microdroid/reqd_mask/mac_permissions.xml
new file mode 100644
index 0000000..ef9c6dd
--- /dev/null
+++ b/microdroid/reqd_mask/mac_permissions.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+</policy>
diff --git a/microdroid/reqd_mask/mls b/microdroid/reqd_mask/mls
new file mode 100644
index 0000000..d276924
--- /dev/null
+++ b/microdroid/reqd_mask/mls
@@ -0,0 +1 @@
+mlsconstrain binder { set_context_mgr } (l1 eq l2);
diff --git a/microdroid/reqd_mask/mls_decl b/microdroid/reqd_mask/mls_decl
new file mode 100644
index 0000000..dd53bea
--- /dev/null
+++ b/microdroid/reqd_mask/mls_decl
@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
diff --git a/microdroid/reqd_mask/mls_macros b/microdroid/reqd_mask/mls_macros
new file mode 100644
index 0000000..83e0542
--- /dev/null
+++ b/microdroid/reqd_mask/mls_macros
@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/microdroid/reqd_mask/property_contexts b/microdroid/reqd_mask/property_contexts
new file mode 100644
index 0000000..8e0bdbb
--- /dev/null
+++ b/microdroid/reqd_mask/property_contexts
@@ -0,0 +1,3 @@
+# empty property_contexts file - this file is used to generate an empty
+# non-platform property context for devices without any property_contexts
+# customizations.
diff --git a/microdroid/reqd_mask/reqd_mask.te b/microdroid/reqd_mask/reqd_mask.te
new file mode 100644
index 0000000..f77eef4
--- /dev/null
+++ b/microdroid/reqd_mask/reqd_mask.te
@@ -0,0 +1 @@
+type reqd_mask_type;
diff --git a/microdroid/reqd_mask/roles b/microdroid/reqd_mask/roles
new file mode 100644
index 0000000..926cb7a
--- /dev/null
+++ b/microdroid/reqd_mask/roles
@@ -0,0 +1 @@
+role r types reqd_mask_type;
diff --git a/microdroid/reqd_mask/roles_decl b/microdroid/reqd_mask/roles_decl
new file mode 100644
index 0000000..c84fcba
--- /dev/null
+++ b/microdroid/reqd_mask/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/microdroid/reqd_mask/seapp_contexts b/microdroid/reqd_mask/seapp_contexts
new file mode 100644
index 0000000..0f4e0ad
--- /dev/null
+++ b/microdroid/reqd_mask/seapp_contexts
@@ -0,0 +1,2 @@
+# empty seapp_contexts file - used to generate an empty seapp_contexts for
+# devices without any non-platform seapp_contexts customizations.
diff --git a/microdroid/reqd_mask/security_classes b/microdroid/reqd_mask/security_classes
new file mode 100644
index 0000000..200b030
--- /dev/null
+++ b/microdroid/reqd_mask/security_classes
@@ -0,0 +1,167 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class anon_inode
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+class process2
+
+class bpf
+
+class xdp_socket
+
+class perf_event
+
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
+# Property service
+class property_service # userspace
+
+# Service manager
+class service_manager # userspace
+
+# hardware service manager # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key # userspace
+
+# Keystore 2.0 permissions
+class keystore2 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key # userspace
+
+class drmservice # userspace
+# FLASK
diff --git a/microdroid/reqd_mask/service_contexts b/microdroid/reqd_mask/service_contexts
new file mode 100644
index 0000000..481967b
--- /dev/null
+++ b/microdroid/reqd_mask/service_contexts
@@ -0,0 +1,3 @@
+# empty service_contexts file - this file is used to generate an empty
+# non-platform service_context for devices without any service_contexts
+# customizations.
diff --git a/microdroid/reqd_mask/users b/microdroid/reqd_mask/users
new file mode 100644
index 0000000..51b7b57
--- /dev/null
+++ b/microdroid/reqd_mask/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
new file mode 100644
index 0000000..22f2ffa
--- /dev/null
+++ b/microdroid/system/private/access_vectors
@@ -0,0 +1,777 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+ unlink
+ link
+ rename
+ execute
+ quotaon
+ mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+ perfmon
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ associate
+ quotamod
+ quotaget
+ watch
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class anon_inode
+inherits file
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+ getrlimit
+}
+
+class process2
+{
+ nnp_transition
+ nosuid_transition
+}
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+ validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+ module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_readpriv
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+ attach_queue
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_endport
+{
+ manage_subnet
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+ association
+}
+
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
+class property_service
+{
+ set
+}
+
+class service_manager
+{
+ add
+ find
+ list
+}
+
+class hwservice_manager
+{
+ add
+ find
+ list
+}
+
+class keystore_key
+{
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+ gen_unique_id
+}
+
+class keystore2
+{
+ add_auth
+ change_password
+ change_user
+ clear_ns
+ clear_uid
+ early_boot_ended
+ get_auth_token
+ get_state
+ list
+ lock
+ report_off_body
+ reset
+ unlock
+}
+
+class keystore2_key
+{
+ convert_storage_key_to_ephemeral
+ delete
+ gen_unique_id
+ get_info
+ grant
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+ use_dev_id
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
+
+class xdp_socket
+inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
+
+class lockdown
+{
+ integrity
+ confidentiality
+}
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
new file mode 100644
index 0000000..2ebf9d8
--- /dev/null
+++ b/microdroid/system/private/adbd.te
@@ -0,0 +1,44 @@
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+init_daemon_domain(adbd)
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+ allow adbd self:process setcurrent;
+ allow adbd su:process dyntransition;
+')
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:global_capability_class_set { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:global_capability_class_set setpcap;
+
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit adbd self:{ socket vsock_socket } create;
+
+# Allow adbd inside vm to forward vm's vsock.
+allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+allow adbd tmpfs:dir search;
+
+allow adbd rootfs:dir r_dir_perms;
+
+# Connect to shell and use a socket transferred from it.
+# Used for e.g. abb.
+allow adbd shell:unix_stream_socket { read write shutdown };
+allow adbd shell:fd use;
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
new file mode 100644
index 0000000..621b1a8
--- /dev/null
+++ b/microdroid/system/private/apexd.te
@@ -0,0 +1,87 @@
+typeattribute apexd coredomain;
+
+init_daemon_domain(apexd)
+
+# allow apexd to create loop devices with /dev/loop-control
+allow apexd loop_control_device:chr_file rw_file_perms;
+# allow apexd to access loop devices
+allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+ LOOP_CONFIGURE
+};
+# allow apexd to access /dev/block
+allow apexd block_device:dir r_dir_perms;
+
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
+# allow apexd to access /dev/block/dm-* (device-mapper entries)
+allow apexd dm_device:chr_file rw_file_perms;
+allow apexd dm_device:blk_file rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+# dac_override, chown, and fowner are needed for snapshot and restore
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
+
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for apexd to operate.
+dontaudit apexd self:global_capability_class_set fsetid;
+
+# allow apexd to create a mount point in /apex
+allow apexd apex_mnt_dir:dir create_dir_perms;
+# allow apexd to mount in /apex
+allow apexd apex_mnt_dir:filesystem { mount unmount };
+allow apexd apex_mnt_dir:dir mounton;
+# allow apexd to create symlinks in /apex
+allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
+allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
+allow apexd apex_info_file:file relabelto;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
+
+# Unmount and mount filesystems
+allow apexd labeledfs:filesystem { mount unmount };
+
+# /sys directory tree traversal
+allow apexd sysfs_type:dir search;
+# Configure read-ahead of dm-verity and loop devices
+# for dm-X
+allow apexd sysfs_dm:dir r_dir_perms;
+allow apexd sysfs_dm:file rw_file_perms;
+# for loopX
+allow apexd sysfs_loop:dir r_dir_perms;
+allow apexd sysfs_loop:file rw_file_perms;
+
+# Allow apexd to log to the kernel.
+allow apexd kmsg_device:chr_file w_file_perms;
+
+# Apex pre- & post-install permission.
+
+# Allow self-execute for the fork mount helper.
+allow apexd apexd_exec:file execute_no_trans;
+
+# Unshare and make / private so that hooks cannot influence the
+# running system.
+allow apexd rootfs:dir mounton;
+
+# apexd is using bootstrap bionic
+allow apexd system_bootstrap_lib_file:dir r_dir_perms;
+allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+
+# Allow apexd to read file contexts when performing restorecon
+allow apexd file_contexts_file:file r_file_perms;
+
+#-------------------------------------------
+allow apexd kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
new file mode 100644
index 0000000..8974a1d
--- /dev/null
+++ b/microdroid/system/private/apkdmverity.te
@@ -0,0 +1,29 @@
+# apkdmverity is a program that protects a signed APK file using dm-verity.
+
+type apkdmverity, domain, coredomain;
+type apkdmverity_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(apkdmverity)
+
+# apkdmverity accesses "payload metadata disk" which points to
+# a /dev/vd* block device file.
+allow apkdmverity block_device:dir r_dir_perms;
+allow apkdmverity block_device:lnk_file r_file_perms;
+allow apkdmverity vd_device:blk_file r_file_perms;
+
+# allow apkdmverity to create dm-verity devices
+allow apkdmverity dm_device:{chr_file blk_file} rw_file_perms;
+# sys_admin is required to access the device-mapper and mount
+allow apkdmverity self:global_capability_class_set sys_admin;
+
+# allow apkdmverity to create loop devices with /dev/loop-control
+allow apkdmverity loop_control_device:chr_file rw_file_perms;
+
+# allow apkdmverity to access loop devices
+allow apkdmverity loop_device:blk_file rw_file_perms;
+allowxperm apkdmverity loop_device:blk_file ioctl {
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_DIRECT_IO
+};
diff --git a/microdroid/system/private/attributes b/microdroid/system/private/attributes
new file mode 100644
index 0000000..991bac1
--- /dev/null
+++ b/microdroid/system/private/attributes
@@ -0,0 +1,12 @@
+hal_attribute(lazy_test);
+
+# This is applied to apps on vendor images with SDK <=30 only,
+# to exempt them from recent mls changes. It must not be applied
+# to any domain on newer system or vendor image.
+attribute mlsvendorcompat;
+
+# Attributes for property types having both system_property_type
+# and vendor_property_type. Such types are ill-formed because
+# property owner attributes must be exclusive.
+attribute system_and_vendor_property_type;
+expandattribute system_and_vendor_property_type false;
diff --git a/microdroid/system/private/binderservicedomain.te b/microdroid/system/private/binderservicedomain.te
new file mode 100644
index 0000000..99006bf
--- /dev/null
+++ b/microdroid/system/private/binderservicedomain.te
@@ -0,0 +1,5 @@
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
+
+use_keystore(binderservicedomain)
diff --git a/microdroid/system/private/bug_map b/microdroid/system/private/bug_map
new file mode 100644
index 0000000..5b042ae
--- /dev/null
+++ b/microdroid/system/private/bug_map
@@ -0,0 +1,35 @@
+dnsmasq netd fifo_file b/77868789
+dnsmasq netd unix_stream_socket b/77868789
+gmscore_app system_data_file dir b/146166941
+init app_data_file file b/77873135
+init cache_file blk_file b/77873135
+init logpersist file b/77873135
+init nativetest_data_file dir b/77873135
+init pstorefs dir b/77873135
+init shell_data_file dir b/77873135
+init shell_data_file file b/77873135
+init shell_data_file lnk_file b/77873135
+init shell_data_file sock_file b/77873135
+init system_data_file chr_file b/77873135
+isolated_app privapp_data_file dir b/119596573
+isolated_app app_data_file dir b/120394782
+mediaextractor app_data_file file b/77923736
+mediaextractor radio_data_file file b/77923736
+mediaprovider cache_file blk_file b/77925342
+mediaprovider mnt_media_rw_file dir b/77925342
+mediaprovider shell_data_file dir b/77925342
+mediaswcodec ashmem_device chr_file b/142679232
+netd priv_app unix_stream_socket b/77870037
+netd untrusted_app unix_stream_socket b/77870037
+netd untrusted_app_25 unix_stream_socket b/77870037
+netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
+platform_app nfc_data_file dir b/74331887
+system_server crash_dump process b/73128755
+system_server overlayfs_file file b/142390309
+system_server sdcardfs file b/77856826
+system_server zygote process b/77856826
+untrusted_app untrusted_app netlink_route_socket b/155595000
+vold system_data_file file b/124108085
+zygote untrusted_app_25 process b/77925912
+zygote labeledfs filesystem b/170748799
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
new file mode 100644
index 0000000..90587fa
--- /dev/null
+++ b/microdroid/system/private/crash_dump.te
@@ -0,0 +1,71 @@
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+allow crash_dump kmsg_debug_device:chr_file { open append };
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read all /vendor
+r_dir_file(crash_dump, vendor_file)
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+# crash_dump writes out logcat logs at the bottom of tombstones,
+# which is super useful in some cases.
+unix_socket_connect(crash_dump, logdr, logd)
+
+# Crash dump is not intended to access the following files. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+ core_data_file_type
+ vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
+dontaudit crash_dump property_type:file read;
+
+# Suppress denials for files in /proc that are passed
+# across exec().
+dontaudit crash_dump proc_type:file rw_file_perms;
+
+typeattribute crash_dump coredomain;
+
+# Crash dump does not need to access devices passed across exec().
+dontaudit crash_dump { devpts dev_type }:chr_file { read write };
+
+allow crash_dump {
+ domain
+ -apexd
+ -crash_dump
+ -init
+ -kernel
+ -keystore
+ -logd
+ -ueventd
+ -vendor_init
+}:process { ptrace signal sigchld sigstop sigkill };
+
+userdebug_or_eng(`
+ allow crash_dump {
+ apexd
+ keystore
+ logd
+ }:process { ptrace signal sigchld sigstop sigkill };
+')
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
new file mode 100644
index 0000000..fe4d072
--- /dev/null
+++ b/microdroid/system/private/domain.te
@@ -0,0 +1,254 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net_type:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+# Root fs.
+allow domain tmpfs:dir { getattr search };
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
+
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
+
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
+allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+allow domain property_contexts_file:file r_file_perms;
+
+dontaudit domain property_type:file audit_access;
+
+allow domain init:key search;
+
+# logd access
+unix_socket_send(domain, logdw, logd)
+
+# Directory/link file access for path resolution.
+allow domain {
+ system_file
+ system_lib_file
+ system_seccomp_policy_file
+ system_security_cacerts_file
+}:dir r_dir_perms;
+allow domain system_file:lnk_file { getattr read };
+
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
+
+allow domain system_event_log_tags_file:file r_file_perms;
+
+allow coredomain system_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr map };
+
+# Allow all domains to be able to follow /system/vendor and/or
+# /vendor/odm symlinks.
+allow domain vendor_file_type:lnk_file { getattr open read };
+
+# This is required to be able to search & read /vendor/lib64
+# in order to lookup vendor libraries. The execute permission
+# for coredomains is granted *only* for same process HALs
+allow domain vendor_file:dir { getattr search };
+
+# Allow reading and executing out of /vendor to all vendor domains
+allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
+allow coredomain system_data_file:dir getattr;
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
+allow domain system_data_root_file:dir { search getattr } ;
+allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to an allowlist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this allowlist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default allowlist for unix sockets.
+allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+ ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# All domains must clearly enumerate what ioctls they use
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets). We start off with a safe set.
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
+
+# If a domain has ioctl access to tun_device, it must clearly enumerate the
+# ioctls used. Safe defaults are listed below.
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
+
+# Allow a process to make a determination whether a file descriptor
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this allowlist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
+allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir { getattr search };
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
+allow domain self:global_capability_class_set audit_control;
+allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+
+# workaround for supressing property accesses.
+# TODO: remove these
+set_prop(domain, property_type -vmsecret_keymint_prop)
+# auditallow { domain -init } property_type:property_service set;
+# auditallow { domain -init } property_type:file rw_file_perms;
+
+allow domain linkerconfig_file:dir search;
+allow domain linkerconfig_file:file r_file_perms;
+
+#-----------------------------------------
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain } cgroup:dir w_dir_perms;
+allow { domain } cgroup:file w_file_perms;
+
+allow domain cgroup_v2:dir search;
+allow { domain } cgroup_v2:dir w_dir_perms;
+allow { domain } cgroup_v2:file w_file_perms;
+
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+allow domain task_profiles_api_file:file r_file_perms;
+
+#-----------------------------------------
+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+# We do not apply this to the su domain to avoid interfering with
+# tests (b/114136122)
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
new file mode 100644
index 0000000..1989d7e
--- /dev/null
+++ b/microdroid/system/private/file.te
@@ -0,0 +1,12 @@
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow proc_net proc:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow system_data_file tmpfs:filesystem associate;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
new file mode 100644
index 0000000..97e756d
--- /dev/null
+++ b/microdroid/system/private/file_contexts
@@ -0,0 +1,166 @@
+###########################################
+# Root
+/ u:object_r:rootfs:s0
+
+# Data files
+/build\.prop u:object_r:rootfs:s0
+/init\..* u:object_r:rootfs:s0
+
+# Executables
+/init u:object_r:init_exec:s0
+
+# For kernel modules
+/lib(/.*)? u:object_r:rootfs:s0
+
+# Empty directories
+/lost\+found u:object_r:rootfs:s0
+/debug_ramdisk u:object_r:tmpfs:s0
+/mnt u:object_r:tmpfs:s0
+/proc u:object_r:rootfs:s0
+/second_stage_resources u:object_r:tmpfs:s0
+/sys u:object_r:sysfs:s0
+/apex u:object_r:apex_mnt_dir:s0
+
+/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
+
+# Symlinks
+/bin u:object_r:rootfs:s0
+/d u:object_r:rootfs:s0
+/etc u:object_r:rootfs:s0
+
+##########################
+# Devices
+#
+/dev(/.*)? u:object_r:device:s0
+/dev/ashmem u:object_r:ashmem_device:s0
+/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
+/dev/binder u:object_r:binder_device:s0
+/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
+/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
+/dev/block/ram[0-9]* u:object_r:ram_device:s0
+/dev/block/zram[0-9]* u:object_r:ram_device:s0
+/dev/console u:object_r:console_device:s0
+/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
+/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
+/dev/device-mapper u:object_r:dm_device:s0
+/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
+/dev/fuse u:object_r:fuse_device:s0
+/dev/hw_random u:object_r:hw_random_device:s0
+/dev/hwbinder u:object_r:hwbinder_device:s0
+/dev/loop-control u:object_r:loop_control_device:s0
+/dev/ppp u:object_r:ppp_device:s0
+/dev/ptmx u:object_r:ptmx_device:s0
+/dev/kmsg u:object_r:kmsg_device:s0
+/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/kvm u:object_r:kvm_device:s0
+/dev/null u:object_r:null_device:s0
+/dev/random u:object_r:random_device:s0
+/dev/rtc[0-9] u:object_r:rtc_device:s0
+/dev/socket(/.*)? u:object_r:socket_device:s0
+/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/logd u:object_r:logd_socket:s0
+/dev/socket/logdr u:object_r:logdr_socket:s0
+/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
+/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
+/dev/tty u:object_r:owntty_device:s0
+/dev/tty[0-9]* u:object_r:tty_device:s0
+/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/tun u:object_r:tun_device:s0
+/dev/uhid u:object_r:uhid_device:s0
+/dev/uinput u:object_r:uhid_device:s0
+/dev/uio[0-9]* u:object_r:uio_device:s0
+/dev/urandom u:object_r:random_device:s0
+/dev/vhost-vsock u:object_r:kvm_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
+/dev/zero u:object_r:zero_device:s0
+/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/property_info u:object_r:property_info:s0
+#############################
+# Linker configuration
+#
+/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
+#############################
+# System files
+#
+/system(/.*)? u:object_r:system_file:s0
+/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
+/system/bin/apexd u:object_r:apexd_exec:s0
+/system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/servicemanager u:object_r:servicemanager_exec:s0
+/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/system/bin/init u:object_r:init_exec:s0
+/system/bin/keystore2 u:object_r:keystore_exec:s0
+/system/bin/logcat -- u:object_r:logcat_exec:s0
+/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/run-as -- u:object_r:runas_exec:s0
+/system/bin/sh -- u:object_r:shell_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/toolbox -- u:object_r:toolbox_exec:s0
+/system/bin/toybox -- u:object_r:toolbox_exec:s0
+/system/bin/zipfuse u:object_r:zipfuse_exec:s0
+/system/bin/microdroid_launcher u:object_r:microdroid_app_exec:s0
+/system/bin/microdroid_manager u:object_r:microdroid_manager_exec:s0
+/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
+/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
+/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
+/system/etc/group u:object_r:system_group_file:s0
+/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
+/system/etc/passwd u:object_r:system_passwd_file:s0
+/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
+/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
+
+#############################
+# Vendor files
+#
+/vendor(/.*)? u:object_r:vendor_file:s0
+/vendor/etc(/.*)? u:object_r:vendor_configs_file:s0
+/vendor/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
+
+#############################
+# Data files
+#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
+/data u:object_r:system_data_root_file:s0
+/data/(.*)? u:object_r:system_data_file:s0
+/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
+/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
+/data/local/traces(/.*)? u:object_r:trace_data_file:s0
+/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
+/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+
+# microdroid doesn't use anr, but tombstoned tries to read this.
+# So marking /data/anr as tombstone_data_file
+/data/anr(/.*)? u:object_r:tombstone_data_file:s0
diff --git a/microdroid/system/private/fs_use b/microdroid/system/private/fs_use
new file mode 100644
index 0000000..93d7f1b
--- /dev/null
+++ b/microdroid/system/private/fs_use
@@ -0,0 +1,27 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+fs_use_xattr overlay u:object_r:labeledfs:s0;
+fs_use_xattr erofs u:object_r:labeledfs:s0;
+fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
+fs_use_xattr virtiofs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
new file mode 100644
index 0000000..3499aa0
--- /dev/null
+++ b/microdroid/system/private/genfs_contexts
@@ -0,0 +1,378 @@
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
+genfscon proc /filesystems u:object_r:proc_filesystems:s0
+genfscon proc /interrupts u:object_r:proc_interrupts:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
+genfscon proc /keys u:object_r:proc_keys:s0
+genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
+genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
+genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
+genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
+genfscon proc /softirqs u:object_r:proc_timer:s0
+genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /swaps u:object_r:proc_swaps:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
+genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /timer_list u:object_r:proc_timer:s0
+genfscon proc /timer_stats u:object_r:proc_timer:s0
+genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
+genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+
+genfscon fusectl / u:object_r:fusectlfs:s0
+
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /class/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
+genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
+genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
+genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
+genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
+genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
+genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
+genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
+genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
+genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
+genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
+genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+
+genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
+genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
+genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+
+genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+
+genfscon securityfs / u:object_r:securityfs:s0
+
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
+genfscon exfat / u:object_r:exfat:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
+genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/microdroid/system/private/halclientdomain.te b/microdroid/system/private/halclientdomain.te
new file mode 100644
index 0000000..5f2afb3
--- /dev/null
+++ b/microdroid/system/private/halclientdomain.te
@@ -0,0 +1,10 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/microdroid/system/private/hwservice_contexts b/microdroid/system/private/hwservice_contexts
new file mode 100644
index 0000000..9b47b06
--- /dev/null
+++ b/microdroid/system/private/hwservice_contexts
@@ -0,0 +1,7 @@
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+* u:object_r:default_android_hwservice:s0
diff --git a/microdroid/system/private/hwservicemanager.te b/microdroid/system/private/hwservicemanager.te
new file mode 100644
index 0000000..17456db
--- /dev/null
+++ b/microdroid/system/private/hwservicemanager.te
@@ -0,0 +1,25 @@
+typeattribute hwservicemanager coredomain;
+
+init_daemon_domain(hwservicemanager)
+
+allow hwservicemanager vendor_configs_file:file { open getattr };
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
new file mode 100644
index 0000000..ff3f6f5
--- /dev/null
+++ b/microdroid/system/private/init.te
@@ -0,0 +1,446 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, vendor_init)
+
+# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
+# This is useful in case of remounting ext4 userdata into checkpointing mode,
+# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
+# that userdata is mounted onto.
+allow init sysfs_dm:file read;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+allow init self:perf_event { open cpu };
+allow init self:global_capability2_class_set perfmon;
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -hw_random_device
+ -kvm_device
+}:chr_file setattr;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device dm_user_device }:dir relabelto;
+# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
+allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init {
+ rootfs
+ cgroup
+ linkerconfig_file
+ system_data_file
+ system_data_root_file
+ system_file
+ vendor_file
+}:dir mounton;
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set { dac_override dac_read_search };
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init {
+ fs_type
+}:filesystem ~relabelto;
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+ file_type
+ -exec_type
+ -system_file_type
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -exec_type
+ -keystore_data_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -apex_info_file
+ -exec_type
+ -keystore_data_file
+ -runtime_event_log_tags_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
+allow init {
+ file_type
+ -exec_type
+ -keystore_data_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -apex_mnt_dir
+ -exec_type
+ -keystore_data_file
+ -shell_data_file
+ -system_file_type
+ -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -system_file_type
+ -vendor_file_type
+ -exec_type
+}:dir_file_class_set relabelto;
+
+allow init { sysfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# chown/chmod on pseudo files.
