platform_system_sepolicy/contexts/plat_file_contexts_test


Add checkfc mode to validate file_contexts against test data A new mode for checkfc is introduced (-t) which takes a file_contexts and a test data file. Each line in the test data file contains a path and the expected type. checkfc loads the file_contexts and repeatedly calls selabel_lookup(3) to verify that the computed type is as expected. This mode can be used to confirm that any modification to file_contexts or its build process is benign. A test data file (plat_file_contexts_test) is added. This file was manually created based on private/file_contexts. Each static path was copied as-is. Each regular expression was expanded into a couple of entries. For instance, /dev/adf[0-9]* generated /dev/adf, /dev/adf0 and /dev/adf123. libselinux keeps track of which specification is being hit when using selabel_lookup. When calling selabel_stats(3), the file backend will output a warning if a specification has not been used. This can be leveraged to ensure that each rule is at least hit once. This property will be leveraged in a follow-up change (by running the test as part of the build process), to ensure that the plat_file_contexts_test file remains up-to-date (that is, when an entry is added to private/file_contexts, the build will fail unless a test is also added to plat_file_contexts_test to exercise the specification/regular expression). Test: m checkfc && checkfc -t ./private/file_contexts ./tests/plat_file_contexts_test Bug: 299839280 Change-Id: Ibf56859a16bd17e1f878ce7b0570b2aead79c7e0
2023-10-05 00:44:24 +02:00
# Test data for private/file_contexts.
#
# Pass this file to checkfc (-t mode) together with file_contexts to confirm
# that the regular expressions in file_contexts match the intended paths.
#
# Format: one "<path> <expected type>" pair per line.
#
# Entries whose expected type is a generic fallback (rootfs, device,
# block_device, system_file, ...) sitting next to a more specific sibling
# act as negative cases: they pin where a pattern is expected to stop
# matching, so a loosened regular expression shows up as a test failure
# instead of a quietly relabelled path.

