Add "DO NOT ADD statements" comments to public

For visibility Bug: 232023812 Test: N/A Change-Id: I0bc6dc568210b81ba1f52acb18afd4bcc454ea1c
2024-03-28 10:37:28 +09:00 · 2024-03-28 10:37:28 +09:00 · 09b27c7109
commit 09b27c7109
parent 5769fd90f2
136 changed files with 540 additions and 7 deletions
--- a/public/adbd.te
+++ b/public/adbd.te
@ -2,3 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
 type adbd_exec, exec_type, file_type, system_file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/aidl_lazy_test_server.te
+++ b/public/aidl_lazy_test_server.te
@ -1,2 +1,6 @@
 type aidl_lazy_test_server, domain;
 type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/apexd.te
+++ b/public/apexd.te
@ -1,3 +1,7 @@
 # apexd -- manager for APEX packages
 type apexd, domain;
 type apexd_exec, exec_type, file_type, system_file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/app.te
+++ b/public/app.te
@ -7,3 +7,7 @@
 ### zygote spawned apps should be added here.
 ###
 type appdomain_tmpfs, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/app_zygote.te
+++ b/public/app_zygote.te
@ -1,6 +1,9 @@
 # app_zygote is an auxiliary zygote process that is used to spawn
 # isolated service processes for individual applications. It is
 # spawned from the regular zygote process as a "child zygote".
 type app_zygote, domain;
 type app_zygote_tmpfs, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/artd.te
+++ b/public/artd.te
@ -1,2 +1,6 @@
 # ART service daemon.
 type artd, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/asan_extract.te
+++ b/public/asan_extract.te
@ -7,3 +7,7 @@ with_asan(`
  type asan_extract, domain, coredomain;
  type asan_extract_exec, exec_type, file_type, system_file_type;
 ')
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/atrace.te
+++ b/public/atrace.te
@ -1 +1,5 @@
 type atrace, domain, coredomain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/audioserver.te
+++ b/public/audioserver.te
@ -2,3 +2,6 @@
 type audioserver, domain;
 type audioserver_tmpfs, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/blkid.te
+++ b/public/blkid.te
@ -1,2 +1,6 @@
 # blkid called from vold
 type blkid, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@ -1,2 +1,6 @@
 # bluetooth subsystem
 type bluetooth, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/bootanim.te
+++ b/public/bootanim.te
@ -1,3 +1,7 @@
 # bootanimation oneshot service
 type bootanim, domain;
 type bootanim_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/bootstat.te
+++ b/public/bootstat.te
@ -1,3 +1,7 @@
 # bootstat command
 type bootstat, domain;
 type bootstat_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/bpfloader.te
+++ b/public/bpfloader.te
@ -1 +1,5 @@
 type bpfloader, domain, coredomain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@ -1,3 +1,7 @@
 # bufferhubd
 type bufferhubd, domain, mlstrustedsubject;
 type bufferhubd_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@ -2,3 +2,7 @@
 type cameraserver, domain;
 type cameraserver_exec, system_file_type, exec_type, file_type;
 type cameraserver_tmpfs, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/charger.te
+++ b/public/charger.te
@ -1,2 +1,6 @@
 type charger, charger_type, domain;
 type charger_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/charger_vendor.te
+++ b/public/charger_vendor.te
@ -1,3 +1,6 @@
 # Context when health HAL runs charger mode
 type charger_vendor, charger_type, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@ -1,2 +1,6 @@
 type crash_dump, domain;
 type crash_dump_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/credstore.te
+++ b/public/credstore.te
@ -1,3 +1,7 @@
 # credstore daemon
 type credstore, domain;
 type credstore_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/device.te
+++ b/public/device.te
@ -137,3 +137,7 @@ type rootdisk_sysdev, dev_type;
 # vfio device
 type vfio_device, dev_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/dhcp.te
+++ b/public/dhcp.te
@ -1,2 +1,6 @@
 type dhcp, domain;
 type dhcp_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@ -1,3 +1,7 @@
 # DNS, DHCP services
 type dnsmasq, domain;
 type dnsmasq_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/drmserver.te
+++ b/public/drmserver.te
@ -2,3 +2,7 @@
 type drmserver, domain;
 type drmserver_exec, system_file_type, exec_type, file_type;
 type drmserver_socket, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@ -1,3 +1,7 @@
 # dumpstate
 type dumpstate, domain, mlstrustedsubject;
 type dumpstate_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/e2fs.te
+++ b/public/e2fs.te
@ -1,2 +1,6 @@
 type e2fs, domain, coredomain;
 type e2fs_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@ -12,3 +12,7 @@
 ### PackageManager flags an app as ephemeral at install time.
 type ephemeral_app, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/evsmanagerd.te
+++ b/public/evsmanagerd.te
@ -1,2 +1,6 @@
 # evsmanager daemon
 type evsmanagerd, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/extra_free_kbytes.te