+allow init {
+ fs_type
+ -contextmount_type
+ -proc_type
+ -fusefs_type
+ -sysfs_type
+ -rootfs
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
+
+allow init {
+ binder_device
+ console_device
+ devpts
+ dm_device
+ hwbinder_device
+ kmsg_device
+ null_device
+ owntty_device
+ ptmx_device
+ random_device
+ tty_device
+ zero_device
+}:chr_file { read open };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
+
+allow init {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
+
+allow init {
+ proc_abi
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net_type
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory # /proc/sys/vm/overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_bootconfig
+ proc_kmsg
+ proc_net
+ proc_pagetypeinfo
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_sysrq
+ proc_qtaguid_ctrl
+ proc_vmallocinfo
+}:file setattr;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_dm_verity
+ sysfs_leds
+ sysfs_power
+ sysfs_fs_f2fs
+ sysfs_dm
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+ sysfs_fs_ext4_features
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_SET_FD
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
+};
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+ sysfs_zram
+}:file setattr;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
+# init is using bootstrap bionic
+allow init system_bootstrap_lib_file:dir r_dir_perms;
+allow init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
+set_prop(init, property_type)
diff --git a/microdroid/system/private/initial_sid_contexts b/microdroid/system/private/initial_sid_contexts
new file mode 100644
index 0000000..9819051
--- /dev/null
+++ b/microdroid/system/private/initial_sid_contexts
@@ -0,0 +1,27 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
diff --git a/microdroid/system/private/initial_sids b/microdroid/system/private/initial_sids
new file mode 100644
index 0000000..91ac816
--- /dev/null
+++ b/microdroid/system/private/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
new file mode 100644
index 0000000..1d03c4a
--- /dev/null
+++ b/microdroid/system/private/kernel.te
@@ -0,0 +1,83 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
+
+# The following sections are for the transition period during a Virtual A/B
+# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
+# context, and with properly labelled devices. This must be done before
+# enabling enforcement, eg, in permissive mode while still in the kernel
+# context.
+allow kernel tmpfs:blk_file { getattr relabelfrom };
+allow kernel tmpfs:chr_file { getattr relabelfrom };
+allow kernel tmpfs:lnk_file { getattr relabelfrom };
+allow kernel tmpfs:dir { open read relabelfrom };
+
+allow kernel block_device:blk_file relabelto;
+allow kernel block_device:lnk_file relabelto;
+allow kernel dm_device:chr_file relabelto;
+allow kernel dm_device:blk_file relabelto;
+allow kernel dm_user_device:dir { read open search relabelto };
+allow kernel dm_user_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file relabelto;
+allow kernel null_device:chr_file relabelto;
+allow kernel random_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file write;
+allow kernel vd_device:blk_file read;
+
+allow kernel self:global_capability_class_set sys_nice;
+
+# Root fs.
+r_dir_file(kernel, rootfs)
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel { sdcard_type fuse }:file { read write };
+
+# Allow the kernel to read APEX file descriptors and (staged) data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+
+#-----------------------------------------
+allow kernel apkdmverity:fd use;
diff --git a/microdroid/system/private/keys.conf b/microdroid/system/private/keys.conf
new file mode 100644
index 0000000..362e73d
--- /dev/null
+++ b/microdroid/system/private/keys.conf
@@ -0,0 +1,28 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+
+[@MEDIA]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
+
+[@NETWORK_STACK]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+
+[@SHARED]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
+
+# Example of ALL TARGET_BUILD_VARIANTS
+[@RELEASE]
+ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
new file mode 100644
index 0000000..ac3ada1
--- /dev/null
+++ b/microdroid/system/private/keystore.te
@@ -0,0 +1,15 @@
+typeattribute keystore coredomain;
+
+init_daemon_domain(keystore)
+
+# talk to keymint
+hal_client_domain(keystore, hal_keymint)
+
+# Allow keystore to write to statsd.
+unix_socket_send(keystore, statsdw, statsd)
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
+
+# microdroid doesn't use keymaster HAL
+dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
diff --git a/microdroid/system/private/keystore2_key_contexts b/microdroid/system/private/keystore2_key_contexts
new file mode 100644
index 0000000..02cdd5e
--- /dev/null
+++ b/microdroid/system/private/keystore2_key_contexts
@@ -0,0 +1,11 @@
+# Keystore 2.0 key contexts.
+# This file defines Keystore 2.0 namespaces and maps them to labels.
+# Format:
+# <namespace> <label>
+#
+# <namespace> must be an integer in the interval [0 ... 2^31)
+
+# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
+# TODO(b/191843770): sort out a longer term policy
+140 u:object_r:vm_payload_key:s0
+
diff --git a/microdroid/system/private/linkerconfig.te b/microdroid/system/private/linkerconfig.te
new file mode 100644
index 0000000..4d8db0c
--- /dev/null
+++ b/microdroid/system/private/linkerconfig.te
@@ -0,0 +1,21 @@
+type linkerconfig, domain, coredomain;
+type linkerconfig_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(linkerconfig)
+
+## Read and write linkerconfig subdirectory.
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
+allow linkerconfig linkerconfig_file:file create_file_perms;
+
+# Allow linkerconfig to log to the kernel.
+allow linkerconfig kmsg_device:chr_file w_file_perms;
+
+# Allow linkerconfig to be invoked with logwrapper from init.
+allow linkerconfig devpts:chr_file { read write };
+
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
+# Allow linkerconfig to read apex-info-list.xml
+allow linkerconfig apex_info_file:file r_file_perms;
+
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
new file mode 100644
index 0000000..0cc6e96
--- /dev/null
+++ b/microdroid/system/private/logd.te
@@ -0,0 +1,43 @@
+typeattribute logd coredomain;
+
+init_daemon_domain(logd)
+
+allow logd adbd:dir search;
+allow logd adbd:file { getattr open read };
+allow logd device:dir search;
+allow logd hwservicemanager:dir search;
+allow logd hwservicemanager:file { open read };
+allow logd init:dir search;
+allow logd init:fd use;
+allow logd init:file { getattr open read };
+allow logd kernel:dir search;
+allow logd kernel:file { getattr open read };
+allow logd kernel:system { syslog_mod syslog_read };
+allow logd keystore:dir search;
+allow logd keystore:file { getattr open read };
+allow logd linkerconfig_file:dir search;
+allow logd microdroid_manager:dir search;
+allow logd microdroid_manager:file { getattr open read };
+allow logd null_device:chr_file { open read };
+#allow logd proc_kmsg:file read;
+r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+allow logd self:fifo_file { read write };
+allow logd self:file { getattr open read };
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+#allow logd self:netlink_audit_socket getopt;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kmsg_device:chr_file { getattr w_file_perms };
+r_dir_file(logd, domain)
+allow logd self:unix_stream_socket { accept getopt setopt shutdown };
+allow logd servicemanager:dir search;
+allow logd servicemanager:file { open read };
+allow logd tombstoned:dir search;
+allow logd tombstoned:file { getattr open read };
+allow logd ueventd:dir search;
+allow logd ueventd:file { getattr open read };
+control_logd(logd)
+read_runtime_log_tags(logd)
diff --git a/microdroid/system/private/mac_permissions.xml b/microdroid/system/private/mac_permissions.xml
new file mode 100644
index 0000000..7fc37c1
--- /dev/null
+++ b/microdroid/system/private/mac_permissions.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag. The signature can
+ either appear as a set of attached cert child tags or as an attribute.
+ * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+ * Each signer/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process as well as the apps data directory.
+ * seinfo assignments are made according to the following rules:
+ - Stanzas with package name refinements will be checked first.
+ - Stanzas w/o package name refinements will be checked second.
+ - The "default" seinfo label is automatically applied.
+
+ * valid stanzas can take one of the following forms:
+
+ // single cert protecting seinfo
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ // multiple certs protecting seinfo (all contained certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <seinfo value="platform" />
+ </signer>
+
+ // single cert protecting explicitly named app
+ <signer signature="@PLATFORM" >
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+
+ // multiple certs protecting explicitly named app (all certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+-->
+
+ <!-- Platform dev key in AOSP -->
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ <!-- Media key in AOSP -->
+ <signer signature="@MEDIA" >
+ <seinfo value="media" />
+ </signer>
+
+ <signer signature="@NETWORK_STACK" >
+ <seinfo value="network_stack" />
+ </signer>
+</policy>
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
new file mode 100644
index 0000000..820ec68
--- /dev/null
+++ b/microdroid/system/private/microdroid_app.te
@@ -0,0 +1,51 @@
+# microdroid_app is a domain for microdroid_launcher, which is a binary that
+# loads a shared library from an apk and executes it by calling an entry point
+# in the library. This can be considered as the native counterpart of
+# app_process for Java.
+#
+# Both microdroid_launcher and payload from the shared library run in the
+# context of microdroid_app.
+
+type microdroid_app, domain, coredomain;
+type microdroid_app_exec, exec_type, file_type, system_file_type;
+
+# Allow to communicate use, read and write over the adb connection.
+allow microdroid_app adbd:fd use;
+allow microdroid_app adbd:unix_stream_socket { read write };
+
+# microdroid_launcher is launched by microdroid_manager with fork/execvp.
+allow microdroid_app microdroid_manager:fd use;
+
+# Allow to use FDs inherited from the shell. This includes the FD opened for
+# the microdroid_launcher executable itself and the FD for adb connection.
+# TODO(b/186396070) remove this when this is executed from microdroid_manager
+userdebug_or_eng(`
+ allow microdroid_app shell:fd use;
+')
+
+# Allow to use terminal
+allow microdroid_app devpts:chr_file rw_file_perms;
+
+# Allow to set debug prop
+set_prop(microdroid_app, debug_prop)
+
+# Talk to binder services (for keystore)
+binder_use(microdroid_app);
+
+# Allow payloads to use keystore
+use_keystore(microdroid_app);
+
+# Allow payloads to use and manage their keys
+allow microdroid_app vm_payload_key:keystore2_key {
+ delete
+ get_info
+ manage_blob
+ rebind
+ use
+};
+
+# Allow microdroid_app to use vsock inherited from microdroid_manager
+allow microdroid_app microdroid_manager:vsock_socket { read write };
+
+# Write to /dev/kmsg.
+allow microdroid_app kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
new file mode 100644
index 0000000..074024f
--- /dev/null
+++ b/microdroid/system/private/microdroid_manager.te
@@ -0,0 +1,37 @@
+# microdroid_manager is a daemon running in the microdroid.
+
+type microdroid_manager, domain, coredomain;
+type microdroid_manager_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(microdroid_manager)
+
+# microdroid_manager accesses a virtual disk block device to read VM payload
+allow microdroid_manager block_device:dir r_dir_perms;
+allow microdroid_manager block_device:lnk_file r_file_perms;
+allow microdroid_manager vd_device:blk_file r_file_perms;
+
+# microdroid_manager start payload task via microdroid_launcher
+domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app);
+
+# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
+# TODO(b/189706019) we need to a domain for the app process.
+allow microdroid_manager system_file:file execute_no_trans;
+# Until then, allow microdroid_manager to execute the shell or other system executables.
+allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
+
+# Let microdroid_manager kernel-log.
+allow microdroid_manager kmsg_device:chr_file w_file_perms;
+
+# Let microdroid_manager initialize the derived VM secrets.
+set_prop(microdroid_manager, vmsecret_keymint_prop);
+
+# Let microdroid_manager read a config file from /mnt/apk (fusefs)
+# TODO(b/188400186) remove the below two rules
+userdebug_or_eng(`
+ allow microdroid_manager fuse:dir r_dir_perms;
+ allow microdroid_manager fuse:file rx_file_perms;
+')
+
+# Let microdroid_manager to create a vsock connection back to the host VM
+allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
diff --git a/microdroid/system/private/mls b/microdroid/system/private/mls
new file mode 100644
index 0000000..303df81
--- /dev/null
+++ b/microdroid/system/private/mls
@@ -0,0 +1,89 @@
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition: Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations: Require equivalence unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+ (l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Sockets inherit the range of their creator.
+mlsconstrain socket_class_set { create relabelfrom relabelto }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Datagram send: Sender must be equivalent to the receiver unless one of them
+# is trusted.
+mlsconstrain unix_dgram_socket { sendto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect: Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain dir_file_class_set { create relabelfrom relabelto }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+#
+# Constraints for file types other than app data files.
+#
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+ or (t1 == mlsvendorcompat and t2 == system_data_file) );
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be equivalent to the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
+mlsconstrain fifo_file { read getattr }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/microdroid/system/private/mls_decl b/microdroid/system/private/mls_decl
new file mode 100644
index 0000000..dd53bea
--- /dev/null
+++ b/microdroid/system/private/mls_decl
@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
diff --git a/microdroid/system/private/mls_macros b/microdroid/system/private/mls_macros
new file mode 100644
index 0000000..83e0542
--- /dev/null
+++ b/microdroid/system/private/mls_macros
@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
new file mode 100644
index 0000000..1b2fd41
--- /dev/null
+++ b/microdroid/system/private/net.te
@@ -0,0 +1,16 @@
+## Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+###
+### Domain with network access
+###
+
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+allow netdomain port_type:tcp_socket name_connect;
+allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/policy_capabilities b/microdroid/system/private/policy_capabilities
new file mode 100644
index 0000000..9290e3a
--- /dev/null
+++ b/microdroid/system/private/policy_capabilities
@@ -0,0 +1,20 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
+# Enable NoNewPrivileges support. Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
diff --git a/microdroid/system/private/port_contexts b/microdroid/system/private/port_contexts
new file mode 100644
index 0000000..2f40b38
--- /dev/null
+++ b/microdroid/system/private/port_contexts
@@ -0,0 +1 @@
+# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
new file mode 100644
index 0000000..d3d413e
--- /dev/null
+++ b/microdroid/system/private/property.te
@@ -0,0 +1,16 @@
+###
+### Neverallow rules
+###
+
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+} vmsecret_keymint_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+ -hal_keymint_server
+} vmsecret_keymint_prop:file no_rw_file_perms;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
new file mode 100644
index 0000000..c8be9d9
--- /dev/null
+++ b/microdroid/system/private/property_contexts
@@ -0,0 +1,97 @@
+# property contexts for microdroid
+# microdroid only uses much fewer properties than normal Android, so every property is listed here.
+# The only exceptions are "debug.", "init.svc_debug_pid.", and "ctl." properties.
+
+debug. u:object_r:debug_prop:s0 prefix
+
+init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 prefix int
+
+ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
+ctl.start$ u:object_r:ctl_start_prop:s0
+ctl.stop$ u:object_r:ctl_stop_prop:s0
+ctl.restart$ u:object_r:ctl_restart_prop:s0
+ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+
+ctl.start$adbd u:object_r:ctl_adbd_prop:s0
+ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
+ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
+
+ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+
+ctl.fuse_ u:object_r:ctl_fuse_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
+
+sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
+
+service.adb.root u:object_r:shell_prop:s0 exact bool
+
+ro.logd.kernel u:object_r:logd_prop:s0 exact bool
+
+ro.boottime.adbd u:object_r:boottime_prop:s0 exact int
+ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
+ro.boottime.init u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
+ro.boottime.keystore2 u:object_r:boottime_prop:s0 exact int
+ro.boottime.logd u:object_r:boottime_prop:s0 exact int
+ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
+ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
+ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
+ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
+ro.boottime.ueventd u:object_r:boottime_prop:s0 exact int
+ro.boottime.vendor.keymint-microdroid u:object_r:boottime_prop:s0 exact int
+ro.boottime.zipfuse u:object_r:boottime_prop:s0 exact int
+
+ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
+
+ro.vmsecret.keymint u:object_r:vmsecret_keymint_prop:s0 exact string
+
+hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
+
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+
+ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
+
+sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+
+init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
+
+init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
+init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
+
+init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
+
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.baseband u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode u:object_r:bootloader_prop:s0 exact string
+ro.hardware u:object_r:bootloader_prop:s0 exact string
+ro.revision u:object_r:bootloader_prop:s0 exact string
+
+ro.build.id u:object_r:build_prop:s0 exact string
+ro.build.version.release u:object_r:build_prop:s0 exact string
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
+ro.adb.secure u:object_r:build_prop:s0 exact bool
+
+ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
+
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+
+ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
+
+keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
diff --git a/microdroid/system/private/roles_decl b/microdroid/system/private/roles_decl
new file mode 100644
index 0000000..c84fcba
--- /dev/null
+++ b/microdroid/system/private/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/microdroid/system/private/seapp_contexts b/microdroid/system/private/seapp_contexts
new file mode 100644
index 0000000..2f40b38
--- /dev/null
+++ b/microdroid/system/private/seapp_contexts
@@ -0,0 +1 @@
+# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
new file mode 100644
index 0000000..200b030
--- /dev/null
+++ b/microdroid/system/private/security_classes
@@ -0,0 +1,167 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class anon_inode
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+class process2
+
+class bpf
+
+class xdp_socket
+
+class perf_event
+
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
+# Property service
+class property_service # userspace
+
+# Service manager
+class service_manager # userspace
+
+# hardware service manager # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key # userspace
+
+# Keystore 2.0 permissions
+class keystore2 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key # userspace
+
+class drmservice # userspace
+# FLASK
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
new file mode 100644
index 0000000..5857a0f
--- /dev/null
+++ b/microdroid/system/private/service_contexts
@@ -0,0 +1,18 @@
+android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+
+adb u:object_r:adb_service:s0
+android.security.apc u:object_r:apc_service:s0
+android.security.authorization u:object_r:authorization_service:s0
+android.security.compat u:object_r:keystore_compat_hal_service:s0
+android.security.identity u:object_r:credstore_service:s0
+android.security.keystore u:object_r:keystore_service:s0
+android.security.legacykeystore u:object_r:legacykeystore_service:s0
+android.security.maintenance u:object_r:keystore_maintenance_service:s0
+android.security.metrics u:object_r:keystore_metrics_service:s0
+android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+apexservice u:object_r:apex_service:s0
+* u:object_r:default_android_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
new file mode 100644
index 0000000..8ff964f
--- /dev/null
+++ b/microdroid/system/private/servicemanager.te
@@ -0,0 +1,23 @@
+typeattribute servicemanager coredomain;
+
+init_daemon_domain(servicemanager)
+
+selinux_check_access(servicemanager)
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -vendor_init
+ -hwservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
new file mode 100644
index 0000000..fc51ad8
--- /dev/null
+++ b/microdroid/system/private/shell.te
@@ -0,0 +1,31 @@
+typeattribute shell coredomain, mlstrustedsubject;
+
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
+
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
+# Allow shell to launch microdroid_launcher in its own domain
+# TODO(b/186396070) remove this when microdroid_manager can do this
+domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
+domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow shell adbd:unix_stream_socket connectto;
+allow shell adbd:fd use;
+allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# filesystem test for insecure chr_file's is done
+# via a host side test
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# filesystem test for insucre blk_file's is done
+# via hostside test
+allow shell dev_type:blk_file getattr;
diff --git a/microdroid/system/private/statsd.te b/microdroid/system/private/statsd.te
new file mode 100644
index 0000000..437f505
--- /dev/null
+++ b/microdroid/system/private/statsd.te
@@ -0,0 +1,3 @@
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
new file mode 100644
index 0000000..55b7308
--- /dev/null
+++ b/microdroid/system/private/su.te
@@ -0,0 +1,12 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+
+ # Do not audit accesses to keystore2 namespace for the su domain.
+ dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
+')
diff --git a/microdroid/system/private/tombstoned.te b/microdroid/system/private/tombstoned.te
new file mode 100644
index 0000000..2567a23
--- /dev/null
+++ b/microdroid/system/private/tombstoned.te
@@ -0,0 +1,12 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
diff --git a/microdroid/system/private/toolbox.te b/microdroid/system/private/toolbox.te
new file mode 100644
index 0000000..a2b958d
--- /dev/null
+++ b/microdroid/system/private/toolbox.te
@@ -0,0 +1,3 @@
+typeattribute toolbox coredomain;
+
+init_daemon_domain(toolbox)
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
new file mode 100644
index 0000000..eb06672
--- /dev/null
+++ b/microdroid/system/private/ueventd.te
@@ -0,0 +1,52 @@
+typeattribute ueventd coredomain;
+
+tmpfs_domain(ueventd)
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file_type)
+
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
+
+# ueventd loads modules in response to modalias events.
+allow ueventd self:global_capability_class_set sys_module;
+allow ueventd vendor_file:system module_load;
+allow ueventd kernel:key search;
+
+# ueventd is using bootstrap bionic
+allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
+allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+
diff --git a/microdroid/system/private/users b/microdroid/system/private/users
new file mode 100644
index 0000000..51b7b57
--- /dev/null
+++ b/microdroid/system/private/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
new file mode 100644
index 0000000..fb7527b
--- /dev/null
+++ b/microdroid/system/private/zipfuse.te
@@ -0,0 +1,34 @@
+# zipfuse is a FUSE daemon running in the microdroid. It mounts
+# /dev/block/by-name/microdroid-apk whose content is from an apk file on
+# /mnt/apk so that the entries in the apk file are seen as regular files. See
+# packages/modules/Virtualization/zipfuse.
+
+type zipfuse, domain, coredomain;
+type zipfuse_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(zipfuse)
+
+# allow basic rules to implement FUSE
+allow zipfuse fuse_device:chr_file rw_file_perms;
+allow zipfuse self:global_capability_class_set sys_admin;
+
+# allow access to /dev/vd* block device files and also access to the symlinks
+# /dev/block/by-name/*
+allow zipfuse block_device:dir r_dir_perms;
+allow zipfuse block_device:lnk_file r_file_perms;
+
+# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
+allow zipfuse dm_device:blk_file r_file_perms;
+
+# allow mounting on /mnt/apk
+allow zipfuse tmpfs:dir mounton;
+
+# allow mounting with fscontext=u:object_r:zipfusefs:s0
+type zipfusefs, fs_type, contextmount_type;
+allow zipfuse fuse:filesystem relabelfrom;
+allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
+
+# allow mounting with context=u:object_r:system_file:s0 so that files provided
+# by zipfuse are treated the same as the other files in /system or /apex
+allow system_file zipfusefs:filesystem associate;
diff --git a/microdroid/system/public/adbd.te b/microdroid/system/public/adbd.te
new file mode 100644
index 0000000..a41d4a3
--- /dev/null
+++ b/microdroid/system/public/adbd.te
@@ -0,0 +1,2 @@
+type adbd, domain;
+type adbd_exec, exec_type, file_type, system_file_type;
diff --git a/microdroid/system/public/apexd.te b/microdroid/system/public/apexd.te
new file mode 100644
index 0000000..f80c1da
--- /dev/null
+++ b/microdroid/system/public/apexd.te
@@ -0,0 +1,5 @@
+type apexd, domain, coredomain;
+type apexd_exec, file_type, exec_type, system_file_type;
+
+binder_use(apexd)
+add_service(apexd, apex_service)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
new file mode 100644
index 0000000..c82c0c8
--- /dev/null
+++ b/microdroid/system/public/attributes
@@ -0,0 +1,395 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# in tools/checkfc.c
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute fs_type;
+
+# All types used for context= mounts.
+attribute contextmount_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+expandattribute data_file_type false;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+expandattribute core_data_file_type false;
+
+# All types used for app private data files in seapp_contexts.
+# Such types should not be applied to any other files.
+attribute app_data_file_type;
+expandattribute app_data_file_type false;
+
+# All types in /system
+attribute system_file_type;
+
+# All types in /vendor
+attribute vendor_file_type;
+
+# All types used for procfs files.
+attribute proc_type;
+expandattribute proc_type false;
+
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
+# All types used for sysfs files.
+attribute sysfs_type;
+
+# All types use for debugfs files.
+attribute debugfs_type;
+
+# All types used for tracefs files.
+attribute tracefs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+# On change, update CHECK_PC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute property_type;
+
+# All properties defined in core SELinux policy. Should not be
+# used by device specific properties
+attribute core_property_type;
+
+# All properties used to configure log filtering.
+attribute log_property_type;
+
+# All properties that are not specific to device but are added from
+# outside of AOSP. (e.g. OEM-specific properties)
+# These properties are not accessible from device-specific domains
+attribute extended_core_property_type;
+
+# Properties used for representing ownership. All properties should have one
+# of: system_property_type, product_property_type, or vendor_property_type.