# Root filesystem: most top-level paths are expected to resolve to rootfs.
/ rootfs
/adb_keys adb_keys_file
/build.prop rootfs
/default.prop rootfs
/fstab.persist rootfs
/fstab.postinstall rootfs
/init.rc rootfs
/init.environ.rc rootfs
/res rootfs
/res/test rootfs
/selinux_version rootfs
/ueventd.rc rootfs
/ueventd.common.rc rootfs
/verity_key rootfs
/init init_exec
# /sbin/su is expected to stay rootfs; su_exec is expected on
# /system/xbin/su (see that entry further down in this file).
/sbin rootfs
/sbin/su rootfs
/lib rootfs
/lib/lib.so rootfs
/system_dlkm system_dlkm_file
/system_dlkm/lib/modules/modules.load system_dlkm_file
/lost+found rootfs
/acct cgroup
/config rootfs
/data_mirror mirror_data_file
/debug_ramdisk tmpfs
/mnt tmpfs
/proc rootfs
/second_stage_resources tmpfs
/sys sysfs
/apex apex_mnt_dir
/bootstrap-apex apex_mnt_dir
/postinstall postinstall_mnt_dir
/postinstall/apex postinstall_apex_mnt_dir
/apex/.bootstrap-apex-info-list.xml apex_info_file
/apex/.default-apex-info-list.xml apex_info_file
/apex/apex-info-list.xml apex_info_file
/bin rootfs
/bugreports rootfs
/charger rootfs
/d rootfs
/etc rootfs
/sdcard rootfs
# Policy and context files placed at the root: each family is expected to
# carry its own *_file type rather than rootfs.
/vendor_file_contexts file_contexts_file
/plat_file_contexts file_contexts_file
/product_file_contexts file_contexts_file
/mapping_sepolicy.cil sepolicy_file
/plat_sepolicy.cil sepolicy_file
/plat_property_contexts property_contexts_file
/product_property_contexts property_contexts_file
/vendor_property_contexts property_contexts_file
/seapp_contexts seapp_contexts_file
/vendor_seapp_contexts seapp_contexts_file
/plat_seapp_contexts seapp_contexts_file
/sepolicy sepolicy_file
/plat_service_contexts service_contexts_file
/plat_hwservice_contexts hwservice_contexts_file
/plat_keystore2_key_contexts keystore2_key_contexts_file
/vendor_service_contexts vendor_service_contexts_file
/vendor_hwservice_contexts hwservice_contexts_file
/vndservice_contexts vndservice_contexts_file
# /dev: a name that no specific rule covers is expected to fall back to the
# generic device type.
/dev device
/dev/does_not_exist device
# Numeric-suffix pattern expanded as: no digits, one digit, several digits.
/dev/adf graphics_device
/dev/adf0 graphics_device
/dev/adf123 graphics_device
# Digits appear to be optional on either side of the dot.
/dev/adf-interface. graphics_device
/dev/adf-interface0. graphics_device
/dev/adf-interface.1 graphics_device
/dev/adf-interface2.3 graphics_device
/dev/adf-overlay-engine. graphics_device
/dev/adf-overlay-engine0. graphics_device
/dev/adf-overlay-engine.1 graphics_device
/dev/adf-overlay-engine2.3 graphics_device
# The exact name gets ashmem_device; any longer name is expected to get
# ashmem_libcutils_device.
/dev/ashmem ashmem_device
/dev/ashmemtest ashmem_libcutils_device
/dev/ashmem-test ashmem_libcutils_device
/dev/ashmem/test ashmem_libcutils_device
/dev/audio audio_device
/dev/audiotest audio_device
/dev/audio-test audio_device
/dev/audio/test audio_device
/dev/binder binder_device
# Block devices. Negative case: /dev/block123 is not under /dev/block/ and is
# expected to get the generic device type, not block_device.
/dev/block block_device
/dev/block/does_not_exist block_device
/dev/block123 device
/dev/block/by-name/zoned_device zoned_block_device
# Negative cases: "dm" and "dm-" without a number are expected to stay
# block_device rather than dm_device.
/dev/block/dm-0 dm_device
/dev/block/dm-123 dm_device
/dev/block/dm block_device
/dev/block/dm- block_device
# Negative case: bare "ublkb" is expected to stay block_device.
/dev/block/ublkb0 ublk_block_device
/dev/block/ublkb123 ublk_block_device
/dev/block/ublkb block_device
# Unlike dm/ublkb above, bare "loop" is itself expected to be loop_device.
/dev/block/loop0 loop_device
/dev/block/loop10 loop_device
/dev/block/loop loop_device
# Negative cases: "vd" and "vd1a" are expected to stay block_device.
/dev/block/vda vd_device
/dev/block/vdb vd_device
/dev/block/vda0 vd_device
/dev/block/vda10 vd_device
/dev/block/vd block_device
/dev/block/vd1a block_device
/dev/block/vold block_device
/dev/block/vold/disk:253,32 vold_device
/dev/block/ram ram_device
/dev/block/ram0 ram_device
/dev/block/ram10 ram_device
/dev/block/zram ram_device
/dev/block/zram0 ram_device
/dev/block/zram10 ram_device
/dev/boringssl/selftest boringssl_self_test_marker
/dev/boringssl/selftest/test boringssl_self_test_marker
/dev/bus/usb usb_device
/dev/bus/usb/001 usb_device
/dev/console console_device
/dev/cpu_variant: dev_cpu_variant
/dev/cpu_variant:test dev_cpu_variant
# DMA-BUF heaps: the system and system-secure heaps are expected to keep
# their own types, distinct from the generic dmabuf_heap_device.
/dev/dma_heap dmabuf_heap_device
/dev/dma_heap/test dmabuf_heap_device
/dev/dma_heap/system dmabuf_system_heap_device
/dev/dma_heap/system-uncached dmabuf_system_heap_device
/dev/dma_heap/system-secure dmabuf_system_secure_heap_device
/dev/dma_heap/system-secure-test dmabuf_system_secure_heap_device
/dev/dma_heap/system-secure/test dmabuf_system_secure_heap_device
/dev/dm-user dm_user_device
/dev/dm-user/test dm_user_device
/dev/ublk-control ublk_control_device
/dev/device-mapper dm_device
/dev/eac audio_device
/dev/event-log-tags runtime_event_log_tags_file
/dev/cgroup_info cgroup_rc_file
/dev/cgroup_info/cgroup.rc cgroup_rc_file
/dev/fscklogs fscklogs
/dev/fscklogs/fsck fscklogs
/dev/fuse fuse_device
/dev/gnss0 gnss_device
/dev/gnss10 gnss_device
/dev/graphics graphics_device
/dev/graphics/test graphics_device
/dev/hidraw0 hidraw_device
/dev/hidraw1 hidraw_device
# /dev device nodes, one "<path> <expected type>" pair per line.
/dev/hw_random hw_random_device
/dev/hwbinder hwbinder_device
/dev/input input_device
/dev/input/event0 input_device
/dev/iio:device0 iio_device
/dev/iio:device1 iio_device
/dev/ion ion_device
/dev/keychord keychord_device
/dev/loop-control loop_control_device
/dev/modem radio_device
/dev/modem0 radio_device
/dev/modem-test radio_device
/dev/modem/test radio_device
/dev/mtp_usb mtp_device
/dev/pmsg0 pmsg_device
/dev/pn544 nfc_device
/dev/port port_device
/dev/ptmx ptmx_device
/dev/pvrsrvkm gpu_device
# kmsg and kmsg_debug are expected to keep separate types.
/dev/kmsg kmsg_device
/dev/kmsg_debug kmsg_debug_device
/dev/kvm kvm_device
/dev/null null_device
/dev/nvhdcp1 video_device
/dev/random random_device
/dev/rpmsg-omx0 rpmsg_device
/dev/rpmsg-omx1 rpmsg_device
/dev/rproc_user rpmsg_device
/dev/rtc0 rtc_device
/dev/rtc9 rtc_device
/dev/snd audio_device
/dev/snd/controlC0 audio_device
/dev/snd/timer audio_device
# /dev/socket: an unlisted socket name is expected to fall back to
# socket_device; the named sockets below each get a dedicated type.
/dev/socket socket_device
/dev/socket/does_not_exist socket_device
/dev/socket/adbd adbd_socket
/dev/socket/aconfigd aconfigd_socket
# Per-daemon sockets under /dev/socket, each expected to carry its own type.
/dev/socket/dnsproxyd dnsproxyd_socket
/dev/socket/dumpstate dumpstate_socket
/dev/socket/fwmarkd fwmarkd_socket
/dev/socket/lmkd lmkd_socket
# logd, logdr and logdw share a name prefix but are expected to resolve to
# three distinct types.
/dev/socket/logd logd_socket
/dev/socket/logdr logdr_socket
/dev/socket/logdw logdw_socket
/dev/socket/statsdw statsdw_socket
# Same for mdns vs. mdnsd.
/dev/socket/mdns mdns_socket
/dev/socket/mdnsd mdnsd_socket
# The ot-daemon path with a trailing slash and the entries beneath it are
# expected to share ot_daemon_socket.
/dev/socket/ot-daemon/ ot_daemon_socket
/dev/socket/ot-daemon/thread-wpan ot_daemon_socket
/dev/socket/ot-daemon/100 ot_daemon_socket
# pdx sockets: each service directory is expected to get a *_dir type, and
# each endpoint beneath it a separate *_endpoint_socket type.
/dev/socket/pdx/system/buffer_hub pdx_bufferhub_dir
/dev/socket/pdx/system/buffer_hub/client pdx_bufferhub_client_endpoint_socket
/dev/socket/pdx/system/performance pdx_performance_dir
/dev/socket/pdx/system/performance/client pdx_performance_client_endpoint_socket
/dev/socket/pdx/system/vr/display pdx_display_dir
/dev/socket/pdx/system/vr/display/client pdx_display_client_endpoint_socket
/dev/socket/pdx/system/vr/display/manager pdx_display_manager_endpoint_socket
/dev/socket/pdx/system/vr/display/screenshot pdx_display_screenshot_endpoint_socket