+++ b/public/extra_free_kbytes.te
@ -1,3 +1,7 @@
 # The extra_free_kbytes.sh script run by init.
 type extra_free_kbytes, domain;
 type extra_free_kbytes_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@ -3,3 +3,7 @@
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
 type fastbootd, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/file.te
+++ b/public/file.te
@ -627,3 +627,7 @@ with_asan(`type asanwrapper_exec, exec_type, file_type;')
 # Deprecated in SDK version 28
 type audiohal_data_file, file_type, data_file_type, core_data_file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@ -1,2 +1,6 @@
 type fingerprintd, domain;
 type fingerprintd_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@ -1,3 +1,7 @@
 # The flags_health_check command run by init.
 type flags_health_check, domain, coredomain;
 type flags_health_check_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/fsck.te
+++ b/public/fsck.te
@ -1,3 +1,7 @@
 # Any fsck program run by init
 type fsck, domain;
 type fsck_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@ -1,2 +1,6 @@
 # Any fsck program run on untrusted block devices
 type fsck_untrusted, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@ -1,2 +1,6 @@
 type gatekeeperd, domain;
 type gatekeeperd_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/gmscore_app.te
+++ b/public/gmscore_app.te
@ -3,3 +3,7 @@
 ###
 type gmscore_app, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/gpuservice.te
+++ b/public/gpuservice.te
@ -1,2 +1,6 @@
 # gpuservice - server for gpu stats and other gpu related services
 type gpuservice, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@ -1,3 +1,7 @@
 type hal_graphics_composer_server_tmpfs, file_type;
 attribute hal_graphics_composer_client_tmpfs;
 expandattribute hal_graphics_composer_client_tmpfs true;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/healthd.te
+++ b/public/healthd.te
@ -1,4 +1,7 @@
 # healthd - battery/charger monitoring service daemon
 # healthd is removed. The type is kept for backwards compatibility.
 type healthd, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/heapprofd.te
+++ b/public/heapprofd.te
@ -1 +1,5 @@
 type heapprofd, domain, coredomain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/hwservice.te
+++ b/public/hwservice.te
@ -90,3 +90,7 @@ type hidl_base_hwservice, hwservice_manager_type;
 type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@ -1,3 +1,7 @@
 # hwservicemanager - the Binder context manager for HAL services
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/idmap.te
+++ b/public/idmap.te
@ -1,3 +1,7 @@
 # idmap, when executed by installd
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/incident.te
+++ b/public/incident.te
@ -6,3 +6,6 @@
 # incident
 type incident, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/incident_helper.te
+++ b/public/incident_helper.te
@ -3,3 +3,7 @@
 # incident_helper
 type incident_helper, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/incidentd.te
+++ b/public/incidentd.te
@ -1,3 +1,6 @@
 # incidentd
 type incidentd, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/init.te
+++ b/public/init.te
@ -2,3 +2,7 @@
 type init, domain, mlstrustedsubject;
 type init_exec, system_file_type, exec_type, file_type;
 type init_tmpfs, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@ -1,3 +1,7 @@
 # inputflinger
 type inputflinger, domain;
 type inputflinger_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/installd.te
+++ b/public/installd.te
@ -1,3 +1,7 @@
 # installer daemon
 type installd, domain;
 type installd_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@ -7,3 +7,7 @@
 ###
 type isolated_app, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/isolated_compute_app.te
+++ b/public/isolated_compute_app.te
@ -1 +1,5 @@
 type isolated_compute_app, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/kernel.te
+++ b/public/kernel.te
@ -1,2 +1,6 @@
 # Life begins with the kernel.
 type kernel, domain, mlstrustedsubject;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/keystore.te
+++ b/public/keystore.te
@ -1,3 +1,7 @@
 # keystore daemon
 type keystore, domain, keystore2_key_type;
 type keystore_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/keystore_keys.te