+
+# All properties defined by /system.
+attribute system_property_type;
+expandattribute system_property_type false;
+
+# All /system-defined properties used only in /system.
+attribute system_internal_property_type;
+expandattribute system_internal_property_type false;
+
+# All /system-defined properties which can't be written outside /system.
+attribute system_restricted_property_type;
+expandattribute system_restricted_property_type false;
+
+# All /system-defined properties with no restrictions.
+attribute system_public_property_type;
+expandattribute system_public_property_type false;
+
+# All keystore2_key labels.
+attribute keystore2_key_type;
+
+# All properties defined by /product.
+# Currently there are no enforcements between /system and /product, so for now
+# /product attributes are just replaced to /system attributes.
+define(`product_property_type', `system_property_type')
+define(`product_internal_property_type', `system_internal_property_type')
+define(`product_restricted_property_type', `system_restricted_property_type')
+define(`product_public_property_type', `system_public_property_type')
+
+# All properties defined by /vendor.
+attribute vendor_property_type;
+expandattribute vendor_property_type false;
+
+# All /vendor-defined properties used only in /vendor.
+attribute vendor_internal_property_type;
+expandattribute vendor_internal_property_type false;
+
+# All /vendor-defined properties which can't be written outside /vendor.
+attribute vendor_restricted_property_type;
+expandattribute vendor_restricted_property_type false;
+
+# All /vendor-defined properties with no restrictions.
+attribute vendor_public_property_type;
+expandattribute vendor_public_property_type false;
+
+# All service_manager types created by system_server
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which should be available to all ephemeral apps
+attribute ephemeral_app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
+
+# services which are explicitly disallowed for untrusted apps to access
+attribute protected_service;
+
+# services which served by vendor and also using the copy of libbinder on
+# system (for instance via libbinder_ndk). services using a different copy
+# of libbinder currently need their own context manager (e.g.
+# vndservicemanager)
+attribute vendor_service;
+
+# All types used for services managed by servicemanager.
+# On change, update CHECK_SC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute service_manager_type;
+
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
+# All HwBinder services that untrusted apps can't directly access
+attribute protected_hwservice;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All third party apps (except isolated_app and ephemeral_app)
+attribute untrusted_app_all;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# update_engine related domains that need to apply an update and run
+# postinstall. This includes the background daemon and the sideload tool from
+# recovery for A/B devices.
+attribute update_engine_common;
+
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All vendor hwservice.
+attribute vendor_hwservice_type;
+
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+expandattribute coredomain_socket false;
+
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+expandattribute socket_between_core_and_vendor_violators false;
+
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+expandattribute vendor_executes_system_violators false;
+
+# All domains which violate the requirement of not sharing files by path
+# between between vendor and core domains.
+# TODO(b/34980020)
+attribute data_between_core_and_vendor_violators;
+expandattribute data_between_core_and_vendor_violators false;
+
+# All system domains which violate the requirement of not executing vendor
+# binaries/libraries.
+# TODO(b/62041836)
+attribute system_executes_vendor_violators;
+expandattribute system_executes_vendor_violators false;
+
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
+# All system domains which violate the requirement of not writing to
+# /mnt/vendor/*. Must not be used on devices launched with P or later.
+attribute system_writes_mnt_vendor_violators;
+expandattribute system_writes_mnt_vendor_violators false;
+
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice_violators;
+expandattribute untrusted_app_visible_hwservice_violators false;
+
+# halserver domains that are accessible to untrusted applications. These
+# domains are typically those hosting hwservices attributed by the
+# untrusted_app_visible_hwservice_violators.
+# WARNING: Use of this attribute should be avoided unless absolutely necessary.
+# It is a temporary allowance to aid the transition to treble and will be
+# removed in the future platform version, requiring all halserver domains that
+# are labeled with this attribute to be submitted to AOSP in order to maintain
+# their app-visibility.
+attribute untrusted_app_visible_halserver_violators;
+expandattribute untrusted_app_visible_halserver_violators false;
+
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+expandattribute pdx_endpoint_socket_type false;
+attribute pdx_channel_socket_type;
+expandattribute pdx_channel_socket_type false;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(bufferhub_client)
+
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
+expandattribute halclientdomain true;
+
+# Exempt for halserverdomain to access sockets. Only builds for automotive
+# device types are allowed to use this attribute (enforced by CTS).
+# Unlike phone, in a car many modules are external from Android perspective and
+# HALs should be able to communicate with those devices through sockets.
+attribute hal_automotive_socket_exemption;
+
+# HALs
+hal_attribute(allocator);
+hal_attribute(atrace);
+hal_attribute(audio);
+hal_attribute(audiocontrol);
+hal_attribute(authsecret);
+hal_attribute(bluetooth);
+hal_attribute(bootctl);
+hal_attribute(bufferhub);
+hal_attribute(broadcastradio);
+hal_attribute(camera);
+hal_attribute(can_bus);
+hal_attribute(can_controller);
+hal_attribute(cas);
+hal_attribute(codec2);
+hal_attribute(configstore);
+hal_attribute(confirmationui);
+hal_attribute(contexthub);
+hal_attribute(drm);
+hal_attribute(evs);
+hal_attribute(face);
+hal_attribute(fingerprint);
+hal_attribute(gatekeeper);
+hal_attribute(gnss);
+hal_attribute(graphics_allocator);
+hal_attribute(graphics_composer);
+hal_attribute(health);
+hal_attribute(health_storage);
+hal_attribute(identity);
+hal_attribute(input_classifier);
+hal_attribute(ir);
+hal_attribute(keymaster);
+hal_attribute(keymint);
+hal_attribute(light);
+hal_attribute(lowpan);
+hal_attribute(memtrack);
+hal_attribute(neuralnetworks);
+hal_attribute(nfc);
+hal_attribute(oemlock);
+hal_attribute(omx);
+hal_attribute(power);
+hal_attribute(power_stats);
+hal_attribute(rebootescrow);
+hal_attribute(secure_element);
+hal_attribute(sensors);
+hal_attribute(telephony);
+hal_attribute(tetheroffload);
+hal_attribute(thermal);
+hal_attribute(tv_cec);
+hal_attribute(tv_input);
+hal_attribute(tv_tuner);
+hal_attribute(usb);
+hal_attribute(usb_gadget);
+hal_attribute(vehicle);
+hal_attribute(vibrator);
+hal_attribute(vr);
+hal_attribute(weaver);
+hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
+hal_attribute(wifi_supplicant);
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute automotive_display_service_server;
+attribute camera_service_server;
+attribute display_service_server;
+attribute scheduler_service_server;
+attribute sensor_service_server;
+attribute stats_service_server;
+attribute system_suspend_internal_server;
+attribute system_suspend_server;
+attribute wifi_keystore_service_server;
+
+# All types used for super partition block devices.
+attribute super_block_device_type;
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;
+expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
+
+attribute fusefs_type;
diff --git a/microdroid/system/public/crash_dump.te b/microdroid/system/public/crash_dump.te
new file mode 100644
index 0000000..d59b034
--- /dev/null
+++ b/microdroid/system/public/crash_dump.te
@@ -0,0 +1,2 @@
+type crash_dump, domain;
+type crash_dump_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
new file mode 100644
index 0000000..8d286a6
--- /dev/null
+++ b/microdroid/system/public/device.te
@@ -0,0 +1,39 @@
+type ashmem_device, dev_type, mlstrustedobject;
+type ashmem_libcutils_device, dev_type, mlstrustedobject;
+type binder_device, dev_type, mlstrustedobject;
+type block_device, dev_type;
+type console_device, dev_type;
+type device, dev_type, fs_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
+type dmabuf_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_secure_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type fuse_device, dev_type, mlstrustedobject;
+type hw_random_device, dev_type;
+type hwbinder_device, dev_type, mlstrustedobject;
+type kmsg_debug_device, dev_type;
+type kmsg_device, dev_type, mlstrustedobject;
+type kvm_device, dev_type;
+type loop_control_device, dev_type;
+type loop_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type owntty_device, dev_type, mlstrustedobject;
+type ppp_device, dev_type;
+type properties_device, dev_type;
+type properties_serial, dev_type;
+type property_info, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type ram_device, dev_type;
+type random_device, dev_type, mlstrustedobject;
+type rtc_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type uhid_device, dev_type, mlstrustedobject;
+type uio_device, dev_type;
+type userdata_sysdev, dev_type;
+type vd_device, dev_type;
+type vndbinder_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
new file mode 100644
index 0000000..67d5068
--- /dev/null
+++ b/microdroid/system/public/file.te
@@ -0,0 +1,204 @@
+type system_linker_exec, file_type, system_file_type;
+
+# file types
+type adbd_socket, file_type, coredomain_socket;
+type apc_service, service_manager_type;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type apex_info_file, file_type;
+type apex_mnt_dir, file_type;
+type cgroup_desc_api_file, file_type, system_file_type;
+type cgroup_desc_file, file_type, system_file_type;
+type cgroup_rc_file, file_type;
+type file_contexts_file, file_type, system_file_type;
+type hwservice_contexts_file, file_type, system_file_type;
+type keystore2_key_contexts_file, file_type, system_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type linkerconfig_file, file_type;
+type logd_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdw_socket, file_type, mlstrustedobject, coredomain_socket;
+type mac_perms_file, file_type, system_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+type property_contexts_file, file_type, system_file_type;
+type property_socket, file_type, mlstrustedobject, coredomain_socket;
+type runtime_event_log_tags_file, file_type;
+type seapp_contexts_file, file_type, system_file_type;
+type sepolicy_file, file_type, system_file_type;
+type service_contexts_file, file_type, system_file_type;
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_bootstrap_lib_file, file_type, system_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
+type system_event_log_tags_file, file_type, system_file_type;
+type system_file, file_type, system_file_type;
+type system_group_file, file_type, system_file_type;
+type system_lib_file, file_type, system_file_type;
+type system_linker_config_file, file_type, system_file_type;
+type system_passwd_file, file_type, system_file_type;
+type system_seccomp_policy_file, file_type, system_file_type;
+type system_security_cacerts_file, file_type, system_file_type;
+type task_profiles_api_file, file_type, system_file_type;
+type task_profiles_file, file_type, system_file_type;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tombstoned_crash_socket, file_type, mlstrustedobject, coredomain_socket;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type unlabeled, file_type;
+type vendor_configs_file, file_type, vendor_file_type;
+type vendor_data_file, file_type, data_file_type;
+type vendor_file, file_type, vendor_file_type;
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
+# file system types
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
+type binfmt_miscfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type cgroup_v2, fs_type;
+type config_gz, fs_type, proc_type;
+type configfs, fs_type;
+type debugfs, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_kcov, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type devpts, fs_type, mlstrustedobject;
+type devtmpfs;
+type exfat, fs_type, sdcard_type, mlstrustedobject;
+type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type fuse, fs_type, fusefs_type, mlstrustedobject;
+type fusectlfs, fs_type;
+type inotify, fs_type, mlstrustedobject;
+type labeledfs, fs_type;
+type mqueue, fs_type;
+type pipefs, fs_type;
+type proc, fs_type, proc_type;
+type proc_abi, fs_type, proc_type;
+type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
+type proc_buddyinfo, fs_type, proc_type;
+type proc_cmdline, fs_type, proc_type;
+type proc_cpuinfo, fs_type, proc_type;
+type proc_dirty, fs_type, proc_type;
+type proc_diskstats, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
+type proc_extra_free_kbytes, fs_type, proc_type;
+type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
+type proc_hostname, fs_type, proc_type;
+type proc_hung_task, fs_type, proc_type;
+type proc_interrupts, fs_type, proc_type;
+type proc_iomem, fs_type, proc_type;
+type proc_kallsyms, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
+type proc_kmsg, fs_type, proc_type;
+type proc_kpageflags, fs_type, proc_type;
+type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
+type proc_lowmemorykiller, fs_type, proc_type;
+type proc_max_map_count, fs_type, proc_type;
+type proc_meminfo, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
+type proc_misc, fs_type, proc_type;
+type proc_modules, fs_type, proc_type;
+type proc_mounts, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
+type proc_page_cluster, fs_type, proc_type;
+type proc_pagetypeinfo, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+type proc_perf, fs_type, proc_type;
+type proc_pid_max, fs_type, proc_type;
+type proc_pipe_conf, fs_type, proc_type;
+type proc_pressure_cpu, fs_type, proc_type;
+type proc_pressure_io, fs_type, proc_type;
+type proc_pressure_mem, fs_type, proc_type;
+type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
+type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
+type proc_random, fs_type, proc_type;
+type proc_sched, fs_type, proc_type;
+type proc_security, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
+type proc_stat, fs_type, proc_type;
+type proc_swaps, fs_type, proc_type;
+type proc_sysrq, fs_type, proc_type;
+type proc_timer, fs_type, proc_type;
+type proc_tty_drivers, fs_type, proc_type;
+type proc_uid_concurrent_active_time, fs_type, proc_type;
+type proc_uid_concurrent_policy_time, fs_type, proc_type;
+type proc_uid_cpupower, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
+type proc_uptime, fs_type, proc_type;
+type proc_version, fs_type, proc_type;
+type proc_vmallocinfo, fs_type, proc_type;
+type proc_vmstat, fs_type, proc_type;
+type proc_zoneinfo, fs_type, proc_type;
+type pstorefs, fs_type;
+type rootfs, fs_type;
+type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
+type securityfs, fs_type;
+type selinuxfs, fs_type, mlstrustedobject;
+type shm, fs_type;
+type sockfs, fs_type;
+type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_android_usb, fs_type, sysfs_type;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_extcon, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, fs_type, sysfs_type;
+type sysfs_fs_f2fs, fs_type, sysfs_type;
+type sysfs_fs_incfs_features, fs_type, sysfs_type;
+type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
+type sysfs_ion, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
+type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
+type sysfs_loop, fs_type, sysfs_type;
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_suspend_stats, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
+type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_uhid, fs_type, sysfs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_wakeup, fs_type, sysfs_type;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
+type tmpfs, fs_type;
+type usbfs, fs_type;
+type usermodehelper, fs_type, proc_type;
+type vfat, fs_type, sdcard_type, mlstrustedobject;
diff --git a/microdroid/system/public/global_macros b/microdroid/system/public/global_macros
new file mode 100644
index 0000000..2c87fde
--- /dev/null
+++ b/microdroid/system/public/global_macros
@@ -0,0 +1,51 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
+
+define(`devfile_class_set', `{ chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
+define(`dir_file_class_set', `{ dir file_class_set }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
+define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
+define(`w_file_perms', `{ open append write lock map }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
+define(`w_dir_perms', `{ open search write add_name remove_name lock }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/microdroid/system/public/hal_keymint.te b/microdroid/system/public/hal_keymint.te
new file mode 100644
index 0000000..7570188
--- /dev/null
+++ b/microdroid/system/public/hal_keymint.te
@@ -0,0 +1,4 @@
+binder_call(hal_keymint_client, hal_keymint_server)
+
+hal_attribute_service(hal_keymint, hal_keymint_service)
+binder_call(hal_keymint_server, servicemanager)
diff --git a/microdroid/system/public/hwservicemanager.te b/microdroid/system/public/hwservicemanager.te
new file mode 100644
index 0000000..5421b11
--- /dev/null
+++ b/microdroid/system/public/hwservicemanager.te
@@ -0,0 +1,2 @@
+type hwservicemanager, domain, mlstrustedsubject;
+type hwservicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/init.te b/microdroid/system/public/init.te
new file mode 100644
index 0000000..bccdb70
--- /dev/null
+++ b/microdroid/system/public/init.te
@@ -0,0 +1,8 @@
+# init is its own domain.
+type init, domain, mlstrustedsubject;
+type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
+
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { getattr write relabelto };
+allow init kmsg_debug_device:chr_file { open write relabelto };
diff --git a/microdroid/system/public/ioctl_defines b/microdroid/system/public/ioctl_defines
new file mode 100644
index 0000000..5ac4d94
--- /dev/null
+++ b/microdroid/system/public/ioctl_defines
@@ -0,0 +1,2751 @@
+define(`ADD_NEW_DISK', `0x40140921')
+define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
+define(`AGPIOC_ACQUIRE', `0x00004101')
+define(`AGPIOC_ALLOCATE', `0xc0084106')
+define(`AGPIOC_BIND', `0x40084108')
+define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
+define(`AGPIOC_DEALLOCATE', `0x40044107')
+define(`AGPIOC_INFO', `0x80084100')
+define(`AGPIOC_PROTECT', `0x40084105')
+define(`AGPIOC_RELEASE', `0x00004102')
+define(`AGPIOC_RESERVE', `0x40084104')
+define(`AGPIOC_SETUP', `0x40084103')
+define(`AGPIOC_UNBIND', `0x40084109')
+define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
+define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
+define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
+define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
+define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
+define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
+define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
+define(`ANDROID_ALARM_SET_RTC', `0x40106105')
+define(`ANDROID_ALARM_WAIT', `0x00006101')
+define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
+define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
+define(`APM_IOC_STANDBY', `0x00004101')
+define(`APM_IOC_SUSPEND', `0x00004102')
+define(`ASHMEM_GET_NAME', `0x81007702')
+define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
+define(`ASHMEM_GET_PROT_MASK', `0x00007706')
+define(`ASHMEM_GET_SIZE', `0x00007704')
+define(`ASHMEM_PIN', `0x40087707')
+define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
+define(`ASHMEM_SET_NAME', `0x41007701')
+define(`ASHMEM_SET_PROT_MASK', `0x40087705')
+define(`ASHMEM_SET_SIZE', `0x40087703')
+define(`ASHMEM_UNPIN', `0x40087708')
+define(`ATM_ADDADDR', `0x40106188')
+define(`ATM_ADDLECSADDR', `0x4010618e')
+define(`ATM_ADDPARTY', `0x401061f4')
+define(`ATMARPD_CTRL', `0x000061e1')
+define(`ATMARP_ENCAP', `0x000061e5')
+define(`ATMARP_MKIP', `0x000061e2')
+define(`ATMARP_SETENTRY', `0x000061e3')
+define(`ATM_DELADDR', `0x40106189')
+define(`ATM_DELLECSADDR', `0x4010618f')
+define(`ATM_DROPPARTY', `0x400461f5')
+define(`ATM_GETADDR', `0x40106186')
+define(`ATM_GETCIRANGE', `0x4010618a')
+define(`ATM_GETESI', `0x40106185')
+define(`ATM_GETLECSADDR', `0x40106190')
+define(`ATM_GETLINKRATE', `0x40106181')
+define(`ATM_GETLOOP', `0x40106152')
+define(`ATM_GETNAMES', `0x40106183')
+define(`ATM_GETSTAT', `0x40106150')
+define(`ATM_GETSTATZ', `0x40106151')
+define(`ATM_GETTYPE', `0x40106184')
+define(`ATMLEC_CTRL', `0x000061d0')
+define(`ATMLEC_DATA', `0x000061d1')
+define(`ATMLEC_MCAST', `0x000061d2')
+define(`ATMMPC_CTRL', `0x000061d8')
+define(`ATMMPC_DATA', `0x000061d9')
+define(`ATM_NEWBACKENDIF', `0x400261f3')
+define(`ATM_QUERYLOOP', `0x40106154')
+define(`ATM_RSTADDR', `0x40106187')
+define(`ATM_SETBACKEND', `0x400261f2')
+define(`ATM_SETCIRANGE', `0x4010618b')
+define(`ATM_SETESI', `0x4010618c')
+define(`ATM_SETESIF', `0x4010618d')
+define(`ATM_SETLOOP', `0x40106153')
+define(`ATM_SETSC', `0x400461f1')
+define(`ATMSIGD_CTRL', `0x000061f0')
+define(`ATMTCP_CREATE', `0x0000618e')
+define(`ATMTCP_REMOVE', `0x0000618f')
+define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
+define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
+define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
+define(`AUDIO_CONTINUE', `0x00006f04')
+define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
+define(`AUDIO_GET_PTS', `0x80086f13')
+define(`AUDIO_GET_STATUS', `0x80206f0a')
+define(`AUDIO_PAUSE', `0x00006f03')
+define(`AUDIO_PLAY', `0x00006f02')
+define(`AUDIO_SELECT_SOURCE', `0x00006f05')
+define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
+define(`AUDIO_SET_AV_SYNC', `0x00006f07')
+define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
+define(`AUDIO_SET_EXT_ID', `0x00006f10')
+define(`AUDIO_SET_ID', `0x00006f0d')
+define(`AUDIO_SET_KARAOKE', `0x400c6f12')
+define(`AUDIO_SET_MIXER', `0x40086f0e')
+define(`AUDIO_SET_MUTE', `0x00006f06')
+define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
+define(`AUDIO_STOP', `0x00006f01')
+define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
+define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
+define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
+define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
+define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
+define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
+define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
+define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
+define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
+define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
+define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
+define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
+define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
+define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
+define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
+define(`AUTOFS_IOC_CATATONIC', `0x00009362')
+define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
+define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
+define(`AUTOFS_IOC_FAIL', `0x00009361')
+define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
+define(`AUTOFS_IOC_PROTOVER', `0x80049363')
+define(`AUTOFS_IOC_READY', `0x00009360')
+define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
+define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
+define(`BC_ACQUIRE', `0x40046305')
+define(`BC_ACQUIRE_DONE', `0x40106309')
+define(`BC_ACQUIRE_RESULT', `0x40046302')
+define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
+define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
+define(`BC_DEAD_BINDER_DONE', `0x40086310')
+define(`BC_DECREFS', `0x40046307')
+define(`BC_ENTER_LOOPER', `0x0000630c')
+define(`BC_EXIT_LOOPER', `0x0000630d')
+define(`BC_FREE_BUFFER', `0x40086303')
+define(`BC_INCREFS', `0x40046304')
+define(`BC_INCREFS_DONE', `0x40106308')
+define(`BC_REGISTER_LOOPER', `0x0000630b')
+define(`BC_RELEASE', `0x40046306')
+define(`BC_REPLY', `0x40406301')
+define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
+define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
+define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
+define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
+define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
+define(`BINDER_SET_MAX_THREADS', `0x40046205')
+define(`BINDER_THREAD_EXIT', `0x40046208')
+define(`BINDER_VERSION', `0xc0046209')
+define(`BINDER_WRITE_READ', `0xc0306201')
+define(`BLKALIGNOFF', `0x0000127a')
+define(`BLKBSZGET', `0x80081270')
+define(`BLKBSZSET', `0x40081271')
+define(`BLKDISCARD', `0x00001277')
+define(`BLKDISCARDZEROES', `0x0000127c')
+define(`BLKFLSBUF', `0x00001261')
+define(`BLKFRAGET', `0x00001265')
+define(`BLKFRASET', `0x00001264')
+define(`BLKGETSIZE', `0x00001260')
+define(`BLKGETSIZE64', `0x80081272')
+define(`BLKI2OGRSTRAT', `0x80043201')
+define(`BLKI2OGWSTRAT', `0x80043202')
+define(`BLKI2OSRSTRAT', `0x40043203')
+define(`BLKI2OSWSTRAT', `0x40043204')
+define(`BLKIOMIN', `0x00001278')
+define(`BLKIOOPT', `0x00001279')
+define(`BLKPBSZGET', `0x0000127b')
+define(`BLKPG', `0x00001269')
+define(`BLKRAGET', `0x00001263')
+define(`BLKRASET', `0x00001262')
+define(`BLKROGET', `0x0000125e')
+define(`BLKROSET', `0x0000125d')
+define(`BLKROTATIONAL', `0x0000127e')
+define(`BLKRRPART', `0x0000125f')
+define(`BLKSECDISCARD', `0x0000127d')
+define(`BLKSECTGET', `0x00001267')
+define(`BLKSECTSET', `0x00001266')
+define(`BLKSSZGET', `0x00001268')
+define(`BLKTRACESETUP', `0xc0481273')
+define(`BLKTRACESTART', `0x00001274')
+define(`BLKTRACESTOP', `0x00001275')
+define(`BLKTRACETEARDOWN', `0x00001276')
+define(`BLKZEROOUT', `0x0000127f')
+define(`BR2684_SETFILT', `0x401c6190')
+define(`BR_ACQUIRE', `0x80107208')
+define(`BR_ACQUIRE_RESULT', `0x80047204')
+define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
+define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
+define(`BR_DEAD_BINDER', `0x8008720f')
+define(`BR_DEAD_REPLY', `0x00007205')
+define(`BR_DECREFS', `0x8010720a')
+define(`BR_ERROR', `0x80047200')
+define(`BR_FAILED_REPLY', `0x00007211')
+define(`BR_FINISHED', `0x0000720e')
+define(`BR_INCREFS', `0x80107207')
+define(`BR_NOOP', `0x0000720c')
+define(`BR_OK', `0x00007201')
+define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
+define(`BR_RELEASE', `0x80107209')
+define(`BR_REPLY', `0x80407203')
+define(`BR_SPAWN_LOOPER', `0x0000720d')
+define(`BR_TRANSACTION', `0x80407202')
+define(`BR_TRANSACTION_COMPLETE', `0x00007206')
+define(`BT819_FIFO_RESET_HIGH', `0x00006201')
+define(`BT819_FIFO_RESET_LOW', `0x00006200')
+define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
+define(`BTRFS_IOC_BALANCE', `0x5000940c')
+define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
+define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
+define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
+define(`BTRFS_IOC_CLONE', `0x40049409')
+define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
+define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
+define(`BTRFS_IOC_DEFRAG', `0x50009402')
+define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
+define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
+define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
+define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
+define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
+define(`BTRFS_IOC_FS_INFO', `0x8400941f')
+define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
+define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
+define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
+define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
+define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
+define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
+define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
+define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
+define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
+define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
+define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
+define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
+define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
+define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
+define(`BTRFS_IOC_RESIZE', `0x50009403')
+define(`BTRFS_IOC_RM_DEV', `0x5000940b')
+define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
+define(`BTRFS_IOC_SCRUB', `0xc400941b')
+define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