/dev/socket/pdx/system/vr/display/vsync pdx_display_vsync_endpoint_socket
/dev/socket/prng_seeder prng_seeder_socket
# Both property service sockets are expected to share property_socket.
/dev/socket/property_service property_socket
/dev/socket/property_service_for_system property_socket
# Remaining /dev/socket entries, then the rest of /dev.
/dev/socket/recovery recovery_socket
# rild and rild-debug are expected to keep separate types.
/dev/socket/rild rild_socket
/dev/socket/rild-debug rild_debug_socket
/dev/socket/snapuserd snapuserd_socket
/dev/socket/snapuserd_proxy snapuserd_proxy_socket
/dev/socket/tombstoned_crash tombstoned_crash_socket
/dev/socket/tombstoned_java_trace tombstoned_java_trace_socket
/dev/socket/tombstoned_intercept tombstoned_intercept_socket
/dev/socket/traced_consumer traced_consumer_socket
/dev/socket/traced_perf traced_perf_socket
/dev/socket/traced_producer traced_producer_socket
/dev/socket/heapprofd heapprofd_socket
/dev/socket/uncrypt uncrypt_socket
/dev/socket/wpa_eth0 wpa_socket
/dev/socket/wpa_eth9 wpa_socket
/dev/socket/wpa_wlan0 wpa_socket
/dev/socket/wpa_wlan9 wpa_socket
# The zygote sockets and both usap_pool sockets are expected to share
# zygote_socket.
/dev/socket/zygote zygote_socket
/dev/socket/zygote_secondary zygote_socket
/dev/socket/usap_pool_primary zygote_socket
/dev/socket/usap_pool_secondary zygote_socket
/dev/spdif_out audio_device
/dev/spdif_out-test audio_device
/dev/spdif_out/test audio_device
# by-name sysdev entries: the exact name and children under it get the
# *_sysdev type. Negative cases: a "-test" suffix on the name is expected
# to fall back to the generic device type.
/dev/sys/block/by-name/rootdisk rootdisk_sysdev
/dev/sys/block/by-name/rootdisk/test rootdisk_sysdev
/dev/sys/block/by-name/rootdisk-test device
/dev/sys/block/by-name/userdata userdata_sysdev
/dev/sys/block/by-name/userdata/test userdata_sysdev
/dev/sys/block/by-name/userdata-test device
/dev/sys/fs/by-name/userdata userdata_sysdev
/dev/sys/fs/by-name/userdata/test userdata_sysdev
/dev/sys/fs/by-name/userdata-test device
# Bare /dev/tty is expected to be owntty_device; numbered ttys are
# tty_device.
/dev/tty owntty_device
/dev/tty0 tty_device
/dev/tty1 tty_device
/dev/ttyS serial_device
/dev/ttyS0 serial_device
/dev/ttyS99 serial_device
/dev/ttyUSB usb_serial_device
/dev/ttyUSB0 usb_serial_device
/dev/ttyUSB99 usb_serial_device
/dev/ttyACM usb_serial_device
/dev/ttyACM0 usb_serial_device
/dev/ttyACM99 usb_serial_device
/dev/tun tun_device
/dev/uhid uhid_device
/dev/uinput uhid_device
/dev/uio uio_device
/dev/uio0 uio_device
/dev/uio9 uio_device
/dev/urandom random_device
/dev/usb_accessory usbaccessory_device
/dev/v4l-touch input_device
/dev/v4l-touch0 input_device
/dev/v4l-touch10 input_device
# Negative case: /dev/vfio-test is expected to get the generic device type,
# while /dev/vfio and its children get vfio_device.
/dev/vfio vfio_device
/dev/vfio/test vfio_device
/dev/vfio-test device
/dev/vhost-vsock kvm_device
/dev/video video_device
/dev/video0 video_device
/dev/video99 video_device
/dev/vndbinder vndbinder_device
/dev/watchdog watchdog_device
/dev/xt_qtaguid qtaguid_device
/dev/zero zero_device
# property_info is expected to keep its own type at both locations; the
# appcompat_override directory itself is properties_device.
/dev/__properties__ properties_device
/dev/__properties__/property_info property_info
/dev/__properties__/appcompat_override properties_device
/dev/__properties__/appcompat_override/property_info property_info
# /linkerconfig and /system, one "<path> <expected type>" pair per line.
/linkerconfig linkerconfig_file
/linkerconfig/test linkerconfig_file
# /system: a path that no specific rule covers is expected to be system_file.
/system system_file
/system/does_not_exist system_file
/system/apex/com.android.art art_apex_dir
/system/lib system_lib_file
/system/lib64 system_lib_file
/system/lib/does_not_exist system_lib_file
/system/lib64/does_not_exist system_lib_file
/system/lib/bootstrap system_bootstrap_lib_file
/system/lib64/bootstrap system_bootstrap_lib_file
/system/lib/bootstrap/test system_bootstrap_lib_file
/system/lib64/bootstrap/test system_bootstrap_lib_file
# /system/bin executables. A *_exec type is what the policy keys on for
# each binary, so near-miss names are included as negative cases and are
# expected to stay plain system_file.
/system/bin/mm_events mm_events_exec
/system/bin/atrace atrace_exec
/system/bin/auditctl auditctl_exec
/system/bin/bcc rs_exec
/system/bin/blank_screen blank_screen_exec
# Negative case: only the 32 and 64 suffixes are expected to match;
# "...31" stays system_file.
/system/bin/boringssl_self_test32 boringssl_self_test_exec
/system/bin/boringssl_self_test64 boringssl_self_test_exec
/system/bin/boringssl_self_test31 system_file
/system/bin/prng_seeder prng_seeder_exec
/system/bin/charger charger_exec
/system/bin/e2fsdroid e2fs_exec
/system/bin/mke2fs e2fs_exec
/system/bin/e2fsck fsck_exec
/system/bin/extra_free_kbytes.sh extra_free_kbytes_exec
/system/bin/fsck.exfat fsck_exec
/system/bin/fsck.f2fs fsck_exec
/system/bin/init init_exec
# mini-keyctl is expected to share toolbox_exec with toolbox and toybox.
/system/bin/mini-keyctl toolbox_exec
/system/bin/fsverity_init fsverity_init_exec
/system/bin/sload_f2fs e2fs_exec
/system/bin/make_f2fs e2fs_exec
/system/bin/fsck_msdos fsck_exec
/system/bin/tcpdump tcpdump_exec
/system/bin/tune2fs fsck_exec
/system/bin/resize2fs fsck_exec
/system/bin/toolbox toolbox_exec
/system/bin/toybox toolbox_exec
/system/bin/ld.mc rs_exec
/system/bin/logcat logcat_exec
/system/bin/logcatd logcat_exec
/system/bin/sh shell_exec
/system/bin/run-as runas_exec
/system/bin/bootanimation bootanim_exec
/system/bin/bootstat bootstat_exec
/system/bin/app_process32 zygote_exec
/system/bin/app_process64 zygote_exec
/system/bin/servicemanager servicemanager_exec
/system/bin/surfaceflinger surfaceflinger_exec
/system/bin/gpuservice gpuservice_exec
/system/bin/bufferhubd bufferhubd_exec
/system/bin/performanced performanced_exec
/system/bin/drmserver drmserver_exec
/system/bin/drmserver32 drmserver_exec
/system/bin/drmserver64 drmserver_exec
/system/bin/dumpstate dumpstate_exec
# incident, incidentd and incident_helper share a prefix but are expected
# to resolve to three distinct types.
/system/bin/incident incident_exec
/system/bin/incidentd incidentd_exec
/system/bin/incident_helper incident_helper_exec
/system/bin/iw iw_exec
/system/bin/netutils-wrapper-1.0 netutils_wrapper_exec
/system/bin/vold vold_exec
/system/bin/netd netd_exec
/system/bin/wificond wificond_exec
/system/bin/audioserver audioserver_exec
/system/bin/mediadrmserver mediadrmserver_exec
/system/bin/mediaserver mediaserver_exec
/system/bin/mediaserver32 mediaserver_exec
/system/bin/mediaserver64 mediaserver_exec
/system/bin/mediametrics mediametrics_exec
/system/bin/cameraserver cameraserver_exec
/system/bin/mediaextractor mediaextractor_exec
/system/bin/mediaswcodec mediaswcodec_exec
/system/bin/mediatranscoding mediatranscoding_exec
/system/bin/mediatuner mediatuner_exec
/system/bin/mdnsd mdnsd_exec
/system/bin/ot-ctl ot_ctl_exec