+++ b/public/keystore_keys.te
@ -1,2 +1,6 @@
 # A keystore2 namespace for WI-FI.
 type wifi_key, keystore2_key_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/llkd.te
+++ b/public/llkd.te
@ -1,3 +1,7 @@
 # llkd Live LocK Daemon
 type llkd, domain, mlstrustedsubject;
 type llkd_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/lmkd.te
+++ b/public/lmkd.te
@ -1,3 +1,7 @@
 # lmkd low memory killer daemon
 type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/logd.te
+++ b/public/logd.te
@ -1,3 +1,7 @@
 # android user-space log manager
 type logd, domain, mlstrustedsubject;
 type logd_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/logpersist.te
+++ b/public/logpersist.te
@ -1,2 +1,6 @@
 # android debug logging, logpersist domains
 type logpersist, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/mdnsd.te
+++ b/public/mdnsd.te
@ -1,2 +1,6 @@
 # mdns daemon
 type mdnsd, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@ -1,3 +1,7 @@
 # mediadrmserver - mediadrm daemon
 type mediadrmserver, domain;
 type mediadrmserver_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@ -2,3 +2,7 @@
 type mediaextractor, domain;
 type mediaextractor_exec, system_file_type, exec_type, file_type;
 type mediaextractor_tmpfs, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@ -1,3 +1,7 @@
 # mediametrics - daemon for collecting media.metrics data
 type mediametrics, domain;
 type mediametrics_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/mediaprovider.te
+++ b/public/mediaprovider.te
@ -4,3 +4,7 @@
 ###
 type mediaprovider, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@ -2,3 +2,7 @@
 type mediaserver, domain;
 type mediaserver_exec, system_file_type, exec_type, file_type;
 type mediaserver_tmpfs, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@ -1,2 +1,6 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/mediatranscoding.te
+++ b/public/mediatranscoding.te
@ -1 +1,5 @@
 type mediatranscoding, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/modprobe.te
+++ b/public/modprobe.te
@ -1 +1,5 @@
 type modprobe, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/mtp.te
+++ b/public/mtp.te
@ -1,2 +1,6 @@
 # vpn tunneling protocol manager
 type mtp, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/net.te
+++ b/public/net.te
@ -2,3 +2,7 @@
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/netd.te
+++ b/public/netd.te
@ -1,3 +1,7 @@
 # network manager
 type netd, domain, mlstrustedsubject;
 type netd_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/netutils_wrapper.te
+++ b/public/netutils_wrapper.te
@ -1,2 +1,6 @@
 type netutils_wrapper, domain;
 type netutils_wrapper_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/network_stack.te
+++ b/public/network_stack.te
@ -1,2 +1,6 @@
 # Network stack service app
 type network_stack, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/nfc.te
+++ b/public/nfc.te
@ -1,2 +1,6 @@
 # nfc subsystem
 type nfc, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@ -2,3 +2,7 @@
 # TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
 type otapreopt_chroot, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/perfetto.te
+++ b/public/perfetto.te
@ -1 +1,5 @@
 type perfetto, domain, coredomain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/performanced.te
+++ b/public/performanced.te
@ -1,3 +1,7 @@
 # performanced
 type performanced, domain, mlstrustedsubject;
 type performanced_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/platform_app.te
+++ b/public/platform_app.te
@ -3,3 +3,7 @@
 ###
 type platform_app, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/postinstall.te
+++ b/public/postinstall.te
@ -2,3 +2,7 @@
 # Extend the permissions in this domain to allow this program to access other
 # files needed by the specific device on your device's sepolicy directory.
 type postinstall, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/ppp.te
+++ b/public/ppp.te
@ -1,2 +1,6 @@
 # Point to Point Protocol daemon
 type ppp, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/priv_app.te
+++ b/public/priv_app.te
@ -3,3 +3,7 @@
 ###
 type priv_app, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/prng_seeder.te
+++ b/public/prng_seeder.te
@ -1,2 +1,6 @@
 # PRNG seeder daemon
 type prng_seeder, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/profman.te
+++ b/public/profman.te
@ -1,3 +1,7 @@
 # profman
 type profman, domain;
 type profman_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/property.te
+++ b/public/property.te
@ -342,3 +342,7 @@ not_compatible_property(`
 compatible_property_only(`
    vendor_internal_prop(vendor_default_prop)
 ')
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/radio.te
+++ b/public/radio.te
@ -1,2 +1,6 @@
 # phone subsystem
 type radio, domain, mlstrustedsubject;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/recovery.te
+++ b/public/recovery.te
@ -3,3 +3,7 @@
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
 type recovery, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@ -1,3 +1,7 @@
 # android recovery persistent log manager
 type recovery_persist, domain;
 type recovery_persist_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@ -1,3 +1,7 @@
 # android recovery refresh log manager
 type recovery_refresh, domain;
 type recovery_refresh_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/rkpd_app.te
+++ b/public/rkpd_app.te
@ -4,3 +4,7 @@
 ###
 type rkpdapp, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/rs.te
+++ b/public/rs.te
@ -1,2 +1,6 @@
 type rs, domain, coredomain;
 type rs_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/rss_hwm_reset.te
+++ b/public/rss_hwm_reset.te
@ -1,2 +1,6 @@
 # rss_hwm_reset resets RSS high-water mark counters for all procesess.
 type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/runas.te
+++ b/public/runas.te
@ -1,2 +1,6 @@
 type runas, domain, mlstrustedsubject;
 type runas_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/runas_app.te
+++ b/public/runas_app.te
@ -1 +1,5 @@
 type runas_app, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@ -1,2 +1,6 @@
 type sdcardd, domain;
 type sdcardd_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/secure_element.te
+++ b/public/secure_element.te
@ -1,2 +1,6 @@
 # secure_element subsystem
 type secure_element, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/service.te
+++ b/public/service.te
@ -354,3 +354,7 @@ type hal_wifi_service, protected_service, hal_service_type, service_manager_type
 type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
 type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
 type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@ -1,3 +1,7 @@
 # servicemanager - the Binder context manager
 type servicemanager, domain, mlstrustedsubject;
 type servicemanager_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@ -1,3 +1,7 @@
 # sgdisk called from vold
 type sgdisk, domain;
 type sgdisk_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@ -1,2 +1,6 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/public/shell.te
+++ b/public/shell.te
@ -1,3 +1,7 @@
 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, system_file_type, exec_type, file_type;
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
--- a/Show more
+++ b/Show more