+define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
+define(`BTRFS_IOC_SEND', `0x40489426')
+define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
+define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
+define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
+define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
+define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
+define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
+define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
+define(`BTRFS_IOC_START_SYNC', `0x80089418')
+define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
+define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
+define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
+define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
+define(`BTRFS_IOC_SYNC', `0x00009408')
+define(`BTRFS_IOC_TRANS_END', `0x00009407')
+define(`BTRFS_IOC_TRANS_START', `0x00009406')
+define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
+define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
+define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
+define(`CA_GET_CAP', `0x80106f81')
+define(`CA_GET_DESCR_INFO', `0x80086f83')
+define(`CA_GET_MSG', `0x810c6f84')
+define(`CA_GET_SLOT_INFO', `0x800c6f82')
+define(`CAPI_CLR_FLAGS', `0x80044325')
+define(`CAPI_GET_ERRCODE', `0x80024321')
+define(`CAPI_GET_FLAGS', `0x80044323')
+define(`CAPI_GET_MANUFACTURER', `0xc0044306')
+define(`CAPI_GET_PROFILE', `0xc0404309')
+define(`CAPI_GET_SERIAL', `0xc0044308')
+define(`CAPI_GET_VERSION', `0xc0104307')
+define(`CAPI_INSTALLED', `0x80024322')
+define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
+define(`CAPI_NCCI_GETUNIT', `0x80044327')
+define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
+define(`CAPI_REGISTER', `0x400c4301')
+define(`CAPI_SET_FLAGS', `0x80044324')
+define(`CA_RESET', `0x00006f80')
+define(`CA_SEND_MSG', `0x410c6f85')
+define(`CA_SET_DESCR', `0x40106f86')
+define(`CA_SET_PID', `0x40086f87')
+define(`CCISS_BIG_PASSTHRU', `0xc0604212')
+define(`CCISS_DEREGDISK', `0x0000420c')
+define(`CCISS_GETBUSTYPES', `0x80044207')
+define(`CCISS_GETDRIVVER', `0x80044209')
+define(`CCISS_GETFIRMVER', `0x80044208')
+define(`CCISS_GETHEARTBEAT', `0x80044206')
+define(`CCISS_GETINTINFO', `0x80084202')
+define(`CCISS_GETLUNINFO', `0x800c4211')
+define(`CCISS_GETNODENAME', `0x80104204')
+define(`CCISS_GETPCIINFO', `0x80084201')
+define(`CCISS_PASSTHRU', `0xc058420b')
+define(`CCISS_REGNEWD', `0x0000420e')
+define(`CCISS_REGNEWDISK', `0x4004420d')
+define(`CCISS_RESCANDISK', `0x00004210')
+define(`CCISS_REVALIDVOLS', `0x0000420a')
+define(`CCISS_SETINTINFO', `0x40084203')
+define(`CCISS_SETNODENAME', `0x40104205')
+define(`CDROMAUDIOBUFSIZ', `0x00005382')
+define(`CDROM_CHANGER_NSLOTS', `0x00005328')
+define(`CDROM_CLEAR_OPTIONS', `0x00005321')
+define(`CDROMCLOSETRAY', `0x00005319')
+define(`CDROM_DEBUG', `0x00005330')
+define(`CDROM_DISC_STATUS', `0x00005327')
+define(`CDROM_DRIVE_STATUS', `0x00005326')
+define(`CDROMEJECT', `0x00005309')
+define(`CDROMEJECT_SW', `0x0000530f')
+define(`CDROM_GET_CAPABILITY', `0x00005331')
+define(`CDROM_GET_MCN', `0x00005311')
+define(`CDROMGETSPINDOWN', `0x0000531d')
+define(`CDROM_LAST_WRITTEN', `0x00005395')
+define(`CDROM_LOCKDOOR', `0x00005329')
+define(`CDROM_MEDIA_CHANGED', `0x00005325')
+define(`CDROMMULTISESSION', `0x00005310')
+define(`CDROM_NEXT_WRITABLE', `0x00005394')
+define(`CDROMPAUSE', `0x00005301')
+define(`CDROMPLAYBLK', `0x00005317')
+define(`CDROMPLAYMSF', `0x00005303')
+define(`CDROMPLAYTRKIND', `0x00005304')
+define(`CDROMREADALL', `0x00005318')
+define(`CDROMREADAUDIO', `0x0000530e')
+define(`CDROMREADCOOKED', `0x00005315')
+define(`CDROMREADMODE1', `0x0000530d')
+define(`CDROMREADMODE2', `0x0000530c')
+define(`CDROMREADRAW', `0x00005314')
+define(`CDROMREADTOCENTRY', `0x00005306')
+define(`CDROMREADTOCHDR', `0x00005305')
+define(`CDROMRESET', `0x00005312')
+define(`CDROMRESUME', `0x00005302')
+define(`CDROMSEEK', `0x00005316')
+define(`CDROM_SELECT_DISC', `0x00005323')
+define(`CDROM_SELECT_SPEED', `0x00005322')
+define(`CDROM_SEND_PACKET', `0x00005393')
+define(`CDROM_SET_OPTIONS', `0x00005320')
+define(`CDROMSETSPINDOWN', `0x0000531e')
+define(`CDROMSTART', `0x00005308')
+define(`CDROMSTOP', `0x00005307')
+define(`CDROMSUBCHNL', `0x0000530b')
+define(`CDROMVOLCTRL', `0x0000530a')
+define(`CDROMVOLREAD', `0x00005313')
+define(`CHIOEXCHANGE', `0x401c6302')
+define(`CHIOGELEM', `0x406c6310')
+define(`CHIOGPARAMS', `0x80146306')
+define(`CHIOGPICKER', `0x80046304')
+define(`CHIOGSTATUS', `0x40106308')
+define(`CHIOGVPARAMS', `0x80706313')
+define(`CHIOINITELEM', `0x00006311')
+define(`CHIOMOVE', `0x40146301')
+define(`CHIOPOSITION', `0x400c6303')
+define(`CHIOSPICKER', `0x40046305')
+define(`CHIOSVOLTAG', `0x40306312')
+define(`CIOC_KERNEL_VERSION', `0xc008630a')
+define(`CLEAR_ARRAY', `0x00000920')
+define(`CM_IOCARDOFF', `0x00006304')
+define(`CM_IOCGATR', `0xc0086301')
+define(`CM_IOCGSTATUS', `0x80086300')
+define(`CM_IOCSPTS', `0x40086302')
+define(`CM_IOCSRDR', `0x00006303')
+define(`CM_IOSDBGLVL', `0x400863fa')
+define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
+define(`CXL_IOCTL_START_WORK', `0x4040ca00')
+define(`DM_DEV_CREATE', `0xc138fd03')
+define(`DM_DEV_REMOVE', `0xc138fd04')
+define(`DM_DEV_RENAME', `0xc138fd05')
+define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
+define(`DM_DEV_STATUS', `0xc138fd07')
+define(`DM_DEV_SUSPEND', `0xc138fd06')
+define(`DM_DEV_WAIT', `0xc138fd08')
+define(`DM_LIST_DEVICES', `0xc138fd02')
+define(`DM_LIST_VERSIONS', `0xc138fd0d')
+define(`DM_REMOVE_ALL', `0xc138fd01')
+define(`DM_TABLE_CLEAR', `0xc138fd0a')
+define(`DM_TABLE_DEPS', `0xc138fd0b')
+define(`DM_TABLE_LOAD', `0xc138fd09')
+define(`DM_TABLE_STATUS', `0xc138fd0c')
+define(`DM_TARGET_MSG', `0xc138fd0e')
+define(`DM_VERSION', `0xc138fd00')
+define(`DMX_ADD_PID', `0x40026f33')
+define(`DMX_GET_CAPS', `0x80086f30')
+define(`DMX_GET_PES_PIDS', `0x800a6f2f')
+define(`DMX_GET_STC', `0xc0106f32')
+define(`DMX_REMOVE_PID', `0x40026f34')
+define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
+define(`DMX_SET_FILTER', `0x403c6f2b')
+define(`DMX_SET_PES_FILTER', `0x40146f2c')
+define(`DMX_SET_SOURCE', `0x40046f31')
+define(`DMX_START', `0x00006f29')
+define(`DMX_STOP', `0x00006f2a')
+define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
+define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
+define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
+define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
+define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
+define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
+define(`DRM_IOCTL_AGP_BIND', `0x40106436')
+define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
+define(`DRM_IOCTL_AGP_FREE', `0x40206435')
+define(`DRM_IOCTL_AGP_INFO', `0x80386433')
+define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
+define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
+define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
+define(`DRM_IOCTL_BLOCK', `0xc0046412')
+define(`DRM_IOCTL_CONTROL', `0x40086414')
+define(`DRM_IOCTL_DMA', `0xc0406429')
+define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
+define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
+define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
+define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
+define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
+define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
+define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
+define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
+define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
+define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
+define(`DRM_IOCTL_FINISH', `0x4008642c')
+define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
+define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
+define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
+define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
+define(`DRM_IOCTL_GET_CAP', `0xc010640c')
+define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
+define(`DRM_IOCTL_GET_CTX', `0xc0086423')
+define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
+define(`DRM_IOCTL_GET_MAP', `0xc0286404')
+define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
+define(`DRM_IOCTL_GET_STATS', `0x80f86406')
+define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
+define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
+define(`DRM_IOCTL_I810_COPY', `0x40106447')
+define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
+define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
+define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
+define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
+define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
+define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
+define(`DRM_IOCTL_I810_INIT', `0x40406440')
+define(`DRM_IOCTL_I810_MC', `0x4020644c')
+define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
+define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
+define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
+define(`DRM_IOCTL_I810_SWAP', `0x00006446')
+define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
+define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
+define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
+define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
+define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
+define(`DRM_IOCTL_I915_FLIP', `0x00006442')
+define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
+define(`DRM_IOCTL_I915_FREE', `0x40086449')
+define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
+define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
+define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
+define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
+define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
+define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
+define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
+define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
+define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
+define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
+define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
+define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
+define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
+define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
+define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
+define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
+define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
+define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
+define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
+define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
+define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
+define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
+define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
+define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
+define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
+define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
+define(`DRM_IOCTL_I915_INIT', `0x40446440')
+define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
+define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
+define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
+define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
+define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
+define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
+define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
+define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
+define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
+define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
+define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
+define(`DRM_IOCTL_LOCK', `0x4008642a')
+define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
+define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
+define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
+define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
+define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
+define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
+define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
+define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
+define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
+define(`DRM_IOCTL_MGA_INIT', `0x40806440')
+define(`DRM_IOCTL_MGA_RESET', `0x00006442')
+define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
+define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
+define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
+define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
+define(`DRM_IOCTL_MOD_CTX', `0x40086422')
+define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
+define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
+define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
+define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
+define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
+define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
+define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
+define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
+define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
+define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
+define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
+define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
+define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
+define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
+define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
+define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
+define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
+define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
+define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
+define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
+define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
+define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
+define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
+define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
+define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
+define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
+define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
+define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
+define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
+define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
+define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
+define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
+define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
+define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
+define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
+define(`DRM_IOCTL_NEW_CTX', `0x40086425')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
+define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
+define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
+define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
+define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
+define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
+define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
+define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
+define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
+define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
+define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
+define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
+define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
+define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
+define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
+define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
+define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
+define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
+define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
+define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
+define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
+define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
+define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
+define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
+define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
+define(`DRM_IOCTL_R128_FLIP', `0x00006453')
+define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
+define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
+define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
+define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
+define(`DRM_IOCTL_R128_INIT', `0x40786440')
+define(`DRM_IOCTL_R128_RESET', `0x00006446')
+define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
+define(`DRM_IOCTL_R128_SWAP', `0x00006447')
+define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
+define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
+define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
+define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
+define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
+define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
+define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
+define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
+define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
+define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
+define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
+define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
+define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
+define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
+define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
+define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
+define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
+define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
+define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
+define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
+define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
+define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
+define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
+define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
+define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
+define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
+define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
+define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
+define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
+define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
+define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
+define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
+define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
+define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
+define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
+define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
+define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
+define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
+define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
+define(`DRM_IOCTL_RES_CTX', `0xc0106426')
+define(`DRM_IOCTL_RM_CTX', `0xc0086421')
+define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
+define(`DRM_IOCTL_RM_MAP', `0x4028641b')
+define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
+define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
+define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
+define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
+define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
+define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
+define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
+define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
+define(`DRM_IOCTL_SG_FREE', `0x40106439')
+define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
+define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
+define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
+define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
+define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
+define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
+define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
+define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
+define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
+define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
+define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
+define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
+define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
+define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
+define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
+define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
+define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
+define(`DRM_IOCTL_UNLOCK', `0x4008642b')
+define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
+define(`DRM_IOCTL_VERSION', `0xc0406400')
+define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
+define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
+define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
+define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
+define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
+define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
+define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
+define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
+define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
+define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
+define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
+define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
+define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
+define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
+define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
+define(`DVD_AUTH', `0x00005392')
+define(`DVD_READ_STRUCT', `0x00005390')
+define(`DVD_WRITE_STRUCT', `0x00005391')
+define(`ECCGETLAYOUT', `0x81484d11')
+define(`ECCGETSTATS', `0x80104d12')
+define(`ENI_MEMDUMP', `0x40106160')
+define(`ENI_SETMULT', `0x40106167')
+define(`EVIOCGEFFECTS', `0x80044584')
+define(`EVIOCGID', `0x80084502')
+define(`EVIOCGKEYCODE', `0x80084504')
+define(`EVIOCGKEYCODE_V2', `0x80284504')
+define(`EVIOCGRAB', `0x40044590')
+define(`EVIOCGREP', `0x80084503')
+define(`EVIOCGVERSION', `0x80044501')
+define(`EVIOCREVOKE', `0x40044591')
+define(`EVIOCRMFF', `0x40044581')
+define(`EVIOCSCLOCKID', `0x400445a0')
+define(`EVIOCSFF', `0x40304580')
+define(`EVIOCSKEYCODE', `0x40084504')
+define(`EVIOCSKEYCODE_V2', `0x40284504')
+define(`EVIOCSREP', `0x40084503')
+define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
+define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
+define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
+define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
+define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
+define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
+define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
+define(`F2FS_IOC_DEFRAGMENT', `0xf508')
+define(`F2FS_IOC_MOVE_RANGE', `0xf509')
+define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
+define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
+define(`F2FS_IOC_GET_FEATURES', `0xf50c')
+define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
+define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
+define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
+define(`F2FS_IOC_RESIZE_FS', `0xf510')
+define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
+define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
+define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
+define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
+define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
+define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
+define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
+define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
+define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
+define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
+define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
+define(`FBIGET_BRIGHTNESS', `0x80044603')
+define(`FBIGET_COLOR', `0x80044605')
+define(`FBIO_ALLOC', `0x00004613')
+define(`FBIOBLANK', `0x00004611')
+define(`FBIO_CURSOR', `0xc0684608')
+define(`FBIO_FREE', `0x00004614')
+define(`FBIOGETCMAP', `0x00004604')
+define(`FBIOGET_CON2FBMAP', `0x0000460f')
+define(`FBIOGET_CONTRAST', `0x80044601')
+define(`FBIO_GETCONTROL2', `0x80084689')
+define(`FBIOGET_DISPINFO', `0x00004618')
+define(`FBIOGET_FSCREENINFO', `0x00004602')
+define(`FBIOGET_GLYPH', `0x00004615')
+define(`FBIOGET_HWCINFO', `0x00004616')
+define(`FBIOGET_VBLANK', `0x80204612')
+define(`FBIOGET_VSCREENINFO', `0x00004600')
+define(`FBIOPAN_DISPLAY', `0x00004606')
+define(`FBIOPUTCMAP', `0x00004605')
+define(`FBIOPUT_CON2FBMAP', `0x00004610')
+define(`FBIOPUT_CONTRAST', `0x40044602')
+define(`FBIOPUT_MODEINFO', `0x00004617')
+define(`FBIOPUT_VSCREENINFO', `0x00004601')
+define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
+define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
+define(`FBIO_WAITEVENT', `0x00004688')
+define(`FBIO_WAITFORVSYNC', `0x40044620')
+define(`FBIPUT_BRIGHTNESS', `0x40044603')
+define(`FBIPUT_COLOR', `0x40044606')
+define(`FBIPUT_HSYNC', `0x40044609')
+define(`FBIPUT_VSYNC', `0x4004460a')
+define(`FDCLRPRM', `0x00000241')
+define(`FDDEFPRM', `0x40200243')
+define(`FDEJECT', `0x0000025a')
+define(`FDFLUSH', `0x0000024b')
+define(`FDFMTBEG', `0x00000247')
+define(`FDFMTEND', `0x00000249')
+define(`FDFMTTRK', `0x400c0248')
+define(`FDGETDRVPRM', `0x80800211')
+define(`FDGETDRVSTAT', `0x80500212')
+define(`FDGETDRVTYP', `0x8010020f')
+define(`FDGETFDCSTAT', `0x80280215')
+define(`FDGETMAXERRS', `0x8014020e')
+define(`FDGETPRM', `0x80200204')
+define(`FDMSGOFF', `0x00000246')
+define(`FDMSGON', `0x00000245')
+define(`FDPOLLDRVSTAT', `0x80500213')
+define(`FDRAWCMD', `0x00000258')
+define(`FDRESET', `0x00000254')
+define(`FDSETDRVPRM', `0x40800290')
+define(`FDSETEMSGTRESH', `0x0000024a')
+define(`FDSETMAXERRS', `0x4014024c')
+define(`FDSETPRM', `0x40200242')
+define(`FDTWADDLE', `0x00000259')
+define(`FDWERRORCLR', `0x00000256')
+define(`FDWERRORGET', `0x80280217')
+define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
+define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
+define(`FE_DISEQC_SEND_BURST', `0x00006f41')
+define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
+define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
+define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
+define(`FE_GET_EVENT', `0x80286f4e')
+define(`FE_GET_FRONTEND', `0x80246f4d')
+define(`FE_GET_INFO', `0x80a86f3d')
+define(`FE_GET_PROPERTY', `0x80106f53')
+define(`FE_READ_BER', `0x80046f46')
+define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
+define(`FE_READ_SNR', `0x80026f48')
+define(`FE_READ_STATUS', `0x80046f45')
+define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
+define(`FE_SET_FRONTEND', `0x40246f4c')
+define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
+define(`FE_SET_PROPERTY', `0x40106f52')
+define(`FE_SET_TONE', `0x00006f42')
+define(`FE_SET_VOLTAGE', `0x00006f43')
+define(`FIBMAP', `0x00000001')
+define(`FIFREEZE', `0xc0045877')
+define(`FIGETBSZ', `0x00000002')
+define(`FIOASYNC', `0x00005452')
+define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
+define(`FIOGETOWN', `0x00008903')
+define(`FIONBIO', `0x00005421')
+define(`FIONCLEX', ifelse(target_arch, mips, 0x00006602, 0x00005450))
+define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
+define(`FIOQSIZE', `0x00005460')
+define(`FIOSETOWN', `0x00008901')
+define(`FITHAW', `0xc0045878')
+define(`FITRIM', `0xc0185879')
+define(`FS_IOC32_GETFLAGS', `0x80046601')
+define(`FS_IOC32_GETVERSION', `0x80047601')
+define(`FS_IOC32_SETFLAGS', `0x40046602')
+define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
+define(`FS_IOC_ENABLE_VERITY', `0x6685')
+define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`FS_IOC_FSGETXATTR', `0x801c581f')
+define(`FS_IOC_FSSETXATTR', `0x401c5820')
+define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
+define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
+define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
+define(`FS_IOC_GETFLAGS', `0x80086601')
+define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
+define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
+define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
+define(`FS_IOC_SETFLAGS', `0x40086602')
+define(`FS_IOC_SETVERSION', `0x40087602')
+define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
+define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