# /system/bin executables, one "<path> <expected type>" pair per line.
/system/bin/installd installd_exec
/system/bin/otapreopt_chroot otapreopt_chroot_exec
/system/bin/otapreopt_slot otapreopt_slot_exec
/system/bin/credstore credstore_exec
# keystore and keystore2 are expected to share keystore_exec.
/system/bin/keystore keystore_exec
/system/bin/keystore2 keystore_exec
/system/bin/fingerprintd fingerprintd_exec
/system/bin/gatekeeperd gatekeeperd_exec
/system/bin/tombstoned tombstoned_exec
/system/bin/recovery-persist recovery_persist_exec
/system/bin/recovery-refresh recovery_refresh_exec
/system/bin/sdcard sdcardd_exec
/system/bin/snapshotctl snapshotctl_exec
/system/bin/remount remount_exec
/system/bin/dhcpcd dhcp_exec
/system/bin/dhcpcd-6.8.2 dhcp_exec
/system/bin/dmesgd dmesgd_exec
# su_exec is expected on /system/xbin/su; /sbin/su is tested as rootfs near
# the top of this file.
/system/xbin/su su_exec
/system/bin/dnsmasq dnsmasq_exec
# Negative cases: "linker" and "linker64" are expected to be
# system_linker_exec, while "linker63" stays system_file. The same three
# names are repeated under bootstrap/. "linkerconfig" shares the prefix but
# is expected to get linkerconfig_exec.
/system/bin/linker system_linker_exec
/system/bin/linker64 system_linker_exec
/system/bin/linker63 system_file
/system/bin/linkerconfig linkerconfig_exec
/system/bin/bootstrap/linker system_linker_exec
/system/bin/bootstrap/linker64 system_linker_exec
/system/bin/bootstrap/linker63 system_file
/system/bin/bootstrap/linkerconfig linkerconfig_exec
/system/bin/llkd llkd_exec
/system/bin/lmkd lmkd_exec
/system/bin/usbd usbd_exec
/system/bin/inputflinger inputflinger_exec
/system/bin/logd logd_exec
/system/bin/lpdumpd lpdumpd_exec
/system/bin/rss_hwm_reset rss_hwm_reset_exec
/system/bin/perfetto perfetto_exec
/system/bin/misctrl misctrl_exec
# Each of these control binaries is expected to have its own *_exec type.
/system/bin/mtectrl mtectrl_exec
/system/bin/kcmdlinectrl kcmdlinectrl_exec
# /system/bin executables, one "<path> <expected type>" pair per line.
# traced, traced_perf and traced_probes share a prefix but are expected to
# resolve to three distinct types.
/system/bin/traced traced_exec
/system/bin/traced_perf traced_perf_exec
/system/bin/traced_probes traced_probes_exec
/system/bin/heapprofd heapprofd_exec
/system/bin/uncrypt uncrypt_exec
/system/bin/update_verifier update_verifier_exec
# logwrapper is listed with plain system_file, i.e. no dedicated *_exec type
# is expected for it.
/system/bin/logwrapper system_file
/system/bin/vdc vdc_exec
/system/bin/cppreopts.sh cppreopts_exec
/system/bin/preloads_copy.sh preloads_copy_exec
/system/bin/preopt2cachename preopt2cachename_exec
/system/bin/viewcompiler viewcompiler_exec
/system/bin/sgdisk sgdisk_exec
/system/bin/blkid blkid_exec
/system/bin/flags_health_check flags_health_check_exec
/system/bin/idmap2 idmap_exec
/system/bin/idmap2d idmap_exec
/system/bin/update_engine update_engine_exec
/system/bin/update_engine_nostats update_engine_exec
# profcollectd and profcollectctl are expected to share profcollectd_exec.
/system/bin/profcollectd profcollectd_exec
/system/bin/profcollectctl profcollectd_exec
/system/bin/storaged storaged_exec
/system/bin/virtual_camera virtual_camera_exec
# A /system/bin daemon, two services under /system/bin/hw, and the first
# /system/etc entry.
/system/bin/virtual_touchpad virtual_touchpad_exec
/system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec
/system/bin/hw/android.system.suspend-service system_suspend_exec
/system/etc/aconfig system_aconfig_storage_file
# Configuration files under /system/etc, each expected to resolve to its own
# dedicated type.
# cgroups_0.json / cgroups_999.json and ld.config. / ld.config.test look like
# sample expansions of one pattern each (a minimal and a longer match) —
# confirm against private/file_contexts.
/system/etc/cgroups.json cgroup_desc_file
/system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file
/system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file
/system/etc/event-log-tags system_event_log_tags_file
/system/etc/font_fallback.xml system_font_fallback_file
/system/etc/group system_group_file
/system/etc/ld.config. system_linker_config_file
/system/etc/ld.config.test system_linker_config_file
/system/etc/passwd system_passwd_file
/system/etc/perfetto/persistent_cfg.pbtxt system_perfetto_config_file
# Policy and trust material under /system/etc: seccomp policies, CA
# certificates and the platform SELinux policy and context files. The type a
# path resolves to decides which domains the policy lets access it, so each
# path here is pinned to exactly one expected type.
# Directories are listed together with one sample child (cacerts/123,
# seccomp_policy/crash_dump.x86.policy).
/system/etc/seccomp_policy system_seccomp_policy_file
/system/etc/seccomp_policy/crash_dump.x86.policy system_seccomp_policy_file
/system/etc/security/cacerts system_security_cacerts_file
/system/etc/security/cacerts/123 system_security_cacerts_file
/system/etc/selinux/mapping/30.0.cil sepolicy_file
# NOTE(review): the next entry is commented out and no reason is recorded in
# this file, so the compat mapping path is not checked — confirm whether that
# is intentional.
#/system/etc/selinux/mapping/30.compat.0.cil sepolicy_file
/system/etc/selinux/plat_mac_permissions.xml mac_perms_file
/system/etc/selinux/plat_property_contexts property_contexts_file
/system/etc/selinux/plat_service_contexts service_contexts_file
/system/etc/selinux/plat_hwservice_contexts hwservice_contexts_file
/system/etc/selinux/plat_keystore2_key_contexts keystore2_key_contexts_file
/system/etc/selinux/plat_file_contexts file_contexts_file
/system/etc/selinux/plat_seapp_contexts seapp_contexts_file
/system/etc/selinux/plat_sepolicy.cil sepolicy_file
/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 sepolicy_file
# Task profiles (the numbered files resolve to the *_api_file type), time zone
# data, and two more /system/bin executables.
/system/etc/task_profiles.json task_profiles_file
/system/etc/task_profiles/task_profiles_0.json task_profiles_api_file
/system/etc/task_profiles/task_profiles_99.json task_profiles_api_file
/system/usr/share/zoneinfo system_zoneinfo_file
/system/usr/share/zoneinfo/0 system_zoneinfo_file
/system/bin/adbd adbd_exec
/system/bin/aconfigd aconfigd_exec
# More /system/bin executables and their expected *_exec types.
# Several paths share one type: bpfloader and netbpfload, the two
# automotive_display_service_exec entries, and evsmanagerd with the
# android.automotive.evs.manager@1.x names (1.0 and 1.99 are presumably
# sample expansions of a version pattern).
/system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
/system/bin/stats stats_exec
/system/bin/statsd statsd_exec
/system/bin/bpfloader bpfloader_exec
/system/bin/netbpfload bpfloader_exec
/system/bin/watchdogd watchdogd_exec
/system/bin/apexd apexd_exec
/system/bin/gsid gsid_exec
/system/bin/simpleperf simpleperf_exec
/system/bin/simpleperf_app_runner simpleperf_app_runner_exec
/system/bin/migrate_legacy_obb_data migrate_legacy_obb_data_exec
/system/bin/android.frameworks.automotive.display@1.0-service automotive_display_service_exec
/system/bin/snapuserd snapuserd_exec
/system/bin/odsign odsign_exec
/system/bin/vehicle_binding_util vehicle_binding_util_exec
/system/bin/cardisplayproxyd automotive_display_service_exec
/system/bin/evsmanagerd evsmanagerd_exec
/system/bin/android.automotive.evs.manager@1.0 evsmanagerd_exec
/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
/system/bin/uprobestats uprobestats_exec
/system/bin/trace_redactor trace_redactor_exec
# /vendor and its /system/vendor counterpart are listed side by side and are
# expected to resolve to the same type.
# The does_not_exist entries presumably stand for an arbitrary path that only
# a catch-all rule matches, so they pin the fallback type of the directory.
/vendor vendor_file
/vendor/does_not_exist vendor_file
/system/vendor vendor_file
/system/vendor/does_not_exist vendor_file
# The vendor shell and toolbox get their own exec types instead of the
# vendor_file fallback.
/vendor/bin/sh vendor_shell_exec
/system/vendor/bin/sh vendor_shell_exec
/vendor/bin/toybox_vendor vendor_toolbox_exec
/system/vendor/bin/toybox_vendor vendor_toolbox_exec
/vendor/bin/toolbox vendor_toolbox_exec
/system/vendor/bin/toolbox vendor_toolbox_exec
/vendor/etc vendor_configs_file
/vendor/etc/does_not_exist vendor_configs_file
/vendor/etc/aconfig vendor_aconfig_storage_file
# Vendor configuration paths, checked for /vendor and /system/vendor alike.
/system/vendor/etc vendor_configs_file
/system/vendor/etc/does_not_exist vendor_configs_file
/vendor/etc/cgroups.json vendor_cgroup_desc_file
/system/vendor/etc/cgroups.json vendor_cgroup_desc_file
/vendor/etc/task_profiles.json vendor_task_profiles_file
/system/vendor/etc/task_profiles.json vendor_task_profiles_file
# Vendor library directories, each checked for lib and lib64 and for the
# directory plus one child: egl -> same_process_hal_file,
# vndk-sp -> vndk_sp_file.
/vendor/lib/egl same_process_hal_file
/vendor/lib64/egl same_process_hal_file
/vendor/lib/egl/test same_process_hal_file
/vendor/lib64/egl/test same_process_hal_file
/system/vendor/lib/egl same_process_hal_file
/system/vendor/lib64/egl same_process_hal_file
/system/vendor/lib/egl/test same_process_hal_file
/system/vendor/lib64/egl/test same_process_hal_file
/vendor/lib/vndk-sp vndk_sp_file
/vendor/lib64/vndk-sp vndk_sp_file
/vendor/lib/vndk-sp/test vndk_sp_file
/vendor/lib64/vndk-sp/test vndk_sp_file
/system/vendor/lib/vndk-sp vndk_sp_file
/system/vendor/lib64/vndk-sp vndk_sp_file
/system/vendor/lib/vndk-sp/test vndk_sp_file
/system/vendor/lib64/vndk-sp/test vndk_sp_file
# Manifest, compatibility matrix and vintf data are expected to be
# vendor_configs_file even where they sit directly under /vendor.
/vendor/manifest.xml vendor_configs_file
/system/vendor/manifest.xml vendor_configs_file
/vendor/compatibility_matrix.xml vendor_configs_file
/system/vendor/compatibility_matrix.xml vendor_configs_file
/vendor/etc/vintf vendor_configs_file
/vendor/etc/vintf/test vendor_configs_file
/system/vendor/etc/vintf vendor_configs_file
/system/vendor/etc/vintf/test vendor_configs_file
# app and priv-app both resolve to vendor_app_file.
/vendor/app vendor_app_file
/vendor/app/test vendor_app_file
/system/vendor/app vendor_app_file
/system/vendor/app/test vendor_app_file
/vendor/priv-app vendor_app_file
/vendor/priv-app/test vendor_app_file
/system/vendor/priv-app vendor_app_file
/system/vendor/priv-app/test vendor_app_file
# NOTE(review): boot_otas has no /system/vendor counterpart here, and its
# directory entry ends with a slash, unlike the other directory entries in
# this file — confirm both are intended.
/vendor/boot_otas/ vendor_boot_ota_file
/vendor/boot_otas/test vendor_boot_ota_file
# Vendor overlay and framework directories, each with one sample child, for
# /vendor and /system/vendor.
/vendor/overlay vendor_overlay_file
/vendor/overlay/test vendor_overlay_file
/system/vendor/overlay vendor_overlay_file
/system/vendor/overlay/test vendor_overlay_file
/vendor/framework vendor_framework_file
/vendor/framework/test vendor_framework_file
/system/vendor/framework vendor_framework_file
/system/vendor/framework/test vendor_framework_file
# The microdroid directory is listed for /vendor only; there is no
# /system/vendor entry for it in this file.
/vendor/etc/avf/microdroid vendor_microdroid_file
/vendor/etc/avf/microdroid/test vendor_microdroid_file
# /vendor/apex depth check: the directory and paths one or two levels below
# it are expected to be vendor_apex_file, while a path three levels below
# (test/test/test) is expected to be plain vendor_file again. This pins where
# the vendor_apex_file label stops applying.
/vendor/apex vendor_apex_file
/vendor/apex/test vendor_apex_file
/vendor/apex/test/test vendor_apex_file
/vendor/apex/test/test/test vendor_file
/system/vendor/apex vendor_apex_file
/system/vendor/apex/test vendor_apex_file
/system/vendor/apex/test/test vendor_apex_file
/system/vendor/apex/test/test/test vendor_file
# Vendor executables with dedicated types; boringssl_self_test is checked
# with both the 32 and 64 suffix.
/vendor/bin/misc_writer vendor_misc_writer_exec
/system/vendor/bin/misc_writer vendor_misc_writer_exec
/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
/system/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
/system/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
# Only the hw directories themselves are listed here, without a child entry.
/vendor/lib/hw vendor_hal_file
/vendor/lib64/hw vendor_hal_file
/system/vendor/lib/hw vendor_hal_file
/system/vendor/lib64/hw vendor_hal_file
/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
/system/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
# /odm and its /vendor/odm counterpart: expected to resolve to the same
# vendor_* types as the matching /vendor paths.
/odm vendor_file
/odm/does_not_exist vendor_file
/vendor/odm vendor_file
# NOTE(review): the next path repeats /vendor/does_not_exist, which is already
# listed with the /vendor entries. Going by the pairs around it,
# /vendor/odm/does_not_exist was probably intended; as written, no entry checks
# an unmatched child of /vendor/odm — confirm.
/vendor/does_not_exist vendor_file
/odm/lib/egl same_process_hal_file
/odm/lib64/egl same_process_hal_file
/odm/lib/egl/test same_process_hal_file
/odm/lib64/egl/test same_process_hal_file
/vendor/odm/lib/egl same_process_hal_file
/vendor/odm/lib64/egl same_process_hal_file
/vendor/odm/lib/egl/test same_process_hal_file
/vendor/odm/lib64/egl/test same_process_hal_file
/odm/lib/hw vendor_hal_file
/odm/lib64/hw vendor_hal_file
/vendor/odm/lib/hw vendor_hal_file
/vendor/odm/lib64/hw vendor_hal_file
/odm/lib/vndk-sp vndk_sp_file
/odm/lib64/vndk-sp vndk_sp_file
/odm/lib/vndk-sp/test vndk_sp_file
/odm/lib64/vndk-sp/test vndk_sp_file
/vendor/odm/lib/vndk-sp vndk_sp_file
/vendor/odm/lib64/vndk-sp vndk_sp_file
/vendor/odm/lib/vndk-sp/test vndk_sp_file
/vendor/odm/lib64/vndk-sp/test vndk_sp_file
/odm/bin/sh vendor_shell_exec
/vendor/odm/bin/sh vendor_shell_exec
/odm/etc vendor_configs_file
/odm/etc/test vendor_configs_file
/vendor/odm/etc vendor_configs_file
/vendor/odm/etc/test vendor_configs_file
/odm/app vendor_app_file
/odm/app/test vendor_app_file
/vendor/odm/app vendor_app_file
/vendor/odm/app/test vendor_app_file
/odm/priv-app vendor_app_file
/odm/priv-app/test vendor_app_file
/vendor/odm/priv-app vendor_app_file
/vendor/odm/priv-app/test vendor_app_file
/odm/overlay vendor_overlay_file
/odm/overlay/test vendor_overlay_file
/vendor/odm/overlay vendor_overlay_file
/vendor/odm/overlay/test vendor_overlay_file
/odm/framework vendor_framework_file
/odm/framework/test vendor_framework_file
/vendor/odm/framework vendor_framework_file
/vendor/odm/framework/test vendor_framework_file
# From here on each file kind is checked under four roots: /odm, /vendor/odm,
# /vendor and /system/vendor.
# hal_uuid_map_.xml and hal_uuid_map_test.xml presumably cover the empty and
# the non-empty match of a wildcard in the file name.
/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
/vendor/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
/vendor/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
/system/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
/system/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
# Input device files under usr/: key layouts (.kl), key character maps (.kcm)
# and .idc files. Each is listed once with the extension directly after the
# directory name (keylayout.kl) and once as a file inside the directory
# (keylayout/test.kl).
/odm/usr/keylayout.kl vendor_keylayout_file
/odm/usr/keylayout/test.kl vendor_keylayout_file
/vendor/odm/usr/keylayout.kl vendor_keylayout_file
/vendor/odm/usr/keylayout/test.kl vendor_keylayout_file
/vendor/usr/keylayout.kl vendor_keylayout_file
/vendor/usr/keylayout/test.kl vendor_keylayout_file
/system/vendor/usr/keylayout.kl vendor_keylayout_file
/system/vendor/usr/keylayout/test.kl vendor_keylayout_file
/odm/usr/keychars.kcm vendor_keychars_file
/odm/usr/keychars/test.kcm vendor_keychars_file
/vendor/odm/usr/keychars.kcm vendor_keychars_file
/vendor/odm/usr/keychars/test.kcm vendor_keychars_file
/vendor/usr/keychars.kcm vendor_keychars_file
/vendor/usr/keychars/test.kcm vendor_keychars_file
/system/vendor/usr/keychars.kcm vendor_keychars_file
/system/vendor/usr/keychars/test.kcm vendor_keychars_file
/odm/usr/idc.idc vendor_idc_file
/odm/usr/idc/test.idc vendor_idc_file
/vendor/odm/usr/idc.idc vendor_idc_file
/vendor/odm/usr/idc/test.idc vendor_idc_file
/vendor/usr/idc.idc vendor_idc_file
/vendor/usr/idc/test.idc vendor_idc_file
/system/vendor/usr/idc.idc vendor_idc_file
/system/vendor/usr/idc/test.idc vendor_idc_file
# /oem: the directory and an unmatched child are oemfs; the three animation
# archives under /oem/media are expected to be bootanim_oem_file instead.
/oem oemfs
/oem/does_not_exist oemfs
/oem/media/bootanimation.zip bootanim_oem_file
/oem/media/shutdownanimation.zip bootanim_oem_file
/oem/media/userspace-reboot.zip bootanim_oem_file
# /oem/overlay is expected to be vendor_overlay_file rather than oemfs.
/oem/overlay vendor_overlay_file
/oem/overlay/does_not_exist vendor_overlay_file
# ODM SELinux policy and context files, checked under /odm and /vendor/odm.
# The two precompiled_sepolicy entries are listed for /odm only.
# odm_service_contexts is expected to be vendor_service_contexts_file, not
# service_contexts_file.
/odm/etc/selinux/precompiled_sepolicy sepolicy_file
/odm/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 sepolicy_file
/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
/vendor/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
/odm/etc/selinux/odm_file_contexts file_contexts_file
/vendor/odm/etc/selinux/odm_file_contexts file_contexts_file
/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
/vendor/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
/odm/etc/selinux/odm_property_contexts property_contexts_file
/vendor/odm/etc/selinux/odm_property_contexts property_contexts_file
/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
/vendor/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
/vendor/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
/vendor/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
# /product and its /system/product counterpart: the fallback type is
# system_file, and the group/passwd files get the same types as their
# /system/etc equivalents.
/product system_file
/product/does_not_exist system_file
/system/product system_file
/system/product/does_not_exist system_file
/product/etc/group system_group_file
/system/product/etc/group system_group_file
/product/etc/passwd system_passwd_file
/system/product/etc/passwd system_passwd_file
# The product overlay directory is expected to be system_file.
/product/overlay system_file
/product/overlay/does_not_exist system_file
/system/product/overlay system_file
/system/product/overlay/does_not_exist system_file
# Product SELinux context files, one entry per file and root.
/product/etc/selinux/product_file_contexts file_contexts_file
/system/product/etc/selinux/product_file_contexts file_contexts_file
/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
/system/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