+define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
+define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
+define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
+define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
+define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
+define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
+define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
+define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
+define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
+define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
+define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
+define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
+define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
+define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
+define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
+define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
+define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
+define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
+define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
+define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
+define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
+define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
+define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
+define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
+define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
+define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
+define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
+define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
+define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
+define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
+define(`GADGETFS_CLEAR_HALT', `0x00006703')
+define(`GADGETFS_FIFO_FLUSH', `0x00006702')
+define(`GADGETFS_FIFO_STATUS', `0x00006701')
+define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
+define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
+define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
+define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
+define(`GENWQE_GET_CARD_STATE', `0x8004a524')
+define(`GENWQE_PIN_MEM', `0xc020a528')
+define(`GENWQE_READ_REG16', `0x8010a522')
+define(`GENWQE_READ_REG32', `0x8010a520')
+define(`GENWQE_READ_REG64', `0x8010a51e')
+define(`GENWQE_SLU_READ', `0xc038a551')
+define(`GENWQE_SLU_UPDATE', `0xc038a550')
+define(`GENWQE_UNPIN_MEM', `0xc020a529')
+define(`GENWQE_WRITE_REG16', `0x4010a523')
+define(`GENWQE_WRITE_REG32', `0x4010a521')
+define(`GENWQE_WRITE_REG64', `0x4010a51f')
+define(`GET_ARRAY_INFO', `0x80480911')
+define(`GET_BITMAP_FILE', `0x90000915')
+define(`GET_DISK_INFO', `0x80140912')
+define(`GIGASET_BRKCHARS', `0x40064702')
+define(`GIGASET_CONFIG', `0xc0044701')
+define(`GIGASET_REDIR', `0xc0044700')
+define(`GIGASET_VERSION', `0xc0104703')
+define(`GIO_CMAP', `0x00004b70')
+define(`GIO_FONT', `0x00004b60')
+define(`GIO_FONTX', `0x00004b6b')
+define(`GIO_SCRNMAP', `0x00004b40')
+define(`GIO_UNIMAP', `0x00004b66')
+define(`GIO_UNISCRNMAP', `0x00004b69')
+define(`GSMIOC_DISABLE_NET', `0x00004703')
+define(`GSMIOC_ENABLE_NET', `0x40344702')
+define(`GSMIOC_GETCONF', `0x804c4700')
+define(`GSMIOC_SETCONF', `0x404c4701')
+define(`HCIBLOCKADDR', `0x400448e6')
+define(`HCIDEVDOWN', `0x400448ca')
+define(`HCIDEVRESET', `0x400448cb')
+define(`HCIDEVRESTAT', `0x400448cc')
+define(`HCIDEVUP', `0x400448c9')
+define(`HCIGETAUTHINFO', `0x800448d7')
+define(`HCIGETCONNINFO', `0x800448d5')
+define(`HCIGETCONNLIST', `0x800448d4')
+define(`HCIGETDEVINFO', `0x800448d3')
+define(`HCIGETDEVLIST', `0x800448d2')
+define(`HCIINQUIRY', `0x800448f0')
+define(`HCISETACLMTU', `0x400448e3')
+define(`HCISETAUTH', `0x400448de')
+define(`HCISETENCRYPT', `0x400448df')
+define(`HCISETLINKMODE', `0x400448e2')
+define(`HCISETLINKPOL', `0x400448e1')
+define(`HCISETPTYPE', `0x400448e0')
+define(`HCISETRAW', `0x400448dc')
+define(`HCISETSCAN', `0x400448dd')
+define(`HCISETSCOMTU', `0x400448e4')
+define(`HCIUNBLOCKADDR', `0x400448e7')
+define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
+define(`HDA_IOCTL_PVERSION', `0x80044810')
+define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
+define(`HDIO_DRIVE_CMD', `0x0000031f')
+define(`HDIO_DRIVE_RESET', `0x0000031c')
+define(`HDIO_DRIVE_TASK', `0x0000031e')
+define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
+define(`HDIO_GET_32BIT', `0x00000309')
+define(`HDIO_GET_ACOUSTIC', `0x0000030f')
+define(`HDIO_GET_ADDRESS', `0x00000310')
+define(`HDIO_GET_BUSSTATE', `0x0000031a')
+define(`HDIO_GET_DMA', `0x0000030b')
+define(`HDIO_GETGEO', `0x00000301')
+define(`HDIO_GET_IDENTITY', `0x0000030d')
+define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
+define(`HDIO_GET_MULTCOUNT', `0x00000304')
+define(`HDIO_GET_NICE', `0x0000030c')
+define(`HDIO_GET_NOWERR', `0x0000030a')
+define(`HDIO_GET_QDMA', `0x00000305')
+define(`HDIO_GET_UNMASKINTR', `0x00000302')
+define(`HDIO_GET_WCACHE', `0x0000030e')
+define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
+define(`HDIO_SCAN_HWIF', `0x00000328')
+define(`HDIO_SET_32BIT', `0x00000324')
+define(`HDIO_SET_ACOUSTIC', `0x0000032c')
+define(`HDIO_SET_ADDRESS', `0x0000032f')
+define(`HDIO_SET_BUSSTATE', `0x0000032d')
+define(`HDIO_SET_DMA', `0x00000326')
+define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
+define(`HDIO_SET_MULTCOUNT', `0x00000321')
+define(`HDIO_SET_NICE', `0x00000329')
+define(`HDIO_SET_NOWERR', `0x00000325')
+define(`HDIO_SET_PIO_MODE', `0x00000327')
+define(`HDIO_SET_QDMA', `0x0000032e')
+define(`HDIO_SET_UNMASKINTR', `0x00000322')
+define(`HDIO_SET_WCACHE', `0x0000032b')
+define(`HDIO_SET_XFER', `0x00000306')
+define(`HDIO_TRISTATE_HWIF', `0x0000031b')
+define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
+define(`HE_GET_REG', `0x40106160')
+define(`HIDIOCAPPLICATION', `0x00004802')
+define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
+define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
+define(`HIDIOCGDEVINFO', `0x801c4803')
+define(`HIDIOCGFIELDINFO', `0xc038480a')
+define(`HIDIOCGFLAG', `0x8004480e')
+define(`HIDIOCGRAWINFO', `0x80084803')
+define(`HIDIOCGRDESC', `0x90044802')
+define(`HIDIOCGRDESCSIZE', `0x80044801')
+define(`HIDIOCGREPORT', `0x400c4807')
+define(`HIDIOCGREPORTINFO', `0xc00c4809')
+define(`HIDIOCGSTRING', `0x81044804')
+define(`HIDIOCGUCODE', `0xc018480d')
+define(`HIDIOCGUSAGE', `0xc018480b')
+define(`HIDIOCGUSAGES', `0xd01c4813')
+define(`HIDIOCGVERSION', `0x80044801')
+define(`HIDIOCINITREPORT', `0x00004805')
+define(`HIDIOCSFLAG', `0x4004480f')
+define(`HIDIOCSREPORT', `0x400c4808')
+define(`HIDIOCSUSAGE', `0x4018480c')
+define(`HIDIOCSUSAGES', `0x501c4814')
+define(`HOT_ADD_DISK', `0x00000928')
+define(`HOT_GENERATE_ERROR', `0x0000092a')
+define(`HOT_REMOVE_DISK', `0x00000922')
+define(`HPET_DPI', `0x00006805')
+define(`HPET_EPI', `0x00006804')
+define(`HPET_IE_OFF', `0x00006802')
+define(`HPET_IE_ON', `0x00006801')
+define(`HPET_INFO', `0x80186803')
+define(`HPET_IRQFREQ', `0x40086806')
+define(`HSC_GET_RX', `0x400c6b14')
+define(`HSC_GET_TX', `0x40106b16')
+define(`HSC_RESET', `0x00006b10')
+define(`HSC_SEND_BREAK', `0x00006b12')
+define(`HSC_SET_PM', `0x00006b11')
+define(`HSC_SET_RX', `0x400c6b13')
+define(`HSC_SET_TX', `0x40106b15')
+define(`I2OEVTGET', `0x8068690b')
+define(`I2OEVTREG', `0x400c690a')
+define(`I2OGETIOPS', `0x80206900')
+define(`I2OHRTGET', `0xc0186901')
+define(`I2OHTML', `0xc0306909')
+define(`I2OLCTGET', `0xc0186902')
+define(`I2OPARMGET', `0xc0286904')
+define(`I2OPARMSET', `0xc0286903')
+define(`I2OPASSTHRU', `0x8010690c')
+define(`I2OPASSTHRU32', `0x8008690c')
+define(`I2OSWDEL', `0xc0306907')
+define(`I2OSWDL', `0xc0306905')
+define(`I2OSWUL', `0xc0306906')
+define(`I2OVALIDATE', `0x80046908')
+define(`I8K_BIOS_VERSION', `0x80046980')
+define(`I8K_FN_STATUS', `0x80086983')
+define(`I8K_GET_FAN', `0xc0086986')
+define(`I8K_GET_SPEED', `0xc0086985')
+define(`I8K_GET_TEMP', `0x80086984')
+define(`I8K_MACHINE_ID', `0x80046981')
+define(`I8K_POWER_STATUS', `0x80086982')
+define(`I8K_SET_FAN', `0xc0086987')
+define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
+define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
+define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
+define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
+define(`IDT77105_GETSTAT', `0x40106132')
+define(`IDT77105_GETSTATZ', `0x40106133')
+define(`IIOCDBGVAR', `0x0000497f')
+define(`IIOCDRVCTL', `0x00004980')
+define(`IIOCGETCPS', `0x00004915')
+define(`IIOCGETDVR', `0x00004916')
+define(`IIOCGETMAP', `0x00004911')
+define(`IIOCGETPRF', `0x0000490f')
+define(`IIOCGETSET', `0x00004908')
+define(`IIOCNETAIF', `0x00004901')
+define(`IIOCNETALN', `0x00004920')
+define(`IIOCNETANM', `0x00004905')
+define(`IIOCNETASL', `0x00004913')
+define(`IIOCNETDIF', `0x00004902')
+define(`IIOCNETDIL', `0x00004914')
+define(`IIOCNETDLN', `0x00004921')
+define(`IIOCNETDNM', `0x00004906')
+define(`IIOCNETDWRSET', `0x00004918')
+define(`IIOCNETGCF', `0x00004904')
+define(`IIOCNETGNM', `0x00004907')
+define(`IIOCNETGPN', `0x00004922')
+define(`IIOCNETHUP', `0x0000490b')
+define(`IIOCNETLCR', `0x00004917')
+define(`IIOCNETSCF', `0x00004903')
+define(`IIOCSETBRJ', `0x0000490d')
+define(`IIOCSETGST', `0x0000490c')
+define(`IIOCSETMAP', `0x00004912')
+define(`IIOCSETPRF', `0x00004910')
+define(`IIOCSETSET', `0x00004909')
+define(`IIOCSETVER', `0x0000490a')
+define(`IIOCSIGPRF', `0x0000490e')
+define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
+define(`IMADDTIMER', `0x80044940')
+define(`IMCLEAR_L2', `0x80044946')
+define(`IMCTRLREQ', `0x80044945')
+define(`IMDELTIMER', `0x80044941')
+define(`IMGETCOUNT', `0x80044943')
+define(`IMGETDEVINFO', `0x80044944')
+define(`IMGETVERSION', `0x80044942')
+define(`IMHOLD_L1', `0x80044948')
+define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
+define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
+define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
+define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
+define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
+define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
+define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
+define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
+define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
+define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
+define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
+define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
+define(`IOCTL_EVTCHN_RESET', `0x00004505')
+define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
+define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
+define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
+define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
+define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
+define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
+define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
+define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
+define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
+define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
+define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
+define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
+define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
+define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
+define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
+define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
+define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
+define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
+define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
+define(`IOCTL_VMCI_VERSION', `0x0000079f')
+define(`IOCTL_VMCI_VERSION2', `0x000007a7')
+define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
+define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
+define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
+define(`ION_IOC_ALLOC', `0xc0204900')
+define(`ION_IOC_CUSTOM', `0xc0104906')
+define(`ION_IOC_FREE', `0xc0044901')
+define(`ION_IOC_IMPORT', `0xc0084905')
+define(`ION_IOC_MAP', `0xc0084902')
+define(`ION_IOC_SHARE', `0xc0084904')
+define(`ION_IOC_SYNC', `0xc0084907')
+define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
+define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
+define(`ION_IOC_TEST_SET_FD', `0x000049f0')
+define(`IOW_GETINFO', `0x8028c003')
+define(`IOW_READ', `0x4008c002')
+define(`IOW_WRITE', `0x4008c001')
+define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
+define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
+define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
+define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
+define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
+define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
+define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
+define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
+define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
+define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
+define(`IPMICTL_SEND_COMMAND', `0x8028690d')
+define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
+define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
+define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
+define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
+define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
+define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
+define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
+define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
+define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
+define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
+define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
+define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
+define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
+define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
+define(`IXJCTL_AEC_START', `0x400471cb')
+define(`IXJCTL_AEC_STOP', `0x000071cc')
+define(`IXJCTL_CARDTYPE', `0x800471c1')
+define(`IXJCTL_CID', `0x800871d4')
+define(`IXJCTL_CIDCW', `0x400871d9')
+define(`IXJCTL_DAA_AGAIN', `0x400471d2')
+define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
+define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
+define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
+define(`IXJCTL_DSP_IDLE', `0x000071c5')
+define(`IXJCTL_DSP_RESET', `0x000071c0')
+define(`IXJCTL_DSP_TYPE', `0x800471c3')
+define(`IXJCTL_DSP_VERSION', `0x800471c4')
+define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
+define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
+define(`IXJCTL_FRAMES_READ', `0x800871e2')
+define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
+define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
+define(`IXJCTL_HZ', `0x400471e0')
+define(`IXJCTL_INIT_TONE', `0x400871c9')
+define(`IXJCTL_INTERCOM_START', `0x400471fd')
+define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
+define(`IXJCTL_MIXER', `0x400471cf')
+define(`IXJCTL_PLAY_CID', `0x000071d7')
+define(`IXJCTL_PORT', `0x400471d1')
+define(`IXJCTL_POTS_PSTN', `0x400471d5')
+define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
+define(`IXJCTL_RATE', `0x400471e1')
+define(`IXJCTL_READ_WAIT', `0x800871e4')
+define(`IXJCTL_SC_RXG', `0x400471ea')
+define(`IXJCTL_SC_TXG', `0x400471eb')
+define(`IXJCTL_SERIAL', `0x800471c2')
+define(`IXJCTL_SET_FILTER', `0x400871c7')
+define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
+define(`IXJCTL_SET_LED', `0x400471ce')
+define(`IXJCTL_SIGCTL', `0x400871e9')
+define(`IXJCTL_TESTRAM', `0x000071c6')
+define(`IXJCTL_TONE_CADENCE', `0x400871ca')
+define(`IXJCTL_VERSION', `0x800871da')
+define(`IXJCTL_VMWI', `0x800471d8')
+define(`IXJCTL_WRITE_WAIT', `0x800871e5')
+define(`JSIOCGAXES', `0x80016a11')
+define(`JSIOCGAXMAP', `0x80406a32')
+define(`JSIOCGBTNMAP', `0x84006a34')
+define(`JSIOCGBUTTONS', `0x80016a12')
+define(`JSIOCGCORR', `0x80246a22')
+define(`JSIOCGVERSION', `0x80046a01')
+define(`JSIOCSAXMAP', `0x40406a31')
+define(`JSIOCSBTNMAP', `0x44006a33')
+define(`JSIOCSCORR', `0x40246a21')
+define(`KCOV_DISABLE', `0x00006365')
+define(`KCOV_ENABLE', `0x00006364')
+define(`KCOV_INIT_TRACE', `0x80086301')
+define(`KDADDIO', `0x00004b34')
+define(`KDDELIO', `0x00004b35')
+define(`KDDISABIO', `0x00004b37')
+define(`KDENABIO', `0x00004b36')
+define(`KDFONTOP', `0x00004b72')
+define(`KDGETKEYCODE', `0x00004b4c')
+define(`KDGETLED', `0x00004b31')
+define(`KDGETMODE', `0x00004b3b')
+define(`KDGKBDIACR', `0x00004b4a')
+define(`KDGKBDIACRUC', `0x00004bfa')
+define(`KDGKBENT', `0x00004b46')
+define(`KDGKBLED', `0x00004b64')
+define(`KDGKBMETA', `0x00004b62')
+define(`KDGKBMODE', `0x00004b44')
+define(`KDGKBSENT', `0x00004b48')
+define(`KDGKBTYPE', `0x00004b33')
+define(`KDKBDREP', `0x00004b52')
+define(`KDMAPDISP', `0x00004b3c')
+define(`KDMKTONE', `0x00004b30')
+define(`KDSETKEYCODE', `0x00004b4d')
+define(`KDSETLED', `0x00004b32')
+define(`KDSETMODE', `0x00004b3a')
+define(`KDSIGACCEPT', `0x00004b4e')
+define(`KDSKBDIACR', `0x00004b4b')
+define(`KDSKBDIACRUC', `0x00004bfb')
+define(`KDSKBENT', `0x00004b47')
+define(`KDSKBLED', `0x00004b65')
+define(`KDSKBMETA', `0x00004b63')
+define(`KDSKBMODE', `0x00004b45')
+define(`KDSKBSENT', `0x00004b49')
+define(`KDUNMAPDISP', `0x00004b3d')
+define(`KIOCSOUND', `0x00004b2f')
+define(`KVM_ALLOCATE_RMA', `0x8008aea9')
+define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
+define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
+define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
+define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
+define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
+define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
+define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
+define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
+define(`KVM_CHECK_EXTENSION', `0x0000ae03')
+define(`KVM_CREATE_DEVICE', `0xc00caee0')
+define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
+define(`KVM_CREATE_PIT', `0x0000ae64')
+define(`KVM_CREATE_PIT2', `0x4040ae77')
+define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
+define(`KVM_CREATE_VCPU', `0x0000ae41')
+define(`KVM_CREATE_VM', `0x0000ae01')
+define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
+define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
+define(`KVM_DIRTY_TLB', `0x4010aeaa')
+define(`KVM_ENABLE_CAP', `0x4068aea3')
+define(`KVM_GET_API_VERSION', `0x0000ae00')
+define(`KVM_GET_CLOCK', `0x8030ae7c')
+define(`KVM_GET_CPUID2', `0xc008ae91')
+define(`KVM_GET_DEBUGREGS', `0x8080aea1')
+define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
+define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
+define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
+define(`KVM_GET_FPU', `0x81a0ae8c')
+define(`KVM_GET_IRQCHIP', `0xc208ae62')
+define(`KVM_GET_LAPIC', `0x8400ae8e')
+define(`KVM_GET_MP_STATE', `0x8004ae98')
+define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
+define(`KVM_GET_MSRS', `0xc008ae88')
+define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
+define(`KVM_GET_ONE_REG', `0x4010aeab')
+define(`KVM_GET_PIT', `0xc048ae65')
+define(`KVM_GET_PIT2', `0x8070ae9f')
+define(`KVM_GET_REG_LIST', `0xc008aeb0')
+define(`KVM_GET_REGS', `0x8090ae81')
+define(`KVM_GET_SREGS', `0x8138ae83')
+define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
+define(`KVM_GET_TSC_KHZ', `0x0000aea3')
+define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
+define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
+define(`KVM_GET_XCRS', `0x8188aea6')
+define(`KVM_GET_XSAVE', `0x9000aea4')
+define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
+define(`KVM_INTERRUPT', `0x4004ae86')
+define(`KVM_IOEVENTFD', `0x4040ae79')
+define(`KVM_IRQFD', `0x4020ae76')
+define(`KVM_IRQ_LINE', `0x4008ae61')
+define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
+define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
+define(`KVM_NMI', `0x0000ae9a')
+define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
+define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
+define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
+define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
+define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
+define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
+define(`KVM_REINJECT_CONTROL', `0x0000ae71')
+define(`KVM_RUN', `0x0000ae80')
+define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
+define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
+define(`KVM_S390_INTERRUPT', `0x4010ae94')
+define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
+define(`KVM_S390_STORE_STATUS', `0x4008ae95')
+define(`KVM_S390_UCAS_MAP', `0x4018ae50')
+define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
+define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
+define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
+define(`KVM_SET_CLOCK', `0x4030ae7b')
+define(`KVM_SET_CPUID', `0x4008ae8a')
+define(`KVM_SET_CPUID2', `0x4008ae90')
+define(`KVM_SET_DEBUGREGS', `0x4080aea2')
+define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
+define(`KVM_SET_FPU', `0x41a0ae8d')
+define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
+define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
+define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
+define(`KVM_SET_IRQCHIP', `0x8208ae63')
+define(`KVM_SET_LAPIC', `0x4400ae8f')
+define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
+define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
+define(`KVM_SET_MP_STATE', `0x4004ae99')
+define(`KVM_SET_MSRS', `0x4008ae89')
+define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
+define(`KVM_SET_ONE_REG', `0x4010aeac')
+define(`KVM_SET_PIT', `0x8048ae66')
+define(`KVM_SET_PIT2', `0x4070aea0')
+define(`KVM_SET_REGS', `0x4090ae82')
+define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
+define(`KVM_SET_SREGS', `0x4138ae84')
+define(`KVM_SET_TSC_KHZ', `0x0000aea2')
+define(`KVM_SET_TSS_ADDR', `0x0000ae47')
+define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
+define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
+define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
+define(`KVM_SET_XCRS', `0x4188aea7')
+define(`KVM_SET_XSAVE', `0x5000aea5')
+define(`KVM_SIGNAL_MSI', `0x4020aea5')
+define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
+define(`KVM_TRANSLATE', `0xc018ae85')
+define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
+define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
+define(`KVM_X86_SET_MCE', `0x4040ae9e')
+define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
+define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
+define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
+define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
+define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
+define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
+define(`KYRO_IOCTL_STRIDE', `0x00006b05')
+define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
+define(`LIRC_GET_FEATURES', `0x80046900')
+define(`LIRC_GET_LENGTH', `0x8004690f')
+define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
+define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
+define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
+define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
+define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
+define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
+define(`LIRC_GET_REC_CARRIER', `0x80046904')
+define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
+define(`LIRC_GET_REC_MODE', `0x80046902')
+define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
+define(`LIRC_GET_SEND_CARRIER', `0x80046903')
+define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
+define(`LIRC_GET_SEND_MODE', `0x80046901')
+define(`LIRC_NOTIFY_DECODE', `0x00006920')
+define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
+define(`LIRC_SET_REC_CARRIER', `0x40046914')
+define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
+define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
+define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
+define(`LIRC_SET_REC_FILTER', `0x4004691c')
+define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
+define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
+define(`LIRC_SET_REC_MODE', `0x40046912')
+define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
+define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
+define(`LIRC_SET_SEND_CARRIER', `0x40046913')
+define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
+define(`LIRC_SET_SEND_MODE', `0x40046911')
+define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
+define(`LIRC_SETUP_END', `0x00006922')
+define(`LIRC_SETUP_START', `0x00006921')
+define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
+define(`LOGGER_FLUSH_LOG', `0x0000ae04')
+define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
+define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
+define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
+define(`LOGGER_GET_VERSION', `0x0000ae05')
+define(`LOGGER_SET_VERSION', `0x0000ae06')
+define(`LOOP_CHANGE_FD', `0x00004c06')
+define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
+define(`LOOP_CTL_ADD', `0x00004c80')
+define(`LOOP_CTL_GET_FREE', `0x00004c82')
+define(`LOOP_CTL_REMOVE', `0x00004c81')
+define(`LOOP_GET_STATUS', `0x00004c03')
+define(`LOOP_GET_STATUS64', `0x00004c05')
+define(`LOOP_SET_BLOCK_SIZE', `0x00004c09')
+define(`LOOP_SET_CAPACITY', `0x00004c07')
+define(`LOOP_SET_DIRECT_IO', `0x00004c08')
+define(`LOOP_SET_FD', `0x00004c00')
+define(`LOOP_SET_STATUS', `0x00004c02')
+define(`LOOP_SET_STATUS64', `0x00004c04')
+define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
+define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
+define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
+define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
+define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
+define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
+define(`MBXFB_IOCG_ALPHA', `0x8018f401')
+define(`MBXFB_IOCS_ALPHA', `0x4018f402')
+define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
+define(`MBXFB_IOCS_REG', `0x400cf404')
+define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
+define(`MBXFB_IOCX_REG', `0xc00cf405')
+define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
+define(`MCE_GET_LOG_LEN', `0x80044d02')
+define(`MCE_GET_RECORD_LEN', `0x80044d01')
+define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
+define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
+define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
+define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
+define(`MEMERASE', `0x40084d02')
+define(`MEMERASE64', `0x40104d14')
+define(`MEMGETBADBLOCK', `0x40084d0b')
+define(`MEMGETINFO', `0x80204d01')
+define(`MEMGETOOBSEL', `0x80c84d0a')
+define(`MEMGETREGIONCOUNT', `0x80044d07')
+define(`MEMGETREGIONINFO', `0xc0104d08')
+define(`MEMISLOCKED', `0x80084d17')
+define(`MEMLOCK', `0x40084d05')
+define(`MEMREADOOB', `0xc0104d04')
+define(`MEMREADOOB64', `0xc0184d16')
+define(`MEMSETBADBLOCK', `0x40084d0c')
+define(`MEMUNLOCK', `0x40084d06')
+define(`MEMWRITE', `0xc0304d18')
+define(`MEMWRITEOOB', `0xc0104d03')
+define(`MEMWRITEOOB64', `0xc0184d15')
+define(`MEYEIOC_G_PARAMS', `0x800676c0')
+define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
+define(`MEYEIOC_S_PARAMS', `0x400676c1')
+define(`MEYEIOC_STILLCAPT', `0x000076c4')
+define(`MEYEIOC_STILLJCAPT', `0x800476c5')
+define(`MEYEIOC_SYNC', `0xc00476c3')
+define(`MFB_GET_ALPHA', `0x80014d00')
+define(`MFB_GET_AOID', `0x80084d04')
+define(`MFB_GET_GAMMA', `0x80014d01')
+define(`MFB_GET_PIXFMT', `0x80044d08')
+define(`MFB_SET_ALPHA', `0x40014d00')
+define(`MFB_SET_AOID', `0x40084d04')
+define(`MFB_SET_BRIGHTNESS', `0x40014d03')
+define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
+define(`MFB_SET_GAMMA', `0x40014d01')
+define(`MFB_SET_PIXFMT', `0x40044d08')
+define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
+define(`MGSL_IOCGGPIO', `0x80106d11')
+define(`MGSL_IOCGIF', `0x00006d0b')
+define(`MGSL_IOCGPARAMS', `0x80306d01')
+define(`MGSL_IOCGSTATS', `0x00006d07')
+define(`MGSL_IOCGTXIDLE', `0x00006d03')
+define(`MGSL_IOCGXCTRL', `0x00006d16')
+define(`MGSL_IOCGXSYNC', `0x00006d14')
+define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
+define(`MGSL_IOCRXENABLE', `0x00006d05')
+define(`MGSL_IOCSGPIO', `0x40106d10')
+define(`MGSL_IOCSIF', `0x00006d0a')
+define(`MGSL_IOCSPARAMS', `0x40306d00')
+define(`MGSL_IOCSTXIDLE', `0x00006d02')
+define(`MGSL_IOCSXCTRL', `0x00006d15')
+define(`MGSL_IOCSXSYNC', `0x00006d13')
+define(`MGSL_IOCTXABORT', `0x00006d06')
+define(`MGSL_IOCTXENABLE', `0x00006d04')
+define(`MGSL_IOCWAITEVENT', `0xc0046d08')
+define(`MGSL_IOCWAITGPIO', `0xc0106d12')
+define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