/system/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
/product/etc/selinux/product_property_contexts property_contexts_file
/system/product/etc/selinux/product_property_contexts property_contexts_file
/product/etc/selinux/product_seapp_contexts seapp_contexts_file
/system/product/etc/selinux/product_seapp_contexts seapp_contexts_file
/product/etc/selinux/product_service_contexts service_contexts_file
/system/product/etc/selinux/product_service_contexts service_contexts_file
/product/etc/selinux/product_mac_permissions.xml mac_perms_file
/system/product/etc/selinux/product_mac_permissions.xml mac_perms_file
/product/lib system_lib_file
/product/lib/does_not_exist system_lib_file
/product/lib64 system_lib_file
/product/lib64/does_not_exist system_lib_file
/system/product/lib system_lib_file
/system/product/lib/does_not_exist system_lib_file
/system/product/lib64 system_lib_file
/system/product/lib64/does_not_exist system_lib_file
# /system_ext and its /system/system_ext counterpart: fallback type
# system_file, with group/passwd typed as under /system/etc.
/system_ext system_file
/system_ext/does_not_exist system_file
/system/system_ext system_file
/system/system_ext/does_not_exist system_file
/system_ext/etc/group system_group_file
/system/system_ext/etc/group system_group_file
/system_ext/etc/passwd system_passwd_file
/system/system_ext/etc/passwd system_passwd_file
# NOTE(review): the system_ext overlay directory is expected to be
# vendor_overlay_file, whereas this file expects system_file for
# /product/overlay. The test only records what file_contexts yields; confirm
# the difference is intended.
/system_ext/overlay vendor_overlay_file
/system_ext/overlay/does_not_exist vendor_overlay_file
/system/system_ext/overlay vendor_overlay_file
/system/system_ext/overlay/does_not_exist vendor_overlay_file
# aconfig storage under /system_ext and /product uses the system type; neither
# entry has a /system/... counterpart here.
/system_ext/etc/aconfig system_aconfig_storage_file
/product/etc/aconfig system_aconfig_storage_file
# system_ext SELinux context and policy files, each checked under /system_ext
# and /system/system_ext.
/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
/system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
/system/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
/system/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
/system/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
/system/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
/system/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
/system/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
/system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
# system_ext executables. The *_lazy_test_server and *_lazy_cb_test_server
# binaries share one type per family (aidl, hidl).
/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
/system/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
/system/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
/system/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
/system/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
/system_ext/bin/hwservicemanager hwservicemanager_exec
/system/system_ext/bin/hwservicemanager hwservicemanager_exec
/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
/system/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
# canhalconfigurator and its -aidl variant share one exec type.
/system_ext/bin/canhalconfigurator canhalconfigurator_exec
/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
/system_ext/lib system_lib_file
/system_ext/lib/does_not_exist system_lib_file
/system_ext/lib64 system_lib_file
/system_ext/lib64/does_not_exist system_lib_file
/system/system_ext/lib system_lib_file
/system/system_ext/lib/does_not_exist system_lib_file
/system/system_ext/lib64 system_lib_file
/system/system_ext/lib64/does_not_exist system_lib_file
# vendor_dlkm and odm_dlkm are each checked under three roots: the top-level
# directory, /vendor and /system/vendor. Both fall back to vendor_file, with
# etc/ resolving to vendor_configs_file.
/vendor_dlkm vendor_file
/vendor_dlkm/does_not_exist vendor_file
/vendor/vendor_dlkm vendor_file
/vendor/vendor_dlkm/does_not_exist vendor_file
/system/vendor/vendor_dlkm vendor_file
/system/vendor/vendor_dlkm/does_not_exist vendor_file
/vendor_dlkm/etc vendor_configs_file
/vendor_dlkm/etc/does_not_exist vendor_configs_file
/vendor/vendor_dlkm/etc vendor_configs_file
/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
/system/vendor/vendor_dlkm/etc vendor_configs_file
/system/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
/odm_dlkm vendor_file
/odm_dlkm/does_not_exist vendor_file
/vendor/odm_dlkm vendor_file
/vendor/odm_dlkm/does_not_exist vendor_file
/system/vendor/odm_dlkm vendor_file
/system/vendor/odm_dlkm/does_not_exist vendor_file
/odm_dlkm/etc vendor_configs_file
/odm_dlkm/etc/does_not_exist vendor_configs_file
/vendor/odm_dlkm/etc vendor_configs_file
/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
/system/vendor/odm_dlkm/etc vendor_configs_file
/system/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
# Files under a numbered product vendor_overlay directory are expected to be
# vendor_file even though they live under /product (0 and 1 are presumably
# sample expansions of a numeric pattern).
/product/vendor_overlay/0/test vendor_file
/product/vendor_overlay/1/test vendor_file
/system/product/vendor_overlay/0/test vendor_file
/system/product/vendor_overlay/1/test vendor_file
# /data: the directory itself is system_data_root_file, while an unmatched
# child falls back to system_data_file. The entries below pin the
# subdirectories that must not receive that fallback.
/data system_data_root_file
/data/does_not_exist system_data_file
/data/system/environ environ_system_data_file
/data/system/environ/test environ_system_data_file
/data/system/packages.list packages_list_file
/data/system/game_mode_intervention.list game_mode_intervention_list_file
/data/unencrypted unencrypted_data_file
/data/unencrypted/test unencrypted_data_file
# /data/backup and /data/secure/backup share one type.
/data/backup backup_data_file
/data/backup/test backup_data_file
/data/secure/backup backup_data_file
/data/secure/backup/test backup_data_file
/data/system/ndebugsocket system_ndebug_socket
/data/system/unsolzygotesocket system_unsolzygote_socket
/data/drm drm_data_file
/data/drm/test drm_data_file
/data/resource-cache resourcecache_data_file
/data/resource-cache/test resourcecache_data_file
/data/dalvik-cache dalvikcache_data_file
/data/dalvik-cache/test dalvikcache_data_file
/data/ota ota_data_file
/data/ota/test ota_data_file
/data/ota_package ota_package_file
/data/ota_package/test ota_package_file
/data/adb adb_data_file
/data/adb/test adb_data_file
/data/anr anr_data_file
/data/anr/test anr_data_file
# /data/apex: the directory and a direct child are apex_data_file; children
# of active, backup and decompressed are staging_data_file; ota_reserved has
# its own type.
/data/apex apex_data_file
/data/apex/test apex_data_file
/data/apex/active/test staging_data_file
/data/apex/backup/test staging_data_file
/data/apex/decompressed/test staging_data_file
/data/apex/ota_reserved apex_ota_reserved_file
/data/apex/ota_reserved/test apex_ota_reserved_file
# /data/app: apk_data_file by default. An oat directory one or two levels
# below it (and its contents) is dalvikcache_data_file. vmdl*.tmp
# directories are apk_tmp_file, except for an oat subdirectory inside them,
# which is dalvikcache_data_file as well.
/data/app apk_data_file
/data/app/test apk_data_file
/data/app/test01/oat dalvikcache_data_file
/data/app/test01/oat/test dalvikcache_data_file
/data/app/test01/test02/oat dalvikcache_data_file
/data/app/test01/test02/oat/test dalvikcache_data_file
/data/app/vmdltest01.tmp apk_tmp_file
/data/app/vmdltest01.tmp/test apk_tmp_file
/data/app/vmdltest02.tmp/oat dalvikcache_data_file
/data/app/vmdltest02.tmp/oat/test dalvikcache_data_file
/data/app-metadata apk_metadata_file
/data/app-private apk_private_data_file
/data/app-private/test apk_private_data_file
/data/app-private/vmdltest.tmp apk_private_tmp_file
/data/app-private/vmdltest/does_not_exist.tmp apk_private_tmp_file
/data/app-private/vmdltest.tmp/test apk_private_tmp_file
/data/gsi gsi_data_file
/data/gsi/test gsi_data_file
/data/gsi_persistent_data gsi_persistent_data_file
/data/gsi/ota ota_image_data_file
/data/gsi/ota/test ota_image_data_file
/data/tombstones tombstone_data_file
/data/tombstones/test tombstone_data_file
/data/vendor/tombstones/wifi tombstone_wifi_data_file
/data/vendor/tombstones/wifi/test tombstone_wifi_data_file
/data/local/tests shell_test_data_file
/data/local/tests/test shell_test_data_file
/data/local/tmp shell_data_file
/data/local/tmp/test shell_data_file
/data/local/tmp/ltp nativetest_data_file
/data/local/tmp/ltp/test nativetest_data_file
/data/local/traces trace_data_file
/data/local/traces/test trace_data_file
/data/media media_userdir_file
/data/media/test media_rw_data_file
/data/mediadrm media_data_file
/data/mediadrm/test media_data_file
/data/nativetest nativetest_data_file
/data/nativetest/test nativetest_data_file
/data/nativetest64 nativetest_data_file
/data/nativetest64/test nativetest_data_file
/data/pkg_staging staging_data_file
/data/pkg_staging/test staging_data_file
/data/property property_data_file
/data/property/test property_data_file
/data/preloads preloads_data_file
/data/preloads/test preloads_data_file
/data/preloads/media preloads_media_file
/data/preloads/media/test preloads_media_file
/data/preloads/demo preloads_media_file
/data/preloads/demo/test preloads_media_file
/data/server_configurable_flags server_configurable_flags_data_file
/data/server_configurable_flags/test server_configurable_flags_data_file
/data/app-staging staging_data_file
/data/app-staging/test staging_data_file
/data/rollback/0/test/test.apk apk_data_file
/data/rollback/999/test/test.apex staging_data_file
/data/fonts/files font_data_file
/data/fonts/files/test font_data_file
/data/misc_ce system_userdir_file
/data/misc_de system_userdir_file
/data/system_ce system_userdir_file
/data/system_de system_userdir_file
/data/user system_userdir_file
/data/user_de system_userdir_file
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. 
create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SELinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName. We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
# Storage areas. The top-level /data/storage_area directory is expected to
# share the label used by the other per-user roots listed above (/data/user,
# /data/misc_ce, ...). The key directory under /data/misc_ce/<userId>/ must
# resolve to its own storage_area_key_file type; the change that introduced
# the type states that only installd and vold may access these keys, so a
# lookup that falls back to a broader type here is a policy regression.
/data/storage_area system_userdir_file
/data/misc_ce/0/storage_area_keys storage_area_key_file
/data/misc/adb adb_keys_file
/data/misc/adb/test adb_keys_file
/data/misc/a11ytrace accessibility_trace_data_file
/data/misc/a11ytrace/test accessibility_trace_data_file
/data/misc/apexdata apex_module_data_file
/data/misc/apexdata/test apex_module_data_file
/data/misc/apexdata/com.android.art apex_art_data_file
/data/misc/apexdata/com.android.art/test apex_art_data_file
/data/misc/apexdata/com.android.compos apex_compos_data_file
/data/misc/apexdata/com.android.compos/test apex_compos_data_file
/data/misc/apexdata/com.android.virt apex_virt_data_file
/data/misc/apexdata/com.android.virt/test apex_virt_data_file
/data/misc/apexdata/com.android.permission apex_system_server_data_file
/data/misc/apexdata/com.android.permission/test apex_system_server_data_file
/data/misc/apexdata/com.android.scheduling apex_system_server_data_file
/data/misc/apexdata/com.android.scheduling/test apex_system_server_data_file
/data/misc/apexdata/com.android.tethering apex_tethering_data_file
/data/misc/apexdata/com.android.tethering/test apex_tethering_data_file
/data/misc/apexdata/com.android.tethering/threadnetwork apex_tethering_data_file
/data/misc/apexdata/com.android.tethering/threadnetwork/test apex_tethering_data_file
/data/misc/apexdata/com.android.uwb apex_system_server_data_file
/data/misc/apexdata/com.android.uwb/test apex_system_server_data_file
/data/misc/apexdata/com.android.wifi apex_system_server_data_file
/data/misc/apexdata/com.android.wifi/test apex_system_server_data_file
/data/misc/apexrollback apex_rollback_data_file
/data/misc/apexrollback/test apex_rollback_data_file
/data/misc/apns radio_data_file
/data/misc/apns/test radio_data_file
/data/misc/appcompat appcompat_data_file
/data/misc/appcompat/test appcompat_data_file
/data/misc/audio audio_data_file
/data/misc/audio/test audio_data_file
/data/misc/audioserver audioserver_data_file
/data/misc/audioserver/test audioserver_data_file
/data/misc/audiohal audiohal_data_file
/data/misc/audiohal/test audiohal_data_file
/data/misc/bootstat bootstat_data_file
/data/misc/bootstat/test bootstat_data_file
/data/misc/boottrace boottrace_data_file
/data/misc/boottrace/test boottrace_data_file
/data/misc/bluetooth bluetooth_data_file
/data/misc/bluetooth/test bluetooth_data_file
/data/misc/bluetooth/logs bluetooth_logs_data_file
/data/misc/bluetooth/logs/test bluetooth_logs_data_file
/data/misc/bluedroid bluetooth_data_file
/data/misc/bluedroid/test bluetooth_data_file
/data/misc/bluedroid/.a2dp_ctrl bluetooth_socket
/data/misc/bluedroid/.a2dp_data bluetooth_socket
/data/misc/camera camera_data_file
/data/misc/camera/test camera_data_file
/data/misc/carrierid radio_data_file
/data/misc/carrierid/test radio_data_file
/data/misc/connectivityblobdb connectivityblob_data_file
/data/misc/connectivityblobdb/test connectivityblob_data_file
/data/misc/dhcp dhcp_data_file
/data/misc/dhcp/test dhcp_data_file
/data/misc/dhcp-6.8.2 dhcp_data_file
/data/misc/dhcp-6.8.2/test dhcp_data_file
/data/misc/dmesgd dmesgd_data_file
/data/misc/dmesgd/test dmesgd_data_file
/data/misc/emergencynumberdb emergency_data_file
/data/misc/emergencynumberdb/test emergency_data_file
/data/misc/gatekeeper gatekeeper_data_file
/data/misc/gatekeeper/test gatekeeper_data_file
/data/misc/incidents incident_data_file
/data/misc/incidents/test incident_data_file
/data/misc/installd install_data_file
/data/misc/installd/test install_data_file
/data/misc/keychain keychain_data_file
/data/misc/keychain/test keychain_data_file
/data/misc/credstore credstore_data_file
/data/misc/credstore/test credstore_data_file
/data/misc/keystore keystore_data_file
/data/misc/keystore/test keystore_data_file
/data/misc/logd misc_logd_file
/data/misc/logd/test misc_logd_file
/data/misc/media media_data_file
/data/misc/media/test media_data_file
/data/misc/net net_data_file
/data/misc/net/test net_data_file
/data/misc/network_watchlist network_watchlist_data_file
/data/misc/network_watchlist/test network_watchlist_data_file
/data/misc/telephonyconfig radio_data_file
/data/misc/telephonyconfig/test radio_data_file
# Each directory is paired with a child path so that both the directory
# itself and its contents are looked up.
/data/misc/nfc/logs nfc_logs_data_file
/data/misc/nfc/logs/test nfc_logs_data_file
/data/misc/odrefresh odrefresh_data_file
/data/misc/odrefresh/test odrefresh_data_file
/data/misc/odsign odsign_data_file
/data/misc/odsign/test odsign_data_file
# The metrics subdirectory is expected to resolve to its own type rather
# than inheriting odsign_data_file from the enclosing directory.
/data/misc/odsign/metrics odsign_metrics_file
/data/misc/odsign/metrics/test odsign_metrics_file
# Likewise, bugreport traces carry a dedicated type, distinct from the
# one expected for /data/misc/perfetto-traces listed further down.
/data/misc/perfetto-traces/bugreport perfetto_traces_bugreport_data_file
/data/misc/perfetto-traces/bugreport/test perfetto_traces_bugreport_data_file
# Nested perfetto trace directories. The parent directory and its ordinary
# children are expected to resolve to perfetto_traces_data_file, while the
# profiling/ subdirectory gets a distinct type. Both levels are listed so
# that a file_contexts change which lets the parent rule shadow the more
# specific one is caught by the type comparison.
/data/misc/perfetto-traces perfetto_traces_data_file
/data/misc/perfetto-traces/test perfetto_traces_data_file
/data/misc/perfetto-traces/profiling perfetto_traces_profiling_data_file
/data/misc/perfetto-traces/profiling/test perfetto_traces_profiling_data_file
/data/misc/perfetto-configs perfetto_configs_data_file
/data/misc/perfetto-configs/test perfetto_configs_data_file
/data/misc/prereboot prereboot_data_file
/data/misc/prereboot/test prereboot_data_file
/data/misc/profcollectd profcollectd_data_file
/data/misc/profcollectd/test profcollectd_data_file
/data/misc/radio radio_core_data_file
/data/misc/radio/test radio_core_data_file
/data/misc/recovery recovery_data_file
/data/misc/recovery/test recovery_data_file
/data/misc/shared_relro shared_relro_file
/data/misc/shared_relro/test shared_relro_file
/data/misc/sms radio_data_file
/data/misc/sms/test radio_data_file
/data/misc/snapshotctl_log snapshotctl_log_data_file
/data/misc/snapshotctl_log/test snapshotctl_log_data_file
/data/misc/stats-active-metric stats_data_file
/data/misc/stats-active-metric/test stats_data_file
/data/misc/stats-data stats_data_file
/data/misc/stats-data/test stats_data_file
/data/misc/stats-service stats_config_data_file
/data/misc/stats-service/test stats_config_data_file
/data/misc/stats-metadata stats_data_file
/data/misc/stats-metadata/test stats_data_file
/data/misc/systemkeys systemkeys_data_file
/data/misc/systemkeys/test systemkeys_data_file
/data/misc/textclassifier textclassifier_data_file
/data/misc/textclassifier/test textclassifier_data_file
/data/misc/train-info stats_data_file
/data/misc/train-info/test stats_data_file
/data/misc/user misc_user_data_file
/data/misc/user/test misc_user_data_file
/data/misc/virtualizationservice virtualizationservice_data_file
/data/misc/virtualizationservice/test virtualizationservice_data_file
/data/misc/vpn vpn_data_file
/data/misc/vpn/test vpn_data_file
/data/misc/wifi wifi_data_file
/data/misc/wifi/test wifi_data_file
/data/misc_ce/0/wifi wifi_data_file
/data/misc_ce/99/wifi/test wifi_data_file
/data/misc/wifi/sockets wpa_socket
/data/misc/wifi/sockets/test wpa_socket
/data/misc/wifi/sockets/wpa_ctrl_test system_wpa_socket
/data/misc/wifi/sockets/wpa_ctrl.rc system_wpa_socket
/data/misc/vold vold_data_file
/data/misc/vold/test vold_data_file
/data/misc/update_engine update_engine_data_file
/data/misc/update_engine/test update_engine_data_file
/data/misc/update_engine_log update_engine_log_data_file
/data/misc/update_engine_log/test update_engine_log_data_file
/data/misc/snapuserd_log snapuserd_log_data_file
/data/misc/snapuserd_log/test snapuserd_log_data_file
/data/system/dropbox dropbox_data_file
/data/system/dropbox/test dropbox_data_file
/data/system/heapdump heapdump_data_file
/data/system/heapdump/test heapdump_data_file
/data/misc/trace method_trace_data_file
/data/misc/trace/test method_trace_data_file
/data/misc/wmtrace wm_trace_data_file
/data/misc/wmtrace/test wm_trace_data_file
/data/misc/profiles/cur/0 user_profile_root_file
/data/misc/profiles/cur/9 user_profile_root_file
/data/misc/profiles/cur/0/test user_profile_data_file
/data/misc/profiles/ref user_profile_data_file
/data/misc/profiles/ref/test user_profile_data_file
/data/misc/profman profman_dump_data_file
/data/misc/profman/test profman_dump_data_file
/data/vendor vendor_data_file
/data/vendor/test vendor_data_file
/data/vendor_ce vendor_userdir_file
/data/vendor_ce/test vendor_data_file
/data/vendor_de vendor_userdir_file
/data/vendor_de/test vendor_data_file
/data/misc_de/0/storaged storaged_data_file
/data/misc_de/99/storaged/test storaged_data_file
/data/misc_ce/0/storaged storaged_data_file
/data/misc_ce/99/storaged/test storaged_data_file
/data/misc_ce/0/checkin checkin_data_file
/data/misc_ce/99/checkin/test checkin_data_file
/data/system/users/0/fpdata fingerprintd_data_file
/data/system/users/99/fpdata/test fingerprintd_data_file
/data/vendor_de/0/fpdata fingerprint_vendor_data_file
/data/vendor_de/99/fpdata/test fingerprint_vendor_data_file
/data/vendor_de/0/facedata face_vendor_data_file
/data/vendor_de/99/facedata/test face_vendor_data_file
/data/vendor_ce/0/facedata face_vendor_data_file