+define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
+define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
+define(`MMC_IOC_CMD', `0xc048b300')
+define(`MMTIMER_GETBITS', `0x00006d04')
+define(`MMTIMER_GETCOUNTER', `0x80086d09')
+define(`MMTIMER_GETFREQ', `0x80086d02')
+define(`MMTIMER_GETOFFSET', `0x00006d00')
+define(`MMTIMER_GETRES', `0x80086d01')
+define(`MMTIMER_MMAPAVAIL', `0x00006d06')
+define(`MSMFB_BLIT', `0x40046d02')
+define(`MSMFB_GRP_DISP', `0x40046d01')
+define(`MTDFILEMODE', `0x00004d13')
+define(`MTIOCGET', `0x80306d02')
+define(`MTIOCPOS', `0x80086d03')
+define(`MTIOCTOP', `0x40086d01')
+define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
+define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
+define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
+define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
+define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
+define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
+define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
+define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
+define(`MTRRIOC_SET_ENTRY', `0x40104d01')
+define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
+define(`NBD_CLEAR_QUE', `0x0000ab05')
+define(`NBD_CLEAR_SOCK', `0x0000ab04')
+define(`NBD_DISCONNECT', `0x0000ab08')
+define(`NBD_DO_IT', `0x0000ab03')
+define(`NBD_PRINT_DEBUG', `0x0000ab06')
+define(`NBD_SET_BLKSIZE', `0x0000ab01')
+define(`NBD_SET_FLAGS', `0x0000ab0a')
+define(`NBD_SET_SIZE', `0x0000ab02')
+define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
+define(`NBD_SET_SOCK', `0x0000ab00')
+define(`NBD_SET_TIMEOUT', `0x0000ab09')
+define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
+define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
+define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
+define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
+define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
+define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
+define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
+define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
+define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
+define(`NCP_IOC_GETROOT', `0x400c6e08')
+define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
+define(`NCP_IOC_NCPREQUEST', `0x80106e01')
+define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
+define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
+define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
+define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
+define(`NCP_IOC_SETROOT', `0x800c6e08')
+define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
+define(`NCP_IOC_SIGN_INIT', `0x80186e05')
+define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
+define(`NET_ADD_IF', `0xc0066f34')
+define(`NET_GET_IF', `0xc0066f36')
+define(`NET_REMOVE_IF', `0x00006f35')
+define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
+define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
+define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
+define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
+define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
+define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
+define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
+define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
+define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
+define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
+define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
+define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
+define(`NILFS_IOCTL_SYNC', `0x80086e8a')
+define(`NS_ADJBUFLEV', `0x00006163')
+define(`NS_GETPSTAT', `0xc0106161')
+define(`NS_SETBUFLEV', `0x40106162')
+define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
+define(`NVME_IOCTL_ID', `0x00004e40')
+define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
+define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
+define(`NVRAM_INIT', `0x00007040')
+define(`NVRAM_SETCKS', `0x00007041')
+define(`OLD_PHONE_RING_START', `0x00007187')
+define(`OMAPFB_CTRL_TEST', `0x40044f2e')
+define(`OMAPFB_GET_CAPS', `0x800c4f2a')
+define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
+define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
+define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
+define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
+define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
+define(`OMAPFB_LCD_TEST', `0x40044f2d')
+define(`OMAPFB_MEMORY_READ', `0x80184f3a')
+define(`OMAPFB_MIRROR', `0x40044f1f')
+define(`OMAPFB_QUERY_MEM', `0x40084f38')
+define(`OMAPFB_QUERY_PLANE', `0x40444f35')
+define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
+define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
+define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
+define(`OMAPFB_SETUP_MEM', `0x40084f37')
+define(`OMAPFB_SETUP_PLANE', `0x40444f34')
+define(`OMAPFB_SYNC_GFX', `0x00004f25')
+define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
+define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
+define(`OMAPFB_VSYNC', `0x00004f26')
+define(`OMAPFB_WAITFORGO', `0x00004f3c')
+define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
+define(`OSD_GET_CAPABILITY', `0x80106fa1')
+define(`OSD_SEND_CMD', `0x40206fa0')
+define(`OSIOCGNETADDR', `0x800489e1')
+define(`OSIOCSNETADDR', `0x400489e0')
+define(`OSS_GETVERSION', `0x80044d76')
+define(`OTPGETREGIONCOUNT', `0x40044d0e')
+define(`OTPGETREGIONINFO', `0x400c4d0f')
+define(`OTPLOCK', `0x800c4d10')
+define(`OTPSELECT', `0x80044d0d')
+define(`PACKET_CTRL_CMD', `0xc0185801')
+define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
+define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
+define(`PERF_EVENT_IOC_ID', `0x80082407')
+define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
+define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
+define(`PERF_EVENT_IOC_RESET', `0x00002403')
+define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
+define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
+define(`PHN_GET_REG', `0xc0087000')
+define(`PHN_GETREG', `0xc0087005')
+define(`PHN_GET_REGS', `0xc0087002')
+define(`PHN_GETREGS', `0xc0287007')
+define(`PHN_NOT_OH', `0x00007004')
+define(`PHN_SET_REG', `0x40087001')
+define(`PHN_SETREG', `0x40087006')
+define(`PHN_SET_REGS', `0x40087003')
+define(`PHN_SETREGS', `0x40287008')
+define(`PHONE_BUSY', `0x000071a1')
+define(`PHONE_CAPABILITIES', `0x00007180')
+define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
+define(`PHONE_CAPABILITIES_LIST', `0x80087181')
+define(`PHONE_CPT_STOP', `0x000071a4')
+define(`PHONE_DIALTONE', `0x000071a3')
+define(`PHONE_DTMF_OOB', `0x40047199')
+define(`PHONE_DTMF_READY', `0x80047196')
+define(`PHONE_EXCEPTION', `0x8004719a')
+define(`PHONE_FRAME', `0x4004718d')
+define(`PHONE_GET_DTMF', `0x80047197')
+define(`PHONE_GET_DTMF_ASCII', `0x80047198')
+define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
+define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
+define(`PHONE_GET_TONE_STATE', `0x000071a0')
+define(`PHONE_HOOKSTATE', `0x00007184')
+define(`PHONE_MAXRINGS', `0x40017185')
+define(`PHONE_PLAY_CODEC', `0x40047190')
+define(`PHONE_PLAY_DEPTH', `0x40047193')
+define(`PHONE_PLAY_LEVEL', `0x00007195')
+define(`PHONE_PLAY_START', `0x00007191')
+define(`PHONE_PLAY_STOP', `0x00007192')
+define(`PHONE_PLAY_TONE', `0x4001719b')
+define(`PHONE_PLAY_VOLUME', `0x40047194')
+define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
+define(`PHONE_PSTN_GET_STATE', `0x000071a5')
+define(`PHONE_PSTN_LINETEST', `0x000071a8')
+define(`PHONE_PSTN_SET_STATE', `0x400471a4')
+define(`PHONE_QUERY_CODEC', `0xc00871a7')
+define(`PHONE_REC_CODEC', `0x40047189')
+define(`PHONE_REC_DEPTH', `0x4004718c')
+define(`PHONE_REC_LEVEL', `0x0000718f')
+define(`PHONE_REC_START', `0x0000718a')
+define(`PHONE_REC_STOP', `0x0000718b')
+define(`PHONE_REC_VOLUME', `0x4004718e')
+define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
+define(`PHONE_RING', `0x00007183')
+define(`PHONE_RINGBACK', `0x000071a2')
+define(`PHONE_RING_CADENCE', `0x40027186')
+define(`PHONE_RING_START', `0x40087187')
+define(`PHONE_RING_STOP', `0x00007188')
+define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
+define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
+define(`PHONE_VAD', `0x400471a9')
+define(`PHONE_WINK', `0x400471aa')
+define(`PHONE_WINK_DURATION', `0x400471a6')
+define(`PIO_CMAP', `0x00004b71')
+define(`PIO_FONT', `0x00004b61')
+define(`PIO_FONTRESET', `0x00004b6d')
+define(`PIO_FONTX', `0x00004b6c')
+define(`PIO_SCRNMAP', `0x00004b41')
+define(`PIO_UNIMAP', `0x00004b67')
+define(`PIO_UNIMAPCLR', `0x00004b68')
+define(`PIO_UNISCRNMAP', `0x00004b6a')
+define(`PMU_IOC_CAN_SLEEP', `0x80084205')
+define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
+define(`PMU_IOC_GET_MODEL', `0x80084203')
+define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
+define(`PMU_IOC_HAS_ADB', `0x80084204')
+define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
+define(`PMU_IOC_SLEEP', `0x00004200')
+define(`PPCLAIM', `0x0000708b')
+define(`PPCLRIRQ', `0x80047093')
+define(`PPDATADIR', `0x40047090')
+define(`PPEXCL', `0x0000708f')
+define(`PPFCONTROL', `0x4002708e')
+define(`PPGETFLAGS', `0x8004709a')
+define(`PPGETMODE', `0x80047098')
+define(`PPGETMODES', `0x80047097')
+define(`PPGETPHASE', `0x80047099')
+define(`PPGETTIME', `0x80107095')
+define(`PPNEGOT', `0x40047091')
+define(`PPPIOCATTACH', `0x743d')
+define(`PPPIOCATTCHAN', `0x7438')
+define(`PPPIOCBUNDLE', `0x7481')
+define(`PPPIOCCONNECT', `0x743a')
+define(`PPPIOCDETACH', `0x743c')
+define(`PPPIOCDISCONN', `0x7439')
+define(`PPPIOCGASYNCMAP', `0x7458')
+define(`PPPIOCGCALLINFO', `0x7480')
+define(`PPPIOCGCHAN', `0x7437')
+define(`PPPIOCGCOMPRESSORS', `0x7486')
+define(`PPPIOCGDEBUG', `0x7441')
+define(`PPPIOCGFLAGS', `0x745a')
+define(`PPPIOCGIDLE', `0x743f')
+define(`PPPIOCGIFNAME', `0x7488')
+define(`PPPIOCGL2TPSTATS', `0x7436')
+define(`PPPIOCGMPFLAGS', `0x7482')
+define(`PPPIOCGMRU', `0x7453')
+define(`PPPIOCGNPMODE', `0x744c')
+define(`PPPIOCGRASYNCMAP', `0x7455')
+define(`PPPIOCGUNIT', `0x7456')
+define(`PPPIOCGXASYNCMAP', `0x7450')
+define(`PPPIOCNEWUNIT', `0x743e')
+define(`PPPIOCSACTIVE', `0x7446')
+define(`PPPIOCSASYNCMAP', `0x7457')
+define(`PPPIOCSCOMPRESS', `0x744d')
+define(`PPPIOCSCOMPRESSOR', `0x7487')
+define(`PPPIOCSDEBUG', `0x7440')
+define(`PPPIOCSFLAGS', `0x7459')
+define(`PPPIOCSMAXCID', `0x7451')
+define(`PPPIOCSMPFLAGS', `0x7483')
+define(`PPPIOCSMPMRU', `0x7485')
+define(`PPPIOCSMPMTU', `0x7484')
+define(`PPPIOCSMRRU', `0x743b')
+define(`PPPIOCSMRU', `0x7452')
+define(`PPPIOCSNPMODE', `0x744b')
+define(`PPPIOCSPASS', `0x7447')
+define(`PPPIOCSRASYNCMAP', `0x7454')
+define(`PPPIOCSXASYNCMAP', `0x744f')
+define(`PPPIOCXFERUNIT', `0x744e')
+define(`PPPOEIOCDFWD', `0x0000b101')
+define(`PPPOEIOCSFWD', `0x4008b100')
+define(`PPRCONTROL', `0x80017083')
+define(`PPRDATA', `0x80017085')
+define(`PPRELEASE', `0x0000708c')
+define(`PPRSTATUS', `0x80017081')
+define(`PPSETFLAGS', `0x4004709b')
+define(`PPSETMODE', `0x40047080')
+define(`PPSETPHASE', `0x40047094')
+define(`PPSETTIME', `0x40107096')
+define(`PPS_FETCH', `0xc00870a4')
+define(`PPS_GETCAP', `0x800870a3')
+define(`PPS_GETPARAMS', `0x800870a1')
+define(`PPS_KC_BIND', `0x400870a5')
+define(`PPS_SETPARAMS', `0x400870a2')
+define(`PPWCONTROL', `0x40017084')
+define(`PPWCTLONIRQ', `0x40017092')
+define(`PPWDATA', `0x40017086')
+define(`PPYIELD', `0x0000708d')
+define(`PROTECT_ARRAY', `0x00000927')
+define(`PTP_CLOCK_GETCAPS', `0x80503d01')
+define(`PTP_ENABLE_PPS', `0x40043d04')
+define(`PTP_EXTTS_REQUEST', `0x40103d02')
+define(`PTP_PEROUT_REQUEST', `0x40383d03')
+define(`PTP_PIN_GETFUNC', `0xc0603d06')
+define(`PTP_PIN_SETFUNC', `0x40603d07')
+define(`PTP_SYS_OFFSET', `0x43403d05')
+define(`RAID_AUTORUN', `0x00000914')
+define(`RAID_VERSION', `0x800c0910')
+define(`RAW_GETBIND', `0x0000ac01')
+define(`RAW_SETBIND', `0x0000ac00')
+define(`REISERFS_IOC_UNPACK', `0x4008cd01')
+define(`RESTART_ARRAY_RW', `0x00000934')
+define(`RFCOMMCREATEDEV', `0x400452c8')
+define(`RFCOMMGETDEVINFO', `0x800452d3')
+define(`RFCOMMGETDEVLIST', `0x800452d2')
+define(`RFCOMMRELEASEDEV', `0x400452c9')
+define(`RFCOMMSTEALDLC', `0x400452dc')
+define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
+define(`RNDADDENTROPY', `0x40085203')
+define(`RNDADDTOENTCNT', `0x40045201')
+define(`RNDCLEARPOOL', `0x00005206')
+define(`RNDGETENTCNT', `0x80045200')
+define(`RNDGETPOOL', `0x80085202')
+define(`RNDZAPENTCNT', `0x00005204')
+define(`ROCCATIOCGREPSIZE', `0x800448f1')
+define(`RTC_AIE_OFF', `0x00007002')
+define(`RTC_AIE_ON', `0x00007001')
+define(`RTC_ALM_READ', `0x80247008')
+define(`RTC_ALM_SET', `0x40247007')
+define(`RTC_EPOCH_READ', `0x8008700d')
+define(`RTC_EPOCH_SET', `0x4008700e')
+define(`RTC_IRQP_READ', `0x8008700b')
+define(`RTC_IRQP_SET', `0x4008700c')
+define(`RTC_PIE_OFF', `0x00007006')
+define(`RTC_PIE_ON', `0x00007005')
+define(`RTC_PLL_GET', `0x80207011')
+define(`RTC_PLL_SET', `0x40207012')
+define(`RTC_RD_TIME', `0x80247009')
+define(`RTC_SET_TIME', `0x4024700a')
+define(`RTC_UIE_OFF', `0x00007004')
+define(`RTC_UIE_ON', `0x00007003')
+define(`RTC_VL_CLR', `0x00007014')
+define(`RTC_VL_READ', `0x80047013')
+define(`RTC_WIE_OFF', `0x00007010')
+define(`RTC_WIE_ON', `0x0000700f')
+define(`RTC_WKALM_RD', `0x80287010')
+define(`RTC_WKALM_SET', `0x4028700f')
+define(`RUN_ARRAY', `0x400c0930')
+define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
+define(`SAA6588_CMD_CLOSE', `0x40045202')
+define(`SAA6588_CMD_POLL', `0x80045204')
+define(`SAA6588_CMD_READ', `0x80045203')
+define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
+define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
+define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
+define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
+define(`SCSI_IOCTL_GET_PCI', `0x00005387')
+define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
+define(`SET_ARRAY_INFO', `0x40480923')
+define(`SET_BITMAP_FILE', `0x4004092b')
+define(`SET_DISK_FAULTY', `0x00000929')
+define(`SET_DISK_INFO', `0x00000924')
+define(`SG_EMULATED_HOST', `0x00002203')
+define(`SG_GET_ACCESS_COUNT', `0x00002289')
+define(`SG_GET_COMMAND_Q', `0x00002270')
+define(`SG_GET_KEEP_ORPHAN', `0x00002288')
+define(`SG_GET_LOW_DMA', `0x0000227a')
+define(`SG_GET_NUM_WAITING', `0x0000227d')
+define(`SG_GET_PACK_ID', `0x0000227c')
+define(`SG_GET_REQUEST_TABLE', `0x00002286')
+define(`SG_GET_RESERVED_SIZE', `0x00002272')
+define(`SG_GET_SCSI_ID', `0x00002276')
+define(`SG_GET_SG_TABLESIZE', `0x0000227f')
+define(`SG_GET_TIMEOUT', `0x00002202')
+define(`SG_GET_TRANSFORM', `0x00002205')
+define(`SG_GET_VERSION_NUM', `0x00002282')
+define(`SG_IO', `0x00002285')
+define(`SG_NEXT_CMD_LEN', `0x00002283')
+define(`SG_SCSI_RESET', `0x00002284')
+define(`SG_SET_COMMAND_Q', `0x00002271')
+define(`SG_SET_DEBUG', `0x0000227e')
+define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
+define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
+define(`SG_SET_KEEP_ORPHAN', `0x00002287')
+define(`SG_SET_RESERVED_SIZE', `0x00002275')
+define(`SG_SET_TIMEOUT', `0x00002201')
+define(`SG_SET_TRANSFORM', `0x00002204')
+define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
+define(`SIOCADDDLCI', `0x00008980')
+define(`SIOCADDMULTI', `0x00008931')
+define(`SIOCADDRT', `0x0000890b')
+define(`SIOCATMARK', `0x00008905')
+define(`SIOCBONDCHANGEACTIVE', `0x00008995')
+define(`SIOCBONDENSLAVE', `0x00008990')
+define(`SIOCBONDINFOQUERY', `0x00008994')
+define(`SIOCBONDRELEASE', `0x00008991')
+define(`SIOCBONDSETHWADDR', `0x00008992')
+define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
+define(`SIOCBRADDBR', `0x000089a0')
+define(`SIOCBRADDIF', `0x000089a2')
+define(`SIOCBRDELBR', `0x000089a1')
+define(`SIOCBRDELIF', `0x000089a3')
+define(`SIOCDARP', `0x00008953')
+define(`SIOCDELDLCI', `0x00008981')
+define(`SIOCDELMULTI', `0x00008932')
+define(`SIOCDELRT', `0x0000890c')
+define(`SIOCDEVPRIVATE', `0x000089f0')
+define(`SIOCDEVPRIVATE_1', `0x000089f1')
+define(`SIOCDEVPRIVATE_2', `0x000089f2')
+define(`SIOCDEVPRIVATE_3', `0x000089f3')
+define(`SIOCDEVPRIVATE_4', `0x000089f4')
+define(`SIOCDEVPRIVATE_5', `0x000089f5')
+define(`SIOCDEVPRIVATE_6', `0x000089f6')
+define(`SIOCDEVPRIVATE_7', `0x000089f7')
+define(`SIOCDEVPRIVATE_8', `0x000089f8')
+define(`SIOCDEVPRIVATE_9', `0x000089f9')
+define(`SIOCDEVPRIVATE_A', `0x000089fa')
+define(`SIOCDEVPRIVATE_B', `0x000089fb')
+define(`SIOCDEVPRIVATE_C', `0x000089fc')
+define(`SIOCDEVPRIVATE_D', `0x000089fd')
+define(`SIOCDEVPRIVATE_E', `0x000089fe')
+define(`SIOCDEVPRIVLAST', `0x000089ff')
+define(`SIOCDIFADDR', `0x00008936')
+define(`SIOCDRARP', `0x00008960')
+define(`SIOCETHTOOL', `0x00008946')
+define(`SIOCGARP', `0x00008954')
+define(`SIOCGHWTSTAMP', `0x000089b1')
+define(`SIOCGIFADDR', `0x00008915')
+define(`SIOCGIFBR', `0x00008940')
+define(`SIOCGIFBRDADDR', `0x00008919')
+define(`SIOCGIFCONF', `0x00008912')
+define(`SIOCGIFCOUNT', `0x00008938')
+define(`SIOCGIFDSTADDR', `0x00008917')
+define(`SIOCGIFENCAP', `0x00008925')
+define(`SIOCGIFFLAGS', `0x00008913')
+define(`SIOCGIFHWADDR', `0x00008927')
+define(`SIOCGIFINDEX', `0x00008933')
+define(`SIOCGIFMAP', `0x00008970')
+define(`SIOCGIFMEM', `0x0000891f')
+define(`SIOCGIFMETRIC', `0x0000891d')
+define(`SIOCGIFMTU', `0x00008921')
+define(`SIOCGIFNAME', `0x00008910')
+define(`SIOCGIFNETMASK', `0x0000891b')
+define(`SIOCGIFPFLAGS', `0x00008935')
+define(`SIOCGIFSLAVE', `0x00008929')
+define(`SIOCGIFTXQLEN', `0x00008942')
+define(`SIOCGIFVLAN', `0x00008982')
+define(`SIOCGIWAP', `0x00008b15')
+define(`SIOCGIWAPLIST', `0x00008b17')
+define(`SIOCGIWAUTH', `0x00008b33')
+define(`SIOCGIWENCODE', `0x00008b2b')
+define(`SIOCGIWENCODEEXT', `0x00008b35')
+define(`SIOCGIWESSID', `0x00008b1b')
+define(`SIOCGIWFRAG', `0x00008b25')
+define(`SIOCGIWFREQ', `0x00008b05')
+define(`SIOCGIWGENIE', `0x00008b31')
+define(`SIOCGIWMODE', `0x00008b07')
+define(`SIOCGIWNAME', `0x00008b01')
+define(`SIOCGIWNICKN', `0x00008b1d')
+define(`SIOCGIWNWID', `0x00008b03')
+define(`SIOCGIWPOWER', `0x00008b2d')
+define(`SIOCGIWPRIV', `0x00008b0d')
+define(`SIOCGIWRANGE', `0x00008b0b')
+define(`SIOCGIWRATE', `0x00008b21')
+define(`SIOCGIWRETRY', `0x00008b29')
+define(`SIOCGIWRTS', `0x00008b23')
+define(`SIOCGIWSCAN', `0x00008b19')
+define(`SIOCGIWSENS', `0x00008b09')
+define(`SIOCGIWSPY', `0x00008b11')
+define(`SIOCGIWSTATS', `0x00008b0f')
+define(`SIOCGIWTHRSPY', `0x00008b13')
+define(`SIOCGIWTXPOW', `0x00008b27')
+define(`SIOCGMIIPHY', `0x00008947')
+define(`SIOCGMIIREG', `0x00008948')
+define(`SIOCGNETADDR', `0x800489e1')
+define(`SIOCGPGRP', `0x00008904')
+define(`SIOCGRARP', `0x00008961')
+define(`SIOCGSTAMP', `0x00008906')
+define(`SIOCGSTAMPNS', `0x00008907')
+define(`SIOCIWFIRST', `0x00008b00')
+define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
+define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
+define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
+define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
+define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
+define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
+define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
+define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
+define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
+define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
+define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
+define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
+define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
+define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
+define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
+define(`SIOCIWFIRSTPRIV', `0x00008be0')
+define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
+define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
+define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
+define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
+define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
+define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
+define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
+define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
+define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
+define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
+define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
+define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
+define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
+define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
+define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
+define(`SIOCIWLASTPRIV', `0x00008bff')
+define(`SIOCKILLADDR', `0x00008939')
+define(`SIOCMKCLIP', `0x000061e0')
+define(`SIOCOUTQNSD', `0x0000894b')
+define(`SIOCPROTOPRIVATE', `0x000089e0')
+define(`SIOCPROTOPRIVATE_1', `0x000089e1')
+define(`SIOCPROTOPRIVATE_2', `0x000089e2')
+define(`SIOCPROTOPRIVATE_3', `0x000089e3')
+define(`SIOCPROTOPRIVATE_4', `0x000089e4')
+define(`SIOCPROTOPRIVATE_5', `0x000089e5')
+define(`SIOCPROTOPRIVATE_6', `0x000089e6')
+define(`SIOCPROTOPRIVATE_7', `0x000089e7')
+define(`SIOCPROTOPRIVATE_8', `0x000089e8')
+define(`SIOCPROTOPRIVATE_9', `0x000089e9')
+define(`SIOCPROTOPRIVATE_A', `0x000089ea')
+define(`SIOCPROTOPRIVATE_B', `0x000089eb')
+define(`SIOCPROTOPRIVATE_C', `0x000089ec')
+define(`SIOCPROTOPRIVATE_D', `0x000089ed')
+define(`SIOCPROTOPRIVATE_E', `0x000089ee')
+define(`SIOCPROTOPRIVLAST', `0x000089ef')
+define(`SIOCRTMSG', `0x0000890d')
+define(`SIOCSARP', `0x00008955')
+define(`SIOCSHWTSTAMP', `0x000089b0')
+define(`SIOCSIFADDR', `0x00008916')
+define(`SIOCSIFATMTCP', `0x00006180')
+define(`SIOCSIFBR', `0x00008941')
+define(`SIOCSIFBRDADDR', `0x0000891a')
+define(`SIOCSIFDSTADDR', `0x00008918')
+define(`SIOCSIFENCAP', `0x00008926')
+define(`SIOCSIFFLAGS', `0x00008914')
+define(`SIOCSIFHWADDR', `0x00008924')
+define(`SIOCSIFHWBROADCAST', `0x00008937')
+define(`SIOCSIFLINK', `0x00008911')
+define(`SIOCSIFMAP', `0x00008971')
+define(`SIOCSIFMEM', `0x00008920')
+define(`SIOCSIFMETRIC', `0x0000891e')
+define(`SIOCSIFMTU', `0x00008922')
+define(`SIOCSIFNAME', `0x00008923')
+define(`SIOCSIFNETMASK', `0x0000891c')
+define(`SIOCSIFPFLAGS', `0x00008934')
+define(`SIOCSIFSLAVE', `0x00008930')
+define(`SIOCSIFTXQLEN', `0x00008943')
+define(`SIOCSIFVLAN', `0x00008983')
+define(`SIOCSIWAP', `0x00008b14')
+define(`SIOCSIWAUTH', `0x00008b32')
+define(`SIOCSIWCOMMIT', `0x00008b00')
+define(`SIOCSIWENCODE', `0x00008b2a')
+define(`SIOCSIWENCODEEXT', `0x00008b34')
+define(`SIOCSIWESSID', `0x00008b1a')
+define(`SIOCSIWFRAG', `0x00008b24')
+define(`SIOCSIWFREQ', `0x00008b04')
+define(`SIOCSIWGENIE', `0x00008b30')
+define(`SIOCSIWMLME', `0x00008b16')
+define(`SIOCSIWMODE', `0x00008b06')
+define(`SIOCSIWNICKN', `0x00008b1c')
+define(`SIOCSIWNWID', `0x00008b02')
+define(`SIOCSIWPMKSA', `0x00008b36')
+define(`SIOCSIWPOWER', `0x00008b2c')
+define(`SIOCSIWPRIV', `0x00008b0c')
+define(`SIOCSIWRANGE', `0x00008b0a')
+define(`SIOCSIWRATE', `0x00008b20')
+define(`SIOCSIWRETRY', `0x00008b28')
+define(`SIOCSIWRTS', `0x00008b22')
+define(`SIOCSIWSCAN', `0x00008b18')
+define(`SIOCSIWSENS', `0x00008b08')
+define(`SIOCSIWSPY', `0x00008b10')
+define(`SIOCSIWSTATS', `0x00008b0e')
+define(`SIOCSIWTHRSPY', `0x00008b12')
+define(`SIOCSIWTXPOW', `0x00008b26')
+define(`SIOCSMIIREG', `0x00008949')
+define(`SIOCSNETADDR', `0x400489e0')
+define(`SIOCSPGRP', `0x00008902')
+define(`SIOCSRARP', `0x00008962')
+define(`SIOCWANDEV', `0x0000894a')
+define(`SISFB_COMMAND', `0xc054f305')
+define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
+define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
+define(`SISFB_GET_INFO', `0x811cf301')
+define(`SISFB_GET_INFO_OLD', `0x80046ef8')
+define(`SISFB_GET_INFO_SIZE', `0x8004f300')
+define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
+define(`SISFB_GET_VBRSTATUS', `0x8004f302')
+define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
+define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
+define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
+define(`SISFB_SET_LOCK', `0x4004f306')
+define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
+define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
+define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
+define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
+define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
+define(`SNAPSHOT_FREE', `0x00003305')
+define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
+define(`SNAPSHOT_FREEZE', `0x00003301')
+define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
+define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
+define(`SNAPSHOT_POWER_OFF', `0x00003310')
+define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
+define(`SNAPSHOT_S2RAM', `0x0000330b')
+define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
+define(`SNAPSHOT_UNFREEZE', `0x00003302')
+define(`SNDCTL_COPR_HALT', `0xc0144307')
+define(`SNDCTL_COPR_LOAD', `0xcfb04301')
+define(`SNDCTL_COPR_RCODE', `0xc0144303')
+define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
+define(`SNDCTL_COPR_RDATA', `0xc0144302')
+define(`SNDCTL_COPR_RESET', `0x00004300')
+define(`SNDCTL_COPR_RUN', `0xc0144306')
+define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
+define(`SNDCTL_COPR_WCODE', `0x40144305')
+define(`SNDCTL_COPR_WDATA', `0x40144304')
+define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
+define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
+define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
+define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
+define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
+define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
+define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
+define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
+define(`SNDCTL_DSP_GETODELAY', `0x80045017')
+define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
+define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
+define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
+define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
+define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
+define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
+define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
+define(`SNDCTL_DSP_POST', `0x00005008')
+define(`SNDCTL_DSP_PROFILE', `0x40045017')
+define(`SNDCTL_DSP_RESET', `0x00005000')
+define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
+define(`SNDCTL_DSP_SETFMT', `0xc0045005')
+define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
+define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
+define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
+define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
+define(`SNDCTL_DSP_SPEED', `0xc0045002')
+define(`SNDCTL_DSP_STEREO', `0xc0045003')
+define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
+define(`SNDCTL_DSP_SYNC', `0x00005001')
+define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
+define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
+define(`SNDCTL_MIDI_INFO', `0xc074510c')
+define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
+define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
+define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
+define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
+define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
+define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
+define(`SNDCTL_SEQ_GETTIME', `0x80045113')
+define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
+define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
+define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
+define(`SNDCTL_SEQ_PANIC', `0x00005111')
+define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
+define(`SNDCTL_SEQ_RESET', `0x00005100')
+define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
+define(`SNDCTL_SEQ_SYNC', `0x00005101')
+define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
+define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
+define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
+define(`SNDCTL_SYNTH_ID', `0xc08c5114')
+define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
+define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
+define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
+define(`SNDCTL_TMR_CONTINUE', `0x00005404')
+define(`SNDCTL_TMR_METRONOME', `0x40045407')
+define(`SNDCTL_TMR_SELECT', `0x40045408')
+define(`SNDCTL_TMR_SOURCE', `0xc0045406')
+define(`SNDCTL_TMR_START', `0x00005402')
+define(`SNDCTL_TMR_STOP', `0x00005403')
+define(`SNDCTL_TMR_TEMPO', `0xc0045405')
+define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
+define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
+define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
+define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
+define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
+define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
+define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