/data/vendor_ce/99/facedata/test face_vendor_data_file
/data/vendor_de/0/irisdata iris_vendor_data_file
/data/vendor_de/99/irisdata/test iris_vendor_data_file
/data/bootchart bootchart_data_file
/data/bootchart/test bootchart_data_file
/data/misc_de/0/sdksandbox sdk_sandbox_system_data_file
/data/misc_de/99/sdksandbox sdk_sandbox_system_data_file
/data/misc_ce/0/sdksandbox sdk_sandbox_system_data_file
/data/misc_ce/99/sdksandbox sdk_sandbox_system_data_file
/data/misc_de/0/rollback rollback_data_file
/data/misc_de/99/rollback/test rollback_data_file
/data/misc_ce/0/rollback rollback_data_file
/data/misc_ce/99/rollback/test rollback_data_file
/data/misc_de/0/apexdata apex_module_data_file
/data/misc_de/99/apexdata/test apex_module_data_file
/data/misc_ce/0/apexdata apex_module_data_file
/data/misc_ce/99/apexdata/test apex_module_data_file
/data/misc_ce/0/apexdata/com.android.appsearch apex_system_server_data_file
/data/misc_ce/99/apexdata/com.android.appsearch/test apex_system_server_data_file
/data/misc_de/0/apexdata/com.android.permission apex_system_server_data_file
/data/misc_de/99/apexdata/com.android.permission/test apex_system_server_data_file
/data/misc_ce/0/apexdata/com.android.permission apex_system_server_data_file
/data/misc_ce/99/apexdata/com.android.permission/test apex_system_server_data_file
/data/misc_de/0/apexdata/com.android.wifi apex_system_server_data_file
/data/misc_de/99/apexdata/com.android.wifi/test apex_system_server_data_file
/data/misc_ce/0/apexdata/com.android.wifi apex_system_server_data_file
/data/misc_ce/99/apexdata/com.android.wifi/test apex_system_server_data_file
/data/misc_de/0/apexdata/com.android.uwb apex_system_server_data_file
/data/misc_de/99/apexdata/com.android.uwb/test apex_system_server_data_file
/data/misc_ce/0/apexdata/com.android.uwb apex_system_server_data_file
/data/misc_ce/99/apexdata/com.android.uwb/test apex_system_server_data_file
/data/misc_de/0/apexrollback apex_rollback_data_file
/data/misc_de/99/apexrollback/test apex_rollback_data_file
/data/misc_ce/0/apexrollback apex_rollback_data_file
/data/misc_ce/99/apexrollback/test apex_rollback_data_file
/data/incremental apk_data_file
/data/incremental/test apk_data_file
/data/incremental/MT_test/mount/.pending_reads incremental_control_file
/data/incremental/MT_test/mount/.log incremental_control_file
/data/incremental/MT_test/mount/.blocks_written incremental_control_file
/data/misc/bootanim bootanim_data_file
/data/misc/bootanim/test bootanim_data_file
/mnt/expand mnt_expand_file
/mnt/expand/does_not_exist system_data_file
/mnt/expand/test/test system_data_file
/mnt/expand/test/app apk_data_file
/mnt/expand/test/app/test apk_data_file
/mnt/expand/test/app/test/oat dalvikcache_data_file
/mnt/expand/test/app/test/oat/test dalvikcache_data_file
/mnt/expand/test/app/test/test/oat dalvikcache_data_file
/mnt/expand/test/app/test/test/oat/test dalvikcache_data_file
/mnt/expand/test/app/vmdltest.tmp apk_tmp_file
/mnt/expand/test/app/vmdltest.tmp/test apk_tmp_file
/mnt/expand/test/app/vmdltest.tmp/oat dalvikcache_data_file
/mnt/expand/test/app/vmdltest.tmp/oat/test dalvikcache_data_file
/mnt/expand/test/local/tmp shell_data_file
/mnt/expand/test/local/tmp/test shell_data_file
/mnt/expand/test/media media_userdir_file
/mnt/expand/test/media/test media_rw_data_file
/mnt/expand/test/misc/vold vold_data_file
/mnt/expand/test/misc/vold/test vold_data_file
/mnt/expand/test/misc_ce system_userdir_file
/mnt/expand/test/misc_de system_userdir_file
/mnt/expand/test/user system_userdir_file
/mnt/expand/test/user_de system_userdir_file
/cores coredump_file
/cores/test coredump_file
/data/system/users/0/wallpaper_lock_orig wallpaper_file
/data/system/users/99/wallpaper_lock wallpaper_file
/data/system/users/0/wallpaper_orig wallpaper_file
/data/system/users/10/wallpaper wallpaper_file
/data/system_de/0/ringtones ringtone_file
/data/system_de/0/ringtones/test ringtone_file
/data/system_ce/0/shortcut_service/bitmaps shortcut_manager_icons
/data/system_ce/9/shortcut_service/bitmaps/test shortcut_manager_icons
/data/system/users/10/photo.png icon_file
/data/system/shutdown-checkpoints shutdown_checkpoints_system_data_file
/data/system/shutdown-checkpoints/test shutdown_checkpoints_system_data_file
/data/misc_de/0/vold vold_data_file
/data/misc_de/99/vold/test vold_data_file
/data/misc_ce/0/vold vold_data_file
/data/misc_ce/99/vold/test vold_data_file
/data/system_ce/0/backup backup_data_file
/data/system_ce/99/backup/test backup_data_file
/data/system_ce/0/backup_stage backup_data_file
/data/system_ce/99/backup_stage/test backup_data_file
/efs efs_file
/efs/test efs_file
/cache cache_file
/cache/test cache_file
/cache/recovery cache_recovery_file
/cache/recovery/test cache_recovery_file
/cache/backup_stage cache_backup_file
/cache/backup_stage/test cache_backup_file
/cache/backup cache_private_backup_file
/cache/backup/test cache_private_backup_file
/cache/overlay overlayfs_file
/cache/overlay/test overlayfs_file
/mnt/scratch overlayfs_file
/mnt/scratch/test overlayfs_file
/data/cache cache_file
/data/cache/test cache_file
/data/cache/recovery cache_recovery_file
/data/cache/recovery/test cache_recovery_file
/data/cache/backup_stage cache_backup_file
/data/cache/backup_stage/test cache_backup_file
/data/cache/backup cache_private_backup_file
/data/cache/backup/test cache_private_backup_file
/metadata metadata_file
/metadata/test metadata_file
/metadata/aconfig aconfig_storage_metadata_file
/metadata/aconfig/test aconfig_storage_metadata_file
/metadata/aconfig/flags aconfig_storage_flags_metadata_file
/metadata/aconfig/flags/test aconfig_storage_flags_metadata_file
/metadata/aconfig/boot aconfig_storage_metadata_file
/metadata/aconfig/boot/test aconfig_storage_metadata_file
/metadata/aconfig_test_missions aconfig_test_mission_files
/metadata/aconfig_test_missions/test aconfig_test_mission_files
/metadata/apex apex_metadata_file
/metadata/apex/test apex_metadata_file
/metadata/vold vold_metadata_file
/metadata/vold/test vold_metadata_file
/metadata/gsi gsi_metadata_file
/metadata/gsi/test gsi_metadata_file
/metadata/gsi/dsu/active gsi_public_metadata_file
/metadata/gsi/dsu/booted gsi_public_metadata_file
/metadata/gsi/dsu/lp_names gsi_public_metadata_file
/metadata/gsi/dsu/test/metadata_encryption_dir gsi_public_metadata_file
/metadata/gsi/ota ota_metadata_file
/metadata/gsi/ota/test ota_metadata_file
/metadata/password_slots password_slot_metadata_file
/metadata/password_slots/test password_slot_metadata_file
/metadata/ota ota_metadata_file
/metadata/ota/test ota_metadata_file
/metadata/bootstat metadata_bootstat_file
/metadata/bootstat/test metadata_bootstat_file
/metadata/staged-install staged_install_file
/metadata/staged-install/test staged_install_file
/metadata/userspacereboot userspace_reboot_metadata_file
/metadata/userspacereboot/test userspace_reboot_metadata_file
/metadata/watchdog watchdog_metadata_file
/metadata/watchdog/test watchdog_metadata_file
/metadata/repair-mode repair_mode_metadata_file
/metadata/repair-mode/test repair_mode_metadata_file
/mnt/asec asec_apk_file
/mnt/asec/test asec_apk_file
/mnt/asec/test/test.zip asec_public_file
/mnt/asec/test/lib asec_public_file
/mnt/asec/test/lib/test asec_public_file
/data/app-asec asec_image_file
/data/app-asec/test asec_image_file
/mnt/media_rw mnt_media_rw_file
/mnt/media_rw/test mnt_media_rw_file
/mnt/user mnt_user_file
/mnt/user/test mnt_user_file
/mnt/pass_through mnt_pass_through_file
/mnt/pass_through/test mnt_pass_through_file
/mnt/sdcard mnt_sdcard_file
/mnt/runtime storage_file
/mnt/runtime/test storage_file
/storage storage_file
/storage/test storage_file
/mnt/vendor mnt_vendor_file
/mnt/vendor/test mnt_vendor_file
/mnt/product mnt_product_file
/mnt/product/test mnt_product_file
/system/bin/check_dynamic_partitions postinstall_exec
/product/bin/check_dynamic_partitions postinstall_exec
/system/bin/otapreopt_script postinstall_exec
/product/bin/otapreopt_script postinstall_exec
/system/bin/otapreopt postinstall_dexopt_exec
/product/bin/otapreopt postinstall_dexopt_exec
/data/misc/uprobestats-configs uprobestats_configs_data_file
/data/misc/uprobestats-configs/test uprobestats_configs_data_file
/tmp shell_data_file
/mnt/pre_reboot_dexopt pre_reboot_dexopt_file