+define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
+define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
+define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
+define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
+define(`SNDRV_COMPRESS_RESUME', `0x00004331')
+define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
+define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
+define(`SNDRV_COMPRESS_START', `0x00004332')
+define(`SNDRV_COMPRESS_STOP', `0x00004333')
+define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
+define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
+define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
+define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
+define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
+define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
+define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
+define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
+define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
+define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
+define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
+define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
+define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
+define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
+define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
+define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
+define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
+define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
+define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
+define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
+define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
+define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
+define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
+define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
+define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
+define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
+define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
+define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
+define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
+define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
+define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
+define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
+define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
+define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
+define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
+define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
+define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
+define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
+define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
+define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
+define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
+define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
+define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
+define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
+define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
+define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
+define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
+define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
+define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
+define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
+define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
+define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
+define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
+define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
+define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
+define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
+define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
+define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
+define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
+define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
+define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
+define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
+define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
+define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
+define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
+define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
+define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
+define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
+define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
+define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
+define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
+define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
+define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
+define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
+define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
+define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
+define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
+define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
+define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
+define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
+define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
+define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
+define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
+define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
+define(`SNDRV_PCM_IOCTL_START', `0x00004142')
+define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
+define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
+define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
+define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
+define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
+define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
+define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
+define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
+define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
+define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
+define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
+define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
+define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
+define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
+define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
+define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
+define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
+define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
+define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
+define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
+define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
+define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
+define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
+define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
+define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
+define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
+define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
+define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
+define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
+define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
+define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
+define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
+define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
+define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
+define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
+define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
+define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
+define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
+define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
+define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
+define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
+define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
+define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
+define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
+define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
+define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
+define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
+define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
+define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
+define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
+define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
+define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
+define(`SONET_CLRDIAG', `0xc0046113')
+define(`SONET_GETDIAG', `0x80046114')
+define(`SONET_GETFRAMING', `0x80046116')
+define(`SONET_GETFRSENSE', `0x80066117')
+define(`SONET_GETSTAT', `0x80246110')
+define(`SONET_GETSTATZ', `0x80246111')
+define(`SONET_SETDIAG', `0xc0046112')
+define(`SONET_SETFRAMING', `0x40046115')
+define(`SONYPI_IOCGBAT1CAP', `0x80027602')
+define(`SONYPI_IOCGBAT1REM', `0x80027603')
+define(`SONYPI_IOCGBAT2CAP', `0x80027604')
+define(`SONYPI_IOCGBAT2REM', `0x80027605')
+define(`SONYPI_IOCGBATFLAGS', `0x80017607')
+define(`SONYPI_IOCGBLUE', `0x80017608')
+define(`SONYPI_IOCGBRT', `0x80017600')
+define(`SONYPI_IOCGFAN', `0x8001760a')
+define(`SONYPI_IOCGTEMP', `0x8001760c')
+define(`SONYPI_IOCSBLUE', `0x40017609')
+define(`SONYPI_IOCSBRT', `0x40017600')
+define(`SONYPI_IOCSFAN', `0x4001760b')
+define(`SOUND_MIXER_3DSE', `0xc0044d68')
+define(`SOUND_MIXER_ACCESS', `0xc0804d66')
+define(`SOUND_MIXER_AGC', `0xc0044d67')
+define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
+define(`SOUND_MIXER_INFO', `0x805c4d65')
+define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
+define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
+define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
+define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
+define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
+define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
+define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
+define(`SOUND_PCM_READ_BITS', `0x80045005')
+define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
+define(`SOUND_PCM_READ_FILTER', `0x80045007')
+define(`SOUND_PCM_READ_RATE', `0x80045002')
+define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
+define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
+define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
+define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
+define(`SPI_IOC_RD_MODE', `0x80016b01')
+define(`SPI_IOC_RD_MODE32', `0x80046b05')
+define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
+define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
+define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
+define(`SPI_IOC_WR_MODE', `0x40016b01')
+define(`SPI_IOC_WR_MODE32', `0x40046b05')
+define(`SPIOCSTYPE', `0x40087101')
+define(`SSTFB_GET_VGAPASS', `0x800446dd')
+define(`SSTFB_SET_VGAPASS', `0x400446dd')
+define(`STOP_ARRAY', `0x00000932')
+define(`STOP_ARRAY_RO', `0x00000933')
+define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
+define(`SW_SYNC_IOC_INC', `0x40045701')
+define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
+define(`SYNC_IOC_MERGE', `0xc0283e01')
+define(`SYNC_IOC_WAIT', `0x40043e00')
+define(`TCFLSH', `0x0000540b')
+define(`TCGETA', `0x00005405')
+define(`TCGETS2', `0x802c542a')
+define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
+define(`TCGETX', `0x00005432')
+define(`TCSBRK', `0x00005409')
+define(`TCSBRKP', `0x00005425')
+define(`TCSETA', `0x00005406')
+define(`TCSETAF', `0x00005408')
+define(`TCSETAW', `0x00005407')
+define(`TCSETS', `0x00005402')
+define(`TCSETS2', `0x402c542b')
+define(`TCSETSF', `0x00005404')
+define(`TCSETSF2', `0x402c542d')
+define(`TCSETSW', `0x00005403')
+define(`TCSETSW2', `0x402c542c')
+define(`TCSETX', `0x00005433')
+define(`TCSETXF', `0x00005434')
+define(`TCSETXW', `0x00005435')
+define(`TCXONC', `0x0000540a')
+define(`TFD_IOC_SET_TICKS', `0x40085400')
+define(`TIOCCBRK', `0x00005428')
+define(`TIOCCONS', `0x0000541d')
+define(`TIOCEXCL', `0x0000540c')
+define(`TIOCGDEV', `0x80045432')
+define(`TIOCGETD', `0x00005424')
+define(`TIOCGEXCL', `0x80045440')
+define(`TIOCGICOUNT', `0x0000545d')
+define(`TIOCGLCKTRMIOS', `0x00005456')
+define(`TIOCGPGRP', `0x0000540f')
+define(`TIOCGPKT', `0x80045438')
+define(`TIOCGPTLCK', `0x80045439')
+define(`TIOCGPTN', `0x80045430')
+define(`TIOCGRS485', `0x0000542e')
+define(`TIOCGSERIAL', `0x0000541e')
+define(`TIOCGSID', `0x00005429')
+define(`TIOCGSOFTCAR', `0x00005419')
+define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
+define(`TIOCLINUX', `0x0000541c')
+define(`TIOCMBIC', `0x00005417')
+define(`TIOCMBIS', `0x00005416')
+define(`TIOCMGET', `0x00005415')
+define(`TIOCMIWAIT', `0x0000545c')
+define(`TIOCMSET', `0x00005418')
+define(`TIOCNOTTY', `0x00005422')
+define(`TIOCNXCL', `0x0000540d')
+define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
+define(`TIOCPKT', `0x00005420')
+define(`TIOCSBRK', `0x00005427')
+define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
+define(`TIOCSERCONFIG', `0x00005453')
+define(`TIOCSERGETLSR', `0x00005459')
+define(`TIOCSERGETMULTI', `0x0000545a')
+define(`TIOCSERGSTRUCT', `0x00005458')
+define(`TIOCSERGWILD', `0x00005454')
+define(`TIOCSERSETMULTI', `0x0000545b')
+define(`TIOCSERSWILD', `0x00005455')
+define(`TIOCSETD', `0x00005423')
+define(`TIOCSIG', `0x40045436')
+define(`TIOCSLCKTRMIOS', `0x00005457')
+define(`TIOCSPGRP', `0x00005410')
+define(`TIOCSPTLCK', `0x40045431')
+define(`TIOCSRS485', `0x0000542f')
+define(`TIOCSSERIAL', `0x0000541f')
+define(`TIOCSSOFTCAR', `0x0000541a')
+define(`TIOCSTI', `0x00005412')
+define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
+define(`TIOCVHANGUP', `0x00005437')
+define(`TOSH_SMM', `0xc0047490')
+define(`TUNATTACHFILTER', `0x401054d5')
+define(`TUNDETACHFILTER', `0x401054d6')
+define(`TUNER_SET_CONFIG', `0x4010645c')
+define(`TUNGETFEATURES', `0x800454cf')
+define(`TUNGETFILTER', `0x801054db')
+define(`TUNGETIFF', `0x800454d2')
+define(`TUNGETSNDBUF', `0x800454d3')
+define(`TUNGETVNETHDRSZ', `0x800454d7')
+define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETDEBUG', `0x400454c9')
+define(`TUNSETGROUP', `0x400454ce')
+define(`TUNSETIFF', `0x400454ca')
+define(`TUNSETIFINDEX', `0x400454da')
+define(`TUNSETLINK', `0x400454cd')
+define(`TUNSETNOCSUM', `0x400454c8')
+define(`TUNSETOFFLOAD', `0x400454d0')
+define(`TUNSETOWNER', `0x400454cc')
+define(`TUNSETPERSIST', `0x400454cb')
+define(`TUNSETQUEUE', `0x400454d9')
+define(`TUNSETSNDBUF', `0x400454d4')
+define(`TUNSETTXFILTER', `0x400454d1')
+define(`TUNSETVNETHDRSZ', `0x400454d8')
+define(`TUNSETVNETLE', `0x400454dc')
+define(`UBI_IOCATT', `0x40186f40')
+define(`UBI_IOCDET', `0x40046f41')
+define(`UBI_IOCEBCH', `0x40044f02')
+define(`UBI_IOCEBER', `0x40044f01')
+define(`UBI_IOCEBISMAP', `0x80044f05')
+define(`UBI_IOCEBMAP', `0x40084f03')
+define(`UBI_IOCEBUNMAP', `0x40044f04')
+define(`UBI_IOCMKVOL', `0x40986f00')
+define(`UBI_IOCRMVOL', `0x40046f01')
+define(`UBI_IOCRNVOL', `0x51106f03')
+define(`UBI_IOCRSVOL', `0x400c6f02')
+define(`UBI_IOCSETVOLPROP', `0x40104f06')
+define(`UBI_IOCVOLCRBLK', `0x40804f07')
+define(`UBI_IOCVOLRMBLK', `0x00004f08')
+define(`UBI_IOCVOLUP', `0x40084f00')
+define(`UDF_GETEABLOCK', `0x80086c41')
+define(`UDF_GETEASIZE', `0x80046c40')
+define(`UDF_GETVOLIDENT', `0x80086c42')
+define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
+define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
+define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
+define(`UI_DEV_CREATE', `0x00005501')
+define(`UI_DEV_DESTROY', `0x00005502')
+define(`UI_END_FF_ERASE', `0x400c55cb')
+define(`UI_END_FF_UPLOAD', `0x406855c9')
+define(`UI_GET_VERSION', `0x8004552d')
+define(`UI_SET_ABSBIT', `0x40045567')
+define(`UI_SET_EVBIT', `0x40045564')
+define(`UI_SET_FFBIT', `0x4004556b')
+define(`UI_SET_KEYBIT', `0x40045565')
+define(`UI_SET_LEDBIT', `0x40045569')
+define(`UI_SET_MSCBIT', `0x40045568')
+define(`UI_SET_PHYS', `0x4008556c')
+define(`UI_SET_PROPBIT', `0x4004556e')
+define(`UI_SET_RELBIT', `0x40045566')
+define(`UI_SET_SNDBIT', `0x4004556a')
+define(`UI_SET_SWBIT', `0x4004556d')
+define(`UNPROTECT_ARRAY', `0x00000926')
+define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
+define(`USBDEVFS_BULK', `0xc0185502')
+define(`USBDEVFS_BULK32', `0xc0105502')
+define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
+define(`USBDEVFS_CLAIM_PORT', `0x80045518')
+define(`USBDEVFS_CLEAR_HALT', `0x80045515')
+define(`USBDEVFS_CONNECT', `0x00005517')
+define(`USBDEVFS_CONNECTINFO', `0x40085511')
+define(`USBDEVFS_CONTROL', `0xc0185500')
+define(`USBDEVFS_CONTROL32', `0xc0105500')
+define(`USBDEVFS_DISCARDURB', `0x0000550b')
+define(`USBDEVFS_DISCONNECT', `0x00005516')
+define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
+define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
+define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
+define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
+define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
+define(`USBDEVFS_GETDRIVER', `0x41045508')
+define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
+define(`USBDEVFS_IOCTL', `0xc0105512')
+define(`USBDEVFS_IOCTL32', `0xc00c5512')
+define(`USBDEVFS_REAPURB', `0x4008550c')
+define(`USBDEVFS_REAPURB32', `0x4004550c')
+define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
+define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
+define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
+define(`USBDEVFS_RELEASE_PORT', `0x80045519')
+define(`USBDEVFS_RESET', `0x00005514')
+define(`USBDEVFS_RESETEP', `0x80045503')
+define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
+define(`USBDEVFS_SETINTERFACE', `0x80085504')
+define(`USBDEVFS_SUBMITURB', `0x8038550a')
+define(`USBDEVFS_SUBMITURB32', `0x802a550a')
+define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
+define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
+define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
+define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
+define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
+define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
+define(`UVCIOC_CTRL_MAP', `0xc0607520')
+define(`UVCIOC_CTRL_QUERY', `0xc0107521')
+define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
+define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
+define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
+define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
+define(`VFIO_CHECK_EXTENSION', `0x00003b65')
+define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
+define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
+define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
+define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
+define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
+define(`VFIO_DEVICE_RESET', `0x00003b6f')
+define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
+define(`VFIO_EEH_PE_OP', `0x00003b79')
+define(`VFIO_GET_API_VERSION', `0x00003b64')
+define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
+define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
+define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
+define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
+define(`VFIO_IOMMU_DISABLE', `0x00003b74')
+define(`VFIO_IOMMU_ENABLE', `0x00003b73')
+define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
+define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
+define(`VFIO_SET_IOMMU', `0x00003b66')
+define(`VHOST_GET_FEATURES', `0x8008af00')
+define(`VHOST_GET_VRING_BASE', `0xc008af12')
+define(`VHOST_NET_SET_BACKEND', `0x4008af30')
+define(`VHOST_RESET_OWNER', `0x0000af02')
+define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
+define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
+define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
+define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
+define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
+define(`VHOST_SET_FEATURES', `0x4008af00')
+define(`VHOST_SET_LOG_BASE', `0x4008af04')
+define(`VHOST_SET_LOG_FD', `0x4004af07')
+define(`VHOST_SET_MEM_TABLE', `0x4008af03')
+define(`VHOST_SET_OWNER', `0x0000af01')
+define(`VHOST_SET_VRING_ADDR', `0x4028af11')
+define(`VHOST_SET_VRING_BASE', `0x4008af12')
+define(`VHOST_SET_VRING_CALL', `0x4008af21')
+define(`VHOST_SET_VRING_ERR', `0x4008af22')
+define(`VHOST_SET_VRING_KICK', `0x4008af20')
+define(`VHOST_SET_VRING_NUM', `0x4008af10')
+define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
+define(`VIDEO_COMMAND', `0xc0486f3b')
+define(`VIDEO_CONTINUE', `0x00006f18')
+define(`VIDEO_FAST_FORWARD', `0x00006f1f')
+define(`VIDEO_FREEZE', `0x00006f17')
+define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
+define(`VIDEO_GET_EVENT', `0x80206f1c')
+define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
+define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
+define(`VIDEO_GET_NAVI', `0x84046f34')
+define(`VIDEO_GET_PTS', `0x80086f39')
+define(`VIDEO_GET_SIZE', `0x800c6f37')
+define(`VIDEO_GET_STATUS', `0x80146f1b')
+define(`VIDEO_PLAY', `0x00006f16')
+define(`VIDEO_SELECT_SOURCE', `0x00006f19')
+define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
+define(`VIDEO_SET_BLANK', `0x00006f1a')
+define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
+define(`VIDEO_SET_FORMAT', `0x00006f25')
+define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
+define(`VIDEO_SET_ID', `0x00006f23')
+define(`VIDEO_SET_SPU', `0x40086f32')
+define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
+define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
+define(`VIDEO_SET_SYSTEM', `0x00006f26')
+define(`VIDEO_SLOWMOTION', `0x00006f20')
+define(`VIDEO_STILLPICTURE', `0x40106f1e')
+define(`VIDEO_STOP', `0x00006f15')
+define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
+define(`VIDIOC_CREATE_BUFS', `0xc100565c')
+define(`VIDIOC_CROPCAP', `0xc02c563a')
+define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
+define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
+define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
+define(`VIDIOC_DECODER_CMD', `0xc0485660')
+define(`VIDIOC_DQBUF', `0xc0585611')
+define(`VIDIOC_DQEVENT', `0x80885659')
+define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_ENCODER_CMD', `0xc028564d')
+define(`VIDIOC_ENUMAUDIO', `0xc0345641')
+define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
+define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_ENUM_FMT', `0xc0405602')
+define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
+define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
+define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
+define(`VIDIOC_ENUMINPUT', `0xc050561a')
+define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
+define(`VIDIOC_ENUMSTD', `0xc0485619')
+define(`VIDIOC_EXPBUF', `0xc0405610')
+define(`VIDIOC_G_AUDIO', `0x80345621')
+define(`VIDIOC_G_AUDOUT', `0x80345631')
+define(`VIDIOC_G_CROP', `0xc014563b')
+define(`VIDIOC_G_CTRL', `0xc008561b')
+define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_G_EDID', `0xc0285628')
+define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
+define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
+define(`VIDIOC_G_FBUF', `0x8030560a')
+define(`VIDIOC_G_FMT', `0xc0d05604')
+define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
+define(`VIDIOC_G_INPUT', `0x80045626')
+define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
+define(`VIDIOC_G_MODULATOR', `0xc0445636')
+define(`VIDIOC_G_OUTPUT', `0x8004562e')
+define(`VIDIOC_G_PARM', `0xc0cc5615')
+define(`VIDIOC_G_PRIORITY', `0x80045643')
+define(`VIDIOC_G_SELECTION', `0xc040565e')
+define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
+define(`VIDIOC_G_STD', `0x80085617')
+define(`VIDIOC_G_TUNER', `0xc054561d')
+define(`VIDIOC_INT_RESET', `0x40046466')
+define(`VIDIOC_LOG_STATUS', `0x00005646')
+define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
+define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
+define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
+define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
+define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
+define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
+define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
+define(`VIDIOC_OVERLAY', `0x4004560e')
+define(`VIDIOC_PREPARE_BUF', `0xc058565d')
+define(`VIDIOC_QBUF', `0xc058560f')
+define(`VIDIOC_QUERYBUF', `0xc0585609')
+define(`VIDIOC_QUERYCAP', `0x80685600')
+define(`VIDIOC_QUERYCTRL', `0xc0445624')
+define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
+define(`VIDIOC_QUERYMENU', `0xc02c5625')
+define(`VIDIOC_QUERYSTD', `0x8008563f')
+define(`VIDIOC_REQBUFS', `0xc0145608')
+define(`VIDIOC_RESERVED', `0x00005601')
+define(`VIDIOC_S_AUDIO', `0x40345622')
+define(`VIDIOC_S_AUDOUT', `0x40345632')
+define(`VIDIOC_S_CROP', `0x4014563c')
+define(`VIDIOC_S_CTRL', `0xc008561c')
+define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_S_EDID', `0xc0285629')
+define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
+define(`VIDIOC_S_FBUF', `0x4030560b')
+define(`VIDIOC_S_FMT', `0xc0d05605')
+define(`VIDIOC_S_FREQUENCY', `0x402c5639')
+define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
+define(`VIDIOC_S_INPUT', `0xc0045627')
+define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
+define(`VIDIOC_S_MODULATOR', `0x40445637')
+define(`VIDIOC_S_OUTPUT', `0xc004562f')
+define(`VIDIOC_S_PARM', `0xc0cc5616')
+define(`VIDIOC_S_PRIORITY', `0x40045644')
+define(`VIDIOC_S_SELECTION', `0xc040565f')
+define(`VIDIOC_S_STD', `0x40085618')
+define(`VIDIOC_STREAMOFF', `0x40045613')
+define(`VIDIOC_STREAMON', `0x40045612')
+define(`VIDIOC_S_TUNER', `0x4054561e')
+define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
+define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
+define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
+define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
+define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
+define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
+define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
+define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
+define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
+define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
+define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
+define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
+define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
+define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
+define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
+define(`VIDIOC_TRY_FMT', `0xc0d05640')
+define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
+define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
+define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
+define(`VT_ACTIVATE', `0x00005606')
+define(`VT_DISALLOCATE', `0x00005608')
+define(`VT_GETHIFONTMASK', `0x0000560d')
+define(`VT_GETMODE', `0x00005601')
+define(`VT_GETSTATE', `0x00005603')
+define(`VT_LOCKSWITCH', `0x0000560b')
+define(`VT_OPENQRY', `0x00005600')
+define(`VT_RELDISP', `0x00005605')
+define(`VT_RESIZE', `0x00005609')
+define(`VT_RESIZEX', `0x0000560a')
+define(`VT_SENDSIG', `0x00005604')
+define(`VT_SETACTIVATE', `0x0000560f')
+define(`VT_SETMODE', `0x00005602')
+define(`VT_UNLOCKSWITCH', `0x0000560c')
+define(`VT_WAITACTIVE', `0x00005607')
+define(`VT_WAITEVENT', `0x0000560e')
+define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
+define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
+define(`WDIOC_GETBOOTSTATUS', `0x80045702')
+define(`WDIOC_GETPRETIMEOUT', `0x80045709')
+define(`WDIOC_GETSTATUS', `0x80045701')
+define(`WDIOC_GETSUPPORT', `0x80285700')
+define(`WDIOC_GETTEMP', `0x80045703')
+define(`WDIOC_GETTIMELEFT', `0x8004570a')
+define(`WDIOC_GETTIMEOUT', `0x80045707')
+define(`WDIOC_KEEPALIVE', `0x80045705')
+define(`WDIOC_SETOPTIONS', `0x80045704')
+define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
+define(`WDIOC_SETTIMEOUT', `0xc0045706')
+define(`WRITE_RAID_INFO', `0x00000925')
+define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
+define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
+define(`ZATM_GETPOOL', `0x40106161')
+define(`ZATM_GETPOOLZ', `0x40106162')
+define(`ZATM_SETPOOL', `0x40106163')
diff --git a/microdroid/system/public/ioctl_macros b/microdroid/system/public/ioctl_macros
new file mode 100644
index 0000000..47a5157
--- /dev/null
+++ b/microdroid/system/public/ioctl_macros
@@ -0,0 +1,76 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# Socket ioctls for gathering information about the interface
+SIOCGSTAMP SIOCGSTAMPNS
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
+SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
+# Wireless extension ioctls. Primarily get functions.
+SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
+SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
+SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
+}')
+
+# socket ioctls never allowed to unprivileged apps
+define(`priv_sock_ioctls', `
+{
+# qualcomm rmnet ioctls
+WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
+# socket ioctls
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
+SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
+SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
+SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
+SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
+SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
+SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
+SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
+SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
+# device and protocol specific ioctls
+SIOCDEVPRIVATE-SIOCDEVPRIVLAST
+SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
+# Wireless extension ioctls
+SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
+SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
+SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
+SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
+SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
+# Dev private ioctl i.e. hardware specific ioctls
+SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
+}')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
+
+# commonly used TTY ioctls
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
+ TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
+}')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+}')
diff --git a/microdroid/system/public/kernel.te b/microdroid/system/public/kernel.te
new file mode 100644
index 0000000..c117a1a
--- /dev/null
+++ b/microdroid/system/public/kernel.te
@@ -0,0 +1,2 @@
+# Life begins with the kernel.
+type kernel, domain, mlstrustedsubject;
diff --git a/microdroid/system/public/keystore.te b/microdroid/system/public/keystore.te
new file mode 100644
index 0000000..295d3d9
--- /dev/null
+++ b/microdroid/system/public/keystore.te
@@ -0,0 +1,26 @@
+type keystore, domain;
+type keystore_exec, file_type, exec_type, system_file_type;
+
+# keystore daemon
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
+add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
diff --git a/microdroid/system/public/logcat.te b/microdroid/system/public/logcat.te
new file mode 100644
index 0000000..902fd8a
--- /dev/null
+++ b/microdroid/system/public/logcat.te
@@ -0,0 +1,2 @@
+type logcat;
+type logcat_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/logd.te b/microdroid/system/public/logd.te
new file mode 100644
index 0000000..67f601c
--- /dev/null
+++ b/microdroid/system/public/logd.te
@@ -0,0 +1,2 @@
+type logd, domain;
+type logd_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/neverallow_macros b/microdroid/system/public/neverallow_macros
new file mode 100644
index 0000000..59fa441
--- /dev/null
+++ b/microdroid/system/public/neverallow_macros
@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
new file mode 100644
index 0000000..f5dc758
--- /dev/null
+++ b/microdroid/system/public/property.te
@@ -0,0 +1,40 @@
+type apexd_prop, property_type;
+type bootloader_prop, property_type;
+type boottime_prop, property_type;
+type build_prop, property_type;
+type cold_boot_done_prop, property_type;
+type ctl_adbd_prop, property_type;
+type ctl_apexd_prop, property_type;
+type ctl_console_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
+type ctl_restart_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
+type debug_prop, property_type;
+type default_prop, property_type;
+type exported_default_prop, property_type;
+type fingerprint_prop, property_type;
+type hwservicemanager_prop, property_type;
+type init_perf_lsm_hooks_prop, property_type;
+type init_service_status_private_prop, property_type;
+type init_service_status_prop, property_type;
+type init_svc_debug_prop, property_type;
+type keystore_listen_prop, property_type;
+type logd_prop, property_type;
+type property_service_version_prop, property_type;
+type shell_prop, property_type;
+type usb_control_prop, property_type;
+type vendor_default_prop, property_type;
+type vmsecret_keymint_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+#----------------------------------------
+type adbd_config_prop, property_type;
+
+type module_sdkextensions_prop, property_type;
diff --git a/microdroid/system/public/roles b/microdroid/system/public/roles
new file mode 100644
index 0000000..ca92934
--- /dev/null
+++ b/microdroid/system/public/roles
@@ -0,0 +1 @@
+role r types domain;
diff --git a/microdroid/system/public/runas.te b/microdroid/system/public/runas.te
new file mode 100644
index 0000000..4d8a6b3
--- /dev/null
+++ b/microdroid/system/public/runas.te
@@ -0,0 +1,2 @@
+type runas, domain, mlstrustedsubject, coredomain;
+type runas_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/servicemanager.te b/microdroid/system/public/servicemanager.te
new file mode 100644
index 0000000..41a1096
--- /dev/null
+++ b/microdroid/system/public/servicemanager.te
@@ -0,0 +1,2 @@
+type servicemanager, domain;
+type servicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
new file mode 100644
index 0000000..c84e377
--- /dev/null
+++ b/microdroid/system/public/shell.te
@@ -0,0 +1,82 @@
+# Domain for shell processes spawned by ADB or console service.
+type shell, domain, mlstrustedsubject;
+type shell_exec, system_file_type, exec_type, file_type;
+
+# Create and use network sockets.
+net_domain(shell)
+
+# logcat
+read_logd(shell)
+control_logd(shell)
+
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
+r_dir_file(shell, proc_net_type)
+
+allow shell {
+ proc_asound
+ proc_filesystems
+ proc_interrupts
+ proc_loadavg # b/124024827
+ proc_meminfo
+ proc_modules
+ proc_pid_max
+ proc_slabinfo
+ proc_stat
+ proc_timer
+ proc_uptime
+ proc_version
+ proc_vmstat
+ proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
new file mode 100644
index 0000000..5da3ec9
--- /dev/null
+++ b/microdroid/system/public/statsd.te
@@ -0,0 +1,31 @@
+type statsd, domain, mlstrustedsubject;
+
+type statsd_exec, system_file_type, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read write };
+
+unix_socket_send(statsd, statsdw, statsd)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
new file mode 100644
index 0000000..a440c21
--- /dev/null
+++ b/microdroid/system/public/su.te
@@ -0,0 +1,52 @@
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
+# File types must be defined for file_contexts.
+type su_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # Domain used for su processes, as well as for adbd and adb shell
+ # after performing an adb root command. The domain definition is
+ # wrapped to ensure that it does not exist at all on -user builds.
+ typeattribute su mlstrustedsubject;
+
+ # Add su to various domains
+ net_domain(su)
+
+ dontaudit su self:capability_class_set *;
+ dontaudit su self:capability2 *;
+ dontaudit su kernel:security *;
+ dontaudit su { kernel file_type }:system *;
+ dontaudit su self:memprotect *;
+ dontaudit su domain:{ process process2 } *;
+ dontaudit su domain:fd *;
+ dontaudit su domain:dir *;
+ dontaudit su domain:lnk_file *;
+ dontaudit su domain:{ fifo_file file } *;
+ dontaudit su domain:socket_class_set *;
+ dontaudit su domain:ipc_class_set *;
+ dontaudit su domain:key *;
+ dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+ dontaudit su node_type:node *;
+ dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+ dontaudit su netif_type:netif *;
+ dontaudit su port_type:socket_class_set *;
+ dontaudit su port_type:{ tcp_socket dccp_socket } *;
+ dontaudit su domain:peer *;
+ dontaudit su domain:binder *;
+ dontaudit su property_type:property_service *;
+ dontaudit su property_type:file *;
+ dontaudit su service_manager_type:service_manager *;
+ dontaudit su hwservice_manager_type:hwservice_manager *;
+ dontaudit su servicemanager:service_manager list;
+ dontaudit su hwservicemanager:hwservice_manager list;
+ dontaudit su keystore:keystore_key *;
+ dontaudit su keystore:keystore2 *;
+ dontaudit su domain:drmservice *;
+ dontaudit su unlabeled:filesystem *;
+ dontaudit su domain:bpf *;
+ dontaudit su unlabeled:vsock_socket *;
+ dontaudit su self:perf_event *;
+')
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
new file mode 100644
index 0000000..9e73292
--- /dev/null
+++ b/microdroid/system/public/te_macros
@@ -0,0 +1,988 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute map };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint open read execute getattr map };
+# New domain can send SIGCHLD to its caller.
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
+define(`tmpfs_domain', `
+type_transition $1 tmpfs:file $1_tmpfs;
+allow $1 $1_tmpfs:file { read write getattr map };
+')
+
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
+')
+
+#####################################
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+')
+
+####################################
+# userfaultfd_use(domain)
+# Allow domain to create/use userfaultfd.
+define(`userfaultfd_use', `
+# Set up a type_transition to "userfaultfd" named anonymous inode object.
+type $1_userfaultfd;
+type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
+# Allow domain to create/use userfaultfd anon_inode.
+allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Other domains may not use userfaultfd anon_inodes created by this domain.
+neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
+# This domain may not use userfaultfd anon_inodes created by other domains.
+neverallow $1 ~$1_userfaultfd:anon_inode *;
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label tmpfs objects for all apps.
+type_transition $1 tmpfs:file appdomain_tmpfs;
+userfaultfd_use($1)
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
+')
+
+#####################################
+# untrusted_app_domain(domain)
+# Allow a base set of permissions required for all untrusted apps.
+define(`untrusted_app_domain', `
+typeattribute $1 untrusted_app_all;
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+# hal_*_client and halclientdomain attributes are always expanded for
+# performance reasons. Neverallow rules targeting expanded attributes can not be
+# verified by CTS since these attributes are already expanded by that time.
+build_test_only(`
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
+')
+')
+
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+# type hal_foo_default, domain;
+# hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+# hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+')
+
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+# passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+get_prop($1, $2)
+')
+
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file { getattr open read map };
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
+# Allow servicemanager to send out callbacks
+allow servicemanager $1:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open map };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open map };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:global_capability2_class_set block_suspend;
+# system_suspend permissions
+binder_call($1, system_suspend_server)
+allow $1 system_suspend_hwservice:hwservice_manager find;
+# halclientdomain permissions
+hwbinder_use($1)
+get_prop($1, hwservicemanager_prop)
+allow $1 hidl_manager_hwservice:hwservice_manager find;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Recovery only
+# SELinux rules which apply only to recovery mode
+#
+define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+
+#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
+#####################################
+# Compatible property only
+# SELinux rules which apply only to devices with compatible property
+#
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
+ifelse(target_compatible_property, `cts',
+# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not compatible property
+# SELinux rules which apply only to devices without compatible property
+#
+define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# Build-time-only test
+# SELinux rules which are verified during build, but not as part of *TS testing.
+#
+define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+ allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
+# TODO: Figure out why write is needed.
+allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned:fd use;
+allow $1 tombstoned_crash_socket:sock_file write;
+allow $1 tombstone_data_file:file append;
+')
+
+#####################################
+# WITH_DEXPREOPT builds
+# SELinux rules which apply only when pre-opting.
+#
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
+')
+
+#####################################
+# read_logd(domain)
+# Ability to run logcat and read from android
+# log daemon via sockets
+define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# read_runtime_log_tags(domain)
+# ability to directly map the runtime event log tags
+define(`read_runtime_log_tags', `
+allow $1 runtime_event_log_tags_file:file r_file_perms;
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+ allow keystore $1:dir search;
+ allow keystore $1:file { read open };
+ allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
+ allow $1 keystore_service:service_manager find;
+ allow $1 legacykeystore_service:service_manager find;
+ binder_call($1, keystore)
+ binder_call(keystore, $1)
+')
+
+#####################################
+# use_credstore(domain)
+# Ability to use credstore.
+define(`use_credstore', `
+ allow credstore $1:dir search;
+ allow credstore $1:file { read open };
+ allow credstore $1:process getattr;
+ allow $1 credstore_service:service_manager find;
+ binder_call($1, credstore)
+ binder_call(credstore, $1)
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
+
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+ allow $1 $2:service_manager { add find };
+ neverallow { domain -$1 } $2:service_manager add;
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
+ neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
+###########################################
+# hal_attribute_hwservice(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_hwservice', `
+ allow $1_client $2:hwservice_manager find;
+ add_hwservice($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+ ')
+')
+
+###########################################
+# hal_attribute_service(attribute, service)
+# Ability for domain to get a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_service
+define(`hal_attribute_service', `
+ allow $1_client $2:service_manager find;
+ add_service($1_server, $2)
+
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(<your domain>, hal_<foo>)
+ # instead
+ neverallow {
+ domain
+ -$1_client
+ -$1_server
+ -shell
+ } $2:service_manager find;
+ ')
+')
+
+###################################
+# can_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by central
+# heapprofd.
+define(`can_profile_heap', `
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # Allow daemon to use the passed fds.
+ allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
+
+ # To read and write from the received file descriptors.
+ # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+ # process they relate to.
+ # We need to write to /proc/$PID/page_idle to find idle allocations.
+ # The client only opens /proc/self/page_idle with RDWR, everything else
+ # with RDONLY.
+ # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+ # sys_ptrace.
+ allow heapprofd $1:file rw_file_perms;
+ # Allow searching the /proc/[pid] directory for cmdline.
+ allow heapprofd $1:dir r_dir_perms;
+')
+
+###################################
+# never_profile_heap(domain)
+# Opt out of heap profiling by heapprofd.
+define(`never_profile_heap', `
+ neverallow heapprofd $1:file read;
+ neverallow heapprofd $1:process signal;
+')
+
+###################################
+# can_profile_perf(domain)
+# Allow processes within the domain to be profiled, and have their stacks
+# sampled, by traced_perf.
+define(`can_profile_perf', `
+ # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
+ # reads /proc/[pid]/cmdline.
+ allow traced_perf $1:file r_file_perms;
+ allow traced_perf $1:dir r_dir_perms;
+
+ # Allow central daemon to send signal to request /proc/[pid]/maps and
+ # /proc/[pid]/mem fds from this process.
+ allow traced_perf $1:process signal;
+
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, traced_perf, traced_perf)
+ # Allow daemon to use the passed fds.
+ allow traced_perf $1:fd use;
+')
+
+###################################
+# never_profile_perf(domain)
+# Opt out of profiling by traced_perf.
+define(`never_profile_perf', `
+ neverallow traced_perf $1:file read;
+ neverallow traced_perf $1:process signal;
+')
+
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+# When applying this macro, you might need to also allow traced to use the
+# producer tmpfs domain, if the producer will be the one creating the shared
+# memory.
+define(`perfetto_producer', `
+ allow $1 traced:fd use;
+ allow $1 traced_tmpfs:file { read write getattr map };
+ unix_socket_connect($1, traced_producer, traced)
+
+ # Also allow the service to use the producer file descriptors. This is
+ # necessary when the producer is creating the shared memory, as it will be
+ # passed to the service as a file descriptor (obtained from memfd_create).
+ allow traced $1:fd use;
+')
+
+###########################################
+# dump_hal(hal_type)
+# Ability to dump the hal debug info
+#
+define(`dump_hal', `
+ hal_client_domain(dumpstate, $1);
+ allow $1_server dumpstate:fifo_file write;
+ allow $1_server dumpstate:fd use;
+')
+
+#####################################
+# treble_sysprop_neverallow(rules)
+# SELinux neverallow rules which enforces the accessibility of each property
+# outside the owner.
+#
+# For devices launching with R or later, exported properties must be explicitly marked as
+# "restricted" or "public", depending on the accessibility outside the owner.
+# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these rules only for devices launching with R or later.
+#
+# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
+#
+define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
+ifelse(target_treble_sysprop_neverallow, `cts',
+# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# enforce_sysprop_owner(rules)
+# SELinux neverallow rules which enforces the owner of each property.
+#
+# For devices launching with S or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these ules only for devices launching with S or later.
+#
+define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
+ifelse(target_enforce_sysprop_owner, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+###########################################
+# define_prop(name, owner, scope)
+# Define a property with given owner and scope
+#
+define(`define_prop', `
+ type $1, property_type, $2_property_type, $2_$3_property_type;
+')
+
+###########################################
+# system_internal_prop(name)
+# Define a /system-owned property used only in /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_internal_prop', `
+ define_prop($1, system, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# system_restricted_prop(name)
+# Define a /system-owned property which can't be written outside /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_restricted_prop', `
+ define_prop($1, system, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# system_public_prop(name)
+# Define a /system-owned property with no restrictions
+#
+define(`system_public_prop', `define_prop($1, system, public)')
+
+###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+ system_public_prop($1)
+ set_prop(vendor_init, $1)
+ neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
+# product_internal_prop(name)
+# Define a /product-owned property used only in /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_internal_prop', `
+ define_prop($1, product, internal)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# product_restricted_prop(name)
+# Define a /product-owned property which can't be written outside /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_restricted_prop', `
+ define_prop($1, product, restricted)
+ treble_sysprop_neverallow(`
+ neverallow { domain -coredomain } $1:property_service set;
+ ')
+')
+
+###########################################
+# product_public_prop(name)
+# Define a /product-owned property with no restrictions
+#
+define(`product_public_prop', `define_prop($1, product, public)')
+
+###########################################
+# vendor_internal_prop(name)
+# Define a /vendor-owned property used only in /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_internal_prop', `
+ define_prop($1, vendor, internal)
+ treble_sysprop_neverallow(`
+# init and dumpstate are in coredomain, but should be able to read all props.
+ neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
+ ')
+')
+
+###########################################
+# vendor_restricted_prop(name)
+# Define a /vendor-owned property which can't be written outside /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_restricted_prop', `
+ define_prop($1, vendor, restricted)
+ treble_sysprop_neverallow(`
+# init is in coredomain, but should be able to write all props.
+ neverallow { coredomain -init } $1:property_service set;
+ ')
+')
+
+###########################################
+# vendor_public_prop(name)
+# Define a /vendor-owned property with no restrictions
+#
+define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+')
diff --git a/microdroid/system/public/tombstoned.te b/microdroid/system/public/tombstoned.te
new file mode 100644
index 0000000..bd1626d
--- /dev/null
+++ b/microdroid/system/public/tombstoned.te
@@ -0,0 +1,2 @@
+type tombstoned, domain;
+type tombstoned_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/toolbox.te b/microdroid/system/public/toolbox.te
new file mode 100644
index 0000000..0a6e649
--- /dev/null
+++ b/microdroid/system/public/toolbox.te
@@ -0,0 +1,2 @@
+type toolbox, domain;
+type toolbox_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
new file mode 100644
index 0000000..c31509c
--- /dev/null
+++ b/microdroid/system/public/type.te
@@ -0,0 +1,23 @@
+# Miscellaneous types
+type adb_service, system_server_service, system_api_service, service_manager_type;
+type apex_service, service_manager_type;
+type authorization_service, service_manager_type;
+type credstore_service, app_api_service, service_manager_type;
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type default_android_service, service_manager_type;
+type hal_keymint_service, protected_service, vendor_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
+type keystore_service, service_manager_type;
+type legacykeystore_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
+type system_linker;
+type vm_payload_key;
diff --git a/microdroid/system/public/ueventd.te b/microdroid/system/public/ueventd.te
new file mode 100644
index 0000000..7bf7888
--- /dev/null
+++ b/microdroid/system/public/ueventd.te
@@ -0,0 +1,4 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+type ueventd_tmpfs, file_type;
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
new file mode 100644
index 0000000..b66caa9
--- /dev/null
+++ b/microdroid/system/public/vendor_init.te
@@ -0,0 +1,150 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open getattr write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -runtime_event_log_tags_file
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+ -apex_info_file
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -apex_mnt_dir
+ -exec_type
+ -system_file_type
+ -unlabeled
+ -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -exec_type
+ -system_file_type
+ -vendor_file_type
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -fusefs_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr map };
+
+allow vendor_init tracefs_type:file { open read setattr map };
+
+allow vendor_init {
+ fs_type
+ -fusefs_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# vendor_init is using bootstrap bionic
+allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
+allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -kvm_device
+ -hw_random_device
+}:chr_file setattr;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
new file mode 100644
index 0000000..0aa85cf
--- /dev/null
+++ b/microdroid/vendor/file_contexts
@@ -0,0 +1,38 @@
+# TODO(jiyong): clean this up
+#############################
+# Vendor files
+#
+(/.*)? u:object_r:vendor_file:s0
+/bin/sh u:object_r:vendor_shell_exec:s0
+/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
+/bin/toolbox u:object_r:vendor_toolbox_exec:s0
+/etc(/.*)? u:object_r:vendor_configs_file:s0
+/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
+/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+
+/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+
+/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+/manifest\.xml u:object_r:vendor_configs_file:s0
+/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
+/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
+/app(/.*)? u:object_r:vendor_app_file:s0
+/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+
+# HAL location
+/lib(64)?/hw u:object_r:vendor_hal_file:s0
+
+/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
+
+/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+
+/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0
diff --git a/microdroid/vendor/hal_keymint_default.te b/microdroid/vendor/hal_keymint_default.te
new file mode 100644
index 0000000..359ca60
--- /dev/null
+++ b/microdroid/vendor/hal_keymint_default.te
@@ -0,0 +1,13 @@
+type hal_keymint_default, domain;
+hal_server_domain(hal_keymint_default, hal_keymint)
+
+type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymint_default)
+
+allow hal_keymint_default keystore:binder transfer;
+allow hal_keymint_default system_lib_file:file execute;
+
+allow logd hal_keymint_default:dir search;
+allow logd hal_keymint_default:file { getattr open read };
+
+get_prop(hal_keymint_default, vmsecret_keymint_prop);